counteract to enforce iot best practices - sysbus.eu · counteract to enforce iot best dr. götz...
TRANSCRIPT
Deployment of IoT devices in organizations is a fact of live. Today, IoT devices are getting moreexposed and more commonlyused as gateways to get unauthorized network access.
To secure their network, whiledeploying IoT devices, companies need visibility, segmentation, classification and detection ofall endpoints in their networks.Visibility on what is connected tothe network – no matter if corporate managed devices, personaldevices and IoT devices.
Through dynamic network segmentation companies are able tolimit the impact and/or to remediate security breaches. Classification allows the identificationmalicious behavior of any endpoint. Suspicious behavior originating from unmanaged IoT devices is also detected.
IAIT tested three common IoTSecurity Threat scenario’s. In allthree cases ForeScout’s CounterACT successfully identified andblocked the attack. ForeScout’sCounterACT is not only well suited for protecting corporate networks against threats posed byhijacked PCs and servers, but al
so to an excellent tool to defendagainst attacks that run via IoTcomponents.
ArchitectureFor a large percentage of itsfunctionality, ForeScout CounterACT works without agents on theadministrated devices. That’swhy it can secure communications not only with known components, but also with unknowndevices. Furthermore, it doesn’tmatter whether the products thatneed protection are administratedor not, nor does it matter whetherthe systems are stationary, mobile, physical, virtual or embedded.
In ongoing operation, CounterACT determines diverse key datafor the newly added devices.These data include, for example,users, operating system, deviceconfiguration, existing software,
patch status, running services,and the status of the securitysoftware. Afterwards, based onthe acquired data and predefinedpolicies, CounterACT classifiesthe various devices and, if necessary, takes measures to protectthe network. For example, if desired, the administrators can configure the solution so that onlycomponents with uptodate virusscanner signatures are permitted to enter the network.
CounterACT also monitors allsystems currently in operation.Rogue components that were active without the knowledge of theIT department are now a thing ofthe past, as are socalled “blindspots,” which were formerlyopaque to the company’s IT staff.The majority of the work runsautomatically, so this product saves time by enabling administrators to secure their networks
Test: ForeScout CounterACT 7
CounterACT to enforce IoT Best
Dr. Götz Güttich
ForeScout CounterACT is a security solution for business networks that identifies andevaluates components as soon as they connect to the network. This product is therefore
not only suitable for securing “classical” environments, but also for protectingcommunication with “Internet of Things” devices. In our testing laboratory, we took a
close look at CounterACT’s abilities in this context.
1
Practices
much more quickly. To protectthe company’s IT resources fromendpoints that are deemed risky,ForeScout’s solution also offers aquarantine in which a client can,for example, update its antiviruspattern or import necessary patches before granting them accessto the LAN. Furthermore, CounterACT is also able to influencethe configuration of switches
and, for example, close portsthrough which suspicious activities occur.
CounterACT is available as botha virtual solution and in the formof an appliance. The appliancescome in several different hardware versions and can protect networks with up to a million endpoints. The product works with avariety of switches, routers,VPNs, WLAN components, firewalls, patch management systems, antivirus solutions, directories, and troubleticket systems.When implementing CounterACT in an existing network, theadministrators only need to ensu
re that the security solution is given access to the network’s traffic; no changes in the infrastructure are necessary.
Thanks to the abovementionedfunctionalities, CounterACT secures the company’s networkagainst devices of customers, visitors and employees (BYOD)that are not administrated by the
company’s IT department, and also protects against malware, botnets and InternetofThings (IOT)devices. As such, CounterACThelps ensure compliance and protect networks against both external attacks and threats from within the company.
Mode of functioningIn operation, ForeScout’s solution works out of band in the network. For example, it canconnect to a mirror port, where itanalyses the data communication.In this context, CounterACT immediately detects new devices asthey enter the network and caneven identify components wi
thout IP addresses becauseCounterACT also scrutinizestraffic that’s handled only viaMAC addresses. Afterwards,CounterACT collects the abovementioned data and applies predefined rules which specify howto proceed with the individualdevices.
For example, relying on predefined credentials, the product willattempt to log in to a Windowscomputer. If it succeeds, it classifies the computer as a devicethat’s administrated by the IT department and assigns it morecomprehensive access rights thanwould be granted to the notebookof a guest who cannot log in andwho is therefore only permittedaccess to the Internet. If activemeasures are necessary (for example, because a component isdeemed risky), then CounterACTis able to send data via a socalled “response port” into the network in order to sever connectionbetween the potentially risky device and LAN devices (byblocking a switch port or relocating an attacker into quarantinedVLAN). Warnings can also betransmitted into the network inthis same way.
IoT as a threatIoT devices are becoming increasingly commonplace and are therefore causing security problemswhich should not be underestimated. After an IoT device (an IPtelephone or a camera, for example) has connected to the network, the device is not merelyable to transmit data into the network and receive data from thenetwork: it can also become agateway for hackers. Hacked devices are operable via the network; their IP stacks are seldomhardened and their potential se
2
The Initial Setup Wizard starts on the CounterACT appliance after the first
login.
curity vulnerabilities can be exploited in the same way as classical IT components can be misused. Insufficient encryption andweak authentification schemataalso play roles in this context.
Similar to the situation with various mobile devices, there is aneven greater threat potential forIoT components than for “nor
mal” computers because there isabsolutely no assurance that themanufacturers of the IoT deviceshave identified potential securityproblems in their products or intend to speedily remedy thosevulnerabilities. IoT devices aretherefore a latent threat whichshould always be taken into consideration because hackers canuse them to access data in thenetwork.
The testIn our test, we implementedCounterACT in our network environment and configured theproduct so that it classified ourcomponents, secured them, andmonitored their ongoing operation. Afterwards, we generated various policies that we used to secure our network against typical
attack scenarios via IoT devices.Finally, we checked the effectiveness of these rules.
Putting into operationTo put the CounterACT appliance into operation, we began byconnecting the solution to a monitor and a keyboard, which wethen booted up. After the systemstartup, the product asked us
about the keyboard layout and offered us three configuration options. The first option called itself“Standard”: this is the configuration as a standalone applianceand it is the one that we used inour test.
Alternatively, in a highly accessible environment, the solution canalso be set up as a “Primary” or“Secondary Node.” In the nextstep, the administrators can choose between implementing CounterACT as an appliance or as anenterprise manager. In the enterprisemanager mode, the productis also able to coordinate otherCounterACT appliances in largerenvironments. But this modeplayed no role in our test becausewe had only one appliance at ourdisposal.
Now our tasks were to specifythe administrator’s password, thehost’s name, and the network interface for management accesses.Our appliance was equipped withfour network interfaces. We defined the first of them as the accessfor the administrators. In the finalstep, we also specified networkconfiguration for the management interface with IP address,gateway, network mask and similar items; afterwards, the setupwas accepted and the appliancebecame accessible via the network.
As soon as the initial configuration was completed, we connectedthe appliance’s fourth port (whichwould be assigned the task offunctioning as the monitoringport during operation) to a mirrorport of our Cisco LAN switch soit would be able to view the traffic in our network. We thenconnected the third port (whichwould work as the response port)via a normal network connectionon the same switch.
This completed the hardwareconfiguration and we could afterwards begin finishing the installation of the CounterACT system. In operation, the solution isconfigured via the “CounterACTConsole”, which is available asmanagement workstations underLinux and Windows. We installedit on a computer with Windows10 Version 1607 in the 64bit variant. This system was equippedwith a QuadCore processor,eight gigabyte RAM and 200 gigabyte available hard disc space.
As is usual under Windows, Wizard coordinates the installationof the console. The administratorwill not encounter any difficulties. After the first login with the
3
CounterACT after successful configuration of access to our Cisco switch.
console on the appliance, westarted the “Initial Setup” assistant. This begins by showing awelcome screen and then wantsto know the time zone, the timeof day, and which NTP servershould be used (if there is one).Afterwards, the responsible employees can specify the administrator email with mail relay, thedirectory that should be used for
user authentification (MicrosoftActive Directory, LDAP, NovelleDirectory, Sun Directory Serveror IBM Lotus Notes), and the domain credentials that the appliance uses in operation in order tolog in at the host and to performa deep inspection on the host.
The next configuration dialoguefocuses on the authentificationservers. We had already specifiedour active directory controller, so
this was already in the list; but, ifnecessary, the administrators nowhave the opportunity to enter additional data.
Afterwards, the Wizard askedabout the IP areas that the appliance should regard as the internal network. The Wizard alsowanted to know the enforcementmode. The options here are: “Full
Enforcement” with NAT detection; “Auto Discovery”, in whichthe product continually monitorsto determine if new componentshave come into the network; and“Partial Enforcement” withoutthreat protection, HTTP actionsand virtual firewall. With the virtual firewall, the solution is ableto use a kind of “man in themiddle” attack to prohibit datatransfers and thus remove endpoints from the traffic.
Under “Channels”, the responsible employees specify whichports should be used for whichtasks (monitoring, response, etc.).The “Switch” area specifies access data for Alcatel, Cisco, Brocade, Huawei, Palo Alto Networks, and many other switchesthrough which the appliance canthen alter the switch configurations (if necessary), for example,to reconfigure ports.
In the “Policy” point, the responsible individuals specify the ruleswhich will be implemented toclassify network components,ensure their security (for example, by monitoring the updatestatus of the antivirus pattern),and monitor the components intheir ongoing operation. In ourtest, we postponed the policy definition for a later date and initially specified an empty set of rules.
Finally, the “Inventory” area offers the responsible employees anonhostrelated network overview. This overview can show,for example, open ports in thenetwork or Windows servicesthat are running in the network.With this final item, the configuration Wizard closes itself and,after a restart, the appliance begins its work.
Configuration in ongoing operationNow let’s look at a few practicalexamples to show how CounterACT can be used to secure company networks against threatsposed by IoT devices. The firstexample takes effect in the aforementioned scenarios in whichIoT components are hacked andthen misused as gateways intothe network to steal data. The second example shows how admi
4
In operation, ForeScout’s solution collects many details about the network’s
components.
nistrators can secure specificclasses of devices against misuse;printers are used as an examplein this instance. The third example explores how the appliancedetects port scans in the networkand defends against them. Attackers usually conduct portscans after they have gained afoothold on a device. Such scansenable attackers to determinewhich services are available.
Example number 1: detectingand securing hacked IoT devicesIf an attacker takes over a device(for example, a smart TV in aconference room or a webcam),they can change the MAC address of this device so that it will
pretend to be another product.Many companies work with security solutions that are based onaccess control lists (ACLs). The
se lists classify the devices in thenetwork: for example, they specify that the computer with theMAC addressFC:FC:48:23:b0:c4 is a Windowsclient and that the device with theMAC addressD8:1F:CC:28:d1:00 is a smartTV.
Based on this classification, many corporate security solutionsnow permit access to specificcomponents, so it be sensible togrant the access rights for certainfile servers to Mac OS or Windows computers and simultaneously to ensure that IP camerasand smart TVs are not grantedaccess to these servers. In manyinstances, it accordingly suffices
merely to change the MAC address of a hacked IoT device tothwart the security products andto gain access to the data. Con
versely, in many environments, itcan try to disguise itself as another operating system: for example, if a Linuxbased webcampretends to be a Windows system, this alone may often sufficeto receive higherlevel rights.
To ensure security in such a scenario, administrators must firstgenerate a CounterACT rule thatassigns the existing devices toparticular groups, for example,network devices (routers andswitches), Linux servers, Windows PCs, Mac OS systems,printers, VoIP solutions, etc. Asdescribed above, this functionsautomatically in the context ofthe network scan based on thedata acquired during the scan.For example, if an administratorwants to assign all of his company’s IP cameras to the group of“IP cameras” and if all existingcameras are either Axis, DLinkor Mobotix, then the responsibleemployee can use the CounterACT console to specify a policythat reassigns into the “IP cameras” group all devices that haveMAC addresses which belong tothe aforementioned manufacturers.
But this does not yet make it clear where the camera comes from:it could also be a rogue devicewhich accidentally (or intentionally) comes from one of theaforementioned manufacturers,just like one of the company’sordinary cameras. That’s why itmakes sense to expand the groupof “IP cameras” to include twosubgroups. The first subgroup,which is named “Corporate IPCameras”, should contain all ofthe company’s cameras. The second subgroup is logically named“NonCorporate Devices” andincludes all cameras which the
5
If necessary, in the context of classification, administrators can precisely spe
cify which ports on a system are allowed or not allowed to remain open. Based
on these data, they are then assigned to their appropriate groups.
appliance doesn’t already know.This distinction can be made viaa MAC address list: if the responsible employees enter all IPaddresses of IP cameras throughout their company into the policy definition, then CounterACTcan securely distinguish betweenforeign cameras and cameraswhich belong to the company.
During the scan, CounterACTnot only determines the MAC addresses of the devices in the network, but also (as discussed) dis
covers other parameters such asIP addresses, open ports or theoperating system. This securitysolution is accordingly able to recognize a device, even if a parameter (for example, MAC address or the operating systemused) has been altered.
If a webcam is hacked and the attacker uses MAC addressspoofing to disguise the webcamunder the MAC address of aknown Windows client and thusthwart the ACLs, then CounterACT detects the fact that the device is now active in the networkunder an altered MAC address.
This address is not in the list ofknown MAC addresses of IP cameras, so, in the next step, thesuspicious device is assigned tothe group of “NonCorporate Devices”.
The attacker has thus been identified, but now it must be madeharmless. This is why the peopleresponsible for IT augment thepolicy with an action which assures that no data theft ensues. Several different options are available here. For example, all devices
in the group of “NonCorporateDevices” can be placed in a quarantined VLAN where they cancause no harm.
Alternatively, CounterACT canalso be set up to automaticallyblock the switch port on whichthe affected device depends. Thesecurity solution accesses theswitch configuration for this option. Simultaneously, the productcan send alarms to the administrators and can also initiate manyother actions. In this way, it becomes relatively simple for acompany to prevent data theftthrough IoT devices via MAC
address spoofing. In our test, weused a Linux client under Fedora24 to simulate MAC spoofing:CounterACT immediately detected our manipulation.
Incidentally: if an attacker disguises itself as another operatingsystem (in our example, as aWindows client), then another setof rules comes into play. This isbecause in our scenario, we began by classifying the Windowsdevices. The distinction between“Windows” or “not Windows”was made prior to its assignmentto the group of “IP cameras”. Thehacked device, which disguiseditself as a Windows solution, wasconsequently not assigned to thegroup of IP cameras, but amongthe Windows systems. Varioussecurity rules can be specified forthese: in our test, all Windowssystems that CounterACTcouldn’t log into (that is, also ourtest computer with false operatingsystem identification) werequarantined so they could do noharm.
Example number 2: printerP2P clarificationOur second scenario assumes thatan attacker has taken control of aprinter and afterwards attemptsvia P2P to use this printer to move data off the company’s premises. CounterACT likewisethwarts this attempt. The affectedpolicy initially assigns the components in the network to specificgroups. In our example, printerscan be recognized because port9100 for print orders is open andport 80 for the configuration interface is likewise open. If all ofthe printers in a company aremade by the same manufacturer(for example, Xerox), then theNIC manufacturer can again beused for classification. If ne
6
CounterACT detects a large number of different attack scenarios.
cessary, it is even possible to instruct CounterACT to call up the
printer’s web interface and checkif it exports specific contentssuch as the identity of the contactperson within the company. If allof the aforementioned factors aredetermined to apply, then theprinter lands in the group of“Corporate Printers.”
If a hacker now sets up a P2Pservice on the computer, thisusually causes additional ports toopen. CounterACT detects theseadditional openings in ongoingoperation and accordingly reassigns the printer to the group of“NonCorporate Devices.” Various actions can be defined here;the security appliance then undertakes these actions to preventdata theft.
Example number 3: defenseagainst port scansOur third example involves portscans. If a hacker penetrates intoan unknown network, then hisnext step after he has taken overthe first device will most likelybe to run a port scan in the net
work. This will enable him tofind out which services are offe
red by which machines. That’swhy it is important to speedilydetect and isolate computers or
other systems in the network thatrun port scans which haven’t been authorized by the IT department – before these computers orother systems can be misused toattack network services. CounterACT can be used here too. To doso, the responsible individualssimply need to specify their security appliance to check whetherany existing systems in the network are running port scans. Various other malicious events canalso be detected, for example,
hostname scans, NetBIOS namescans, password scans, SNMPcommunity scans, and similarevents. As soon as ForeScout’ssolution has noticed an activity ofthis kind, it can perform an actionsuch as blocking the affectedswitch port or putting the affected system into quarantine. Thisisolates the attacker and protectsthe network from any further actions which the attacker mightundertake. In our test, we conducted port scans under Windowssystems and under KaliLinux:CounterACT immediately detected our actions.
SummaryA security appliance such as ForeScout CounterACT is not onlyexcellently well suited for protecting corporate networksagainst threats posed by hijackedPCs and servers, but can also de
fend against attacks that run viaIoT components. CounterACT’srange of functions is impressive,but configuring individual policies is comparatively uncomplicated because this product’s manufacturer has conceived its configuration and management interface in a very comprehensibleway. In our test, the rules for ourthree attack scenarios were speedily as well as easily implemented and caused no negative surprises in operation.
Detailed information about a previously run password scan.
CounterACT identifies a system under KaliLinux which has performed a portscan.
7