network accountability in the age of dongles

hulsebus
New Contributor III

I have been in discussions with cybersecurity regarding network accountability now that Ethernet dongles (especially the case with the MacBook Pros) are becoming more and more common. We've discussed the fact that essentially anyone that plugs a given dongle into any random machine gets its network address based on the dongle, regardless of the computer. There are concerns about machines getting unauthorized network access because they're plugging into someone else's dongle. Has anyone else dealt with this and/or taken steps to address it?


jdye
New Contributor III

Unless your security settings are set to grant access based on MAC Address (something easy to spoof in the first place) it shouldn't be an issue, right?

hulsebus
New Contributor III

We don't grant access based on MAC address, but we do have a number of different security zones with access to different servers and different network access that live in different network subnets. From a network monitoring standpoint, if I take my laptop (that lives in one zone) to another building (and another security zone), my laptop gets the DNS name and IP of the machine the dongle is registered for. That basically gives me unauthorized access to the other network (although auth is still required for file servers, etc.).

One suggestion that was made is to somehow limit on the client-side what dongles will function on a given machine, but I haven't any software/settings to actually make that happen.

easyedc
Valued Contributor II

I'm not sure what environment you're working in, but we have slowly implemented a ForeScout network authentication which uses a pre-shared key deployed to corporate assets which diverts you to production networks, while computers without that key get diverted to a guest VLAN. That "successfully" accomplishes this, however we have mixed results at times with the key needing to be re-deployed. When it works, it seems to work well.

hulsebus
New Contributor III

@easyedc that looks like a very interesting product. I'll pass that along to our cybersecurity group.

So does it use the key as a computer differentiator or just as a "token" to get a production network? One of the concerns cybersecurity expressed was someone with a low-security laptop plugging into a dongle on a high-security network. While they shouldn't be able to do much because of other security measures in place, having the possibility there is unnerving.

easyedc
Valued Contributor II

@hulsebus we have an older implementation of ForeScout, so we have a service account created locally (in our case we placed it in

/private/var/CreatedUserName/

and then created a directory which contains the pre-shared key. So for us it's at

/private/var/CreatedUserName/.ssh/authorized_keys

Upon connecting to the network, the management console has the credentials of the service account, and as long as the key is installed, gets granted access to read if the host is trusted or not.

Since we implemented ForeScout 5 or so years ago, they've since created an app that can be installed on trusted hosts which contains the keys.

PeterG
Contributor II

We wrote a script and had it execute via a launchd. It compared MAC address of the dongle to the 'assigned' MAC address on the client's machine. (Hidden away in a plist). If they didn't match it shut the port off and displayed a dialog to the user.

We had a bunch of stuff that we stored in the ComputerConfig.plist
We wrote to it and read from it via our scripts.

Dirty, but it worked.
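The check PeterG describes, written out as an added example (this is not PeterG's script, nor anything from Jamf or ForeScout): a shell script, meant to be run from a launchd job, that reads the MAC address "assigned" to this Mac from a plist, compares it with the MAC of the Ethernet dongle currently carrying the default route, and on a mismatch logs the event, shuts the interface down and shows the user a dialog. The plist path and key name, the use of the default-route interface, the dialog text and the DRY_RUN switch are all assumptions made for the example; the MAC normalization makes the comparison robust to the upper-case, hyphenated and leading-zero-stripped forms different tools print.

```shell
#!/bin/bash
# Added example: verify that the Ethernet dongle in use is the one recorded for
# this Mac. Plist path, key name, dialog text and DRY_RUN are assumptions.

CONFIG_PLIST="/Library/Preferences/ComputerConfig.plist"   # assumed location
CONFIG_KEY="AssignedEthernetMAC"                            # assumed key name
DRY_RUN="${DRY_RUN:-1}"   # 1 = report only; set to 0 to disable the port and show a dialog

# Normalize a MAC so that "0:1C:42-AB:cd:EF", "00-1c-42-ab-cd-ef" and
# "00:1c:42:ab:cd:ef" compare equal: lowercase, colon separated, zero padded.
normalize_mac() {
  printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':' | tr -d ' ' |
    awk -F: '{
      for (i = 1; i <= NF; i++) {
        o = $i
        if (length(o) == 1) o = "0" o
        printf "%s%s", (i > 1 ? ":" : ""), o
      }
    }'
}

# Exit status 0 when the two MACs match after normalization, 1 otherwise.
mac_matches() {
  [ "$(normalize_mac "$1")" = "$(normalize_mac "$2")" ]
}

# Read the assigned MAC from the plist (macOS; PlistBuddy ships with the OS).
assigned_mac() {
  /usr/libexec/PlistBuddy -c "Print :$CONFIG_KEY" "$CONFIG_PLIST" 2>/dev/null
}

# Read the hardware address of an interface from ifconfig's "ether" line.
current_mac() {
  ifconfig "$1" 2>/dev/null | awk '/ether/ { print $2; exit }'
}

# Compare the dongle on $1 against the assigned MAC and act on a mismatch.
# Exit status: 0 = match, 1 = mismatch, 2 = could not read one of the values.
check_dongle() {
  dc_iface="$1"
  dc_expected="$(assigned_mac)"
  dc_actual="$(current_mac "$dc_iface")"
  if [ -z "$dc_expected" ] || [ -z "$dc_actual" ]; then
    echo "dongle-check: missing data (assigned='$dc_expected' current='$dc_actual')" >&2
    return 2
  fi
  if mac_matches "$dc_expected" "$dc_actual"; then
    echo "dongle-check: $dc_iface is using the assigned dongle ($dc_actual)"
    return 0
  fi
  echo "dongle-check: $dc_iface MAC $dc_actual does not match assigned $dc_expected" >&2
  if [ "$DRY_RUN" = "0" ]; then
    ifconfig "$dc_iface" down            # needs root; launchd system jobs run as root
    osascript -e 'display dialog "This Ethernet adapter is not registered to this Mac. The port has been disabled." buttons {"OK"} default button 1'
  fi
  return 1
}

# When run as dongle-check.sh, check the interface given as $1, or else the
# interface that currently carries the default route (assumed to be the dongle).
case "$0" in
  *dongle-check.sh)
    dc_target="${1:-$(route -n get default 2>/dev/null | awk '/interface:/ { print $2 }')}"
    check_dongle "$dc_target"
    ;;
esac
```

Record the assigned MAC once at enrollment (for example `PlistBuddy -c "Add :AssignedEthernetMAC string 00:1c:42:ab:cd:ef" /Library/Preferences/ComputerConfig.plist`, with the real value), then have a launchd job run `dongle-check.sh` on a short interval or on network change with `DRY_RUN=0`. Keep the script in dry-run mode while rolling it out so that a stale plist entry only produces log lines rather than a disabled port.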