To Improve Safety of Defense Networks, Eighty-Six Dot1x


The protocol creates the false sense of security that all devices are being screened, even if minimally, for security when in fact they are not.

This past August, the Defense Department officially launched its first enterprise cybersecurity program since 2012: Comply-to-Connect, or C2C. The program aims to deliver enterprisewide capabilities to secure DOD’s global networks across information technology, operational technology and internet of things devices. C2C will become one of the largest government cybersecurity initiatives in the world and will impact all branches of the U.S. armed forces. 

DOD’s implementation of C2C is a definitive statement that the department is moving away from a particular networking protocol which, until now, has governed how devices are allowed to connect to DOD networks. This protocol has increasingly become a thorn in the side of those of us truly concerned with securing the DOD enterprise. That protocol is 802.1x, or “Dot1x.”

802.1x is a network authentication protocol established in the late 1990s that permits a device access to an organization’s network by evaluating its credentials (e.g., username/password or a digital certificate) against information held within an authentication server (usually a Remote Authentication Dial-In User Service, or “RADIUS,” server). The 802.1x protocol performs no analysis of a device’s security state and makes no assessment of whether the user of a device is in fact the correct, authorized user. A good analogy for 802.1x is a doorman who only checks to see if a person’s name is on his list and whether he has an ID, but takes no notice of the fact that the person is carrying a gas can and a lighter.

For many years, 802.1x was an adequate way to manage network access control (NAC) because networks consisted mainly of “traditional IT devices,” including laptops, desktops and servers, which run a mainstream operating system such as Windows, Mac or Linux. 802.1x doesn’t natively offer an opportunity to inspect these devices for their security or configuration status before connection, so inspection after connection was managed by third-party products that utilize security agents. An agent is a little piece of software downloaded onto a device that communicates with a server and allows for device inspection and can initiate certain remediations such as patching and configuration management. 

Relying on a combination of 802.1x and agent-based security tools worked fairly well for DOD until the mid-2000s when we began to see networks explode with “non-traditional devices,” specifically, OT and IOT devices. Within the DOD, this includes things like building automation and environmental systems, mission-supporting IOT devices like audio-visual equipment, security cameras, IP-enabled door locks and even weapons systems. Most of these types of devices do not have traditional operating systems, do not support a security agent and are not 802.1x-compatible. These devices cannot be authenticated with 802.1x. So what regulates these devices’ network access? The scary answer to this is nothing.

The way 802.1x handles OT and IOT devices lies at the heart of one of DOD’s most concerning cybersecurity gaps. The 802.1x system will identify the non-802.1x-ready systems and automatically add them to a list of “permitted devices” called a Media Access Control (MAC) Authorization Bypass, or “MAC Auth Bypass,” or sometimes just “MAB.” Let me repeat that: any device that cannot be authenticated by 802.1x by default gets added to a bypass list and is granted network privileges anyway. We know from experience that MABs are not very well maintained and not updated frequently. We also know that being included in the MAB often grants devices virtually unrestricted access to network resources. Finally, we know that device identifiers like MAC addresses can be impersonated, or “spoofed,” by attackers. Forescout often sees the MAC addresses of devices that were retired from service show back up on the network, this time associated with different devices and engaging in malicious behavior. Recalling our earlier analogy about the doorman: The MAB is the equivalent of your doorman waving through any person who isn’t on his list and has no ID. Herein perhaps lies 802.1x’s biggest flaw: It creates the false sense of security that all devices are being screened, even if minimally, for security when in fact they are not.
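A defender’s audit for the three MAB weaknesses just described (entries nobody reviews, retired MACs reappearing, and a known MAC showing up as a different kind of device), as an added Python example that is not Forescout’s or DOD’s code; the bypass list, the observed endpoints and the 180-day review interval are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 180  # assumed review interval; set this from local policy

@dataclass(frozen=True)
class MabEntry:
    mac: str
    device_type: str   # what the entry was registered as
    status: str        # "active" or "retired"
    last_reviewed: date

@dataclass(frozen=True)
class Observation:
    mac: str
    profile: str       # what passive profiling says the endpoint looks like now
    port: str

def norm(mac: str) -> str:
    return mac.replace("-", ":").lower()  # '00-1A-..' and '00:1a:..' compare equal

def audit_mab(entries, observations, today):
    """Return (finding, mac, detail) tuples for the three MAB risks."""
    by_mac = {norm(e.mac): e for e in entries}
    findings = []
    for e in entries:  # 1. bypass entries nobody has reviewed recently
        age = (today - e.last_reviewed).days
        if age > STALE_DAYS:
            findings.append(("stale_entry", norm(e.mac), f"last reviewed {age} days ago"))
    for o in observations:
        e = by_mac.get(norm(o.mac))
        if e is None:
            continue  # not bypassed; it has to authenticate via 802.1x instead
        if e.status == "retired":  # 2. a retired device's MAC is back on the wire
            findings.append(("retired_mac_reappeared", norm(o.mac), f"{o.profile} on {o.port}"))
        elif o.profile != e.device_type:  # 3. known MAC, different kind of device
            findings.append(("profile_mismatch", norm(o.mac), f"registered {e.device_type}, now {o.profile}"))
    return findings

MAB_LIST = [  # constructed sample data, not a real inventory
    MabEntry("00:1A:2B:3C:4D:5E", "ip-camera", "active", date(2021, 1, 10)),
    MabEntry("00:1A:2B:3C:4D:5F", "hvac-controller", "retired", date(2021, 6, 1)),
    MabEntry("00:1A:2B:3C:4D:60", "printer", "active", date(2021, 9, 1)),
]
OBSERVED = [
    Observation("00-1a-2b-3c-4d-5e", "ip-camera", "sw1/0/3"),
    Observation("00:1a:2b:3c:4d:5f", "windows-workstation", "sw1/0/7"),
    Observation("00:1a:2b:3c:4d:60", "linux-host", "sw2/0/1"),
]
TODAY = date(2021, 10, 1)
```

Run `audit_mab(MAB_LIST, OBSERVED, TODAY)` against exports from the RADIUS server and the network’s profiling tool; a retired MAC or a profile mismatch is exactly the spoofing signal the doorman analogy warns about.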

Why, then, hasn’t the government—especially the military—moved toward more secure methods for conducting NAC for this growing component of today’s network? Why has the DOD, in particular, held fast to this outdated protocol? Like many organizations, DOD took a very long time to decide who owned the security of networked systems that weren’t originally under the purview of the IT security teams. For example, until recently, facilities engineers were responsible for securing heating, ventilation and air conditioning systems, even after those systems began to run in whole or in part on computer networks. This phenomenon, referred to as the “IT/OT Convergence,” is not unique to the DOD; we observe it in the private sector as well. Yet within the DOD, organization charts and lines of reporting are slow to evolve, so the security of networked equipment and systems was left to the owners of those systems, who were not particularly well equipped to manage cyber risks to these systems—if they were even aware of them in the first place.

The inability of the DOD to address the security of OT and IOT devices (both organizationally and technically) was bound to result in a security tidal wave. Some within the DOD foresaw this and tried to address it. In February 2017, the Commanders of U.S. Northern Command and U.S. Pacific Command issued the “Eight Star Memo,” which implored the Secretary of Defense to assist them in protecting industrial control systems and devices on their networks. In 2018, JFHQ-DODIN and U.S. Cyber Command created strong definitions of “devices,” creating six categories of endpoints that will continue to guide DOD and shape the direction of future cybersecurity objectives and programs. These categories include: mobile devices (e.g., phones, handhelds, tablets); workstations and servers; network user support devices (e.g., printers, smart boards, VoIP phones); network infrastructure (e.g., switches, routers); internet of things (e.g., refrigerators, coffee machines, thermostats); and platform information technology (e.g., weapons systems, medical systems, industrial control systems, vehicles).

The absence of any NAC protocol or technology governing how nontraditional devices connect is the precise gap C2C seeks to close. C2C effectively ends the policy of relying on 802.1x for NAC because the entire program is premised on the need for DOD to identify, assess and secure all assets, not just computers. Unlike 802.1x, C2C relies on cybersecurity best practices to identify, authenticate and assess a device for compliance before it is admitted to the network. This includes profiling all traffic emanating from a device, querying a device using standard protocols to assess its posture, and checking a device against Active Directory resources to ensure it is safe and compliant for access. C2C allows DOD to determine, at a very granular level, the specific authorizations and compliance levels for every single device individually, in real time, and enforces what network resources each device may access. This approach is the complete opposite of 802.1x.

Today, networks are exploding in size not because people are adding Windows workstations to them, but because they are connecting all manner of smart technology, IOT and OT for improved efficiency, security, safety and convenience. Yet we are still regulating how these devices access the network with a 20th-century protocol that offers no way to address the fastest-growing threat to networks. The official launch of C2C signals a major pivot away from outdated methods of monitoring and controlling networks. We have a tremendous amount of work ahead of us, first deploying the C2C toolset and then, as soon as possible, using it to identify and inventory all of the connecting assets so there is an accurate, complete and continuous picture of what DOD networks really are, and important decisions about mitigating cyber risk on these networks can be made. 

Katherine Gronberg is vice president for government affairs at Forescout.
