The protocol creates the false sense of security that all devices are being screened, even if minimally, for security when in fact they are not.
This past August, the Defense Department officially launched its first enterprise cybersecurity program since 2012: Comply-to-Connect, or C2C. The program aims to deliver enterprisewide capabilities to secure DOD’s global networks across information technology, operational technology and internet of things devices. C2C will become one of the largest government cybersecurity initiatives in the world and will impact all branches of the U.S. armed forces.
DOD’s implementation of C2C is a definitive statement that the department is moving away from a particular networking protocol which, until now, has governed how devices are allowed to connect to DOD networks. This protocol has increasingly become a thorn in the side of those of us truly concerned with securing the DOD enterprise. That protocol is 802.1x, or “Dot1x.”
802.1x is a network authentication protocol established in the late 1990s that permits a device access to an organization’s network by evaluating its credentials (e.g. user name/password or a digital certificate) against information held within an authentication server (usually a Remote Authentication Dial-In User Service, or “RADIUS,” server). The 802.1x protocol performs no analysis on a device’s security state and makes no assessment of whether the user of a device is in fact the correct, authorized user. A good analogy for 802.1x is a doorman who only checks to see if a person’s name is on his list and whether he has an ID, but takes no notice of the fact that the person is carrying a gas can and lighter.
For many years, 802.1x was an adequate way to manage network access control (NAC) because networks consisted mainly of “traditional IT devices,” including laptops, desktops and servers, which run a mainstream operating system such as Windows, Mac or Linux. 802.1x doesn’t natively offer an opportunity to inspect these devices for their security or configuration status before connection, so inspection after connection was managed by third-party products that utilize security agents. An agent is a little piece of software downloaded onto a device that communicates with a server and allows for device inspection and can initiate certain remediations such as patching and configuration management.
Relying on a combination of 802.1x and agent-based security tools worked fairly well for DOD until the mid-2000s when we began to see networks explode with “non-traditional devices,” specifically, OT and IOT devices. Within the DOD, this includes things like building automation and environmental systems, mission-supporting IOT devices like audio-visual equipment, security cameras, IP-enabled door locks and even weapons systems. Most of these types of devices do not have traditional operating systems, do not support a security agent and are not 802.1x-compatible. These devices cannot be authenticated with 802.1x. So what regulates these devices’ network access? The scary answer to this is nothing.
The way 802.1x handles OT and IOT devices lies at the heart of one of DOD’s most concerning cybersecurity gaps. The 802.1x system will identify the non-802.1x-ready systems and automatically add them to a list of “permitted devices” called a Media Access Control (MAC) Authorization Bypass, or “MAC Auth Bypass,” or sometimes just “MAB.” Let me repeat that: any device that cannot be authenticated by 802.1x by default gets added to a bypass list and is granted network privileges anyway. We know from experience that MABs are not very well-maintained and not updated frequently. We also know that being included in the MAB often grants devices virtually unrestricted access to network resources. Finally, we know that device identifiers like MAC addresses can be impersonated, or “spoofed,” by attackers. Forescout often sees examples of devices that were retired from service only to see these MAC addresses show back up on the network, this time associated with different devices, and engaging in malicious behavior. Recalling our earlier analogy about the doorman: The MAB is the equivalent of your doorman waiving through any person who isn’t on his list and has no ID. Herein perhaps lies 802.1x’s biggest flaw: It creates the false sense of security that all devices are being screened, even if minimally, for security when in fact they are not.
Why, then, hasn’t the government—especially the military—moved toward more secure methods for conducting NAC for this growing component of today’s network? Why has the DOD, in particular, held fast to this outdated protocol? Like many organizations, DOD took a very long time to decide who owned the security of networked systems that weren’t originally under the purview of the IT security teams. For example, until recently, facilities engineers were responsible for securing heating, ventilation and air conditioning systems, even after those systems began to run in whole or part on computer networks. This phenomenon, referred to it as the “IT/OT Convergence,” is not unique to the DOD; we observe it in the private sector as well. Yet within the DOD, organization charts and lines of reporting are slow to evolve, so the security of networked equipment and systems was left to the owners of those systems who were not particularly well equipped to manage cyber risks to these systems—if they were even aware of them in the first place.
The inability of the DOD to address the security of OT and IOT devices (both organizationally and technically) was bound to result in a security tidal wave. Some within the DOD foresaw this and tried to address it. In February 2017, the Commanders of U.S. Northern Command and U.S. Pacific Command issued the “Eight Star Memo,” which implored the Secretary of Defense to assist them in protecting industrial control systems and devices on their networks. In 2018, JFHQ-DODIN and U.S. Cyber Command created strong definitions of “devices,” creating six categories of endpoints that will continue to guide DOD and shape the direction of future cybersecurity objectives and programs. These categories include: mobile devices (e.g., phones, handhelds, tablets); workstations and servers; network user support devices (e.g., printers, smart boards, VoIP phones); network infrastructure (e.g., switches, routers); internet of things (e.g., refrigerators, coffee machines, thermostats); and platform information technology (e.g., weapons systems, medical systems, industrial control systems, vehicles).
The absence of any NAC protocol or technology for nontraditional devices connecting is the precise gap C2C seeks to close. C2C effectively ends the policy of relying on 802.1x for NAC because the entire program is premised on the need for DOD to identify, assess and secure all assets, not just computers. Unlike 802.1x, C2C relies on cybersecurity best practices to identify, authenticate, and assess a device for compliance before it is admitted to the network. This includes profiling all traffic emanating from a device, querying a device using standard protocols to assess its posture, and checking a device against Active Directory resources to ensure it is safe and compliant for access. C2C allows DOD to determine, at a very granular level, the specific authorizations and compliance levels for every single device individually, in real time, and enforces what network resources each device may access. This approach is the complete opposite of 802.1x.
Today, networks are exploding in size not because people are adding Windows workstations to them, but because they are connecting all manner of smart technology, IOT and OT for improved efficiency, security, safety and convenience. Yet we are still regulating how these devices access the network with a 20th-century protocol that offers no way to address the fastest-growing threat to networks. The official launch of C2C signals a major pivot away from outdated methods of monitoring and controlling networks. We have a tremendous amount of work ahead of us, first deploying the C2C toolset and then, as soon as possible, using it to identify and inventory all of the connecting assets so there is an accurate, complete and continuous picture of what DOD networks really are, and important decisions about mitigating cyber risk on these networks can be made.
Katherine Gronberg is vice president for government affairs at Forescout.