An Excuse to Deploy 802.1X at Home

This week I had the pleasure of dealing with a series of wireless (WLAN) de-authentication attacks against my wireless APs (WAPs), along with attempts to crack my WPA2 key. I found it enjoyable because it gave me an excuse to implement 802.1X WLAN security on my new toys. Deployed correctly, 802.1X authentication greatly improves your security posture over a shared pre-shared key.

Specifically, I bought a Ubiquiti UDM-PRO and a UAP-AC-PRO to replace my toaster of a pfSense box and my other WAPs. There is certainly plenty of room for privacy and security improvement in these products, but the simple interfaces gave me enough analytics to put together a mini A/B-test troll experiment for the would-be "script kiddie" knocking down my wireless network.

This article is broken up into the following sections:

  • My A/B testing data observing the attacker's engagement levels
  • A vendor-agnostic architecture overview and the requirements to implement 802.1X
  • Deployment of 802.1X using Ubiquiti's stack

This let me, over the course of a week, capture the varying uses of my network much like a honeynet would, except that I was focused on how the attacker's behavior changed in response to dynamic restrictions. My experiment is not large by any means, but it was an important learning experience to see what these up-and-coming hackers (or cyber security professionals) are interested in abusing my network for. I also got to exercise the UDM-PRO's feature set on my new network setup and learn some of the limitations I ran into.

Imperfect A/B Testing and Observations

Disclaimer: let me state up front that the mini troll of A/B testing from this security event is not empirical, so do not use the data for any serious analysis or statistics. One problem with this data is that it is against a single target population, and the control and the variation of network changes cannot run concurrently against a single sample population. You could, however, run the same test cases over an appropriate sample size with randomization without replacement to obtain the kind of empirical findings you would need to take to your CISO in an enterprise.

The short version of my scenario is that someone in proximity to my home network (very likely a neighbor) began de-authentication attacks against my SSID on both wireless APs. I spent a week serving different variations of mixed controls to see what the individual(s) would do and what would make them engage even more in abusing the network. To keep the observed behavior measurable against a specific control, only one control was deployed at any given time, and it was reset to the baseline the next day.

When it was clear after about 4 hours that the attacker was still attempting to de-auth clients and perform odd WEP-style replay injections, I decided to open up the SSID and rename it to something simple like "Linksys" so that he or she would think I had just done a factory reset and let it "fail open". With no authentication in the way I could take packet captures, run Snort as a NIDS, and watch DNS logging on my Raspberry Pi-hole setup. One notable gap in the Ubiquiti UDM-PRO series is that it has no native support for DNS over HTTPS, which is why I run the Pi-hole alongside Cloudflare's tunnel agent.
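The de-authentication flood described above is the one part of this story that is easy to detect mechanically, since the frames are unauthenticated management frames with a fixed layout. The following is an added example (my code, not the author's and not part of the Ubiquiti stack) that parses raw 802.11 management frames, picks out deauthentication and disassociation frames, and raises an alert when one sender hammers one BSSID faster than a threshold. The capture it replays is constructed inline; the MAC addresses, threshold and window are assumptions.

```python
"""Deauth/disassoc flood detector over raw 802.11 management frames (added example, constructed input)."""
import struct
from collections import defaultdict, deque

# IEEE 802.11 Frame Control, first byte: bits 2-3 = type, bits 4-7 = subtype.
TYPE_MGMT = 0
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_disconnect_frame(frame):
    """Return (subtype, da, sa, bssid, reason) for a deauth/disassoc frame, None for any other frame."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    da, sa, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    (reason,) = struct.unpack("<H", frame[24:26])  # reason code is little-endian
    return subtype, da, sa, bssid, reason


class DeauthDetector:
    """Alert when one (sender, BSSID) pair emits more than `threshold` deauth/disassoc frames within `window` seconds."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)  # (sa, bssid) -> timestamps inside the window

    def observe(self, ts, frame):
        parsed = parse_disconnect_frame(frame)
        if parsed is None:
            return None
        subtype, da, sa, bssid, reason = parsed
        times = self.recent[(sa, bssid)]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.popleft()
        if len(times) <= self.threshold:
            return None
        return {"ts": ts, "source": sa, "bssid": bssid, "target": da, "reason": reason,
                "count": len(times), "broadcast": da == BROADCAST,
                "kind": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc"}


def build_disconnect_frame(sa, da, bssid, reason=7, subtype=SUBTYPE_DEAUTH):
    """Constructed test frame: FC, duration, addr1=DA, addr2=SA, addr3=BSSID, seq ctrl, reason code."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + struct.pack("<H", reason)


# Constructed sample capture (not a real pcap): a hypothetical AP and a neighbor spoofing its address.
AP_BSSID = bytes.fromhex("02aabbccdd01")
CLIENT = bytes.fromhex("02112233aa55")
BCAST = bytes.fromhex("ffffffffffff")


def run_demo():
    """Replay the constructed capture and return the alerts raised."""
    detector = DeauthDetector(threshold=10, window=1.0)
    frames = [(0.0, build_disconnect_frame(AP_BSSID, CLIENT, AP_BSSID, reason=4))]  # one legitimate inactivity deauth
    frames.append((0.5, bytes([0x08, 0x00]) + b"\x00" * 30))  # a data frame; ignored by the parser
    # Burst: 50 spoofed broadcast deauths in half a second, the classic aireplay-ng pattern.
    frames += [(5.0 + i * 0.01, build_disconnect_frame(AP_BSSID, BCAST, AP_BSSID, reason=7)) for i in range(50)]
    alerts = [a for ts, f in frames if (a := detector.observe(ts, f)) is not None]
    return alerts


if __name__ == "__main__":
    for alert in run_demo()[:1]:
        print(alert)
```

The "source" in the alert is the spoofed AP address, not the attacker, so the useful signals are the rate, the broadcast target and the reason code (7, "class 3 frame from non-associated station", is what the common tools send). Detection only tells you it is happening; the actual fix for this class of attack is enabling 802.11w (Protected Management Frames) on the WLAN so the AP and clients ignore unauthenticated deauth frames.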

The data and my observations from the calendar week before I cut off access are as follows:

[Image: Table 2 of 2 of A/B Testing Observations]

Quick Refresher on 802.1X Components and Flaws

As we can see from the observations, this was not just a curious person looking for free Internet; they were slowly creeping toward multiple forms of abuse as their enumeration and access attempts succeeded. While we were able to detect a good portion of the attacks, we cannot leave open wireless access out there forever. Time to implement 802.1X on our WLAN. The structure is the same for wired deployments, with only configuration differences between vendors. There are three primary components of an 802.1X setup:

  • Supplicant
  • Authenticator
  • Authentication Server

[Image: SANS.org illustration of 802.1X authentication]

In the SANS illustration above, the supplicant is essentially the client, and the authenticator (the AP or switch) decides at the port level whether the supplicant may join the network. That decision is based on the authentication server's response. The supplicant proves its identity with user credentials and/or a client certificate carried inside EAP (Extensible Authentication Protocol). While this sounds foolproof, it really isn't. There are two common implementation flaws:

  • Weak challenges, or hashes exposed in the clear for sniffing, so that a man-in-the-middle can capture and crack them or match them against a hash table. EAP should always be wrapped in TLS (PEAP, EAP-TTLS or EAP-TLS).
  • The supplicant is willing to accept any server certificate, or the authenticator is willing to accept any client. MAC address filtering does not help here; addresses are trivially spoofed. Client certificates are preferable, but at a minimum the supplicant must validate the server certificate against a pinned CA (and, ideally, the expected server name) and refuse untrusted connections.

Implementing 802.1X in the Ubiquiti Stack

One benefit of moving to the UDM-PRO is the integrated WAP controller that pushes policies and profiles to the WAPs. It also includes its own RADIUS server and generates the certificates for you in a few clicks. While the steps below are specific to the UDM-PRO stable firmware release (1.71), the principles of the deployment stay the same:

  • Create a compatible AAA server such as RADIUS, and create the users and certificates required
  • Configure your WAPs or switches for 802.1X so that EAP traffic is forwarded to the RADIUS server, and specify any VLAN tagging per user on a RADIUS profile. Set a default or "fail back" VLAN so that unauthenticated supplicants land in an isolation VLAN, if desired
  • Configure the supplicant clients (for example Windows 10.x) to connect to your local network with the settings you chose

First things first. We need to be sure we trust the server certificate of the RADIUS service on the Ubiquiti controller, which means fetching its CA certificate. Use PuTTY's PSCP for this and force the "-scp" option, or you will get an SFTP failure with tools such as WinSCP or FileZilla. On Windows you unfortunately also have to specify the full destination file path, or the copy fails. The PSCP syntax is:

pscp -v -scp root@<your radius server controller ip>:/config/raddb/certs/ca.pem <your\full\destination\ca.pem>

A successful transfer is shown below:

[Image: PSCP use example to download the CA certificate]

Notice that we want the CA certificate to import, not the server certificate or its private key. Next enable the RADIUS service and create a nice long shared secret; this lives in the "classic" web interface under Settings > Services > RADIUS > Server. The shared secret is what authenticates the APs to the RADIUS server and protects the session keys it hands back, so make it long and random rather than a memorable word. This step is not required if you are providing your own RADIUS server, such as Microsoft NPS, and plan to hook it up to Active Directory.

[Image: UDM PRO, turn on RADIUS services]

Next, create your RADIUS users for authentication under the same drop-down menu by switching to the "Users" sub-menu:

[Image: Add RADIUS users in UDM PRO]

Set the appropriate VLAN if applicable. The tunnel type fields (L2TP over IPv4 by default) are there for the L2TP VPN if you have set one up; if you actually want the RADIUS server to assign the user's VLAN, the attributes an 802.1X authenticator expects (RFC 3580) are Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID = the VLAN ID. Either way, on the wireless side you are still using PEAP, that is EAP protected inside TLS.
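To make the shared-secret and VLAN points above concrete, here is an added example (my code, not Ubiquiti's; the exchange is constructed rather than captured). It builds the Access-Accept a RADIUS server returns for a user assigned to VLAN 20 using the RFC 2868 tunnel attributes, shows the Response Authenticator check an AP performs with the shared secret before admitting the client, and shows why that secret must be long: one captured request/response pair can be attacked offline with a wordlist. The identifier, VLAN number, secrets and wordlist are assumptions.

```python
"""RADIUS Access-Accept: Response Authenticator check, VLAN attributes, and the cost of a weak shared secret."""
import hashlib
import hmac
import struct

# RFC 2865 codes and RFC 2868 tunnel attributes; RFC 3580 defines how they carry a VLAN assignment.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def tunnel_attr(attr_type, value, tag=1):
    """Encode a tagged RFC 2868 attribute: Type, Length, Tag, then a 3-byte integer or a string."""
    body = bytes([tag]) + (value if isinstance(value, bytes) else struct.pack("!I", value)[1:])
    return bytes([attr_type, len(body) + 2]) + body


def vlan_attributes(vlan_id):
    """The three attributes an 802.1X authenticator expects for dynamic VLAN assignment."""
    return (tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))


def parse_attributes(attrs):
    """Split the attribute region into (type, value) pairs, rejecting malformed lengths."""
    pairs, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        pairs.append((attrs[i], attrs[i + 2:i + attrs[i + 1]]))
        i += attrs[i + 1]
    return pairs


def assigned_vlan(attrs):
    """Return the VLAN ID an Access-Accept assigns, or None if the tunnel attributes do not describe a VLAN."""
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    tagged = {t: v[1:] for t, v in parse_attributes(attrs) if t in wanted}  # drop the tag byte
    if (int.from_bytes(tagged.get(TUNNEL_TYPE, b""), "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tagged.get(TUNNEL_MEDIUM_TYPE, b""), "big") != TUNNEL_MEDIUM_IEEE_802
            or TUNNEL_PRIVATE_GROUP_ID not in tagged):
        return None
    return int(tagged[TUNNEL_PRIVATE_GROUP_ID].decode())


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, attrs, secret):
    """What the RADIUS server sends back; its authenticity rests entirely on the shared secret."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_access_accept(packet, request_auth, secret):
    """The check an authenticator must do before admitting a client: recompute and compare in constant time."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    attrs = packet[20:]
    return hmac.compare_digest(response_authenticator(code, ident, attrs, request_auth, secret), packet[4:20])


def crack_shared_secret(packet, request_auth, candidates):
    """Offline guessing: a captured Access-Request/Accept pair lets an attacker test secrets with no network traffic."""
    return next((c for c in candidates if verify_access_accept(packet, request_auth, c)), None)


# Constructed exchange (not a capture): the AP's Access-Request carried this Request Authenticator,
# and the controller answered with an Access-Accept that assigns VLAN 20.
REQUEST_AUTH = bytes(range(16))
WEAK_SECRET = b"radius"
STRONG_SECRET = b"k2pP9f!Wq7zL3mRtX8vB0nYcH5dJ6sGa"  # stand-in for a long random value
WORDLIST = [b"password", b"ubnt", b"radius", b"secret123"]


def run_demo(secret):
    """Build and verify an Access-Accept under `secret`; returns what the AP learns and what the attacker learns."""
    packet = build_access_accept(0x2A, REQUEST_AUTH, vlan_attributes(20), secret)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])  # flip the last digit of the VLAN ID ("20" -> "21")
    return {
        "vlan": assigned_vlan(packet[20:]),
        "genuine_ok": verify_access_accept(packet, REQUEST_AUTH, secret),
        "tampered_ok": verify_access_accept(tampered, REQUEST_AUTH, secret),
        "wrong_secret_ok": verify_access_accept(packet, REQUEST_AUTH, b"not-the-secret"),
        "cracked": crack_shared_secret(packet, REQUEST_AUTH, WORDLIST),
    }


if __name__ == "__main__":
    print("weak  :", run_demo(WEAK_SECRET))
    print("strong:", run_demo(STRONG_SECRET))
```

With the UDM-PRO acting as both gateway and RADIUS server the RADIUS packets only cross your wired LAN, but anyone who can capture there (a compromised IoT device, a mirror port) gets the same offline guessing opportunity, and the same secret is what encrypts the MS-MPPE session keys the server hands back after a successful EAP exchange. A long random secret turns that attack from seconds into infeasible.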

Now create a RADIUS profile so we can apply it to a specific network. Give it an appropriate label and set the auth server to the inside interface IP address of your UDM-PRO controller. Enter the shared secret you created earlier and save. This lives under the classic menu > Settings > Profiles > RADIUS.

[Image: Create the RADIUS profile for your WLAN network object]

Now it is time to create the network objects to apply the profile to. Head over to the classic menu > Settings > Wireless Networks and add a new WLAN using the WPA Enterprise (WPA2-Enterprise) security type. Set the RADIUS profile by selecting the one you created earlier. Set any other applicable settings as you wish and save. Note: as soon as you click save you may be kicked off your WAP while the controller pushes the new configuration. You may also have to disable and re-enable your adapter to refresh the SSID list.

[Image: UDM PRO, create WLAN network object with WPA2-Enterprise]

If you try to connect to the new PEAP SSID from your system tray, you will be prompted with the server certificate. Make sure the fingerprint it shows matches the certificate you just downloaded with SCP:

[Image: Do a fingerprint check of the CA certificate for RADIUS]

If it does not match, you have the wrong certificate or the wrong RADIUS server, as shown above. DO NOT click "connect": you will set up the connection manually later in a secure way, so that you never automatically accept a certificate that has not been imported into your certificate store.
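The fingerprint comparison above, and the "pin the CA, refuse anything else" rule from the 802.1X flaws list earlier, come down to one check: does the file you pulled off the controller hash to the thumbprint the client is showing you? Below is an added example (my code, not the author's or Ubiquiti's) that performs that check offline, accepting the thumbprint in any of the layouts you will meet (the colon-separated output of `openssl x509 -noout -fingerprint`, or the spaced or unspaced SHA-1 thumbprint in the Windows certificate dialog) and comparing in constant time. The PEM it runs on is a constructed stand-in with valid PEM framing around bytes that are not a real certificate; on your system you would read ca.pem instead.

```python
"""Fingerprint a PEM CA certificate and compare it with the thumbprint the client shows (added example)."""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file (the bytes a fingerprint hashes)."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex, the same layout `openssl x509 -noout -fingerprint` prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Strip colons/spaces and fold case so 'aa:bb', 'AA BB' and 'aabb' all compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def fingerprint_matches(pem_text, shown_thumbprint, algo="sha1"):
    """True only if the downloaded ca.pem hashes to the thumbprint the client displayed.

    Windows certificate dialogs show a SHA-1 thumbprint; pass algo="sha256" when comparing
    against a SHA-256 fingerprint instead. The comparison is constant-time."""
    got = normalize(fingerprint(pem_to_der(pem_text), algo))
    shown = normalize(shown_thumbprint)
    return len(got) == len(shown) and hmac.compare_digest(got, shown)


# Constructed stand-in for ca.pem: valid PEM framing around bytes that are NOT a real certificate,
# enough to exercise the hashing and comparison paths offline.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed stand-in DER for the UDM-PRO RADIUS CA").decode()
              + "\n-----END CERTIFICATE-----\n")


def check_download(pem_text, shown_thumbprint):
    """The decision the fingerprint step makes: import into Trusted Root only on a match."""
    if fingerprint_matches(pem_text, shown_thumbprint):
        return "match: safe to import into Trusted Root Certification Authorities"
    return "MISMATCH: wrong certificate or wrong RADIUS server, do not connect"


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1  ", fingerprint(der, "sha1"))
    print("SHA-256", fingerprint(der, "sha256"))
    print(check_download(SAMPLE_PEM, fingerprint(der, "sha1")))
```

Replace SAMPLE_PEM with `open(r"C:\path\to\ca.pem").read()` and paste the thumbprint from the connection prompt; a mismatch on the very first try is the Evil Twin signal the later supplicant configuration is designed to make impossible to click through.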

We now need to import ca.pem into the Trusted Root Certification Authorities store. Go to Start > Run > mmc.exe, open the console and add the "Certificates" snap-in for the local computer. Drill down to the Trusted Root Certification Authorities store:

[Image: Import the UDM-PRO RADIUS root CA certificate into Windows]

Right-click the Certificates folder under Trusted Root Certification Authorities, then click All Tasks > Import. Follow the wizard to import the certificate; afterwards it should appear in your list like this:

[Image: Successful import with the Certificates snap-in]

Now to *securely* configure the Windows 10 supplicant. Do not click on the wireless network and blindly enter your user name and password followed by a prompt to accept a certificate. That is exactly the 802.1X implementation flaw highlighted earlier, and it is what an Evil Twin attack exploits. In desktop mode, go to Control Panel > Network and Sharing Center > Set up a new connection > Manually connect to a wireless network:

[Image: Control Panel, create a network connection manually]

On the next screen mirror what you configured in the WLAN network profile for WPA2-Enterprise, along with the SSID you chose. Start the connection automatically if you wish:

[Image: Input your SSID settings]
[Image: Click "Change connection settings" when finished]

Click "Change connection settings" to open the advanced security tabs for authentication. Now click Advanced settings > 802.1X settings and set the authentication mode to "User authentication". At the time of this writing the UDM-PRO does not generate client certificates natively, so computer (certificate-based) authentication is not an option here.

[Image: 802.1X security settings]

Next open the Protected EAP properties and set the following:

  • Ensure that "Verify the server's identity by validating the certificate" is checked.
  • Scroll down to the Ubiquiti RADIUS CA entry in the Trusted Root Certification Authorities list and ensure that it is checked.
  • Set "Notifications before connecting:" to "Don't ask user to authorize new servers or trusted CAs".
  • If you know the subject name of the RADIUS server certificate, also tick "Connect to these servers" and enter it, so that a certificate issued by the same CA for a different host is rejected as well.

[Image: Ensure you validate server certificates and do not trust others]

Leave the default authentication method "Secured password (EAP-MSCHAP v2)" with fast reconnect intact. This setting is not ignored once the certificate is pinned: MS-CHAPv2 is still the inner method that carries your user name and password. The difference is that it now runs inside the TLS tunnel established with the validated UDM-PRO certificate, so the challenge/response hashes are never exposed to an Evil Twin. See the diagram below for the phases of Microsoft's PEAP implementation of TLS with MS-CHAPv2:

[Image: Security Boulevard's diagram of Microsoft PEAP-MSCHAPv2 using TLS]

If you connected successfully, you should be returned to the Control Panel networking screen, with the option to edit this wireless profile manually through the same menus. All menus are expanded below for your final reference for the supplicant:

[Image: Successful connection through 802.1X WPA2-Enterprise]

Closing

There you have it. In the Ubiquiti world, deploying 802.1X over PEAP takes less than 15 minutes, and defeating it would require active man-in-the-middle attacks, which the server certificate validation above is there to stop. Abuse between wireless clients is mitigated somewhat at layer 2 by ensuring that your WLAN network in the Ubiquiti interface enforces the "Isolate Layer 2 Hosts" option in the advanced drill-down. I hope you enjoyed my short adventure into 802.1X and how I ran a series of observations and controls before finally adding a prevention layer to reduce my risk footprint. As always, if you are ever in need of cyber security services, you can find me at www.scissecurity.com

Dennis Chow, CISO of SCIS Security

Translated from: https://medium.com/swlh/an-excuse-to-deploy-802-1x-at-home-b0ba65ff0426
