RE: 802.1x Design Questions.



TWO important points: First, 802.1x isn't a viable model if you don't have
authentication and PKI solutions available. Second, when we have complex
trust dependencies it's often hard to see the weakest link, but we've argued
for years that certs are certainly easy to attack on most desktops today.


You have a variety of ways to manage your certs, so it's often easiest to
remember a cert is just a structured container for a public key. The
question is how do you manage access to your public keys. The general PKI
model is to have them digitally signed by a "trusted" authority - this means
a public key (or cert) that is in the possession of the client and was
delivered out-of-band. Your cert can then be downloaded whenever it's needed
and it's trusted because it's digitally signed. The digital signature relies
on the public key that is already present.

We recommend short lifetimes for your certs, which forces regular reviews and
updates.

Right now, most certs are managed in browsers and are extremely vulnerable
to exploits, but I'm not aware of any such attacks. Why do something
complicated when there are much easier attacks?

Typically, the cert you use can be downloaded to ANY machine that can
authenticate it through a chain-of-trust which means the cert you distribute
is signed by the trusted authority we just mentioned.

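The chain-of-trust model sketched above (a trust anchor the client already holds, end-entity certs that are trusted only because the anchor signed them, short lifetimes, and explicit revocation, which is what Nick's questions 1 and 3 below turn on), as an added example that is not part of either message in this thread and not Windows Server 2008 PKI code. It uses Go's standard crypto/x509 package; the CA name "Example Issuing CA", the user name "nick", the serial numbers and the 30-day lifetime are placeholder values chosen for the demo, and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert generates a fresh P-256 key for tmpl and has parent/parentKey sign
// it. With parent == nil the certificate is self-signed (a root/trust anchor).
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds the issuing CA (name is a placeholder). Its certificate is the
// public key every client must already hold, delivered out-of-band.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return signCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueClientCert has the CA sign a user/computer certificate that expires
// validFor from now. The client's private key is not needed for server checks.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, user string, validFor time.Duration) (*x509.Certificate, error) {
	cert, _, err := signCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

// revoke publishes a CA-signed CRL naming one serial. Removing the user from
// the directory does not do this; revocation is a separate act by the CA.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()},
		},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// verifyClient is the authentication server's side: chain the presented cert
// to the trust anchor, enforce the validity window as of now, and refuse any
// serial on a CRL that itself carries a valid signature from the anchor.
func verifyClient(cert, anchor *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if crl == nil {
		return nil
	}
	if err := crl.CheckSignatureFrom(anchor); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is on the CRL", cert.SerialNumber)
		}
	}
	return nil
}
```

Calling verifyClient with the freshly issued cert and the real anchor returns nil; the same cert checked 31 days later fails on the validity window, checked against a pool holding a different CA fails as an unknown authority, and checked with a CRL that names its serial is refused. The validity period (question 1) is nothing more than the NotBefore/NotAfter pair the CA writes into the cert, so a short lifetime caps how long a missed revocation matters; the CRL step answers question 3: nothing in the certificate or the chain changes when the account disappears from the directory, so the CA has to revoke explicitly and the verifier has to actually consult the CRL.
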
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Nick Vaernhoej
Sent: Tuesday, April 28, 2009 12:16 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: 802.1x Design Questions.

Good morning,

After looking at deploying a Windows Server 2008-based PKI in order for
us to implement 802.1x-based network access control I have some
questions.
I feel they are overall pretty basic, but I have not succeeded in
locating any documentation that really deals with the basics other than
the usual "This is a certificate".

1. What is a proper certificate validity period for user/computer
certificates issued by the issuing certificate authority?
My thought initially was that a certificate was valid for the duration
of "user being logged into active directory". I don't think I was
correct.

2. If a certificate has a validity period of one year and users sit at
multiple PCs in that one year, is the user certificate stored on all PCs
when the user isn't logged in? If so, is this a concern?

3. Do I need to revoke certificates as users leave the domain? Or is
this automated due to the user being removed from active directory?

4. How do you manage endpoints (PCs) for patch deployments etc. when
there is no user logged in?

Thank you very much
Nick

This electronic transmission is intended for the addressee (s) named above.
It contains information that is privileged, confidential, or otherwise
protected from use and disclosure. If you are not the intended recipient you
are hereby notified that any review, disclosure, copy, or dissemination of
this transmission or the taking of any action in reliance on its contents,
or other use is strictly prohibited. If you have received this transmission
in error, please notify the sender that this message was received in error
and then delete this message.
Thank you.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises,
Certified Ethical Hacker and Certified Penetration Tester exams, taught by
an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------

