Mornin’, biomed! It’s Bob in IT. I was just on my way to a meeting next door, and I thought I’d drop by to say hello. I wanted to follow-up with you about my request to have you start collecting MAC addresses as part of your staging process.
Here’s the thing: MAC addresses are what we call burned-in addresses. They’re assigned to the network interface hardware during manufacture. The good part is that, in principle, they’re unique to each and every Ethernet interface, wired or wireless. The problem is that there is no way to ensure a MAC’s privacy or integrity, and most operating systems will happily let you override the burned-in address in software anyway.
When a device communicates, it puts its MAC address in every Ethernet frame’s header as the source address. Whatever it happens to be speaking with uses that address as the destination to direct its response back to the device. The header, unfortunately, is unencrypted. Anyone who happens to be watching the wire or the air can see it. And even though the device’s MAC is unique, there’s no mechanism to validate that the address is being used by the device that actually owns it. It’s very easy for an attacker to watch the traffic of a legitimate device and then set their own machine’s MAC to the same value. Voila! Now they’re on the network.
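To make that concrete, here is an added example (mine, not part of the original column or any vendor’s code) that parses the cleartext Ethernet II header the way a sniffer would, decodes the two flag bits in the first octet of a MAC (group and locally administered), and then shows why a MAC allowlist is not authentication: a frame whose source address was simply copied from a legitimate device is admitted, and its header is byte-for-byte identical to the real thing. All addresses and frames below are constructed for the demonstration.

```python
import struct

# Constructed sample data (not captured traffic). The addresses below are
# hypothetical and exist only to exercise the parser and the allowlist check.
LEGIT_MAC = "00:1b:21:3c:4d:5e"       # hypothetical burned-in (OUI-assigned) address
GATEWAY_MAC = "00:50:56:aa:bb:cc"     # hypothetical destination
ATTACKER_MAC = "02:de:ad:be:ef:01"    # hypothetical, U/L bit set (software-assigned)


def mac_to_bytes(mac: str) -> bytes:
    """'00:1b:21:3c:4d:5e' -> 6 raw bytes."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(o, 16) for o in octets)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_ethernet_header(frame: bytes) -> dict:
    """Pull the cleartext header fields out of a frame, exactly as a sniffer would."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "ethertype": ethertype, "payload": frame[14:]}


def mac_flags(mac: str) -> dict:
    """Decode the two flag bits in the first octet of a MAC address.

    bit 0 (0x01): group/multicast address rather than an individual one
    bit 1 (0x02): locally administered, i.e. set by software or an admin,
                  not the manufacturer's burned-in address
    """
    first = int(mac.split(":")[0], 16)
    return {"oui": mac[:8], "group": bool(first & 0x01),
            "locally_administered": bool(first & 0x02)}


def mac_allowlist_admits(frame: bytes, allowed: set) -> bool:
    """A MAC-based 'authentication' check: is the source MAC on the list?"""
    return parse_ethernet_header(frame)["src"] in allowed


def demo() -> dict:
    allowed = {LEGIT_MAC}
    legit = build_frame(GATEWAY_MAC, LEGIT_MAC)
    # The attacker first tries with their own (locally administered) address ...
    honest = build_frame(GATEWAY_MAC, ATTACKER_MAC)
    # ... then simply copies the address they sniffed from the legitimate device.
    spoofed = build_frame(GATEWAY_MAC, LEGIT_MAC)
    return {
        "legit_admitted": mac_allowlist_admits(legit, allowed),
        "honest_attacker_admitted": mac_allowlist_admits(honest, allowed),
        "spoofed_admitted": mac_allowlist_admits(spoofed, allowed),
        "attacker_flagged_local": mac_flags(ATTACKER_MAC)["locally_administered"],
        # Nothing in the header distinguishes the spoofed frame from the real one.
        "spoof_indistinguishable": (parse_ethernet_header(spoofed)["src"]
                                    == parse_ethernet_header(legit)["src"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The locally administered bit is worth checking in a NAC or monitoring context because it catches careless spoofers and randomized addresses, but it is no defence against the attack described above: an attacker who copies the real burned-in address leaves that bit clear, and the allowlist admits the frame.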
What about using a machine’s IP address, you ask? Yeah, that’s not a good identifier either. I realize some of your equipment, especially the big stuff like your CT scanners, doesn’t move around and has statically assigned addresses, but that isn’t how we’d like them attached to the network. Ideally, everything should have its IP address assigned dynamically using DHCP, the Dynamic Host Configuration Protocol. That lets us move equipment around, or even redesign the network, without affecting your machines’ ability to communicate no matter where they connect. And an IP address is just as easy to change as a MAC, so it proves nothing about who is using it. But back to MACs.
So I was talking with Infosec about this. We both agree that using MACs to authenticate your equipment isn’t ideal. We’re not comfortable with the process at all, but unfortunately it’s the best we’ve got at the moment. What we need is your help convincing your equipment manufacturers to start adding supplicants to their machines.
What’s a supplicant? It’s an agent on the device that supports network authentication. It speaks a protocol called 802.1X with the switch or wireless access point (the “authenticator”), which relays the exchange to an authentication server, usually RADIUS. Within that exchange it runs one of several EAP, or Extensible Authentication Protocol, methods, and that is where the actual authentication occurs. Sorry, I’m getting a little into the weeds here, but it’s important for you to know these terms so you can relay our request precisely.
Anyway, there are a number of different EAP types. Two of the most common are PEAP and EAP-TTLS. Each sets up an encrypted TLS tunnel to the authentication server, inside which someone like you can safely enter a username and password. You’re using this when you log in to your PC. But PEAP isn’t a good fit for machines, because there isn’t necessarily anyone sitting at the device to enter credentials, or the device’s interface is simply too clumsy or non-existent to support the process at all. Instead, we’d prefer EAP-TLS, which authenticates with digital certificates on both sides (the device presents its own certificate and verifies the server’s) and is considered a very strong authentication method.
Shoot. I’m late to my meeting. Are you going to be around for a while? Cool. I’ll swing by again after my meeting and we can talk about certificates.
Robert Sayle, CCIE security emeritus, is a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of AAMI’s Wireless Strategy Task Force.