hypercube

How to do 2FA for network devices?

I have an insurance company, providing cyber insurance, with a stated requirement for the following:

MFA authentication for all internal and remote admin access to network infrastructure: firewalls, routers, switches, etc.

I presume that having 2FA on workstation Windows logons (which *we* would use to access those network devices) doesn't satisfy this.  How does one provide 2FA for things like Cisco Small Business Switches?
How would you deal with this question/requirement?

Tags: Networking, Routers, multi-factor authentication, 2FA


8/22/2022 - Mon
Philip Elder

We have a client that went through this.

The requirement was settled by setting up DUO 2FA on their Remote Desktop Gateway and Web site along with the Windows authentication component on the servers so that 2FA is needed to log on to the desktop/console.

Essentially, no one could get in to the network without a DUO prompt.

SSL VPN was disabled to also comply with the requirement.
Kimputer

Firewalls, routers, and switches usually have no way to do 2FA protection, because it has to be built in already, or they have to make use of RADIUS authentication. Your chances of getting them all 2FA'd are extremely slim.
The insurance company probably built in their own protection system, so they can deny you the claim / coverage when the time comes you really need it. They have the most outrageous exclusions in the small print, and when you need them, they'll say, "oh, you didn't read the small print"? What else is new?
For firewalls, routers, switches, the best you can do is disable remote access, and allow them to be physically (LAN/serial/MGMT port etc. connection) configured. Or set up IP restrictions. That's the best you can do. You can't expect any network device to have the 2FA infrastructure behind it, ready for you to use (unless the price is double or triple). Think about the operational costs to maintain a 2FA infrastructure and then also have to support all the users and their problems.

ASKER CERTIFIED SOLUTION
noci

hypercube

ASKER
Noci: Thank you. I don't allow any external access to equipment - strictly VPN access to workstations. The issue of "internal access to network devices" remains an issue.

Philip Elder: The attack vectors might include a device that someone has successfully plugged into the network.
It doesn't have to log in to anything to have network access, just a properly configured NIC. We had one of our auditors do that. But maybe I don't understand....
Anyway, this would seem to be the first step to gaining access to the network devices without 2FA.



Kimputer

We had one of our auditors do that.  But maybe I don't understand....

You could easily MAC address protect each network port in the building.
hypercube

ASKER
Kimputer:
You could easily MAC address protect each network port in the building.
I presume you mean typical wall jack "ports" which would translate into switch ports.
How?
Kimputer

Assign every wall jack port (which translates to a switch port) to only one device. Then enable MAC address filtering on the smart switch, and start filling in the MAC addresses per port, or use the firewall feature. It will be a chore for sure, but at least you'll get hardened network safety in return.

Ex. Juniper: https://www.juniper.net/documentation/en_US/release-independent/solutions/topics/task/configuration/cloud-dca-layer2-port-security.html

Ex. Cisco: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_4-2/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_4-2_chapter15.html
hypercube

ASKER
Kimputer: OK. Thank you.
noci

If you need to secure endpoint access to switches, the only way to use is 802.1X (equivalent to the way Wi-Fi authenticates).
Philip Elder

Yup. Empty switch ports should be dead out of the gate as well.

Someone plugs in, it's a dead end.
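An added example, not posted by anyone in this thread, of how the points raised above look together on a Cisco IOS-style switch: admin logins handed to a RADIUS server that enforces MFA (the RADIUS route Kimputer mentions and the Duo-style setup Philip describes), per-port MAC filtering on a fixed-device jack, 802.1X on staff ports, and unused ports shut down. The RADIUS servers, addresses, VLANs, port ranges and shared secrets are assumed placeholders, and Cisco Small Business switches use a different CLI for the same features.

```cisco
! Added example (not from the thread): Cisco IOS-style switch config.
! Addresses, names and shared secrets are placeholders.
aaa new-model
!
! RADIUS server that enforces MFA on admin logins (e.g. a Duo-style
! auth proxy in front of the directory); placeholder address and key.
radius server MFA-SRV
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius MFA-GRP
 server name MFA-SRV
!
! Separate RADIUS server for 802.1X (EAP) endpoint authentication.
radius server NAC-SRV
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius NAC-GRP
 server name NAC-SRV
!
! Admin SSH logins go to the MFA group; the local account is used
! only when no RADIUS server answers, not when one rejects the login.
aaa authentication login MFA-LOGIN group MFA-GRP local
aaa authentication dot1x default group NAC-GRP
dot1x system-auth-control
line vty 0 15
 login authentication MFA-LOGIN
 transport input ssh
!
! Wall jack with one fixed device: learn its MAC once (sticky) and
! shut the port if any other MAC shows up.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Staff ports: 802.1X, so a NIC that cannot authenticate gets nothing.
interface range GigabitEthernet1/0/2 - 19
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! Unused ports: shut down and parked in an unused VLAN.
interface range GigabitEthernet1/0/20 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

A port-security violation leaves the port err-disabled until an admin clears it, so check `show port-security interface` before assuming a jack is dead on purpose.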
hypercube

ASKER
Thanks all!