hypercube (United States) asked:

How to do 2FA for network devices?

I have an insurance company, providing cyber insurance, with a stated requirement for the following:

MFA authentication for all internal and remote admin access to network infrastructure: firewalls, routers, switches, etc.

I presume that having 2FA on workstation Windows logons (which *we* would use to access those network devices) doesn't satisfy this.  How does one provide 2FA for things like Cisco Small Business Switches?
How would you deal with this question/requirement?

Philip Elder (Canada):

We have a client that went through this.

The requirement was settled by setting up DUO 2FA on their Remote Desktop Gateway and Web site along with the Windows authentication component on the servers so that 2FA is needed to log on to the desktop/console.

Essentially, no one could get in to the network without a DUO prompt.

SSL VPN was disabled to also comply with the requirement.
Kimputer:

Firewalls, routers, and switches usually have no way to do 2FA protection, because it has to be built in already, or make use of RADIUS authentication. The chance of getting them all 2FA'd is extremely slim.
The insurance company probably built-in their own protection system, so they can deny you the claim / coverage when the time comes you really need it. They have the most outrageous exclusions in the small letters, and when you need them, they'll say, "oh you didn't read the small print"? What else is new?
For firewalls, routers, switches, the best you can do is disable remote access, and allow them to be configured only physically (LAN/serial/MGMT port etc. connection). Or set up IP restrictions. That's the best you can do. You can't expect any network device to have the 2FA infrastructure behind it, ready for you to use (unless the price is double or triple). Think about the operational costs to maintain a 2FA infrastructure and then also have to support all the users and their problems.

ASKER CERTIFIED SOLUTION
noci:

This solution is only available to members of Experts Exchange.
hypercube (asker):

Noci:  Thank you.  I don't allow any external access to equipment - strictly VPN access to workstations.  The issue of "internal access to network devices" remains an issue.

Philip Elder:  The attack vectors might include a device that someone has successfully plugged into the network.
It doesn't have to log in to anything to have network access, just a properly-configured NIC.  We had one of our auditors do that.  But maybe I don't understand....
Anyway, this would seem to be the first step to gaining access to the network devices without 2FA.

Kimputer:
> We had one of our auditors do that.  But maybe I don't understand....

You could easily MAC address protect each network port in the building.
hypercube (asker):
Kimputer:
> You could easily MAC address protect each network port in the building.
I presume you mean typical wall jack "ports" which would translate into switch ports.
How?
Kimputer:
Assign every wall jack port (which translates to a switch port) to only one device. Then enable MAC address filtering on the smart switch, and start filling in the MAC addresses per port, or use the firewall feature. It will be a chore for sure, but at least you'll get hardened network safety in return.

Ex. Juniper: https://www.juniper.net/documentation/en_US/release-independent/solutions/topics/task/configuration/cloud-dca-layer2-port-security.html

Ex. Cisco: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_4-2/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_4-2_chapter15.html
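An added example, not from the thread or any of its posters: a Cisco IOS-style switch configuration combining the two controls discussed above, admin logins sent to RADIUS (where an MFA-capable RADIUS server, such as the Duo setup mentioned earlier, enforces the second factor) and per-port MAC limits with unused ports shut down. The RADIUS address, shared secret, admin subnet, interface ranges and VLAN 999 are placeholders; Cisco Small Business (SG-series) switches use a similar but not identical CLI.

```cisco
! Added example. All addresses, secrets and interface ranges are placeholders.
!
! --- Admin access: authenticate against RADIUS, keep local as fallback ---
! The second factor lives on the RADIUS side; the switch only needs to ask it.
! Caveat: "local" fallback means a local account (no MFA) works when RADIUS is
! unreachable, so keep that account strong, few, and monitored.
aaa new-model
radius server MFA-RADIUS
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa accounting exec default start-stop group radius
!
! --- Management plane reachable only over SSH from the admin subnet ---
ip access-list standard MGMT-ACL
 permit 10.0.10.0 0.0.0.255
 deny any log
line vty 0 15
 transport input ssh
 access-class MGMT-ACL in
 login authentication default
!
! --- Access ports: one learned (sticky) MAC per wall jack, shut on violation ---
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Unused ports: parked in an unused VLAN and administratively down ---
vlan 999
 name PARKING
interface range GigabitEthernet1/0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

A port-security violation under this configuration err-disables the port and logs it, which is the event to forward to your syslog collector so an unexpected device shows up as an alert rather than a silent network join.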
hypercube (asker):
Kimputer:  OK.  Thank you.
If you need to secure endpoint access to switches, the only way is 802.1X (equivalent to the way Wi-Fi authenticates).
Yup. Empty switch ports should be dead out of the gate as well.

Someone plugs in, it's a dead end.
Thanks all!