DEF CON 19: PacketFence, the Open Source NAC: What We've Done in the Last Two Years

So I'm really glad that you are all here today, this morning. What we are going to talk about is PacketFence. We've been working, I've been working there for two years, and it's the first time we unveil, we talk about PacketFence at such a large event; we've mostly done stuff locally in Montreal, so I'm really glad to be able to talk to you about it and I hope I'll share my excitement.

So what we'll see today is: what's network access control; we'll briefly talk about the secret sauce, so how we do stuff and how it works; we'll talk about why open source has been very helpful for us; the good and bad of the two years as a lead developer, and some lessons learned and some ranting; and then the future of PacketFence, so a bullet list of stuff we want to look at in the future, and some community begging for help and stuff.

So who am I? I'm Olivier Bilodeau, working as a system architect for Inverse since 2001, lead developer of PacketFence. I'm also teaching information security to 200 graduate students in Montreal. I'm really into open source. I'm also a new father; I brought my baby here at DEF CON for the first time, she's 7 months old, so it's been quite something, the airport and all that. I'm also enjoying CTFs a lot, so we're with the Amish Security team doing CTF and also the CISSP Groupies, and we did the DEF CON qualification two years in a row with mitigated success. I'm developing Tomdroid, which is an Android application too. And so if you are interested in what I do and want to follow me, here are the social links.

This talk will implement the "you drink, me drink" protocol, so if I say something stupid you can interrupt me and force me to have a sip of a good beer. The beer I chose, I need to talk about it, was the IPA, California IPA, it's really good. So I hope I'll make some mistakes and there'll be some beers. I only have these left, but for the debriefing, so people that come to the debriefing after the talk and have good questions, have a beer.

Alright, so network access control. This is, like, you guys, this is the elevator pitch, let's not focus too much on that; you guys are smart and you know what most of it means, so we'll go fast. Authentication: basically authentication is mapping user names to IP addresses or MAC addresses. So the firewall doesn't discriminate between, you know, users and IP addresses, where with NAC the core focus is to be able to know this device is owned by this person, and it's really the binding of the two that is important for NAC. There's admission, and admission is allow, partially allow or deny users. And there's control, so control here is to watch for unauthorized stuff, including outdated antivirus, patch level, someone scanning corporate servers, spreading malware, etc. So network access control has the goal to do all of that. There's the usual sales pitch stuff that you see, which involves a loop between detecting a device, isolating a device, notifying administrators about the state of these devices, and remediation, which is a key point that we'll talk about several times, which is how to help the user to remediate problems, including updating systems and stuff. So basically it's know who is using your network and make sure they behave. And we're not talking "who" as in an IP address, we're talking "who" as in a user name, so it's really important, an authenticated user name.

So that's, with time, what NAC has become: well, remediation of users, as I just mentioned; guest management, so a lot of people want to handle guests, put them on the Internet only, no access to the internal servers, so it started to do that; asset and inventory management, so it's there, it sees the devices and so it categorizes them for you and you see it; and also it simplifies the access layer configuration. So the more technical people come to PacketFence, they are tired of doing per-port configuration manually, switching VLANs on ports, and so with a NAC the VLAN management is all done in the server and more transparently, and it simplifies the access layer configuration.

So the secret sauce, the technology: mostly Perl, some PHP, we're leveraging open source. The asterisk means that I'll be talking about it in the future; I did that in a couple of places.

So this is the concept, and it's designed with high availability in mind, so everything we do, we always think about, we use active/passive clusters, and so it's really a core focus, because network access control, if it's down, no one accesses the network, which is really bad. So it's from the ground up thinking with clustering in mind.

Key design decisions that we've made with PacketFence: we're out-of-band. So this is by opposition to being inline, which means that it's really the infrastructure that takes a decision; we're not in the packet flow out to the network, so if the server fails it most likely fails in a sane state. So it's really by opposition to inline, where you see that there's a firewall doing the decisions and the packets go through the NAC device. So we're out-of-band, so no packet is going through the server. We're doing edge enforcement, so this means that the decisions for access are done the closest possible to the endpoint, to the client computer, so it minimizes the attack surface by a lot: a client who has not been allowed in the network cannot scan servers and do anything; it's like the switch decided that it couldn't get access, so really the edge kicked them out, if you want. We use no agent. So a lot of the proprietary NACs are using an agent-based system, and we decided that it was error-prone and buggy, and in a world where there are several devices coming out all the time we cannot cope with developing agents for all of these, so we decided let's not do that and focus on a web-based captive portal instead, and so that's what we do. Listen to everything is also a big thing that we wanted to do: we see everything that's out there, so we sniff the ARP, we see the MAC address when there are security violations sent by the switches, when we see IPs, DHCP, we gather all that information all the time; if a user hits the captive portal we record the user agent. So we're really about identifying everything that's on your network, and a lot of people are amazed when we first plug PacketFence, even if it's not doing enforcement, they will see a lot of devices that they weren't aware of.

So out-of-band, how we do the out-of-band stuff, is we rely on SNMP traps. This was the first technique that we developed in 2007, which was the first step that we forked out of the original PacketFence project, which was based only on ARP. So the SNMP traps, we have several implementations: one is for link up/link down events, one is for MAC notification events, which is, to my knowledge, a Cisco-specific trap, and then there's port security, which was at first Cisco-specific but then got picked up by a lot of vendors. The port security advantage, of course, is that you get the MAC address in the SNMP trap that gets sent to PacketFence, which means we don't need to go and spawn a thread going to the port and waiting to see the MAC address show up on the port, so it's really more performant. You have a comment? Oh yeah, that's right, do it, that's good, okay.

So then we got RADIUS-based techniques that emerged, which is 802.1X or MAC authentication; we will talk about these in a sec. So we first implemented wireless MAC authentication, because the customer demand was for wireless, to manage the wireless and the wired side with the same software, same solution, which has been great for us. Then we implemented wireless 802.1X, which is what most people know as WPA Enterprise, and then we implemented lately the wired MAC authentication and 802.1X pieces.

So let's go into a little bit more detail. The SNMP trap enforcement works by events on the hardware that generate traps; we react to the trap and then we use an SNMP client to connect to the switch and then perform a port authorization, so the MAC address is authorized on the port, and change VLAN if that is what is required to do the proper enforcement. So it's an asynchronous process, if you want, and for most of the vendors it works really well; for some of them we need to rely on telnet or SSH because their SNMP interface is not good, which we don't really like, yeah.

So one of the advantages of the authorization and the edge enforcement by SNMP traps is that, because of the asynchronous nature of the authentication, if, let's say, the system would fail, the system would fail in the last state that was established. So the port security trap is sent to PacketFence, PacketFence saw the trap, saw the MAC address, decided that it should have been in the VLAN 100, it will go and put the user in the VLAN 100, then there will be no security notification that will be done by the switch because we authorized the MAC address on the port. So, as long as there's not another device which has another MAC address, which will generate a security violation and then the other cycle again, then as long as you don't have new security events the system will stay in the good state no matter if the PacketFence server is up or not, running or not. So it's really a great advantage for this technique.

Now, digging into the RADIUS-based approach, let's have a few reminders about the protocols related to that. RADIUS is a key-value based protocol for AAA. AAA stands for authentication, and, how can I put it, authorization, thank you, I guess I'll drink again, authorization, and then audit. So it's a very infrastructure type... like accounting or audit, alright, and what are you... you guys are right, smarter than me, twice, okay. So it's an infrastructure protocol: the switch speaks with the server and there's nothing that the client needs to implement; let's not get into 802.1X so far. So if you look at just this piece it's really infrastructure-based.

Now let's build on top of RADIUS and see 802.1X. What it says, it is Extensible Authentication Protocol over RADIUS, so EAP and all that nasty PEAP, MSCHAPv2, and then encapsulation over encapsulation and stuff. So it's adding a lot of new components to the pure RADIUS that we just saw. So the actors in 802.1X are the supplicant, the authenticator and the authentication server. I've never seen any authentication server besides RADIUS, but I'm pretty sure you can do it with Diameter, so it's optional. The supplicant is actually the client, and you need something on the operating system to support 802.1X, so it's not as transparent as MAC authentication is, and the client-side software has been integrated in Windows, in Linux, in OS X for a couple of versions now, so it's very stable, but we'll see problems with that later. And the authenticator, most people know it as the NAS, so the Network Access Server, alright. The protocol even allows you to send stuff to the client; this is how the WPA Enterprise setup works, is that, as far as the authorization and authentication, it will send the keys in this encrypted tunnel. This is all, if you see the little diagram, this is all pre-DHCP, so pre-IP, and this is why it's called port access control, port-based network access control.

MAC authentication is simply taking a step back from 802.1X: when the device doesn't support it, we do a simple RADIUS authentication/authorization with the MAC as the username in the RADIUS system. So it's really similar to the 802.1X, but there is no strong authentication, there is no end-to-end with the client, so it's more of a... the infrastructure is taking care of all the boilerplate, if you want.

Also in the new, quote, techniques related to RADIUS is RADIUS CoA, which I'll talk about a bit later, which means Change of Authorization, which is RFC 3560... 60-something, anyway, you guys saw it with this. So the CoA answers the problem of... because RADIUS is initiated by the NAS, the switch, and the client, the CoA takes care of: the server says to the switch, please rethink the security posture of this device. And so it's kind of adding a new asynchronous nature to the usually really synchronous nature of RADIUS. Never bring your friends to your talk, alright.

So what do we do for the enforcement then? We accept, Access-Accept, sorry, most requests, and then based on that acceptance we return the proper VLAN attribute. On clients, when someone is not known to the system or is not authenticated we return a registration VLAN, so a VLAN where we present a captive portal, or if the user should be in an isolation stage we return the isolation VLAN, and so that's how the magic... so we do Access-Accept on most requests, otherwise the user will not have network access, which kind of defeats the purpose. We use FreeRADIUS to do the RADIUS and 802.1X pieces, and it's complicated to configure, but it's great, it works well. Now what we added is a Perl module to FreeRADIUS; FreeRADIUS has this rlm_perl facility which allows us to use Perl code directly in FreeRADIUS; it's very performant, and with that we do a SOAP request to the PacketFence daemon, if you want, to the Apache of PacketFence, and the decision is taken server-side. So this allows for a nice architecture that I'll talk about later.

Now moving on to the captive portal. Okay, various authentication mechanisms: so we support LDAP, AD, RADIUS, Kerberos and guests. We use the portal to do the authentication. If a user did 802.1X then the authentication already went to the AD server, so we don't need to present a captive portal, so there's a lot of options there, actually, if you want to automatically register devices and stuff. What does the captive portal do? After someone's authenticated over HTTPS, we redirect them to the Internet, and we can also provide remediation information, which we'll see later. In order to reach the captive portal, on the VLANs where we present the captive portal we provide DHCP, and then in DHCP we provide the DNS server, and we do a DNS black hole, so any request will get the same answer, which is the PacketFence server. It's a really simple, cheap technique that we do, and then with the first hit on the browser we use mod_rewrite to rewrite the URL; for example google.com will be rewritten to the PacketFence server's hostname slash captive portal, which allows us to have a valid certificate because we have a domain name there. So it's not like other solutions which are doing reverse proxying, which then you have SSL problems with, so I'm kind of glad we did that.

So how do we do our voice over IP? Now, our old technique, because we're kind of changing this right now, is we rely on CDP and voice VLAN features of the switches, which is actually easy to attack, if you want. So now what we do is we handle them as regular devices and we try to automatically register them if the user wants that, but so there's still the older technique, and CDP is so transparent that a lot of people prefer that even if it's insecure. Over RADIUS we do MAC authentication, and then your phone doesn't really matter; what matters more is your network device, so the switch in question. And with 802.1X there are some vendor-specific attributes in RADIUS to control the behavior of the VoIP stuff, but we've never seen a lot of 802.1X-capable phones, so it's really a tricky business, and we've done it over wireless and wired but it's not... I think we only got it with Avaya so far, and there's not a lot of customer demand for it, because there's no other phone that is able to do 802.1X. So it's getting there, maybe I'll have another presentation on that. The PC behind the phone, a voice over IP... yeah, this is exactly what I mean by voice over IP, is that if it's only a phone then I don't really care, I am handling it like a normal device, but if there's a PC behind then there are problems with that, especially because we provide the DHCP, you know. I'm seeing the timing and I really want a question about it in the debriefing and I'll give you all the details. It is tricky business. When it's over RADIUS-based techniques it's easier and it works better than when it's over SNMP-based techniques, because of the influence of changing the primary VLAN ID on the port and stuff like that; you really need to be careful and tag the proper voice VLAN and stuff. So yeah, I want to talk about this later.

So for the voice over IP, a little note to pentesters. Most want auto-registration of the phones. The phone doesn't have a browser, so you cannot, you know, ask your user to go on the phone and register it, so either they have a list of all the MAC addresses and they automatically register them, or they do it through several techniques, which is MAC vendor prefix, I saw that, I think that some vendor's switches do that, which is really debatable, which is a really tricky or, I think, an insecure technique, if you want. Others do it through CDP. We, PacketFence, do it a lot with DHCP fingerprints, which are something I talked about yesterday, about the Fingerbank project, which is really rarely spoofed so far, but as more people gain awareness that we are doing DHCP fingerprints I'm very sure it will get spoofed, and then people will get access to the LAN by spoofing a DHCP fingerprint of a phone. And also some phones that are 802.1X-capable are doing MD5 authentication, which is a flawed EAP method for 802.1X, so it's not great. And so the note here is: spoof any of these techniques and you'll get access to the voice VLAN, and then from that, scan and try to pivot, maybe, if you can, on the media server. So pentesters should really look into the voice VLAN stuff.

So quarantine is the captive portal, sorry, feature where we present remediation information to the user. Here is a screenshot of how it's done. Now, I made that up, it's not a real technique that we have; it's written here: you have been detected using Windows 95, please, PLEASE install a decent operating system, download OpenBSD. That will probably not work on a desktop computer, but I don't want to get a flame started. So the triggers we have for quarantine are: operating system, based on our DHCP fingerprint; browser; MAC vendor; Nessus IDs; and Snort-based, which I'm going to talk about in the next slides. And so the captive portal provides instructions; it's really helpful to reduce helpdesk pressure when you implement NAC, and so we've been really enjoying doing stuff with that, and it's the customers who come up with the greatest stuff to do with the quarantines, and we really like that.

So the policy checking and monitoring. The Nessus ID is a client-side scan upon authentication. I say somewhat limited because if you don't provide a domain, for example domain credentials, on the Nessus scanner, then you can only see the surface exposed on the client, so you can prevent them from running a web server for instance, but you cannot do more. But if you do provide domain admin credentials then you can, you know, hit on the device and then list the patches and stuff like that. It's not free, and also the more tests you have, the longer it will take to authenticate, to authorize the device on the network, and it's something that a lot of people... what, it takes two minutes to do a Nessus scan on a client, it's too long, so let's forget about that. So it's been a mixed, love-hate relationship with the Nessus integration.

Then the Snort piece is more... yeah, most of you guys know Snort, I'm very sure, and so it's an intrusion detection system. You clone your traffic that is going to the Internet to the PacketFence server, you run a local Snort instance there and you enable the rules you are interested in, and the devices violating the rules will be isolated. It works really, really great, and we've been doing a lot of BitTorrent blocking, Skype blocking, malware detection, preventing users from nmapping the servers and stuff like that, and it's great. And with the quarantine captive portal we are able to provide a couple of, like, you can do BitTorrent three times, after that you are completely locked out of the network. So each time we present the captive portal, but you have a button to re-enable your access to the network. So you can do stuff to annoy your users if you want, like allow them to re-enable their Internet access a hundred times or a thousand times and see how long they will, you know, try again and try again and try again to do peer-to-peer before they are getting tired and just calling helpdesk: what's going on? No, we don't do that, and it's probably because we were never asked this. Come up, come over for a beer. So I, again, being open source, and running a business on open source, we're really tied to what's going on on the... here we go. Oh, I'm sorry. So yeah, we're always interested. And the syslog stuff: there are new switches that can send syslog events, and I saw the features and I never looked into it, but it would be something really interesting. We do support... we have a remote mode for Snort, where we use our own daemon, we tail the alert file and then we do a SOAP request, so then you avoid crashing your whole, you know, PacketFence because there's a gigabit of traffic per second to analyze for Snort. But Snort with its single-threaded approach has been quite good because it cannot crash the rest of the system, because it's only using one core, one thread, so it's still interesting, and we have a really big enterprise customer running Snort and PacketFence on the same server and it's doing great.

So how do we support network access... I see that I run out of time, I need to move faster. So adding a new supported switch for the RADIUS-based techniques is really, really great. All we need to do is, because all the legwork is done by FreeRADIUS, all we say is we support wired 802.1X, and if the NAS-Port that is sent by the switch is the same as the ifIndex there's nothing else to do, and then we implement the authentication, which is again very standardized; there's the PAE IEEE 802.1X SNMP MIB that works in like 99% of the cases. And so for us adding a new RADIUS-based supported device is really easy. SNMP is more challenging because it's not standardized as much, especially regarding port security: a lot of the hardware do it per switch port, VLAN, and some of them do it per switch port, and so because of that there are different tricks that we need to do, especially with voice over IP, again. So it's a love-hate relationship, and it's one of the things that, customers, you know, we work on supporting new hardware and they pay us to do so, so it's been good for the business, but for your mental health it's not that great; it's like there's nasty bugs in there. I'm going to talk about it a little later, but it's mostly: read the switch documentation, try to configure it, figure out that there are mismatches between the documentation and how you actually configure it, and then you snmpwalk and you try to find the sexy stuff you're looking for, the MAC addresses, port security information, and then you do your SNMP set, and when you got it working with SNMP set then you port it into your Perl code, and then rinse, repeat, and you have a switch working with SNMP. Yes, we are, but this is the Net-SNMP library which encapsulates all of that, but we've got, I don't know, I don't want to name any names, but there are implementations of SNMPv3 which are really, really buggy, and it's not our fault, it's the switch's fault, and so sometimes, you know, we face problems and we need to pull in other modules and stuff, and it's a love-hate relationship with SNMPv3. I really prefer when a customer has a management VLAN which is guaranteed to be isolated, and so I'm telling them, you know what, SNMPv2 is fine by me if you're sure that no one can sniff on your management VLAN, but again it's all arguable.

So the PacketFence ZEN is the Zero Effort NAC, which is a VMware appliance which we have a version for the desktop suite and also the ESX/ESXi stuff, so it's pre-installed, pre-configured, and people can really try PacketFence quickly with a VM instance. So I just wanted to let that... Al, he's glad, I'm glad you're glad, okay.

So open source for the win. What has been great for us doing open source is the vendor independence. A lot of the network access... our competitors, if you want, they are really tied into the vendor, or they are not and then do ARP poisoning or other inline techniques, which are in my opinion less secure. And so, because of being open source, we kind of, you know, poke at the firmware and try to make it work, and when one wants a device implemented we work on it, and a lot of, let's say mostly universities, they actually develop their own module and they send it to us and then we support new hardware, and that's just been great. The proprietary pricing is questionable: there are per IP, per concurrent connection, per AP, access point, per switch license fees, so it's really kind of odd, and for a lot of people migrating over to PacketFence they tell me, like, we pay so much for our NAC solution, it just doesn't make any sense, and it's because they charge per IP, and people are using wireless, and every device that you have, like, five of them on yourself, and you just cost them five licenses because they all wanted to hook on the network, and so sometimes they're really like, we need to move away from the proprietary stuff. Also because we can stay focused, and we build on top of Apache, BIND, DHCP, Net-SNMP, FreeRADIUS, Snort, iptables, Nessus, 70-plus CPAN modules that we pull in when you install PacketFence, so, like, we're really into reuse, I guess. We use Linux and it's been really great. So this is also an advantage because the stack is familiar, so you guys all know the tools, and when you really need to tweak things you can do it yourself, and when you need to troubleshoot it's not dark arcane magic that you cannot understand or that you need to call support for; it's stuff that you actually can see and that you can Google on Google. So it's great, because, okay, I have this RADIUS problem, I Google it and then, oh, everyone has a similar or slightly different problem, and you can help troubleshoot yourself by doing that, which is not something we can say of the proprietary offerings, and so it's been also good. Security is not necessarily solely based on... security on obscurity, sorry. So what I mean by that is that this is network access control; there are some things that we kind of lift the carpet and push the dust under the carpet, because we are doing questionable things because we want, you know, the customer to be able to deploy easily, and, you know, a NAC is better than no NAC, so we still need to have them. It all boils down to user-friendliness versus security, and you guys all know about that. So other solutions can be all about obscurity, but we, since it's open source, people can look at it and say, hey, you guys are doing, like, funky stuff over there and maybe you should not do that, and so it's an advantage because you can look at it, poke at it and find problems.

So what I've learned, and what we've been doing bad and doing good for the last two years, so let's go. Most NACs are easy to bypass. This is something I learned while working at Inverse, because of network administration friendliness: per-port exceptions for printers, voice over IP, uplinks; you find them, you can leverage them. CDP being enabled on access ports, which is in my opinion a problem. Real DNS is exposed, so if your NAC solution is based on offering the Internet DNS, there are a lot of tools to be able to tunnel TCP into DNS, so you can tunnel out. And because there is no identification built in at layer two or layer three, if you're not doing 802.1X everything can be hacked or spoofed: so you can change your IP address, you can change your MAC address, you can change your DHCP client to be able to spoof the fingerprints I was talking about earlier, you can spoof your browser's user agent, and the user agent thing has been known to get you past Cisco's, I don't know, MAC profiler, anyway; they see if it's an iPod or iPhone or iPad user agent, then they let you through because they don't have any agents for this OS, and so because of that, again, it's because there's no authentication and you can spoof this stuff client-side, and the trust, which is fake, then is easy to bypass. And so, again, coming to MAC address spoofing: printers don't have browsers, so they will often be pre-registered into the NAC devices, and so a printer is so easy to find; an academic printer, you go there, do your physical pentest, you pop the printer on the side, you look at the MAC address, you put it on your BackTrack 5 client and then boom, you're all out in the printer VLAN and you can start scanning the print servers, which are Windows, which are not patched, et cetera.

So another thing I learned is that you can bypass 802.1X, but there's a talk actually right after this which is focused only on that, a two-hour talk on how to bypass NAC and 802.1X, but let me still tell you what's the technique. So you put a hub between the victim and the switch; the goal is to prevent the port from going down, so if there is no link down then the stack is not reset, because it's a port-based network access control, and once the access has been granted there is no continuous monitoring of what you have been doing with the access. So you wait for the victim to successfully authenticate, because you put a hub in between, you spoof your MAC address with the victim's MAC and then you plug into the hub, and bam, you bypassed 802.1X completely. I discovered this kind of by mistake when I was working on 802.1X-capable phones, and I kind of couldn't believe it, and I Googled it and then I found on Wikipedia and on Microsoft, there is an article from 2005 talking about this problem. But now the bad thing is that they're doing appliances like the Pwnie Express which is doing 802.1X bypass; it's really interesting to see that it's gaining traction after all that time. So the attack scenario: you have two things you can do. You keep the legitimate client connected, which is bad because you have duplicated MAC addresses on the same segment, but which is good because the client can re-authenticate if the switch asks to. Or you replace the legitimate client, which is bad because you won't pass a re-authentication request, because you're not able to provide a strong authentication, but what is good about it is that you will not have network problems because there are no duplicated MACs on the segment. It works, and see the "A Bridge Too Far" talk by Skip, which is after this talk in track 1, and I'm pretty sure that because he's doing bridging he'll be able to circumvent that problem. I'm mentioning here the attack scenario because he'll be able to firewall in between, let the EAP over LAN go through to the client but still intercept the good stuff that he wants to do in the man-in-the-middle.

Getting into 802.1X is tricky business, I'll just keep that; it's buggy, the support varies and stuff. Another thing: the 802.1X wired on Mac OS X is buggy. I haven't tried to reproduce it in Lion, but it's definitely buggy; we opened a ticket with Apple and they said send us a ton of logging, and we did, and we never heard back from them, but we'll revalidate again on 10.7. But still, the point is just that we're always finding problems in every, you know, piece that we need to interact with, and it's not an easy game to be a network access control software.

What I learned also is the network vendor fragmentation. So VLAN assignment through SNMP is done in like, I don't know, maybe 25 different ways: there are port lists, there are really straight VLAN assignments, so a lot of different weird stuff that you can see. Port security is named differently, implemented differently. SNMP access is inconsistent. If you go into the RADIUS-based enforcement, then wired MAC authentication has many, many names; I think I have a few here, where is it: so Cisco calls it MAC Authentication Bypass, or MAB; HP calls it MAC-based authentication; Nortel calls it NEAP, which is Non-EAP; Extreme Networks calls it Netlogin; Juniper calls it MAC RADIUS. So there's a lot of different stuff going on in that space, and it's not making anything easy for us. There are gray areas in 802.1X where you don't really have guarantees about what will go on with the DHCP on the client, and that's probably the problem with Mac OS X. The RADIUS Change of Authorization is not supported everywhere, which makes it a little bit harder, so really hard. But the situation on the wireless side is better; I guess they learned from the wired side of things and they avoided a lot of mistakes, so MAC authentication and 802.1X wireless is really great, and we've been implementing really more easily the APs and the controllers; usually, I don't know, like one day to figure out how it works and make it work and another day to document it for our network administration guide and make additional tests to make sure that it will scale and everything. So two days and we support a new controller brand, which is pretty good.

Learned: network vendors' firmware quality. So there are so many regressions, and we, like, get clients, they update an IOS, did I say iOS? They upgrade the switch firmware, and then BOOM, something that used to work before stops working now, and so it's really, really painful. Weird coincidences: I've seen the same exact bug implemented in like four different brands, and I couldn't believe it. I was like, it's the same bug, and it's an obscure bug, and so you see that there is probably a lot of, you know, people buying code out of other vendors and stuff, and a lot of reuse of the same code, which unfortunately I guess is handled very differently, because the bugs are fixed in one vendor but not the other one, but it's obviously the same bug. Also something that happened with us is: oh, I think there's a bug in there, and the vendor says, alright, it doesn't work using the command line interface but it does work in the web GUI. But who manages hundreds of devices using a web GUI, aside from controllers, which do a pretty good job, but for switches, come on, this is really... And scale issues: I just wanted to hint at an issue I faced where the people who were handling the SNMP, they were handling the MAC addresses seen on the layer two in the same table as the MAC addresses secured on ports, so when you want to list the secured MAC addresses on the switch, if the layer 2 network
is really hot large then you start to snmpwalk tens of thousands of devices and it makes the whole thing completely slower so we often faced problems like that and that we just don’t know what to do with that and then we ran on the network vendor and they say come on it’s not us so it’s been working fine for most people but then you ask them do you have nak implemented with one of the nak providers and they say no what snack so it’s problem I know some people aren’t going to agree with this but all vendors hold tight on their issue trackers Molla I’m talking network vendors again most they are all tight on their firmware so we have you the customer pays us to implement nak on their switch and we’re having a hard time downloading their firmware this is not like we need to escalate and send a lot of email the some of them even hold tight on their documentation so we got a physical switch that they sent us but we are having a hard time download a PDF to configure the set switch it’s really really a problem and can it just stop you know opening your documentation opening your firmware has proven to be a good thing for like let’s compare this world a zip with PHP in the 95 days PHP all documentation was open so it got picked up by search engines and people who had problems had really really easy way to find solution but with the network control stuff the network vendors you Google and you get almost never good answers and you you get a lot of open-ended questions that are not answered so please come on they should get wiki’s and they should do it the open-source way it will make everyone’s life easier and right now I think it’s it’s more penalizing their their customer who paid for their hardware the way they are working right now so I’m a little distressed by that okay okay again learn nobody does infrastructure authentication which is a big security problem let’s skip to that okay the bad thing we do with packet fans first installation step disable SC Linux yeah 
that’s right we suck at SC Linux we tried we just couldn’t figure it out if someone want to help it will be really appreciated we have to shortly cycle for a core piece of infrastructure we like released 11 releases in the last year or so maybe and so it’s really fast for

most people we don’t have a map integration I really I I soft your door speak at Def Con last year and I really am into an map but we still couldn’t get help or a time or you know customer mindshare to implement and map so we’ve done not done it and I think it’s bad external code contributions are scarce we’re having a problem creating a good community probably because it’s not sexy doing that work access control it’s really enterprise the infrastructure stuff which is really really not attracting a lot of developers and we’re pretty much simple as rail for now but we’re we want to fix that so what we’ve done that is good we improved a lot on the last two years the development process in the infrastructure fully automated smoke test we’re packaging every night the the software builds there are new packages out and you can hook on a young repository on the latest software our branches are stable so we have a stable branch everything is public there is no like big code dumps like Android where all every commit is public and on the Internet so it’s really a true open source project all a GPL by the way I don’t think I I have this anywhere in my slide so it’s all GPL based license the code is usability plus plus we really work hard on simplifying the installation the upgrades if you’ve tried packet fans like two years ago give it another try because it really really changed a lot we got Enterprise new feature so you can have users right for people using the web admin this way your helpdesk cannot screw up the whole system we support router environments out of the box so this we inject automatically static routes and do the DHCP config and all that stuff so we’ve been deploying a lot in campus based environment where you know you need to route between the buildings and it works really really well and it was a appreciated feature 64-bit support we now have a fancy guest workflow support we’ve been working on that branch for a year and now we’re about to merge it with 
with the upcoming 3.0 release we’re going to do we improve performance in several occasions I skip that technology we support web services to manage hardware we’ve been doing our so web services for the radius access control so people could technically decouple the free radius let’s say you keep your free radius on your camp per campus and you do a soap request so Web Services request to the Pakistan server so you could have technically a distributed architecture like three layer architecture but based on radius we also did package vents and a cloud on ec2 the only thing you need locally is an Open VPN and everything is tunneled so this was more as a fun hacking project we did no one really wants to pay for that we realized because it’s too scary you know to have network access in the cloud making in line and out-of-band work at the same time on the same server this is really new and we’re releasing this with 3.0 so we’ll be able to support old ancient hardware at the same time as v9e solution and strong good technique this is really I think some interesting feature how long do I have left two minutes okay I need to bypass that I’m sorry so we did a proxy bypass client-side proxy bypass really interesting with the size if you want to see what I mean JavaScript network access detection we’ve worked on that too which is kind of a hack because I’m trying to avoid the cross domain origin policy stuff and it’s it’s kind of neat that’s why I include it here but let’s skip that so short term we’re going to do in line mode to support easier legacy Network hardware now in beta so it’s public already we want to do radius accounting bandwidth monitoring with the proper alarms for it so we could be more a hotel-style network access control I guess we’re looking into nap and statement of health client time checking radius change of a terrorization which we haven’t done yet ACL and QoS assignment with radius a lot of my colleagues have been working on that we’re now kind of 
unsure how we will present the interface to the user but we’ve got the basic technology and technique working it’s just more of how we will we will present the feature to the user we would like to support VPNs so then we will be really covering every access control techniques that we know about Debian Ubuntu support of course longer term we kind of hate the active passive approach for doing AI availability we would prefer a simpler active active clustering approach so we were working on that and map open bas

integration and making this stuff click next next next easy to install we’re making progress with this with the 3.0 beta will be able to for the pakistan’s n solution it will be DHCP base nak you plug-in in the trunk port and it will mostly work for most people so we’re really making progress with that and trying to make it easier all the time research topics so if people are really interested into more advanced stuff we want to implement AF map we’re looking at doing client-side agent but we will like a multi-platform like Python base maybe approach and stuff so yeah that’s pretty much it we beg for help we want everyone to use pakistan’s if they can conclusion I hope I do mr. fine knack for you guys and you should give pakistan’s a try if you manage the network because I think you’ll see value quite quickly thank you very much see you in the briefing room