NAP and Virtual Machines

Dale.Meredith

I had a student ask a question I can't answer....

If you deploy NAP, can't it be circumvented by bringing up a virtual machine?
i.e. if a user fired up a virtual machine and used NAT from the host PC to
gain access to the network, wouldn't the NAP environment think that the file
is being requested by the host OS, yet actually it's the virtual machine
getting the file?

-SuperDale
 
S. Pidgorny

That is a legitimate concern. Yes, in this scenario NAP will be
circumvented. Which is the reason to consider NAP a management feature and
not a security feature.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Dale.Meredith" <DaleMeredith@discussions.microsoft.com> wrote in message
news:E8F127D4-560B-406D-85A9-1381B3A82B93@microsoft.com...
>I had a student ask a question I can't answer....
>
> If you deploy NAP, can't it be circumvented by bringing up a virtual machine?
> i.e. if a user fired up a virtual machine and used NAT from the host PC
> to gain access to the network, wouldn't the NAP environment think that the
> file is being requested by the host OS, yet actually it's the virtual
> machine getting the file?
>
> -SuperDale
 
secure-gear.com

secure-gear.com had written this in response to
http://www.secure-gear.com/microsoft.public.security/7/NAP-and-Virtual-Machines-article24680-.htm
:
NAP cannot be circumvented this way, because the virtual machine will have
a unique MAC and IP address. From the perspective of the Windows Server
2008/NPS, the host system will remain undiagnosed. Only the VM will be
seen as having passed the NAP health check.

The details differ depending on what transport you are using for NAP
(DHCP, 802.1x, VPN etc) but ultimately if you really want to bypass it
you'd need to write a custom TCP/IP stack extension. And even that isn't
going to get past 802.1x because you still need to authenticate.


##-----------------------------------------------##
Delivered via http://www.secure-gear.com
The Internet Knowledge Base for the security industry
no-spam access to your favorite newsgroup -
microsoft.public.security - 24381 messages and counting!
##-----------------------------------------------##
 
S. Pidgorny

G'day:

"secure-gear.com" <info_at_1-script_dot_com@foo.com> wrote in message
news:4893d483$0$3510$a82e2bb9@reader.athenanews.com...
> secure-gear.com had written this in response to
> http://www.secure-gear.com/microsoft.public.security/7/NAP-and-Virtual-Machines-article24680-.htm
> :
> NAP cannot be circumvented this way, because the virtual machine will have
> a unique MAC and IP address.


Not necessarily.


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
 
Dan

True, but we cannot say too much in a public newsgroup. Sorry, it will have
to be part of responsible reporting. See us-cert.gov if you live in the
States.
 
Paul Adare - MVP

On Sun, 3 Aug 2008 02:22:01 -0700, Dan wrote:

> True, but we cannot say too much in a public newsgroup. Sorry, it will have
> to be part of responsible reporting. see us-cert.gov if you live in the
> States.


This has nothing at all to do with responsible reporting. There's simply
nothing to report. Slav's comment was referring to the fact that depending
on how one configures networking in the application, a virtual machine may
not have a unique MAC address or IP address presented on the network. Such
is the case in VPC when using NAT.
To state that nothing can be said about this in a public newsgroup
demonstrates a lack of understanding of both the reporting process and the
issue at hand.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
A CONS is an object which cares. -- Bernie Greenberg
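Paul's point above is the whole issue: a NAT'd guest borrows the host's MAC and IP, so any NAP enforcement that keys on the address the network sees (DHCP, IPsec/HRA, 802.1X) treats host and guest as one endpoint, while a bridged guest shows its own MAC and IP and is evaluated on its own. The following is an added example, not code from this thread or from Microsoft: a small passive check, in Python, that flags a single source address presenting more than one OS fingerprint (IP TTL and HTTP User-Agent), and separately flags source MACs whose OUI belongs to a hypervisor. The flow records, their field names and the OUI table are constructed for the example and are assumptions, not the output of any real sensor.

```python
"""Flag endpoints that look like a NAT'd guest hiding behind a compliant host.

Added example, not part of the newsgroup thread. Two cheap network-side
heuristics over constructed flow records:
  1. one (MAC, IP) pair emitting traffic with two different OS families
     (a Windows host NAT-ing for a Linux guest, or vice versa);
  2. a source MAC whose OUI belongs to a hypervisor (a bridged guest that
     NAP must health-check on its own).
"""
from collections import defaultdict

# Constructed sample flows (not real captures). Field names are this
# example's assumptions: what a passive sensor could pull from each flow.
FLOWS = [
    {"src_mac": "00:1c:23:aa:bb:01", "src_ip": "10.0.5.21", "ttl": 128,
     "ua": "Mozilla/5.0 (Windows NT 6.0)"},              # the host itself
    {"src_mac": "00:1c:23:aa:bb:01", "src_ip": "10.0.5.21", "ttl": 64,
     "ua": "Mozilla/5.0 (X11; Linux i686)"},             # NAT'd Linux guest
    {"src_mac": "00:1c:23:aa:bb:02", "src_ip": "10.0.5.22", "ttl": 128,
     "ua": "Mozilla/5.0 (Windows NT 6.0)"},              # ordinary workstation
    {"src_mac": "00:03:ff:11:22:33", "src_ip": "10.0.5.40", "ttl": 64,
     "ua": "Mozilla/5.0 (X11; Linux i686)"},             # bridged VPC guest
]

# Well-known virtualisation OUIs (first three octets). Partial list, and a
# MAC is trivially spoofable, so treat a hit as a hint rather than proof.
VM_OUIS = {
    "00:03:FF": "Microsoft Virtual PC",
    "00:15:5D": "Microsoft Hyper-V",
    "00:0C:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}


def ttl_family(ttl):
    """Map an observed IP TTL to the OS family of its likely initial TTL.

    Windows starts at 128, Linux/BSD at 64, some network gear at 255. A few
    hops of decrement are tolerated, so 120 still reads as 'started at 128'.
    """
    if ttl <= 0 or ttl > 255:
        return "unknown"
    if ttl <= 64:
        return "unix-like"
    if ttl <= 128:
        return "windows"
    return "other"


def ua_family(ua):
    """Coarse OS family from an HTTP User-Agent string."""
    u = ua.lower()
    if "windows" in u:
        return "windows"
    if "linux" in u or "x11" in u or "freebsd" in u:
        return "unix-like"
    if "mac os" in u or "macintosh" in u:
        return "macos"
    return "unknown"


def find_nat_suspects(flows):
    """Return {(mac, ip): set_of_families} for endpoints showing >1 OS family.

    A compliant host NAT-ing for a guest of a different OS looks exactly
    like this: one address on the wire, two operating systems behind it.
    """
    seen = defaultdict(set)
    for f in flows:
        key = (f["src_mac"].lower(), f["src_ip"])
        for fam in (ttl_family(f["ttl"]), ua_family(f.get("ua", ""))):
            if fam != "unknown":
                seen[key].add(fam)
    return {k: v for k, v in seen.items() if len(v) > 1}


def find_vm_macs(flows):
    """Return {(mac, ip): vendor} for sources whose OUI is a hypervisor's."""
    out = {}
    for f in flows:
        mac = f["src_mac"].upper()
        vendor = VM_OUIS.get(mac[:8])
        if vendor:
            out[(mac.lower(), f["src_ip"])] = vendor
    return out


if __name__ == "__main__":
    for (mac, ip), fams in find_nat_suspects(FLOWS).items():
        print(f"NAT suspect {ip} ({mac}): OS families {sorted(fams)}")
    for (mac, ip), vendor in find_vm_macs(FLOWS).items():
        print(f"Bridged VM {ip} ({mac}): {vendor}")
```

Two caveats. A user-mode NAT engine (the shared-networking style used by desktop hypervisors) terminates the guest's connections on the host and re-originates them from the host's own TCP/IP stack, so the IP-layer fingerprint can come out identical to the host's; in that case only application-layer clues such as the User-Agent survive, which is why the check combines both. And both heuristics are detection aids for the network team, not enforcement: they do not change the fact, stated above in the thread, that NAP is working as designed when it trusts the address it is shown.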
 
Dan

Okay, so sometimes I fall on being less public about disclosure than more
public about disclosure but this is my own choice.

"Paul Adare - MVP" wrote:

> On Sun, 3 Aug 2008 02:22:01 -0700, Dan wrote:
>
> > True, but we cannot say too much in a public newsgroup. Sorry, it will have
> > to be part of responsible reporting. See us-cert.gov if you live in the
> > States.

>
> This has nothing at all to do with responsible reporting. There's simply
> nothing to report. Slav's comment was referring to the fact that depending
> on how one configures networking in the application, a virtual machine may
> not have a unique MAC address or IP address presented on the network. Such
> is the case in VPC when using NAT.
> To state that nothing can be said about this in a public newsgroup
> demonstrates a lack of understanding of both the reporting process and the
> issue at hand.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> A CONS is an object which cares. -- Bernie Greenberg
>
 
Steve Riley [MSFT]

Dan, the way you phrase your opinions makes it sound like you think hiding
information, or knowing something unknown by others, is something to be
proud of. In actuality, this is rarely the right stance. Responsible full
disclosure is far more valuable for everyone. The bad guys will _always_
discover vulnerabilities eventually, because it's pretty much their
full-time job. So keeping such knowledge hidden benefits no one. On the
other hand, responsible disclosure benefits everyone because then vendors
can rapidly work up fixes (whether they be patches or configuration changes)
and customers can rapidly deploy them. This makes everyone safer.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@discussions.microsoft.com> wrote in message
news:DDAC58B8-E29A-494D-B172-394CAB63FECA@microsoft.com...
> Okay, so sometimes I fall on being less public about disclosure than more
> public about disclosure but this is my own choice.
>
> "Paul Adare - MVP" wrote:
>
>> On Sun, 3 Aug 2008 02:22:01 -0700, Dan wrote:
>>
>> > True, but we cannot say too much in a public newsgroup. Sorry, it will
>> > have to be part of responsible reporting. See us-cert.gov if you live in
>> > the States.

>>
>> This has nothing at all to do with responsible reporting. There's simply
>> nothing to report. Slav's comment was referring to the fact that
>> depending
>> on how one configures networking in the application, a virtual machine
>> may
>> not have a unique MAC address or IP address presented on the network.
>> Such
>> is the case in VPC when using NAT.
>> To state that nothing can be said about this in a public newsgroup
>> demonstrates a lack of understanding of both the reporting process and
>> the
>> issue at hand.
>>
>> --
>> Paul Adare
>> MVP - Identity Lifecycle Manager
>> http://www.identit.ca
>> A CONS is an object which cares. -- Bernie Greenberg
>>
 
Dan

Steve Riley, MSFT --- Reply by email. Sorry, it involves my own personal
information which I do not choose to disclose publicly as of yet due to my
volunteer work with US-CERT and DOD. The Military and Department of Homeland
Security are Priority Number 1 in my book. Thank you for your reply and have
a nice day.
 
Paul Adare - MVP

On Thu, 7 Aug 2008 23:01:01 -0700, Dan wrote:

> Steve Riley, MSFT --- Reply by email. Sorry, it involves my own personal
> information which I do not choose to disclose publicly as of yet due to my
> volunteer work with US-CERT and DOD. The Military and Department of Homeland
> Security are Priority Number 1 in my book. Thank you for your reply and have
> a nice day.


With your insistence that Win 9x is more secure than XP, Vista or Server
2008 coupled with your long rambling posts here that really don't contain
much in the way of useful advice, I'd caution the average home user to be
wary of accepting security advice from you. If the DOD and US-Cert are
relying on you for security assistance then we're in more trouble than
anyone had thought.
This may sound blunt, but computer security is too important a topic to
spare someone's feelings or to stroke someone's ego.
Just review this one thread as an example. The issue in this thread is
widely known and is how the product is designed to work. Disclosure,
responsible or otherwise simply is not even a remote factor in this issue,
regardless of what you may think.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
My girlfriend always laughs during sex - no matter what she's reading.
- Steve Jobs (Founder: Apple Computers)
 