A tool for near-real-time management of endpoints such as desktops, laptops and Windows tablets is now being aimed at very large organizations with millions of endpoints.
Tanium Platform collects endpoint information in real time and, within 15 seconds, makes visible unauthorized external connections, traces of malware, use of unapproved applications, use of systems with known vulnerabilities, and more. Macnica Networks is a primary distributor for Tanium.

TaniumClient.exe file information: TaniumClient.exe appears in Windows Task Manager as the process "Tanium Client". It belongs to the software HPE Security Policy Tool (version 2), Tanium, or Tanium Client, published by Tanium. TaniumClient.exe is not an essential Windows component and is located in a subfolder of 'C:\Program Files'. A web search leads to the Tanium website, which describes Tanium as a systems-management tool for enterprises. Because the agent is normally deployed by an organization's IT department, disabling it usually requires contacting the department that installed it on the machine.
Tanium is software that can examine and modify all such clients across an enterprise within 15 seconds, according to the company. It's already being used by customers with more than 500,000 endpoints, and the newly released Version 6.5 is designed to serve some of the world's largest organizations, especially in the public sector, Tanium says.
At the heart of Tanium's software is the ability to rapidly reach all endpoints throughout an organization, which can speed up both security and IT management tasks. Tanium makes this work by organizing endpoints into linear chains in which they communicate peer to peer.
It's more efficient than hierarchical systems that require servers to check in with multiple clients out at the edge of the network, said Joe Lea, senior director of product management. How Tanium organizes its linear chains of devices to deliver data as quickly as possible is part of the core technology that the company set out to create when it was founded in 2007.
The ability to rapidly poll and modify end systems can pay dividends in security, helping enterprises detect and eliminate threats without lengthy investigations across all their clients, Tanium says. It can also simplify software updates by showing which version each system is running and then quickly applying updates or patches.
Tanium can give enterprises extra speed to help them keep up with attackers, according to Gartner analyst Lawrence Pingree.
'Getting data back from a wide array of different endpoints rapidly is very important, especially given the speed at which some attacks are perpetrated,' Pingree said. Once malware gets into a network, it can spread and do damage quickly.
There are other endpoint security companies that advertise real-time monitoring and response, including CrowdStrike and Bit9. Tanium sets itself apart by also handling a broad range of endpoint management tasks such as software updates, Pingree said.
Tanium doesn't reach smartphones or most tablets. It's been compiled for Android but isn't designed to be a mobile device management platform, Lea said.
A way to understand what Tanium does is to look at its natural-language query feature, a Google Search-like interface for finding out about endpoints. An administrator can type, for example, 'show all running processes' and get back a list of all the current processes on all the clients in the enterprise.
The results can show how many employees are using Outlook and how many are on Facebook, but more importantly, it can display which systems have outdated and vulnerable versions of software or are running processes associated with known malware. From there, Tanium lets managers take steps like killing processes, quarantining machines or applying patches.
Typing queries isn't the only way IT departments can track down security problems with Tanium. Among other things, they can use IOCs (indicators of compromise), which are collections of malware information compiled by security companies and other sources. Tanium's software already can read IOCs and use them as a basis for queries. Version 6.5 automates that process and builds it into the product so it's less work for enterprises to use it.
The latest update also integrates Tanium with commonly used tools for monitoring and managing IT infrastructure. Enterprises can feed the product's real-time information into SIEM (security information and event management) and CMDB (configuration management database) systems, as well as help desk systems, Tanium says.
The new version also gets a dedicated tool for managing software updates and licenses across an enterprise, with enhancements including more flexible scheduling for patches and better reporting, Lea said.
Tanium has been available for about two years but saw an upsurge in popularity last year, Lea said. The company says it's now in use in half of the Fortune 100 enterprises, including half of the world's top 10 banks. On Tuesday, it announced $52 million in new funding from venture firm Andreessen Horowitz.
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802,[1][2] which is known as 'EAP over LAN' or EAPOL.[3] EAPOL was originally designed for IEEE 802.3 Ethernet in 802.1X-2001, but was clarified to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless and Fiber Distributed Data Interface (ISO 9314-2) in 802.1X-2004.[4] The EAPOL protocol was also modified for use with IEEE 802.1AE ('MACsec') and IEEE 802.1AR (Secure Device Identity, DevID) in 802.1X-2010[5][6] to support service identification and optional point to point encryption over the local LAN segment.
Overview
EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter.
802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN; the term 'supplicant' is also used for the software running on the client that presents credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point, that provides the data link between the client and the network and can allow or block traffic between the two. The authentication server is typically a trusted server that receives and responds to requests for network access and tells the authenticator whether the connection is to be allowed, along with settings that should apply to that client's connection. Authentication servers typically run software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may run on the authenticator hardware itself.
The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the supplicant must initially provide the required credentials to the authenticator - these will have been specified in advance by the network administrator, and could include a user name/password or a permitted digital certificate. The authenticator forwards these credentials to the authentication server to decide whether access is to be granted. If the authentication server determines the credentials are valid, it informs the authenticator, which in turn allows the supplicant (client device) to access resources located on the protected side of the network.[7]
Protocol operation
EAPOL operates at the data link layer; in Ethernet II framing it is identified by the EtherType value 0x888E.
Port entities
802.1X-2001 defines two logical port entities for an authenticated port: the 'controlled port' and the 'uncontrolled port'. The controlled port is manipulated by the 802.1X PAE (Port Access Entity) to allow (in the authorized state) or prevent (in the unauthorized state) network traffic ingress and egress through it. The uncontrolled port is used by the 802.1X PAE to transmit and receive EAPOL frames regardless of authorization state.
802.1X-2004 defines the equivalent port entities for the supplicant; so a supplicant implementing 802.1X-2004 may prevent higher level protocols being used if it is not content that authentication has successfully completed. This is particularly useful when an EAP method providing mutual authentication is used, as the supplicant can prevent data leakage when connected to an unauthorized network.
Typical authentication progression
The typical authentication procedure consists of:
Sequence diagram of the 802.1X progression
Implementations

Supplicants
Windows XP, Windows Vista and Windows 7 support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack (SP4) for wired connections. Windows Mobile 2003 and later operating systems also come with a native 802.1X client.
An open source project known as Open1X produces a client, Xsupplicant. This client is currently available for both Linux and Windows. The main drawbacks of the Open1X client are that it does not provide comprehensible and extensive user documentation and the fact that most Linux vendors do not provide a package for it. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types.[8]
The iPhone and iPod Touch support 802.1X as of the release of iOS 2.0. Android has supported 802.1X since the release of 1.6 Donut. Chrome OS has supported 802.1X since mid-2011.[9]
Mac OS X has offered native support since 10.3.[10]
Avenda Systems provides a supplicant for Windows, Linux and Mac OS X. They also have a plugin for the Microsoft NAP framework.[11] Avenda also offers health checking agents.
Windows
Windows defaults to not responding to 802.1X authentication requests for 20 minutes after a failed authentication. This can cause significant disruption to clients.
The block period can be configured using the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc\BlockTime[12] DWORD value in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc\BlockTime for wireless networks), entered in minutes. A hotfix is required on Windows XP SP3 and Windows Vista SP2 to make the period configurable.[13]
Wildcard server certificates are not supported by EAPHost, the Windows component that provides EAP support in the operating system.[14] The implication of this is that when using a commercial certification authority, individual certificates must be purchased.
Windows XP
Windows XP has major issues with its handling of IP address changes that result from user-based 802.1X authentication that changes the VLAN and thus subnet of clients.[15] Microsoft has stated that it will not back port the SSO feature from Vista that resolves these issues.[16]
If users are not logging in with roaming profiles, a hotfix must be downloaded and installed if authenticating via PEAP with PEAP-MSCHAPv2.[17]
Windows Vista
Windows Vista based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed into the wrong VLAN. A hotfix is available to correct this.[18]
Windows 7
Windows 7 based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed into the wrong VLAN. A hotfix is available to correct this.[18]
Windows 7 does not respond to 802.1X authentication requests after initial 802.1X authentication fails. This can cause significant disruption to clients. A hotfix is available to correct this.[19]
Windows PE
For most enterprises deploying and rolling out operating systems remotely, it is worth noting that Windows PE does not have native support for 802.1X. However, support can be added to WinPE 2.1[20] and WinPE 3.0[21] through hotfixes that are available from Microsoft. Although full documentation is not yet available, preliminary documentation for the use of these hotfixes is available via a Microsoft blog.[22]
OS X Mojave[23]

GNU/Linux
Most Linux distributions support 802.1X via wpa_supplicant and desktop integration such as NetworkManager.
Federations
eduroam (the international roaming service), mandates the use of 802.1X authentication when providing network access to guests visiting from other eduroam enabled institutions.[24]
BT (British Telecom, PLC) employs Identity Federation for authentication in services delivered to a wide variety of industries and governments.[25]
Proprietary extensions

MAB (MAC Authentication Bypass)
Not all devices support 802.1X authentication. Examples include network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones. For those devices to be used in a protected network environment, alternative mechanisms must be provided to authenticate them.
One option would be to disable 802.1X on that port, but that leaves the port unprotected and open to abuse. Another, slightly more reliable option is MAB. When MAB is configured on a port, the port first checks whether the connected device is 802.1X capable; if no EAPOL response is received from the device, the authenticator attempts to authenticate it against the AAA server using the device's MAC address as both username and password. The network administrator must then provision the RADIUS server to authenticate those MAC addresses, either by adding them as regular users or by implementing additional logic to resolve them against a network inventory database. Note that MAB provides no protection against MAC spoofing: any host that can observe or guess an authorized MAC address can present it.
Many managed Ethernet switches[26][27] offer options for this.
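The following is an added example of the RADIUS-side "additional logic" the paragraph above refers to; it is not code from the page, from any switch vendor or from any RADIUS server. It assumes the authenticator sends the MAC as both User-Name and User-Password and marks the request with Service-Type = Call-Check (the convention Cisco switches use for MAB; treated here as an assumption), and it normalizes the several MAC spellings different switches emit (colon, hyphen, Cisco dotted, bare hex) before looking the address up in a constructed inventory. The Service-Type check matters because a MAC added "as a regular user" with the MAC as its password would otherwise also be usable as an ordinary password credential by an 802.1X supplicant.

```python
"""MAB (MAC Authentication Bypass) authorization decision.

Added example with a constructed inventory; attribute names follow standard RADIUS,
the Call-Check convention is an assumption about the authenticator.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed inventory: normalized MAC -> (device class, VLAN). Not from the page.
INVENTORY: Dict[str, Tuple[str, int]] = {
    "001122334455": ("printer", 30),
    "66778899aabb": ("ip-phone", 40),
}


def normalize_mac(raw: str) -> Optional[str]:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455;
    return 12 lowercase hex digits, or None if the string is not a MAC."""
    compact = re.sub(r"[:\-.]", "", raw.strip().lower())
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None


def mab_authorize(request: Dict[str, str]) -> Dict[str, object]:
    """Decide a MAB Access-Request. Returns {'result': 'accept', ...VLAN attrs} or
    {'result': 'reject', 'reason': ...}. Every check is explained inline."""
    user = normalize_mac(request.get("User-Name", ""))
    password = normalize_mac(request.get("User-Password", ""))
    # MAB requests carry the MAC in both fields; anything else is not MAB.
    if user is None or password is None or user != password:
        return {"result": "reject", "reason": "User-Name/User-Password are not the same MAC"}
    # Restrict MAC "accounts" to MAB so they cannot be replayed as 802.1X password logins
    # (assumption: the authenticator marks MAB with Service-Type = Call-Check).
    if request.get("Service-Type") != "Call-Check":
        return {"result": "reject", "reason": "MAC credential used outside a MAB request"}
    # The L2 source the switch saw must match the claimed MAC.
    if normalize_mac(request.get("Calling-Station-Id", "")) != user:
        return {"result": "reject", "reason": "Calling-Station-Id does not match User-Name"}
    entry = INVENTORY.get(user)
    if entry is None:
        return {"result": "reject", "reason": "MAC not in inventory"}
    device_class, vlan = entry
    # Standard tunnel attributes used for dynamic VLAN assignment (RFC 3580).
    return {"result": "accept", "device_class": device_class,
            "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


if __name__ == "__main__":
    print(mab_authorize({"User-Name": "00-11-22-33-44-55", "User-Password": "0011.2233.4455",
                         "Service-Type": "Call-Check", "Calling-Station-Id": "00:11:22:33:44:55"}))
```

The inventory lookup is the place to add the vendor-neutral policy a practitioner actually wants: a printer MAC should land in the printer VLAN only on the ports where printers are expected, and a MAC that appears on two ports at once is a spoofing signal, neither of which MAB itself can detect.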
Vulnerabilities in 802.1X-2001 and 802.1X-2004

Shared media
In the summer of 2005, Microsoft's Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol involving a man-in-the-middle attack. In summary, the flaw stems from the fact that 802.1X authenticates only at the beginning of the connection; after that authentication, an attacker who can physically insert a device (for example, a workgroup hub) between the authenticated computer and the port can use the authenticated port. Riley suggests that for wired networks the use of IPsec, or a combination of IPsec and 802.1X, would be more secure.[28]
EAPOL-Logoff frames transmitted by the 802.1X supplicant are sent in the clear and contain no data derived from the credential exchange that initially authenticated the client.[29] They are therefore trivially easy to spoof on shared media, and can be used as part of a targeted DoS on both wired and wireless LANs. In an EAPOL-Logoff attack a malicious third party, with access to the medium the authenticator is attached to, repeatedly sends forged EAPOL-Logoff frames from the target device's MAC Address. The authenticator (believing that the targeted device wishes to end its authentication session) closes the target's authentication session, blocking traffic ingressing from the target, denying it access to the network.
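To make the framing in the Protocol operation section and the EAPOL-Logoff attack described above concrete, here is an added example (not code from the page, from IEEE or from any vendor) that builds and parses EAPOL frames and runs a simple logoff-flood detector over a constructed capture. Field layouts follow IEEE 802.1X-2004 (EAPOL header: version, type, length) and RFC 3748 (EAP header: code, identifier, length, type). The PAE group address 01:80:C2:00:00:03, the sample MACs, the identity string and the timestamps are all assumptions or constructed data; only the EtherType 0x888E comes from the page. Because a Logoff is unauthenticated, the detector can only observe the pattern (repeated Logoffs for one source MAC in a short window); it cannot distinguish a forged frame from a genuine one.

```python
"""EAPOL frame builder/parser plus an EAPOL-Logoff flood detector.

Added example. Layouts per IEEE 802.1X-2004 and RFC 3748; all addresses,
identities and timestamps are constructed sample data.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E                         # from the page
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC (assumption)
EAPOL_VERSION = 2                                # 802.1X-2004 protocol version

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2      # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

SUPPLICANT_MAC = bytes.fromhex("001122334455")     # constructed
AUTHENTICATOR_MAC = bytes.fromhex("66778899aabb")  # constructed
OTHER_HOST_MAC = bytes.fromhex("ccddeeff0011")     # constructed


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: code | identifier | length | [type | type-data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(src: bytes, pkt_type: int, body: bytes = b"", dst: bytes = PAE_GROUP_ADDR) -> bytes:
    """Ethernet II frame: dst | src | 0x888E | EAPOL version | type | body length | body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, pkt_type, len(body)) + body


def parse_eapol(frame: bytes) -> Dict[str, object]:
    """Parse an Ethernet II frame carrying EAPOL; raise ValueError for anything else.
    The EAPOL length field bounds the body, so minimum-size Ethernet padding after a
    short EAPOL-Start or EAPOL-Logoff is ignored rather than parsed."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, pkt_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not EAPOL: EtherType 0x%04x" % ethertype)
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field runs past end of frame")
    info: Dict[str, object] = {"dst": dst.hex(":"), "src": src.hex(":"),
                               "version": version, "type": pkt_type, "eap": None}
    if pkt_type == EAPOL_EAP_PACKET and length >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        eap: Dict[str, object] = {"code": code, "id": ident}
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:   # Success/Failure carry no type
            eap["eap_type"] = body[4]
            eap["data"] = body[5:eap_len]
        info["eap"] = eap
    return info


def sample_exchange() -> List[bytes]:
    """Constructed Start -> Request/Identity -> Response/Identity -> Success exchange.
    Supplicant frames go to the PAE group address; authenticator frames are unicast."""
    return [
        build_eapol(SUPPLICANT_MAC, EAPOL_START),
        build_eapol(AUTHENTICATOR_MAC, EAPOL_EAP_PACKET,
                    build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY), dst=SUPPLICANT_MAC),
        build_eapol(SUPPLICANT_MAC, EAPOL_EAP_PACKET,
                    build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice@example.org")),
        build_eapol(AUTHENTICATOR_MAC, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 1), dst=SUPPLICANT_MAC),
    ]


def detect_logoff_flood(capture: List[Tuple[float, bytes]], window_s: float = 10.0,
                        threshold: int = 3) -> Dict[str, int]:
    """Return {src_mac: total Logoff count} for sources that sent >= threshold
    EAPOL-Logoff frames inside any window_s seconds. One Logoff is normal;
    a burst from one MAC is the DoS pattern described above."""
    seen: Dict[str, List[float]] = defaultdict(list)
    for ts, frame in capture:
        try:
            info = parse_eapol(frame)
        except ValueError:            # not EAPOL (e.g. IPv4): skip
            continue
        if info["type"] == EAPOL_LOGOFF:
            seen[str(info["src"])].append(ts)
    flagged: Dict[str, int] = {}
    for src, times in seen.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


def sample_logoff_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: four forged Logoffs carrying the supplicant's MAC, one genuine
    Logoff from another host, and an IPv4 frame the detector must ignore."""
    forged = [(t, build_eapol(SUPPLICANT_MAC, EAPOL_LOGOFF)) for t in (0.0, 1.5, 2.0, 3.2)]
    genuine = [(5.0, build_eapol(OTHER_HOST_MAC, EAPOL_LOGOFF))]
    ipv4 = [(6.0, b"\xff" * 6 + SUPPLICANT_MAC + b"\x08\x00" + b"\x00" * 46)]
    return forged + genuine + ipv4


if __name__ == "__main__":
    for f in sample_exchange():
        print(parse_eapol(f))
    print(detect_logoff_flood(sample_logoff_capture()))
```

On a real switch the same signal is cheaper to get from the authenticator's own logs (repeated port de-authorizations for one MAC), but a capture-side detector like this one also works on wireless, where the attacker needs no physical insertion, only radio range.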
The 802.1X-2010 specification, which began as 802.1af, addresses vulnerabilities in previous 802.1X specifications by using MACsec (IEEE 802.1AE) to encrypt data between logical ports (running on top of a physical port) and IEEE 802.1AR (Secure Device Identity / DevID) authenticated devices.[5][6][30][31]
As a stopgap until these enhancements are widely implemented, some vendors have extended the 802.1X-2001 and 802.1X-2004 protocol, allowing multiple concurrent authentication sessions to occur on a single port. While this prevents traffic from devices with unauthenticated MAC addresses ingressing on an 802.1X authenticated port, it will not stop a malicious device snooping on traffic from an authenticated device and provides no protection against MAC spoofing, or EAPOL-Logoff attacks.
Alternatives
The IETF-backed alternative is the Protocol for Carrying Authentication for Network Access (PANA), which also carries EAP, although it works at layer 3, using UDP, thus not being tied to the 802 infrastructure.[32]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=IEEE_802.1X&oldid=912687267'