topic Re: IP to user mapping unreliable in General Topics

IP to user mapping unreliable

dieter_b — Mon, 14 Feb 2011 12:36:38 GMT

Situation: PC connected to our domain. Domain users log on to it. Domain users have internet access.

The same PC is used for assessments. These (external) users log on with a local user account (not known as a domain user). These users are not allowed to have internet access.

If a domain user has logged on to the PC, the IP is mapped to the user. If the domain user logs off, the IP mapping remains (until timeout). If in the meantime a local user logs on, he/she has full internet access.

This posed two severe problems:

1. Traffic coming from that PC is mistakenly logged as coming from that user.

2. Policies for denying applications based on user don't work.

How can I make the device reliably identify users and allow/deny applications ?

Re: IP to user mapping unreliable

johnnywong — Mon, 14 Feb 2011 15:51:42 GMT

Hi Dieter,

Just suggest some settings:

1. Disable local users for your end user access

2. Change the default time of Age-out timeout in UIA as small as possible

3. If using NetBIOS Probing, you may consider to shorten that but it will affect your network performance

Hope it help.

Re: IP to user mapping unreliable

dieter_b — Mon, 14 Feb 2011 15:59:22 GMT

1. What exactly do you mean with disabling local users ?

2. Lowering the timeout only has effect on the PAN agent. Users are cached on the device with a fixed timeout of 3600 s. That's just too long.

3. no NetBIOS

Instead of using an agent, is there any way I can do realtime LDAP checking ? Instead of having policies look at IP addresses (even if you specify users, it comes down to IP's only), have the policies look at the user who's requesting access ? Similar to proxy authentication...

Re: IP to user mapping unreliable

rapoint_person — Mon, 14 Feb 2011 20:14:00 GMT

Well, then Captive Portal might do the trick. In captive portal you can set idle timeout and maximum session length. On the other hand there is no "logoff" or client probing. Using Captive Portal with NTLM-auth is "fairly" transparent to the user.

Re: IP to user mapping unreliable

dieter_b — Tue, 15 Feb 2011 08:27:18 GMT

Can I have a first CP policy do NTLM auth and if it fails use a second CP policy asking the user for credentials ?

Are CP policies evaluated in a specific order (like security rules) ?

Re: IP to user mapping unreliable

rapoint_person — Tue, 15 Feb 2011 08:38:06 GMT

When you define your Captive Portal you specify both an agent for NTLM authentication and an authentication profile for form-based authentication.

This means (and might not be well documented by Palo) that if you choose method NTLM in the CP-policy it will first try NTLM-authentication and then use form-based authentication as a fall back mechanism. You don't need a second policy with method captive-portal.

Rules are read from the top to bottom. This in turn means you can make exceptions above a general policy with method NTLM or captive-portal if you want.

Re: IP to user mapping unreliable

dieter_b — Tue, 15 Feb 2011 08:41:01 GMT

Thank you, I will try that.

Re: IP to user mapping unreliable

dieter_b — Tue, 15 Feb 2011 12:34:18 GMT

Update on the original situation:

There's a serious flaw in using the PAN agent:

- domain user logs on, ip is mapped to user

- domain user logs off

- local user logs on before the domain user-to-ip mapping times out on the device (3600s)

- as long as no other domain user logs on to the same pc, the PAN agent sees the ip active, but doesn't even check if it's still the same user

Proof of this is in the PAN agent log, fragment of the log at the time a local user was logged on (local username is completely different from domain username):

2011 02 15 13:14:04, PAN_AGENT_GET_NEW_IP: Number of IPs received from device (127.0.0.1): 1
2011 02 15 13:14:04, QueryIP 10.39.1.98 (mengrp\dieter) done
2011 02 15 13:14:04, Sending 1 IP(s) to device (127.0.0.1)
2011 02 15 13:14:04, [1] 10.39.1.98 : mengrp\dieter to device (127.0.0.1)

This gets logged every other minute or so. Doesn't even matter if the local user logs of or not.

The mapping never times out. You'd expect it to time out, what else is the age-out timeout setting in the PAN agent for ?

How can I ever be 100% certain that logged traffic is from a specific user ?

Re: IP to user mapping unreliable

bpappas — Tue, 15 Feb 2011 13:05:34 GMT

@dietr:

the QueryIP looks like a Netbios/WMI probe. Is Netbios/WMI probing enabled? If so what is the timer setting for the probe interval?

Re: IP to user mapping unreliable

dieter_b — Tue, 15 Feb 2011 13:37:51 GMT

You are correct. I was testing to see if it made any difference. It doesn't.

Log fragment with NetBIOS disabled:

2011 02 15 14:33:55, Sending 5 IP(s) to device (127.0.0.1)
2011 02 15 14:33:55,     [1] 10.39.1.62 : mengrp\geoffrey.beulque to device (127.0.0.1)
2011 02 15 14:33:55,     [2] 10.39.1.98 : mengrp\dieter to device (127.0.0.1)
2011 02 15 14:33:55,     [3] 10.39.0.106 : mengrp\geoffrey.beulque to device (127.0.0.1)
2011 02 15 14:33:55,     [4] 10.39.0.199 : mengrp\dieter.bulcke to device (127.0.0.1)
2011 02 15 14:33:55,     [5] 10.39.0.17 : mengrp\paul.gijswijt to device (127.0.0.1)

Note that the pc has been physically disconnected from the network over half an hour ago. But the PAN agent still thinks it is mapped to the domain user. Age-out timeout is set to 5 min.

Re: IP to user mapping unreliable

bpappas — Tue, 15 Feb 2011 13:53:59 GMT

@dieter:

in your pan agent config file what is the setting for <enable_full_expire>? if it is 0 change it to 1

is there a user_ip_map.txt file in the Pan Agent folder? If so delete it.

restart the PanAgent service.

do you still see the problem?

Re: IP to user mapping unreliable

dieter_b — Tue, 15 Feb 2011 14:02:45 GMT

enable_full_expire was indeed set to 0 (why is that option not on the configure dialog ?!)

The file user_ip_map.txt gets recreated shortly after restarting the panagentservice.

I will test timeout expiration now...

Re: IP to user mapping unreliable

dieter_b — Tue, 15 Feb 2011 14:22:02 GMT

Ok, the user now times out on the PAN agent.

But on the device the timeout is fixed at 3600 seconds. This means the local user who has logged on shortly after the domain user can still access the internet. And that traffic is mistakenly logged as coming from the domain user.

Re: IP to user mapping unreliable

rapoint_person — Tue, 15 Feb 2011 14:26:44 GMT

See you got some help regarding your idle/expire timers.

I agree that monitoring security logs solely never will identify users 100% correctly. You might get close to 100% depending on your network and you configuration. The main reasons for this being:

A) PAN-agent does not monitor logoff events. I’m not even sure DC’s default log those types of events.

B) PAN-devices rely on timers and/or wmi/nebios probing to speed up expiration of old ip-user mappings.

C) Palo doesn’t have an agent solution that can be installed on the client to pickup logon/logoff events and report these events on the fly to a “PAN-client-service” or whatever you want to call it.

Picking up client local logon events on the other hand would only be interesting if those types of logons resulted in the user was re-labeled as “unknown”. That way we can choose to deal with them as unknown users, have them logon in the domain again or use captive portal. Then again, this would require some sort of agent on the client.

Re: IP to user mapping unreliable

dieter_b — Tue, 15 Feb 2011 14:38:03 GMT

This undermines one of the most important features PaloAlto advertises: http://www.paloaltonetworks.com/technology/user-id.html

Re: IP to user mapping unreliable

rapoint_person — Tue, 15 Feb 2011 18:21:25 GMT

Well, that is one way to look at it. As I mentioned before it is likley we don't know 100% of the users 100% of the time. In a Windows environment local client users are a bit of a hazzle. Then again, how many of us allow "avarage Joe" to logon locally? In most cases nearly all users are in our directory.

I don't know how the LDAP-agent works with e-Directory as Novell saves both logon/logoff events in the directory as well as the client IP. In theory it would be easier to keep track of these users... but.....

...users were born to make our lives a living hell They shut off the PC's without logging off, hibernate the PC, etc.

100% correct 100% of the time is tough, but there is room for improvement no doubt.

Good Luck!

Re: IP to user mapping unreliable

James — Tue, 15 Feb 2011 18:34:46 GMT

If you require absolute to the second 100% information on a user - this will need s/w on the client. For this you have a couple of options:

1. Use a combination of 802.1x supplicants and 802.1x Network. Then use RADIUS messages from 802.1x over EAP, for example, to hook into our User-ID XML-API. You'll get log on and off here.

2. PAN-OS 4.0 will give you client s/w that can be distributed to get to the desired results for User-ID.

Best Regards

James

Re: IP to user mapping unreliable

dieter_b — Wed, 16 Feb 2011 07:38:05 GMT

Like you said: most users are in our active directory. That's because we want to make sure the user is allowed/forbidden access to certain resources. I consider AD authentication very reliable. The only time it fails is when users give their passwords to others, but that is not my responsability anymore.

Until further notice I consider User ID not reliable, but it is my responsability to make sure unauthenticated user can't browse the internet.

I'm having my reseller escalate the issue to the local PA office.

Re: IP to user mapping unreliable

npiagentini — Thu, 17 Feb 2011 17:20:21 GMT

Hi Dieter,

The real problem we are hitting here is that you have non domain users as well as domain users and our current design has no real support for local users. If you were having multiple domain users use the sytem, the new log in events would update and all would be well. Instead what happens is there is no event that we track occuring when the local user loggs on. You can define log out scripts in your AD to remove the user from User ID using the API. This would serve to make the local user unknown, which seems to be the result that you want. Does this make sence?

Nick

Re: IP to user mapping unreliable

dieter_b — Thu, 17 Feb 2011 17:23:51 GMT

Does make sense, but as far as I know, the PAN agents don't collect log out events.