IS MAC Address Restriction Absolutely Effective? Review the security of corporate wireless LAN with NetAttest EPS Soliton Systems K.K. SMKT1510-A
Table of Contents

Chapter 1 Is MAC Address Restriction Absolutely Effective? ... 3
  MAC address filtering is actually dangerous ... 3
  Obviously delayed wireless LAN security measures ... 4
  IEEE 802.1X authentication is required ... 5
Chapter 2 IEEE 802.1X Authentication Is Straightforward ... 7
  Risk of information leakage from brought-in smartphones ... 7
  EAP-TLS with high authentication strength should be used ... 8
  Expertise from system integrators and network integrators is brought together to easily build EAP-TLS ... 9
Chapter 3 Security Holes Are Hidden during Distribution of Electronic Certificates ... 12
  The private key is like your signature and the public key is like the certificate of signature ... 12
  Hidden security holes of certificate distribution ... 13
  Consider a system free from security holes ... 14
  NetAttest EPS saves work for the administrator and enhances the network security without sacrificing convenience ... 16
Chapter 1 Is MAC Address Restriction Absolutely Effective?

Security measures for the corporate wireless LAN environment are urgently required as smartphones and cloud computing develop. The risk of continuing to use vulnerable technologies such as MAC address filtering or PSK authentication is a particular concern. What security measures for wireless LAN are truly required? This white paper proposes a concept of required wireless LAN security, while introducing the functions of NetAttest EPS, an authentication server appliance provided by Soliton Systems.

MAC address filtering is actually dangerous

MAC address filtering uses the MAC addresses allocated to network equipment to restrict network access. It is presented as a wireless LAN security function in home routers and other devices, and is sometimes called "MAC address authentication" as if it were an authentication method. So many people might believe that MAC address filtering is a security function that, while not complete, has some effect. However, it has become clear that MAC address filtering has almost no effect against recent cyberattacks targeting companies. This does not mean that MAC address filtering has a limited effect or is better than nothing. In some cases, setting up MAC address filtering gives users a false sense of security, and it signals to attackers that the network security is not strictly managed.

One of the reasons why MAC address filtering is dangerous is the ease of impersonation. Because MAC addresses are not encrypted on the network, outsiders can clearly identify them by capturing packets from the wireless LAN. Tools to change MAC addresses are distributed on the Internet and easily available. In other words, malicious attackers can effortlessly get past this control just by using these tools to spoof a permitted MAC address.
Figure 1: MAC Addresses Are Not Encrypted on the Network (labels: capture tool; MAC address filtering)
As a matter of course, attackers must still decrypt encrypted communication or perform other tasks after getting past MAC address filtering. However, if you feel safe because MAC address filtering is part of your security measures, the other measures are probably insufficient as well. Attackers catch you unguarded and find out whether WEP or another easily decrypted encryption method is used, or whether a simple password is reused. As recent targeted cyberattacks show, attackers' methods are increasingly sophisticated. Now is the time to implement truly effective security measures for corporate wireless LAN rather than measures that attackers can exploit.

Obviously delayed security measures for wireless LAN

What security measures are essentially required for corporate wireless LAN? Let's review the current state of corporate wireless LAN in terms of changes in the surrounding environment, risks, required measures, and other aspects.

Figure 2: Environmental and Technological Changes in Current Corporate Wireless LAN
- Environmental change: explosive spread of smartphones and tablet PCs. In the office, this allows employees to use their personal devices in the company. Exposed risk: using a personal smartphone or tablet in the office poses the same risk as inserting a USB thumb drive into a PC and taking it out.
- Technological changes: the wireless LAN security that was trusted in the past is outdated.
  - MAC address filtering: not encrypted on the network; information can be easily acquired by capturing packets.
  - Stealth SSID: analyzed by capturing wireless packets; the SSID of the access point may be obtained from the client.
  - WEP: the WEP key may be acquired to read transmitted data.
  - PSK: once the PSK is acquired, information can be easily acquired; if this happens, the PSK registered in all the devices must be changed.
One of the most significant environmental changes is the rapid spread of smartphones and tablet PCs. Although the danger of bringing in personal PCs and of copying data to USB thumb drives has been pointed out for a long time, the number of companies that prohibit these actions has at last started to increase. However, employees can still use their personal smartphones in the office without any restrictions. While people warn their coworkers not to insert a USB thumb drive into a corporate PC, almost nobody pays attention to the use of personal smartphones. Even though smartphones carry the same risk of information leakage, in-house systems and policies have not yet been established.

Likewise, technological risks have also been changing significantly. Although MAC address filtering, WEP encryption, stealth SSID (SSID broadcast OFF, rejection of "any" connections), or WPA2-PSK for communication were typical security measures for wireless LAN in the past, they can no longer ensure sufficient security. WEP is now out of the question, and anyone can acquire SSID information from wireless clients even if stealth SSIDs are used. Even WPA2-PSK, which is generally believed to be more robust, has a security hole. Being a shared key, the PSK (pre-shared key) can easily be displayed again and read on any device where it is set. Once attackers acquire the PSK, they can decrypt information in real time by capturing wireless communication.

WPA2-PSK also has an operational problem: it does not support so-called blacklist registration. Letting out the PSK is like losing your house key. It would be necessary to change the PSK in all the devices where it is registered, which is a huge operational load if your company has more than 100 employees. These are certainly fatal vulnerabilities for any company.

In this way, security measures for corporate wireless LAN are obviously delayed both systematically and technologically, while the environment for using smartphones and the cloud is being established.

IEEE 802.1X authentication is required

Then, what measures should we specifically take? The answer is that security measures based on IEEE 802.1X authentication are required for corporate wireless LAN. In fact, IEEE 802.1X authentication has started spreading due to concerns over the MAC address and shared key authentication described above. IEEE 802.1X authentication is a method that blocks all communication from unauthenticated clients and only allows authenticated users to establish communication. The components include an 802.1X-enabled LAN switch and a RADIUS authentication server, and an authentication protocol called EAP (Extensible Authentication Protocol) is employed.

There are, for instance, EAP-PEAP authentication using an ID and password and EAP-TLS using electronic certificates. Specific authentication methods and their characteristics are shown in the table below. In this table, EAP-TLS is desirable for corporate wireless LAN as it supports user and device authentication and can control connections from unauthorized devices. Because PEAP authentication cannot control personal smartphones, certificates are gaining attention, and TLS authentication is being adopted in more and more cases. The encryption method used is WPA or WPA2.
Figure 3: Comparison between Wireless LAN Authentication Methods

Shared WPA encryption key + MAC address filter
- Authentication strength: extremely weak
- Advantages and disadvantages: the MAC address can be stolen from packets and easily spoofed (unauthorized access will not be noticed); MAC addresses must be collected and deleted as an operational task
- Personal devices: cannot be controlled
- Suitable environment: home wireless router; single-site small office

ID and password (EAP-PEAP authentication)
- Authentication strength: weak to medium
- Advantages and disadvantages: if you know the password, you can connect to the network even from a personal device; setup on the user side is easy
- Personal devices: cannot be controlled (a personal device with a legitimate ID and password is accepted)
- Suitable environment: conventional IT environment where smartphones are not taken into consideration

Digital certificate (EAP-TLS authentication)
- Authentication strength: strong
- Advantages and disadvantages: user and device authentication (control of connections from unauthorized devices) is supported; digital certificates must be distributed
- Personal devices: can be controlled (only a legitimate device is accepted; a personal device is rejected)
- Suitable environment: LAN in a company or public office; LAN that contains personal data, such as a medical network

IEEE 802.1X authentication does not seem to be widely spread.
However, as the use of wireless LAN has spread among companies, the guidebook published by the Ministry of Internal Affairs and Communications of Japan on January 30, 2013, "For Companies and Other Organizations to Safely Implement and Operate Wireless LAN," describes the disadvantages of PSK authentication and the advantages of IEEE 802.1X authentication in terms of the authentication methods as follows.

"PSK authentication can be easily adopted because an authentication server is not required and for other reasons. However, because the devices that connect to the same access point share a passphrase, the attacker may connect to the network through impersonation if the passphrase leaks. In addition, since PSK authentication does not provide a system to automatically distribute the passphrase to individual devices, management and operation such as specification or update of the passphrase becomes cumbersome if the number of connected devices increases." (p. 12 in the guidebook)

"Although IEEE 802.1X authentication requires an authentication server, you can prevent unauthorized devices from connecting to the wireless LAN because network connection is permitted after the device is authenticated. It is basically desirable to use IEEE 802.1X authentication, which supports device authentication, though the authentication method must be considered, taking the number of devices that use the wireless LAN, the characteristics of operation, and other factors into consideration." (p. 12 in the guidebook)

Given the current situation, it is certainly necessary to implement security measures using IEEE 802.1X authentication for corporate wireless LAN.
Chapter 2 IEEE 802.1X Authentication Is Straightforward

Security measures for the corporate wireless LAN environment are urgently required. Some technologies, such as MAC address filtering, are almost wholly ineffective in protecting corporate information. However, they are mistaken for effective security measures and continue to be adopted in the wireless LAN environments of small and medium-sized enterprises, branch offices, local sites, and other locations. What is now required is to build an IEEE 802.1X authentication server. How should companies address this challenge?

Risk of information leakage from brought-in smartphones

As described in the previous chapter, MAC address filtering on wireless LAN is wholly insufficient as a security measure to protect corporate information. MAC address filtering is almost no deterrent to attackers who try to launch a cyberattack. What is even worse is that using MAC address filtering may reveal that the company is careless. Furthermore, as anyone can obtain attack tools these days, even stealth SSID and WPA2-PSK cannot provide sufficient protection against malicious attacks. In this context, it is strongly required to implement security measures for wireless LAN based on IEEE 802.1X authentication. Let's look at the importance of building an IEEE 802.1X authentication system, the required functions, and how to build it, using NetAttest EPS from Soliton Systems as an example.

First, let's briefly review IEEE 802.1X authentication. IEEE 802.1X authentication is a so-called client authentication method. It blocks all communication from unauthenticated clients and only allows authenticated users and devices to establish communication.
Figure 4: IEEE 802.1X Authentication Configuration (wireless LAN client with IEEE 802.1X supplicant, wireless LAN AP acting as IEEE 802.1X authenticator, IEEE 802.1X authentication server, and a PC for management; the result is an impregnable wireless LAN)

The components of IEEE 802.1X authentication are the following three: authentication software on the client (device), an access point that supports IEEE 802.1X authentication, and a RADIUS (Remote Authentication Dial-In User Service) authentication server. The authentication protocol is EAP (Extensible Authentication Protocol), and the main authentication methods are the following two: EAP-PEAP authentication, which uses an ID and password, and EAP-TLS authentication, which uses an electronic certificate. The major difference between them is whether an electronic certificate is installed on the client. (With both methods, an electronic certificate is used on the server.)

For example, with EAP-PEAP, an ID and password are used for authentication on the client. An advantage is easy setup, since each user shares the ID and password and no electronic certificate is required on the client. The disadvantage is that anyone who knows the password can connect to the network from an office PC or even from a personal device.

Information leakage risk caused by connecting a personal smartphone

This does not cause a big problem in an environment where the internal network can be connected to only from office PCs. Recently, however, there is a higher risk that internal information can be taken out by connecting a personal smartphone to the wireless LAN. If the ID and password are leaked, they could be used for unauthorized access from a device other than an office PC.

EAP-TLS with high authentication strength should be used

In this context, EAP-TLS is required to avoid this information leakage risk. With EAP-TLS, an electronic certificate is installed on the client, so connections from unauthorized devices are rejected: access from a PC or smartphone on which no electronic certificate is installed is refused in the first place. Therefore, EAP-TLS realizes stronger authentication than EAP-PEAP. However, EAP-TLS has management issues, such as distributing an electronic certificate to each client. The time and effort required for building and operation is one of the reasons why companies have not widely adopted EAP-TLS, although the method ensures robust security.
[Seven elements required to build and operate an EAP-TLS system]
(1) LAN switch and access point that support IEEE 802.1X
(2) RADIUS authentication server
(3) CA (certificate authority) server
(4) DHCP server to issue correct IP addresses
(5) System to distribute the certificates and link with the user database
(6) System to back up information on each server
(7) Procedures and expertise for designing, operating, and troubleshooting these systems

It is perhaps not extremely cumbersome just to establish an authentication infrastructure for client authentication. However, to operate it properly, it is necessary to set up a private CA, link with the internal Active Directory (AD) or LDAP, and build the system to distribute the certificates to clients, among other systems. In some cases, you must also consider whether the AD link is permitted, fault-tolerant design, management tools, and other matters. Considerations about the authentication server in the corporate system are summarized below.

[Consideration of scalability]
(1) Can the server also be used for SSL-VPN authentication, authentication in a browser dedicated to business operations, web single sign-on authentication, remote desktop authentication, and other authentication?
(2) Can the authentication method be easily modified? (For example, can a one-time password be easily applied in addition to the certificate?)

[Consideration of multi-functional device support]
(1) Can the digital certificates be distributed to multiple OSs?

[Consideration of operation workload]
(1) Can the digital certificates be easily and safely distributed according to your environment?
(2) Can users who have not used the system for a certain period be easily managed?
(3) Can the server be easily linked with the internal AD or ID management system?

[Consideration of reliability]
(1) Can safe operation be realized?
(2) Is domestic support available?

NetAttest EPS can easily realize EAP-TLS and by itself address these various challenges that companies face.
Expertise from system integrators and network integrators is brought together to easily build EAP-TLS

NetAttest EPS is an all-in-one authentication appliance that is equipped with a RADIUS authentication function, a private CA function, a certificate distribution and management function, and other features. It is the core product of the NetAttest series, which has been implemented in more than 10,000 systems in total. Its main characteristic is easy implementation and operation without requiring special knowledge or technology. For example, building an EAP-TLS-enabled authentication infrastructure normally requires the following six steps.

[Normal procedure for building an EAP-TLS-enabled authentication infrastructure]
1. Preparation of hardware
2. Installation of OS
3. Building of private CA
4. Installation of RADIUS
5. Setup of RADIUS
6. Setup of users

With NetAttest EPS, only the following three steps are required. The man-hours required are less than half of the above procedure.

[Procedure for building an EAP-TLS-enabled authentication infrastructure using NetAttest EPS]
1. Installation of NetAttest EPS
2. Initial setup wizard
3. Setup of users

How can NetAttest EPS reduce man-hours? This is largely because Soliton Systems has the skills and expertise required of both system integrators (building and operation of servers) and network integrators (building and operation of networks). Generally, network integrators are in charge of building the wireless LAN environment, while system integrators are in charge of the AD link, RADIUS server, CA server, and other servers. This role-sharing inevitably causes delay when the skills and expertise for both tasks are required, which leads to an increase in man-hours. Therefore, Soliton Systems built the expertise for each task into the appliance so that either network integrators or system integrators can complete the job. NetAttest EPS, which Soliton Systems completed as a result, realizes quick implementation without requiring special knowledge.
Figure 5: Elements of Building and Operation of Server and Network when Building a Wireless LAN Authentication Environment (typical case: the network integrator builds the wireless LAN or other network, while the system integrator handles linkage with Active Directory and building of the RADIUS and CA servers; the difficulty of linkage means coordination among staff, verification of the linkage, separation of responsibility at failure, and an increase in processes and time. When using NetAttest EPS, users without special knowledge can quickly build the environment.)

In addition, NetAttest EPS is an all-in-one product that provides the functions required to build an IEEE 802.1X authentication server, such as abundant RADIUS authentication functions, an intuitive Web UI, easy AD linkage, a settings backup/restoration function, support for redundant configuration, and many proven records of linking with devices from Wi-Fi and VPN manufacturers. You can easily implement a safe authentication infrastructure based on IEEE 802.1X simply by implementing NetAttest EPS.
Chapter 3 Security Holes Are Hidden during Distribution of Electronic Certificates

Electronic certificate authentication, in which a different certificate is installed on each client, ensures the robust security required for the corporate wireless LAN, unlike PSK (pre-shared key) authentication, where multiple users share the same password, or MAC address authentication, where the address can be easily spoofed. However, using certificates does not always ensure robust security. For example, depending on the distribution method, a certificate can be illegally obtained and used to spoof a legitimate device. A certificate itself could be stolen and exploited, just as an outsider could find out and exploit a password. So, what should we be careful about in order to fundamentally raise the security level using certificates? This chapter describes how to identify and avoid hidden security holes when using certificates, introducing the functions of NetAttest EPS, an authentication server appliance provided by Soliton Systems.

The private key is like your signature and the public key is like the certificate of signature

First, let's quickly review electronic certificates. Quite a few people might think that an electronic certificate is difficult to manage and takes time and cost. However, electronic certificates are not very complicated once you understand the mechanism. Rather, understanding what a certificate is is essential to handling it properly.

[What is an electronic certificate?]
An electronic certificate is a data set that proves the identity and other properties of a user by applying public key cryptography. Public key cryptography needs a private key and a public key, and uses a security infrastructure called PKI (public key infrastructure) to validate (authenticate) the identity. In a nutshell, you can think of the private key as your signature (personal signature) and the public key as the certificate of signature.
A signature alone does not in fact prove you are who you claim to be. You need to get a certificate of signature from a notary public or other organization and pair it with your signature to truly identify yourself. Likewise, with PKI, each user has a private key (signature) to prove their identity. In addition, the user gets the public key (certificate of signature) from the certificate authority (notary public) and pairs it with the private key for identification.

Figure 6: Electronic Certificates Can Be Easily Understood by Regarding the Private Key as the Signature and the Public Key as the Certificate of Signature (example side: a resident's personal seal, with the notary public issuing a certificate of signature that an officer checks, to show the validity of identity to third parties; PKI side: the user's private key, with the certificate authority (CA) issuing an electronic certificate (public key) that the system administrator (RA) checks; the certificate is like a digitized ID card)
Here, "pairing the private key and the public key" means that data encrypted with one of them can be decrypted only with the paired key. In actual authentication, the user's device and the server that manages the certificates verify identity between them using this key pair.

Hidden security holes of certificate distribution

To use this public key cryptography, you must first install the public key (certificate) and private key on the user's device. As those who have used Internet banking or administrative services with electronic certificates probably understand, safe communication cannot be established without somehow importing the public key and private key into the client PC. The PKCS#12 file is mainly used to import the certificate into the client PC; it contains a pair of public key (certificate) and private key. The problem here is that the PKCS#12 file itself can be copied. In addition, if export of the private key is allowed, the private key can also be copied. In other words, if the certificate is distributed via email or CD-ROM, a malicious person who obtains that email or CD-ROM can easily make an illegal copy, and anyone holding the copy can impersonate the legitimate user. This is the hidden security hole of certificate distribution.

Figure 7: Challenges of Digital Certificate Distribution (the PKCS#12 file, containing a public key certificate and private key pair, is mainly used to import the certificate into the client PC; when importing this pair, export of the private key can be prohibited manually, but the PKCS#12 file itself can be copied, so it can be illegally copied while it is sent by email, CD-ROM or other means, for example from a company PC to a personal smartphone. Challenges of the distribution method: is the file that contains the private key sent by email? Does the local administrator distribute the file? Overseas offices and group companies, the iPhone configuration utility, devices equipped with a wired NIC, manual setup of the certificate and WiFi by the administrator or user, registration methods that differ depending on the OS, and how to prohibit export of the private key all need to be considered.)
In fact, an attack exploiting this security hole was revealed in Japan in 2014 and caused a panic. In this incident, the attacker targeted an Internet banking service for corporations and stole the electronic certificate that contained a private key which was permitted to be exported. In the wake of this attack, banks were recommended to prohibit export of the private key used for corporate Internet banking and to protect the private key strongly in principle.

Consider a system free from security holes

A desirable solution is to adopt a system free from these security holes. However, recent cyberattacks are sophisticated, and you cannot fundamentally eliminate attacks simply by prohibiting export of the private key. In fact, in a recent Internet banking fraud, the attacker acquired the private key with the following M.O.

[M.O. to steal an electronic certificate imported with export disabled]
1. A malicious program deletes the electronic certificate from the target device.
2. The user asks the bank to reissue the certificate.
3. The malicious program copies the certificate when the user imports the reissued certificate.
4. The copied certificate is sent to the attacker's server.
Reference: "Warning in August 2014," IPA

Figure 8: Danger of Issuing a Certificate Using a File with the Private Key (M.O. to illegally copy the certificate: 1. the virus deletes the electronic certificate; 2. the user goes through the procedure for reissuing the electronic certificate; 3. the certificate authority sends a reissued electronic certificate file that contains the private key; the P12 file temporarily stored in the device is illegally copied and sent, and the attacker obtains the file and the private key. When electronic certificates are exchanged using a PKCS#12 file, there is always a risk that they may be illegally acquired.)

This attack targeted an unguarded point while the user felt safe by prohibiting export. Reactive measures are powerless to protect against increasingly advanced cyberattacks.
To address this situation, NetAttest EPS from Soliton does not use the PKCS#12 file itself. Specifically, the user's client device generates the private key, and the generated private key never leaves the device over any communication path.

Figure 9: Issue of Certificate in NetAttest Where a File Containing the Private Key Is Not Used (flow: the user logs in to the user page of the ABCD Corp. certificate authority, enters application information and requests a certificate; the computer name, domain name, Windows ID name, and other properties are sent automatically; the private key is automatically generated on the device with export prohibited, and the application procedure ends there. On the administrator page, the administrator checks who is requesting the certificate from which device, approves the request, and issues the public key; an approval and issue notification email is sent. After notification of approval, the user logs in to the user page again and enrolls the certificate. Revocation is performed from the issued certificate list. The private key never leaves the device over any communication path, and the certificate can be acquired only from the device that applied for it. When the certificate is acquired with KeyManager, the private key is likewise generated automatically within the device at the time of application and never flows over a communication path.)

The private key in the device is generated at the time of application with export prohibited, which also prevents physical theft.
Previously, a certificate could typically be generated and distributed in this way only in a closed network environment such as a LAN. NetAttest EPS can safely distribute a certificate even over the Internet by linking with NetAttest EPS-ap, a proxy server that supports mobile applications. Distribution of certificates and settings can be automated not only for PCs but also for multi-functional devices using iOS, Android, or Mac OS.
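To make the two distribution models concrete, here is an added OpenSSL walk-through (example code, not part of this white paper or of NetAttest EPS) that covers both the PKCS#12 hole described under "Hidden security holes of certificate distribution" and the on-device key generation described above. It assumes the openssl command-line tool is installed; the CA name, device name, file names and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Soliton's code). Two models for getting a client
# certificate onto a device, using only the openssl CLI:
#   Model A (hidden hole): key pair made centrally, shipped as a PKCS#12
#            bundle; every copy of that file is a copy of the private key.
#   Model B (NetAttest-style): the device makes its own key, sends only a
#            CSR (public key + identity) and receives back a certificate.
# Names, subjects and the passphrase below are constructed placeholders.

# Build a throwaway private CA in DIR (stands in for the corporate CA).
make_ca() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca.key" 2>/dev/null &&
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=ABCD Corp CA" \
        -days 365 -out "$dir/ca.crt" 2>/dev/null
}

# Model B, device side: generate the key on the device and emit a CSR.
# The CSR carries the public key and subject only; device.key stays here.
device_generate_key_and_csr() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/device.key" 2>/dev/null &&
    openssl req -new -key "$dir/device.key" \
        -subj "/CN=device01/O=ABCD Corp" -out "$dir/device.csr" 2>/dev/null
}

# Model B, CA side: after administrator approval, sign the CSR.
# The CA never sees device.key; only device.csr crossed the wire.
ca_issue_cert() {
    dir=$1
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 1 -days 365 \
        -out "$dir/device.crt" 2>/dev/null &&
    openssl verify -CAfile "$dir/ca.crt" "$dir/device.crt" >/dev/null 2>&1
}

# Check: the issued certificate wraps exactly the public key the device made.
cert_matches_device_key() {
    dir=$1
    k=$(openssl pkey -in "$dir/device.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/device.crt" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check: does a PEM artifact carry a private key at all? This is the test a
# defender applies to anything that leaves the device (CSR, certificate).
file_carries_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

# Model A: bundle key + certificate into a PKCS#12 file, as in the
# e-mail / CD-ROM distribution case from the text.
bundle_pkcs12() {
    dir=$1
    openssl pkcs12 -export -inkey "$dir/device.key" -in "$dir/device.crt" \
        -passout pass:changeit -out "$dir/device.p12" 2>/dev/null
}

# Model A risk: the bundle contains the key, so whoever holds the file (and
# its passphrase) holds the device identity. The "prohibit export" flag is
# applied only at import time on the client and does nothing for the file.
p12_key_extractable() {
    dir=$1
    openssl pkcs12 -in "$dir/device.p12" -nocerts -nodes \
        -passin pass:changeit 2>/dev/null | grep -q "PRIVATE KEY"
}

demo() {
    dir=$1
    make_ca "$dir" && device_generate_key_and_csr "$dir" && ca_issue_cert "$dir" || return 1
    cert_matches_device_key "$dir" && echo "Model B: certificate matches the on-device key"
    file_carries_private_key "$dir/device.csr" || echo "Model B: CSR carries no private key"
    file_carries_private_key "$dir/device.crt" || echo "Model B: certificate carries no private key"
    bundle_pkcs12 "$dir" || return 1
    p12_key_extractable "$dir" && echo "Model A: PKCS#12 bundle carries the private key"
}

demo "$(mktemp -d)"
```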
NetAttest EPS saves work for the administrator and enhances the network security without sacrificing convenience

Enhancing security often reduces convenience and significantly increases operation man-hours, resulting in a trade-off. Therefore, it is noteworthy that the private key generation and certificate distribution system of NetAttest EPS does not sacrifice convenience at all while significantly reducing the administrator's work. NetAttest EPS is also an integrated authentication infrastructure that supports a variety of functions in addition to certificate distribution. In a corporate network, distribution of wireless client (WiFi) settings is as vital as distribution of certificates. To support the enterprise environment, distributed placement across multiple offices, equipment redundancy, a backup/restoration function, and other features are also required. In addition, as work styles change, remote work and mobile work must be supported. NetAttest EPS is equipped with functions to flexibly address these needs. Since it is urgent to review security measures for corporate wireless LAN, NetAttest EPS is recommended as a prominent candidate when building an integrated authentication infrastructure that supports IEEE 802.1X authentication.
Soliton White Paper 2015
Is MAC Address Restriction Absolutely Effective? Review the security of corporate wireless LAN with NetAttest EPS
SMKT1510-A
Published on October 26, 2015
Published by Soliton Systems K.K.
Contact: wwsales@list.soliton.co.jp
Reprinting, reproducing, or entering this document into electronic media, etc., without permission is prohibited.