
UAC & VMware , how does it Work ...

sylvain_
Contributor

Hi all,

I have a question regarding UAC and end-point compliance. What happens if I'm able to pass Host Checker & authentication with my workstation and then run VMware on the same machine (with the NAT option)? Will the VMware host be able to use the same connection and so get past all the security mechanisms (.1X, Host Checker, authentication ...) or not?

I've done this test with the Odyssey (and .1X) client and the answer seems to be no, as if this software is able to notice the source interface (virtual or physical). What happens in other cases (source IP enforcement, for example)?

If someone has already done all these tests, I would be very interested to have a deep explanation :-)

Regards,

Sylvain

Message Edited by sylvain on 01-24-2008 07:29 AM
4 REPLIES
aronow_
Contributor

Re: UAC & VMware , how does it Work ...

Sylvain,
I'm actually surprised that with 802.1x you are not able to get the NAT feature of VMware to work.
So let me explain.
With UAC you get two different types of enforcement.
1) L2 (802.1x) enforcement
2) L3 (source IP/IPsec) enforcement
With L2 enforcement, all that is required is that you have supplicant software on your workstation. You can use OAC or you can use the Microsoft supplicant software (Wireless Zero Config). Once you have completed the L2 authentication, the switch will open the switch port.
So if you've authenticated with the host system, I would imagine that any of the VMs using NAT should be able to connect through the now open port. OAC, for L2 enforcement, is only active during authentication.
L3 works a bit differently. L3 enforcement is done by an Infranet Enforcer. If you are using Source IP enforcer, then you should be fine connecting from NAT clients on the source workstation. If you are using IPSec enforcement I would bet that it may work since the VMware network stuff should just follow the Windows routing table.
I've not tested IPSec but I've had no issue with L2 or L3 (source-IP) enforcement.
Thanks
sylvain_
Contributor

Re: UAC & VMware , how does it Work ...

Hi aronow,

Thanks for your time and your response. So it seems VMware is a real problem because a user will be able to run a non-compliant host on the network. Actually, the only workaround I've found is to check for the VMware process (via Host Checker) and switch the user to a LAB or REMEDIATION VLAN. If there are other methods to get around this, I would be very interested.

Thanks

Sylvain
tawollen_
New Contributor

Re: UAC & VMware , how does it Work ...

We have found this loophole as well. I hadn't thought about looking for VMware processes; that is an interesting idea. We have also found this problem with Mac users using emulation software or other software such as Microsoft Virtual PC.

jpayne_
Occasional Contributor

Re: UAC & VMware , how does it Work ...

I'm hoping that by replying this gets a few more people to look at it.

This is a gaping hole here. Has anyone had any breakthroughs in the last 18 months? If not, should we start compiling a list of all emulation and VM process names?
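
The workaround discussed in this thread (have the endpoint check flag a virtualization process and move the user to a remediation VLAN), sketched as an added example that is not from any poster or from the vendor. The process lists, the `evaluate` function and the role names are assumptions, and the sample process listings are constructed. It separates processes that exist only while a guest is powered on from background services that run whenever the product is installed, so that merely having VMware installed does not trigger remediation.

```python
import ntpath

# Assumption: illustrative names only; verify against the versions you deploy.
# Processes that exist only while a guest is powered on.
GUEST_PROCESSES = {
    "vmware-vmx.exe": "VMware Workstation/Player",
    "virtual pc.exe": "Microsoft Virtual PC",
    "virtualboxvm.exe": "VirtualBox",
    "vboxheadless.exe": "VirtualBox",
}
# Background services that run even when no guest is powered on.
SERVICE_PROCESSES = {
    "vmnat.exe": "VMware NAT service",
    "vmnetdhcp.exe": "VMware DHCP service",
    "vmware-authd.exe": "VMware authorization service",
}


def normalize(raw):
    """Reduce a process entry (bare name or quoted full path) to a lowercase image name."""
    return ntpath.basename(raw.strip().strip('"')).lower()


def evaluate(processes):
    """Return the role a compliance check would assign for this process listing."""
    running, installed = set(), set()
    for raw in processes:
        name = normalize(raw)
        if name in GUEST_PROCESSES:
            running.add(GUEST_PROCESSES[name])
        elif name in SERVICE_PROCESSES:
            installed.add(SERVICE_PROCESSES[name])
    return {
        "role": "REMEDIATION" if running else "COMPLIANT",
        "guest_running": sorted(running),
        "installed_only": sorted(installed),
    }


# Constructed sample listings (not captured from a real host).
SAMPLE_IDLE = [r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\SysWOW64\vmnat.exe", "vmware-authd.exe"]
SAMPLE_GUEST = SAMPLE_IDLE + [
    r'"C:\Program Files\VMware\VMware Workstation\x64\VMWARE-VMX.EXE"']

if __name__ == "__main__":
    for label, sample in (("idle", SAMPLE_IDLE), ("guest", SAMPLE_GUEST)):
        print(label, evaluate(sample))
```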