Secure imaging over the network

Shifting work patterns mean that organizations need to provision new machines remotely without undermining security protocols.

Overview

Customers with highly secure internal networks may enforce network access and transport protections such as 802.1x or IPsec for every machine on the corporate network.

However, this presents challenges when trying to boot a machine using PXE or iPXE for re-imaging.

If your organization is attempting to allow re-imaging throughout the enterprise (at every user’s desk) – not just in protected imaging labs – 2Pint Software can help you navigate the challenges.

802.1x Background

The goal of 802.1x is to keep critical network resources on protected (or “Authorized”) networks and unknown devices on isolated (or “Un-Authorized”) networks, even when authorized and un-authorized computers are connected to the same switch. 802.1x is port-based access control: on its own it authenticates the device, not the traffic. Encrypting the link itself requires MACsec (802.1AE), for which 802.1x can supply the keys.

Authentication happens when the machine first connects to the network, using EAP over the switch port: either with a machine or user certificate (EAP-TLS) or with user credentials (for example PEAP with MSCHAPv2). The authentication (RADIUS) server then tells the switch whether to authorize the port.

Many 802.1x deployments also check endpoint posture before granting authorization. If the machine hasn’t been patched in a long time, has active anti-virus or anti-malware alerts, or fails any other policy check, the 802.1x authentication server can deny it access to the protected internal corporate network.

For machines that have fallen behind in patching, or that are under security review, the un-authorized network can be used for patching or incident response. Once the device is secured, its access to the authorized network can be restored.

The challenge

The challenge is that the PXE firmware and iPXE run before any operating system exists on the machine, so they cannot take part in the 802.1x or IPsec protection the OS will later enforce. The network must allow unauthenticated access to:

  • DHCP – For an IP address.
  • TFTP – to download the network boot program (NBP) whose name and server the DHCP/BOOTP options hand out; here the NBP is iPXE itself.
  • HTTP(S) – for what iPXE downloads from the iPXE server once it is running (a further iPXE build or boot script, and the WinPE boot files).
  • ConfigMgr - (if applicable) a CM distribution point.
  • WinPE – Any additional servers the WinPE client will connect to.
    • File server for downloading the Install.wim.
    • File access to any server WinPE must contact to bring the machine under the network security scheme (for example, to obtain an 802.1x client certificate).
    • Optionally, access to the domain controller if a domain join is necessary.

Enter iPXE

If your 802.1x solution allows connectivity using client-side certificates, it may be possible to incorporate a client-side certificate into the WinPE image used for imaging. Please consult your 802.1x vendor’s documentation for how to do this. Bear in mind that a certificate baked into a boot image is readable by anyone who can fetch the image, so treat it as a shared, low-privilege credential and give it the narrowest network policy that still lets imaging complete.

Otherwise, new machines connecting to the network for the first time won’t have certificates or any other means of becoming authorized. In this scenario, some basic server resources must be made reachable from the un-authorized network via an access control rule if PXE or iPXE is to succeed:

  • DHCP – The DHCP Server must be available to get an IP Address, and options for PXE.
  • PXE or iPXE Server – must be reachable so that the iPXE file can be downloaded over TFTP and the rest of the automation can run (ports 69, 8050 and 8051).
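The following PowerShell preflight is an added example, not part of 2Pint’s product: a technician plugs a laptop into the un-authorized network at the desk and runs it to confirm that the access rules above actually let the two services through. Server names, the NBP filename and the later-stage ConfigMgr and file-server names are assumptions; ports 8050 and 8051 are the 2PXE ports listed above. TFTP is probed with a real read request (RFC 1350) rather than a port scan, because TFTP is UDP and the server answers from a fresh port, which a connected-socket check would miss. DHCP is not probed; check the lease the laptop received instead.

```powershell
# Added example, not part of 2Pint's product. Run from a machine on the un-authorized
# network. Host names and the NBP filename below are assumptions; change them.
param(
    [string]$PxeServer = 'pxe01.corp.example',   # assumed 2PXE server
    [string]$NbpFile   = 'ipxe.efi',             # assumed NBP name handed out in DHCP option 67
    [int]$TimeoutMs    = 3000
)

function Test-TftpRead {
    # Sends an RFC 1350 read request (RRQ) and reports what the server answers.
    # The reply comes from a new UDP port (the server's transfer ID), so the socket
    # is deliberately left unconnected; a connected UdpClient would drop that reply.
    param([string]$Server, [string]$File, [int]$TimeoutMs)
    $ascii = [System.Text.Encoding]::ASCII
    $rrq   = [byte[]]((0, 1) + $ascii.GetBytes($File) + 0 + $ascii.GetBytes('octet') + 0)
    $udp   = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try {
        [void]$udp.Send($rrq, $rrq.Length, $Server, 69)
        $resp   = $udp.Receive([ref]$from)
        $opcode = ($resp[0] -shl 8) -bor $resp[1]
        switch ($opcode) {
            3 {
                # DATA: the file exists and TFTP is reachable. Abort politely with an
                # ERROR packet so the server does not keep retransmitting block 1.
                $abort = [byte[]]((0, 5, 0, 0) + $ascii.GetBytes('probe only') + 0)
                [void]$udp.Send($abort, $abort.Length, $from.Address.ToString(), $from.Port)
                return "OK: $($resp.Length - 4) bytes of block 1 from $($from.Address):$($from.Port)"
            }
            5 {
                $msgLen = [Math]::Max(0, $resp.Length - 5)   # opcode(2) + errcode(2) + msg + NUL
                return "FAIL: TFTP error " + $ascii.GetString($resp, 4, $msgLen)
            }
            default { return "FAIL: unexpected opcode $opcode" }
        }
    } catch {
        return "FAIL: no reply in ${TimeoutMs} ms ($($_.Exception.Message))"
    } finally {
        $udp.Close()
    }
}

function Test-TcpPort {
    # Connect with a timeout; TcpClient.Connect alone can block for ~20 s per port.
    param([string]$Server, [int]$Port, [int]$TimeoutMs)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'FAIL: timeout' }
        $tcp.EndConnect($ar)
        return 'OK'
    } catch {
        return "FAIL: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}

# Targets: the two services that must be reachable from the un-authorized network,
# plus the later-stage servers WinPE needs (assumed names; add your own).
$checks = @(
    @{ Name = 'TFTP : NBP download';      Result = Test-TftpRead -Server $PxeServer -File $NbpFile -TimeoutMs $TimeoutMs }
    @{ Name = 'TCP  : 2PXE HTTP 8050';    Result = Test-TcpPort -Server $PxeServer -Port 8050 -TimeoutMs $TimeoutMs }
    @{ Name = 'TCP  : 2PXE HTTPS 8051';   Result = Test-TcpPort -Server $PxeServer -Port 8051 -TimeoutMs $TimeoutMs }
    @{ Name = 'TCP  : ConfigMgr DP 443';  Result = Test-TcpPort -Server 'dp01.corp.example' -Port 443 -TimeoutMs $TimeoutMs }     # assumed
    @{ Name = 'TCP  : file server SMB 445'; Result = Test-TcpPort -Server 'files01.corp.example' -Port 445 -TimeoutMs $TimeoutMs } # assumed
)
foreach ($c in $checks) { '{0,-26} {1}' -f $c.Name, $c.Result }

# DHCP cannot be probed this way: confirm with 'ipconfig /all' that the lease came from
# the expected scope and carries the boot server (option 66) and file name (option 67).
```

A TFTP result of OK proves the access rule and the NBP name at the same time; a TFTP error reply proves the rule but a wrong filename; no reply at all usually means the rule is missing or the switch port has not yet been placed in the un-authorized VLAN.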

Network load balancers

If you have multiple iPXE servers in your environment, it may be possible to place them behind a network load balancer. In this case only the load balancer needs an 802.1x exception; note that the load balancer must pass UDP TFTP (port 69), not just the HTTP(S) traffic, for PXE to work through it.

This should be enough for basic PXE/iPXE operations, but at some point the client will need to communicate with other devices such as ConfigMgr distribution points, domain controllers and file shares. You may need to work with your security team to determine whether placing these servers in the un-authorized network is allowed.

However, your security team may wish to limit access to only DHCP and PXE, and not to ConfigMgr distribution points, domain controllers, etc. In this case the preferred method is to acquire an 802.1x MAB (MAC Authentication Bypass) exception for the new computer.

MAB Exceptions using iPXE

MAB (MAC Authentication Bypass) exceptions are a way to admit a machine that has no certificate to the authorized network for a limited time. We do this by adding the specific MAC address of the machine in question to the 802.1x authentication server’s MAB list through its REST API. Because a MAC address is trivially cloned, the exception should be as short-lived and as narrowly scoped (imaging VLAN or downloadable ACL) as the authentication server allows.

iPXE Anywhere helps obtain a MAB exception as follows:

  • iPXE can be used to prompt the user for credentials, authenticated with Active Directory.
  • We can then use the iPXE Anywhere Web Service to run custom PowerShell scripts to make REST API calls.
  • After the API call has been made, we trigger re-authentication on the switch port with an EAPOL request, so the switch re-evaluates the port and the new MAB entry lets the machine onto the authorized network.
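As an added example of the second step, here is the kind of script the web service would run; it is not 2Pint’s code and not any NAC vendor’s API. The REST endpoint, its JSON schema, the token file and the ‘Imaging’ policy name are assumptions that must be replaced with those of your 802.1x server. The script expects the MAC address (in iPXE, `${net0/mac}`) and the Active Directory account that iPXE authenticated, normalises and validates the MAC so a crafted value from the client cannot widen the exception, creates a time-boxed exception, and with `-Revoke` removes it again at the end of the task sequence.

```powershell
# Added example, not 2Pint's or any NAC vendor's code. The NAC endpoint, its JSON
# schema, the token file and the 'Imaging' policy name are assumptions; adapt them
# to the REST API of your 802.1x/RADIUS server.
param(
    [Parameter(Mandatory)] [string] $MacAddress,      # from iPXE, e.g. ${net0/mac}
    [Parameter(Mandatory)] [string] $RequestedBy,     # the AD account iPXE authenticated
    [switch] $Revoke,                                 # called again at the end of imaging
    [int]    $TtlMinutes = 120,                       # long enough to image, and no longer
    [string] $NacBaseUrl = 'https://nac.corp.example/api/v1',          # assumed
    [string] $TokenPath  = 'C:\ProgramData\ImagingSvc\nac-token.txt'   # assumed; ACL it to the service account
)

function ConvertTo-CanonicalMac {
    # Accepts 00-11-22-33-44-55, 00:11:22:33:44:55, 001122334455 or 0011.2233.4455
    # and returns AA:BB:CC:DD:EE:FF. Refuses anything that is not exactly one
    # unicast MAC, so a crafted value from the client cannot widen the exception.
    param([string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 12) { throw "Not a MAC address: '$Mac'" }
    $firstOctet = [Convert]::ToInt32($hex.Substring(0, 2), 16)
    if ($firstOctet -band 1) { throw "Refusing multicast/broadcast address $hex" }
    return ($hex -replace '(..)(?!$)', '$1:')
}

function Invoke-NacApi {
    # One place for auth and error handling. The bearer token lives on the web service
    # host, never in the iPXE script, which the client can read in the clear.
    param([string]$Method, [string]$Path, [object]$Body)
    $token = (Get-Content -Path $TokenPath -Raw -ErrorAction Stop).Trim()
    $call  = @{
        Method      = $Method
        Uri         = "$NacBaseUrl/$Path"
        Headers     = @{ Authorization = "Bearer $token" }
        ErrorAction = 'Stop'
    }
    if ($null -ne $Body) {
        $call.Body        = $Body | ConvertTo-Json -Compress
        $call.ContentType = 'application/json'
    }
    return Invoke-RestMethod @call
}

$mac = ConvertTo-CanonicalMac -Mac $MacAddress

if ($Revoke) {
    $null = Invoke-NacApi -Method Delete -Path "mab-exceptions/$mac"
    Write-Output "Revoked MAB exception for $mac"
    return
}

# Time-box the exception server-side as well as revoking it from the task sequence:
# a MAC address is trivially spoofed, so a standing MAB entry is a standing hole.
$expires   = (Get-Date).ToUniversalTime().AddMinutes($TtlMinutes)
$exception = @{
    mac         = $mac
    policy      = 'Imaging'     # assumed NAC policy: imaging VLAN / dACL, not full corporate access
    expiresAt   = $expires.ToString('o')
    description = "Re-image requested by $RequestedBy via iPXE at $((Get-Date).ToString('s'))"
}
$null = Invoke-NacApi -Method Post -Path 'mab-exceptions' -Body $exception
Write-Output "MAB exception for $mac active until $($expires.ToString('u')); re-authenticate the port now"
```

The web service should call this with the account name it verified against Active Directory, not with a name supplied by the client, so that the description on the exception is an audit trail of who asked for it. The same script with `-Revoke` belongs at the end of the task sequence, and the `expiresAt` value is the backstop for the case where the task sequence never gets that far.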

The code to call REST APIs may need to be customized for each site and solution. Please contact 2Pint Software for assistance.

Now the new machine has access to the internal corporate authenticated network, allowing us to perform a full OS install from scratch. The MAB exception should be removed by the task sequence (or expire on the authentication server) as soon as imaging completes, so that the bypass does not outlive the reason it was granted.

2Pint Software technology used:

  • iPXE
  • iPXE Anywhere 2PXE Server – for remote operating system deployment
  • iPXE Anywhere Web Service – for custom scenarios

Works with the following Microsoft technology:

  • DHCP
  • Microsoft Intune
  • PSD – PowerShell Deployment
  • Any other systems management technology for Windows management – Contact Us!

Learn more

Would you like to know more about running iPXE on 802.1x-protected networks?

We can help you get things going in your own environment. Just drop us a line using the contact form and we will get back to you.