When did you wake up and realize that not only do you no longer know what components are connected to your network, but that no matter how hard you try you might never know? Perhaps you've invested in extensive network-discovery and -mapping tools that provide partial snapshots of your network. But would you know if a manager installed a wireless hub to gain mobility, and whether other wireless users were on your network? And exactly how are the network drops in your conference rooms used? Is anyone swamping your VLANs (virtual LANs) with bad MAC (Media Access Control) addresses, turning them into simple bridges just for the fun of it?
The IEEE has a proposal for controlling your network: total network component authentication via 802.1x, or Port-Based Network Access Control. Get with the program and you'll know about every component on your network and be able to control which components have access to which services. The components will be able to send datagrams appropriate only for the authenticated MAC address. 802.1x comes at a steep price and its full potential may never be achieved, but it offers much promise. And for certain parts of your network, 802.1x's value is real and attainable.
802.1x is nothing more than a mechanism to transport EAP (Extensible Authentication Protocol, RFC 2284) packets over an 802 link layer. 802.1x defines a supplicant system connected to the network, an authenticator connected to the network to facilitate the supplicant's access to the network, and an authentication server that authenticates the supplicant and grants it access to the authenticator. RADIUS is typically the authentication server, while the authenticator plays the role of the RADIUS client. 802.1x evokes an image of waves of authentication spreading out from your secure data center to the edges of your organization. In this model, each component moving out from the authentication server acts first as a supplicant and then as an authenticator. A hub is authenticated to a router, then some routers are authenticated to that hub, a switch is authenticated to the second tier of routers, and finally a server or workstation is authenticated to that switch.
The Downside
Unfortunately, the deficiencies of EAP and RADIUS limit 802.1x to the parts of the network where it mitigates significant risk. As the tools function today, total deployment is hardly practical. Although the 802.1x model of a network component acting first as a supplicant and then as an authenticator is powerful, RADIUS supports only a static key between the authenticator (RADIUS client) and the authentication server. This has always been an operational deterrent to deploying many RADIUS clients, which is exactly what 802.1x requires. It would take a special RADIUS implementation to use a session key generated through the supplicant authentication as the client's RADIUS key. Then there's the bootstrap issue: What is the first authenticator and how is it configured? Perhaps an even more serious roadblock to 802.1x deployment is the choice of EAP types. The TLS (Transport Layer Security) EAP is the most talked about, but it requires a PKI (public key infrastructure) and certificates in every authenticated networking component, which won't make deployment any easier for most companies. Other EAP types are needed, such as the proposed SRP (Secure Remote Password, RFC 2945). SRP provides the ease of deployment of a user ID and password with the exchange strength of Diffie-Hellman public keys.
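To make the three-party model above concrete, and to show the static RADIUS client key problem just described, here is a small added simulation (not code from the column or from any 802.1x product). It models a supplicant, an authenticator port that only passes EAPOL frames until the server says Access-Accept, and a RADIUS-style server that trusts each authenticator by a static shared secret; the names, the credential store and the keyed-tag scheme are constructed stand-ins, not the RADIUS wire format.

```python
import hmac
import hashlib

# Constructed supplicant credential store held by the authentication server (hypothetical user).
USERS = {"alice": "correct horse"}

def radius_tag(secret: str, payload: bytes) -> str:
    """Keyed tag binding an Access-Request to the client's static shared secret.
    Stand-in for RADIUS Message-Authenticator; simplified, not the real encoding."""
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()

class AuthServer:
    """RADIUS-style server: authenticates supplicants, trusts clients only by static secret."""
    def __init__(self, client_secrets):
        self.client_secrets = client_secrets   # authenticator id -> shared secret (static)

    def access_request(self, client_id, eap_response, tag):
        secret = self.client_secrets.get(client_id)
        if secret is None or not hmac.compare_digest(tag, radius_tag(secret, eap_response)):
            return "Access-Reject"             # unknown client or mismatched shared secret
        identity, _, credential = eap_response.decode().partition("\0")
        return "Access-Accept" if USERS.get(identity) == credential else "Access-Reject"

class Authenticator:
    """Switch or hub port: relays EAP it does not inspect, acting as the RADIUS client."""
    def __init__(self, client_id, secret, server):
        self.client_id, self.secret, self.server = client_id, secret, server
        self.port_state = "unauthorized"       # controlled port closed until authenticated

    def forward_frame(self, frame: bytes) -> bool:
        """Only EAPOL frames pass while the port is unauthorized."""
        return self.port_state == "authorized" or frame.startswith(b"EAPOL")

    def eapol_start(self, supplicant) -> str:
        eap_response = supplicant.eap_response()   # opaque EAP payload, relayed unchanged
        tag = radius_tag(self.secret, eap_response)
        result = self.server.access_request(self.client_id, eap_response, tag)
        self.port_state = "authorized" if result == "Access-Accept" else "unauthorized"
        return result

class Supplicant:
    # Toy EAP method: identity and credential in one response. Real EAP types
    # (TLS, SRP) never carry a cleartext password like this.
    def __init__(self, identity, credential):
        self.identity, self.credential = identity, credential
    def eap_response(self) -> bytes:
        return f"{self.identity}\0{self.credential}".encode()

def demo(switch_secret="s3cret", server_secret="s3cret", password="correct horse"):
    server = AuthServer({"switch-1": server_secret})
    switch = Authenticator("switch-1", switch_secret, server)
    result = switch.eapol_start(Supplicant("alice", password))
    return result, switch.port_state, switch.forward_frame(b"IP datagram")
```

Run `demo()` for a successful authentication, `demo(password="wrong")` for a rejected supplicant, and `demo(switch_secret="typo")` to see that a single mis-keyed authenticator secret blocks every supplicant behind that port, which is the operational burden of static per-client keys.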
None of this will happen if price is a barrier. For wireless, at least, the cost of not securing the network will exceed the cost of adding 802.1x. Other networking components, such as VLAN, will be more cost-sensitive. But if 802.1x support comes free with your next switch and NIC software upgrades, we'll all win.
Robert Moskowitz is a senior technical director at TruSecure Corp. Send your comments on this column to him at rgm@htt-consult.com.