AAA - 802.1X

AAA:

Even with the proper configurations, you want to make sure only those with legitimate, authorized credentials gain access to the network. Conventional access control, authentication and authorization will work with network and point security solutions to guard against unauthorized intrusions. Protocols such as 802.1X bolster authentication on a port level.

802.1X

An IEEE standard, 802.1X allows network switches and wireless access points to authenticate hosts at the port level.

In brief, 802.1X provides a Layer 2 authentication framework for both wireless and wired LANs through the Extensible Authentication Protocol (EAP).

The 802.1X protocol is designed to close a security gap, particularly for wireless traffic. But it also provides added security for your wired networks. Strong passwords, two-factor tokens or digital certificates notwithstanding, your data in transit is vulnerable, and your network is open to unauthorized access before higher-level authentication takes place.

802.1X provides the framework for challenging access at your network's front door--the switch or access point--as well as dynamic key delivery to protect wireless traffic. Despite all the buzz and strong support from heavyweight hardware and software vendors like Juniper, Cisco Systems and Microsoft, is 802.1X right for your organization? Has the technology matured to the point that you can move forward with confidence? We'll tell you what you need to know about 802.1X, and the factors you should consider before committing your company's time and money.

802.1X:

Here's the problem:

Data can be copied and observed in transit without detection. On a wired network without Layer 2 access control, anyone can get on the network. True, they may not be able to get on a protected server and could be limited to passive observation of broadcast data, but the traffic itself contains a mother lode of valuable information.

On a wireless network, information is literally being broadcast in the air. So, even with access control at the access point (AP), a sniffer can read unencrypted data sent from any client. Observable data ranges from passwords and proprietary intellectual property to session control information and MAC addresses. It's all valuable to an attacker. Every minute, passwords and the contents of e-mails are flying across the wires or through the air.


Combined with various Extensible Authentication Protocol (EAP) types, which carry authentication information, 802.1X is a quantum leap over the current Layer 2 access control method, MAC ACLs, and for wireless, shared key authentication.

802.1X is generally a good fit for larger, security-conscious organizations. While MAC ACLs allow a switch or AP to check MAC addresses before allowing traffic to pass, there's no provision for individual station or user authentication. MAC addresses can be sniffed off wired or wireless transmissions, and the address can then be applied to any NIC that supports configurable MAC addresses. Also, keeping complex MAC ACL tables up to date can be too time consuming for most larger enterprises.

So, despite the cost and planning considerations, 802.1X may be your best bet to enhance enterprise-level security for both wired and wireless LANs. If your environment already has the basic components for 802.1X support in place, such as 802.1X-compliant APs and switches, and a user base with built-in client software (e.g., Windows XP), deployment can be quick and cost effective.

But it's not for everyone. With added security comes added complexity. 802.1X deployment can be expensive, and vendor support is still far from universal. SOHO networks and companies with older equipment and limited or no wireless deployment may conclude it's simply too costly and complicated. In that case, you may be better served by sticking to MAC ACLs and using encryption for sensitive data. Keep in mind, however, that this solution doesn't scale well.

You should consider 802.1X if: 

• Your network carries any high-value data.
• Your company is regulated by HIPAA, GLBA, Sarbanes-Oxley, etc.
• Untrusted parties have physical access to your wired network.
• Your company provides wireless connectivity.

In other words, if your organization is concerned about infosecurity to any significant degree, you should at least investigate the risk/value proposition of implementing 802.1X.

The Basics:

802.1X has two main functions. The first is to stop wired network traffic behind the switch (and wireless network traffic behind the AP) from being viewed until the user or machine has been authenticated. Note that in wireless, the network traffic that is passed from clients to the AP is always visible unless encrypted. The second function is to support a wide variety of authentication and key management/exchange methods to provide a flexible yet standardized way to deliver authentication.

Specifically, 802.1X provides a transport mechanism for passing authentication information over both wired and wireless networks. EAP works in conjunction with 802.1X to support authentication methods such as passwords, digital certificates and smart cards. There are a number of EAP flavors--a single EAP couldn't encapsulate all authentication methods or approaches, so vendors and standards bodies are defining EAPs in an ongoing process.

802.1X and EAP are designed to evolve with an enterprise. Specific authentication methods go in and out of favor. It may be passwords today and PKI tomorrow. The 802.1X framework allows for these methods to be easily swapped or used together as needed.

New authentication methods can be implemented as EAP types emerge, yet continue to work with existing 802.1X APs and switches without requiring a hardware upgrade.

Here's how 802.1X works: The "authenticator"--the AP or switch that controls network access--stops the user or system, known as the "supplicant," from getting on the network. The authenticator serves as a proxy client to a RADIUS authentication server and controls whether the supplicant is allowed to access the network. Prior to successful 802.1X authentication, no DHCP IP address is distributed, no HTTP or POP3 or SMTP traffic can pass, and no passive observation of information being transferred behind the switch or access point can occur.
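
To make that sequence concrete, here is an added Python model (not code from the original article) of a port's controlled/uncontrolled behaviour and the supplicant, authenticator and RADIUS roles: user names, secrets and frame types are constructed, and the RADIUS side is simplified to a plain accept/reject decision rather than the EAP-Message attributes a real server would carry.

```python
from dataclasses import dataclass, field

# Constructed credential store standing in for the RADIUS server's user backend.
RADIUS_USERS = {"alice": "correct horse battery", "bob": "hunter2"}

def radius_server(access_request):
    """RADIUS side: answer an Access-Request with Access-Accept or Access-Reject.
    Simplified: a real server carries the EAP method inside EAP-Message attributes."""
    name = access_request["User-Name"]
    if RADIUS_USERS.get(name) == access_request["User-Password"]:
        return "Access-Accept"
    return "Access-Reject"

@dataclass
class AuthenticatorPort:
    """One switch/AP port. The controlled port stays closed until EAP-Success."""
    authorized: bool = False
    log: list = field(default_factory=list)

    def receive(self, frame):
        # The uncontrolled port passes only EAPOL; everything else (DHCP, HTTP,
        # POP3, SMTP ...) is dropped while the controlled port is unauthorized.
        if frame["type"] != "EAPOL" and not self.authorized:
            self.log.append(f"dropped {frame['type']}: port unauthorized")
            return "dropped"
        self.log.append(f"forwarded {frame['type']}")
        return "forwarded"

    def authenticate(self, identity, secret):
        # EAPOL-Start from the supplicant is answered with EAP-Request/Identity.
        self.log.append("EAPOL-Start -> EAP-Request/Identity")
        # The EAP-Response/Identity and credential are relayed to RADIUS; the
        # authenticator is only a proxy client and never checks them itself.
        verdict = radius_server({"User-Name": identity, "User-Password": secret})
        # Access-Accept/Reject comes back as EAP-Success/EAP-Failure, and that
        # is what opens (or keeps closed) the controlled port.
        self.authorized = verdict == "Access-Accept"
        self.log.append("EAP-Success" if self.authorized else "EAP-Failure")
        return self.authorized

def session(identity, secret):
    """Try DHCP before and after authenticating; returns (before, authorized, after)."""
    port = AuthenticatorPort()
    before = port.receive({"type": "DHCP-Discover"})
    authorized = port.authenticate(identity, secret)
    after = port.receive({"type": "DHCP-Discover"})
    return before, authorized, after
```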

802.1X also provides key management. This is particularly critical for wireless networks, which are protected by the notoriously weak Wired Equivalent Privacy (WEP) protocol. One of WEP's weaknesses is its use of shared, static keys, which can be cracked relatively easily by a determined war driver.

When 802.1X is used on a WLAN with the Temporal Key Integrity Protocol (TKIP)--part of the 802.11i wireless security standard and currently available in WPA-certified products--it provides support for dynamic keying. This allows stronger encryption of wireless traffic, protecting it from sniffers.

Integrating Authentication

For integration planning, most authenticators and authentication servers that support 802.1X support all the major EAP types as well.

802.1X and various EAPs generally work nicely in parallel. This means organizations can support two types of EAP on their LAN, which is especially useful when companies merge. However, while mixing EAP types on an authenticator and authentication server is fairly simple, mixing them on a client can lead to conflicts, so careful planning and testing is critical.

The cost and effort required to deploy 802.1X depends to a large extent on your existing authentication infrastructure. On the one hand, you may be able to efficiently leverage your existing authentication method(s). Or, you may decide that an 802.1X implementation is an ideal time to strengthen authentication, especially if you're currently relying on passwords on your wired network. For wireless, shared passwords are the only thing available without 802.1X.

Deploying enterprise-wide strong and multifactor authentication, however, is no small matter. Plan on increases in user training and support.

To save money and ease implementation headaches, explore opportunities for reuse wherever possible. If your company has already made the investment in strong authentication, it makes sense to extend it to the 802.1X environment. EAP and 802.1X can support most existing strong and multifactor authentication options, including one-time passwords, tokens and PKI/digital certificate credentials.

If you've limited these authentication methods to remote access or for select, high-value applications, you can now drive this strong security down to the data link layer for all users. Generally, the up-front investment in strong authentication, such as PKI or tokens, doesn't increase exponentially when adding more systems and users. However, you'll have to factor in expansion costs if your current rollout has a very limited user base.

If you're already using an 802.1X-compliant RADIUS server for authentication--for VPN access, for example--you can deploy 802.1X without adding an authentication server.

Another way to keep down 802.1X deployment costs is to link into existing stores of user credentials. If you have an LDAP directory, like eDirectory or Active Directory, you can often link it to your 802.1X RADIUS authentication server. Make sure, however, that you use one of the secure tunneling EAPs, such as EAP-TTLS or PEAP, to prevent LDAP authentication information from being transmitted in the clear.

Some additional support factors to consider:

When selecting an EAP client and type, remember that logging in via 802.1X isn't the same as logging into an NT Domain or other servers. What most of us think of as a "network login" occurs after a certain amount of network access, as well as assignment of an IP address, has taken place. That's why passive sniffers can eavesdrop on traffic without having a network login. Many supplicants don't support reuse, and users may need to be made aware that they will be logging in twice, once to the authenticator and again to the network NT Domain or other server.

If your company is using a single sign-on (SSO) product, proceed with caution. SSO vendors haven't entirely caught up with the 802.1X revolution, and you may need to invest in costly and time-consuming integration if you want all of them to seamlessly work together.

For companies that are looking into the newly available Wi-Fi gateways and wireless switches, there's good news. Most of the vendors, like Bluesocket, Symbol Technologies and ReefEdge, have 802.1X-compliant products. Investigate whether the gateway supports simple passing of the 802.1X information or if it actively gets involved in the process. Also, keep in mind that not all gateways support transparent login for all EAP-types.

Strong, But Not Invulnerable

Basic 802.1X is vulnerable to identity theft of unprotected user credentials, denial-of-service, session hijacking and man-in-the-middle attacks, because it's an asymmetric protocol. Although the client authenticates to the network, the network does not authenticate to the client.

Vendors try to address these vulnerabilities through their EAP offerings. Man-in-the-middle attacks can be mitigated by implementing mutual client/server authentication, reducing the risk of rogue servers getting on the network. Attackers can also exploit the lack of message integrity checking in EAP-formatted wireless (EAPoW) traffic by spoofing authentication approvals passed through the AP. Certain EAP-types, like EAP-TTLS, EAP-TLS and PEAP, can address this through TLS encryption and message integrity checking. Also, tunneled EAP types (TTLS and PEAP) can be employed to protect user credentials.
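
As an added illustration (not code from the article), the following Python models the two mitigations just described: the supplicant validating the authentication server's certificate before opening a tunneled EAP session, and an integrity-checked EAP result that a bare, unkeyed EAP-Success cannot satisfy. The CA name, server name and HMAC construction are assumptions standing in for the TLS machinery of EAP-TLS/TTLS/PEAP.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class ServerCert:
    subject: str   # name the authentication server presents
    issuer: str    # CA that signed the certificate

TRUSTED_CAS = {"Corp Internal CA"}        # constructed trust anchor
EXPECTED_SERVER = "radius.corp.example"   # constructed server name

def server_trusted(cert, validate_server=True):
    """Tunnel setup (PEAP/EAP-TTLS phase 1): the supplicant decides whether to
    open the TLS tunnel. With validate_server=False any server is accepted and
    the inner credentials go to whoever answered: the rogue-server risk."""
    if not validate_server:
        return True
    return cert.issuer in TRUSTED_CAS and cert.subject == EXPECTED_SERVER

def protect_result(tunnel_key, result):
    """Server side: bind the EAP result to the tunnel key with an HMAC, so a bare
    'EAP-Success' relayed through the AP without that key cannot be trusted."""
    return result, hmac.new(tunnel_key, result.encode(), hashlib.sha256).digest()

def accept_result(tunnel_key, result, mac):
    """Supplicant side: accept the result only if its integrity check verifies."""
    expected = hmac.new(tunnel_key, result.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def run_exchange(cert, validate_server=True, unkeyed_result=False):
    """Return (credentials_sent, result_accepted) for one tunneled exchange."""
    if not server_trusted(cert, validate_server):
        return False, False              # tunnel never opened, nothing sent
    tunnel_key = os.urandom(32)          # stands in for the TLS-derived key
    if unkeyed_result:
        # a result that was not computed under the tunnel key
        result, mac = "EAP-Success", bytes(32)
    else:
        result, mac = protect_result(tunnel_key, "EAP-Success")
    return True, accept_result(tunnel_key, result, mac)
```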

One more word of advice: Appliances, servers and other devices that can't authenticate via user interaction are often allowed authentication-free network access. For wired networks, consider locking up the physical access to ports on these devices, or for both wired and wireless, VLANing them with tight access control.

A Smart Choice

For WLANs, 802.1X provides a level of security most enterprises should consider. For wired LANs, basic perimeter security is no longer sufficient, and MAC ACLs aren't robust. 802.1X, when joined with EAP, delivers a stronger mechanism for controlling network access on a port-by-port basis throughout the enterprise.

With growing support among vendors, including major hardware and software companies, 802.1X is now a viable security choice. The available EAP options support a wide range of environments and authentication methods, and additional EAPs will only increase 802.1X flexibility.

802.1X is a sensible choice if you are heavily invested in 802.1X-supported hardware, especially if you also use strong authentication methods. If you're deploying wireless, or if you are in a highly sensitive and/or regulated sector, such as finance, you can't afford not to consider it.

So plan and budget carefully: Inventory clients, switches, routers and access points for 802.1X support. Try to reuse existing authentication stores, and select an EAP type that mitigates risks and fits in with your existing authentication components. Architect control solutions, such as VLANs, for clients and portions of the network that can't be covered.

And don't forget, it's about managing and reducing risk, not about perfect security. Most attackers go for the easy pickings. A well-deployed 802.1X authentication scheme may be an added expense, but it will make your network and data less vulnerable.