Implementing Network-Edge Security with 802.1x
Enhancements to all areas of Organizational Security
Michael Votaw, RCC-E Network Monitoring Team Lead, [email protected]

Overview
- Network based Authentication
- IEEE 802.1X Authentication
- RFC 3580 and Enhancements
- Network Access Control
- Security Tools Enhancements

Network Based Authentication: what are we really talking about?
- Types of authentication
  - MAC Authentication (MAB)
  - IEEE 802.1X
- Who, Where, When? What is the value?
  - History and forensics
- Authentication sources
  - RADIUS
  - Microsoft 2003 IAS / Microsoft 2008 NPS
  - FreeRADIUS
  - Steel-belted RADIUS
  - Many, many others
- The benefits of automation with this new information

IEEE 802.1X Authentication
- History
  - Authored by members from Microsoft, Cisco, Enterasys, HP
  - Ratified in late 2001
- What need did it fill? How is it used?
  - Centralized command and control
  - Port control without the tedious work
  - DHCP phobias
- Who supports it?
  - Switch vendors: Extreme/Enterasys, Cisco, Brocade/Foundry, HP, many others
  - Operating systems: Microsoft XP, Vista, 7 & 8, Mac OS X, Linux, others
  - Devices: IP phones from Avaya, Siemens, Cisco, and many more
  - Devices: print servers from HP, Lexmark, Xerox
- How does it work?
802.1X Basic Components
- User: valid user (AD/RADIUS), printer, phone, certificate-based
- Supplicant: Microsoft XP, Vista, 7 & 8; Mac OS X; Linux; Open1X; printers; phones
- Network device: Enterasys, Cisco, Foundry, Extreme, HP, many others
- Authentication server (RADIUS): Windows AD, FreeRADIUS, OpenRADIUS, Steel-Belted RADIUS, many others

802.1X Basic Flow
- Supplicant to switch: username/password
- Switch to RADIUS server, RADIUS attributes in the request: User-Name, NAS-IP-Address, NAS-Port, NAS-Port-Type
- RADIUS server to switch, RADIUS attributes in the response: Filter-Id, Tunnel-Priv-Grp-ID

Basic 802.1X Port Control (diagram: the port before authentication and after authentication)

802.1X Message Exchange
- All messages on the client side are Ethertype 888E (EAPOL/PAE)
- All messages between switch and server are RADIUS packets
- Most switch vendors enhance this with multi-method and multi-user authentication

802.1X Continued
- Support for periodic re-auth and manual re-auth
- EAP types, industry standard
  - MD5: basic
  - PEAP (Protected EAP): Microsoft & Cisco; now dominant in the industry
  - EAP-TLS (Transparent LAN Service): requires a digital certificate on each supplicant (see RFC 2716)
- EAP types, proprietary
  - EAP-TTLS (Tunneled TLS Authentication Protocol): Juniper software; TTLS does not require a digital cert (see Internet Draft)
  - LEAP: Cisco Lightweight EAP (proprietary); Cisco is moving to PEAP
- 802.1X on wireless: encryption, rotating keys, integration of users and enterprise authentication
- The future, 802.1AE: key exchange and encryption between clients, switches, and routers

Enhancing 802.1X
- Dynamic VLAN support (RFC 3580)
  - Dynamically assign a user, phone, or device to a VLAN based on the RADIUS response
  - Can allow for user mobility throughout the enterprise
- Dynamic ACL support
  - Restrict unauthorized protocols
  - Enhance others with QoS (phones, critical applications)
- Multi-User: most enterprise-class switches today support multiple users authenticating per port
- Multi-Method: many vendors support MAC+802.1X to help with supplicant support
- PAE MIB: SNMP access, control, and statistics over the 802.1X experience
- Guest Access: many vendors support an auth-fail VLAN, or provide alternate access support

Basic Steps for Implementation in a Lab
- Set up NPS on Microsoft AD
  - Simple configuration
  - No certificates
- Enable 802.1X on your network device
  - Set up your RADIUS server
  - Turn on 802.1X with “dot1x” commands
- Set up Windows 7
  - Go with Protected EAP
  - Don’t validate server certs
  - Deselect “Automatically use my Windows logon name”
- Once tested, move to a more secure model using host and server certificates (strong, mutual authentication)
- A phased approach can be used, enabling only some users and network devices
- Group Policy can be employed for configuration of end systems

Basic NPS Setup (screenshots): configuration of RADIUS clients; NPS can permit/deny based on groups; EAP methods configured; adding RADIUS attributes

Basic Switch Config (Cisco)

    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    ip radius source-interface Vlan99
    radius-server attribute nas-port format c
    radius-server host 192.168.99.4 auth-port 1812 acct-port 1813 key #$TR3g42f34yytV3r4f
    radius-server vsa send accounting
    radius-server vsa send authentication

    interface FastEthernet0/17
     switchport mode access
     authentication port-control auto
     authentication periodic
     dot1x pae authenticator
     dot1x timeout tx-period 3
     spanning-tree portfast

Basic Switch Configuration (Brocade/Foundry)

    dot1x-enable
     re-authentication
     timeout quiet-period 30
     timeout re-authperiod 2000
     timeout tx-period 3
     auth-fail-vlanid 10
     enable ethe 1 to 16
    aaa authentication dot1x default radius
    hostname fesx448
    radius-server host 192.168.5.6 auth-port 1812 acct-port 1813 default key 1 $fl%}lq9}%0qPf:}%fBPfl dot1x

    interface ethernet 1
     dot1x port-control auto
     dot1x disable-filter-strict-security
     port-name rm101-sw1-e1

MAC Authentication
- Authenticates a device using the source MAC address of received packets
- Overview of the authentication process
  - The authenticator (switch) sends the following as credentials for authentication:
    - Username: source MAC of the end system, in the format XX-XX-XX-XX-XX-XX
    - Password: locally configured password on the switch
  - Username and password are sent to the backend RADIUS server for authentication
  - If the credentials are valid, a RADIUS Access-Accept message (possibly with Filter-ID or Tunnel attributes) is returned to the switch
- MAC authentication enables switches to authenticate end systems that do not support an 802.1X supplicant or web browser (e.g. printers) to the network
  - No special software is required for an end system to MAC authenticate

Client Configuration (screenshot)

Network Access Control: The Next Step
- NAC and 802.1X are not the same
- The 5 functions of NAC: detection, authentication, authorization, assessment, remediation
- 802.1X provides a foundation by filling the first three phases of NAC
- Using RFC 3580, control can be exercised over the VLAN or ACL
- Log data can be sent to log servers: historical and forensic information

Network Access Control: information now available to NAC solutions
- MAC address of the client
- The username
- Exact port where the request came from
- The IP of the switch
- The method of authentication (MAC, 802.1X)
- The IP address (through DHCP snooping)
- The time of login
- The time of logout
- Any VLAN or ACL that was applied

NAC Dashboard: End Systems View (screenshot)

How Network-Auth Enhances Security Tools
- Integrate network authentication user tracking with Security Information Management capabilities
- Result: track down systems that cause security breaches with new levels of speed and accuracy
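The RFC 3580 dynamic VLAN assignment described under Enhancing 802.1X, and the Access-Accept with Filter-ID or Tunnel attributes that MAC authentication returns to the switch, both depend on how the authenticator reads those RADIUS attributes. The Python block below is an added example, not code from the slides or from any switch or RADIUS vendor: it parses a constructed Access-Accept attribute list and applies the RFC 3580 rule that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID must agree (same tag, VLAN type, IEEE-802 medium) before a VLAN is honoured, falling back to "no VLAN" otherwise.

```python
# Added example (not from the slides): how a switch should read an Access-Accept
# for RFC 3580 dynamic VLAN attributes and a Filter-Id ACL. Bytes are constructed.
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = 11, 64, 65, 81  # RFC 2865/2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # values RFC 3580 requires for a VLAN

def parse_attributes(payload):
    """Walk the type/length/value list that follows the 20-byte RADIUS header."""
    attrs, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def tagged(value, is_int):
    """Split an RFC 2868 tagged attribute into (tag, value); tag 0 when absent."""
    tag, rest = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
    return tag, (int.from_bytes(rest, "big") if is_int else rest)

def authorize(payload):
    """VLAN/ACL to apply. The VLAN is honoured only when Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID carry the same tag;
    a partial or inconsistent set yields None so the port keeps its default VLAN."""
    types, media, groups, acl = {}, {}, {}, None
    for atype, value in parse_attributes(payload):
        if atype == TUNNEL_TYPE:
            tag, val = tagged(value, True); types[tag] = val
        elif atype == TUNNEL_MEDIUM:
            tag, val = tagged(value, True); media[tag] = val
        elif atype == TUNNEL_PRIV_GROUP:
            tag, val = tagged(value, False); groups[tag] = val.decode("ascii", "replace")
        elif atype == FILTER_ID:
            acl = value.decode("ascii", "replace")
    vlan = None
    for tag, name in groups.items():
        if (types.get(tag) == TUNNEL_TYPE_VLAN
                and media.get(tag) == TUNNEL_MEDIUM_IEEE802 and name.isdigit()):
            vlan = int(name)
            break
    return {"vlan": vlan, "acl": acl}

def attr(atype, value):  # build one attribute TLV; used only to construct samples
    return bytes([atype, len(value) + 2]) + value

# Constructed Access-Accept attribute list: tag 1 selects VLAN 10, ACL "guest-acl"
SAMPLE_ACCEPT = (attr(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big"))
                 + attr(TUNNEL_MEDIUM, b"\x01" + (6).to_bytes(3, "big"))
                 + attr(TUNNEL_PRIV_GROUP, b"\x01" + b"10")
                 + attr(FILTER_ID, b"guest-acl"))
```

A Tunnel-Private-Group-ID on its own, or one whose tag does not match the type and medium attributes, yields no VLAN, which is the behaviour a switch needs so that an incomplete server response cannot move a port.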
IEEE 802.1X Conclusion
- The primary reason for using 802.1X authentication in your network is security, protecting against:
  - Unauthorized access to a network
  - Denial of Service (DoS) attacks
  - Theft of services
- Support
  - Almost all enterprise-class switches support 802.1X authentication
  - More and more operating systems and network-attached devices

Reference Information
- IEEE 802.1X, Port Based Network Access Control: http://www.ieee802.org/1/pages/802.1x.html
- IEEE 802.1X, Overview: http://www.ieee802.org/1/files/public/docs2000/P8021XOverview.PDF
- RFC 3580 Information: http://www.ietf.org/rfc/rfc3580.txt
- Using 802.1X Port Auth To Control Who Can Connect To Your Network: http://www.itdojo.com/synner/pdf/synner2.pdf
- 802.1X Port-Based Authentication HOWTO, Setting up XSupplicant: http://www.linux.org/docs/ldp/howto/8021X-HOWTO/index.html
- Configuring IEEE 802.1X for Mac OS X: http://docs.info.apple.com/article.html?path=Mac/10.5/en/8640.html