Implementing Network-Edge Security with 802.1X
Enhancements to all areas of Organizational Security
Michael Votaw
RCC-E Network Monitoring Team Lead
[email protected]
Overview
 Network based Authentication
 IEEE 802.1X Authentication
 RFC 3580 and Enhancements
 Network Access Control
 Security Tools Enhancements
Network Based Authentication
 What are we really talking about?
 Types of authentication
- MAC Authentication (MAB)
- IEEE 802.1X
 Who, where, when? – what is the value
 History and forensics
 Authentication sources – RADIUS
- Microsoft Windows Server 2003 IAS / Windows Server 2008 NPS
- FreeRADIUS
- Steel-Belted RADIUS
- Many, many others
 The benefits of automation with this new information
IEEE 802.1X Authentication
 History
- Authored by members from Microsoft, Cisco, Enterasys, HP
- Ratified in 2001 (IEEE 802.1X-2001)
 What need did it fill? How is it used?
- Centralized command and control
- Port control without the tedious work
- DHCP phobias
 Who supports it?
- Switch vendors – Extreme/Enterasys, Cisco, Brocade/Foundry, HP, many others
- Operating systems – Windows XP, Vista, 7 & 8, Mac OS X, Linux, others
- Devices – IP phones from Avaya, Siemens, Cisco, and many more
- Devices – print servers from HP, Lexmark, Xerox
 How does it work?
802.1X Basic Components (diagram: the four roles in the exchange)
 User – a valid user (AD/RADIUS account), a printer, a phone, or a certificate-based identity
 Supplicant – Windows XP, Vista, 7 & 8; Mac OS X; Linux; Open1X; printers; phones
 Network Device (authenticator) – Enterasys, Cisco, Foundry, Extreme, HP, many others
 Authentication Server (RADIUS) – Windows AD (via IAS/NPS), FreeRADIUS, OpenRADIUS, Steel-Belted RADIUS, many others
802.1X Basic Flow (diagram)
 Supplicant → authenticator: the EAP credentials (e.g. username/password), carried in EAPOL
 Authenticator → RADIUS server, Access-Request attributes: User-Name, NAS-IP-Address, NAS-Port, NAS-Port-Type
 RADIUS server → authenticator, Access-Accept attributes: Filter-Id, Tunnel-Private-Group-ID
Basic 802.1X Port Control (diagram)
 Before authentication: the port passes only EAPOL frames
 After authentication: the port passes normal traffic, on the VLAN or with the ACL the RADIUS reply specified
802.1X Message Exchange
 All messages on the client side are EAPOL frames (EtherType 0x888E) sent to the PAE group address 01-80-C2-00-00-03, which bridges do not forward, so the exchange never leaves the one link
 All messages between switch and server are RADIUS packets, with the EAP payload carried in EAP-Message attributes
 Most switch vendors enhance this with multi-method and multi-user authentication
802.1X Continued
 Support for periodic re-auth and manual re-auth
 EAP types – industry standard
- EAP-MD5 – basic: a one-way password challenge with no server authentication and no key derivation, so it is unsuitable for wireless
- PEAP (Protected EAP) – Microsoft & Cisco; now dominant in the industry
- EAP-TLS (EAP-Transport Layer Security; RFC 2716, since revised as RFC 5216) – requires a digital certificate on each supplicant
 EAP types – proprietary or vendor-originated
- EAP-TTLS (Tunneled TLS) – from Funk Software, later Juniper; does not require a client certificate; started as an Internet-Draft and is now RFC 5281
- LEAP – Cisco's Lightweight EAP (proprietary); its challenge/response is vulnerable to offline dictionary attacks, and Cisco has moved customers to PEAP
 802.1X on wireless
- Encryption, rotating keys, integration of users and enterprise authentication
 The future – 802.1AE (MACsec)
- Hop-by-hop encryption between clients, switches and routers, with the keys agreed by the MACsec Key Agreement (MKA) protocol that 802.1X-2010 added on top of the authentication
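To make the framing above concrete, here is an added example, written for this page and not code from the talk or from any vendor: a small Python decoder for EAPOL frames and the EAP packets inside them, run over a constructed five-frame exchange (EAPOL-Start, Request/Identity, Response/Identity, an MD5-Challenge from the switch, and the supplicant's Nak asking for PEAP instead). The MAC addresses, the identity alice@corp.example and the challenge bytes are made up. The decoder trusts the EAPOL Length field rather than the frame length, because short frames arrive padded to 60 bytes, and it rejects frames whose EAP length does not fit inside the EAPOL body.

```python
"""Decode and build 802.1X (EAPOL) frames and the EAP packets inside them."""
import struct

ETHERTYPE_EAPOL = 0x888E                        # EAPOL / PAE EtherType
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 01-80-C2-00-00-03: link-local, never bridged

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]. Success/Failure have no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(src, dst, eapol_type, body=b""):
    """Ethernet II frame carrying an EAPOL PDU: Version(1) Type(1) Length(2) Body."""
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 2, eapol_type, len(body)) + body)


def decode_frame(frame):
    """Decode one frame into a dict; raise ValueError on anything that is not well-formed EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not EAPOL: ethertype 0x%04x" % ethertype)
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    # Trust the EAPOL Length field, not the frame length: frames under 60 bytes carry padding.
    if 18 + length > len(frame):
        raise ValueError("EAPOL length exceeds frame")
    body = frame[18:18 + length]
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
           "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown(%d)" % eapol_type)}
    if eapol_type != 0:                      # Start/Logoff/Key carry no EAP packet
        return out
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length inconsistent with EAPOL body")
    out.update(code=EAP_CODES.get(code, "unknown(%d)" % code), id=ident)
    if code in (1, 2) and eap_len >= 5:      # only Request/Response carry a Type
        eap_type, data = body[4], body[5:eap_len]
        out["eap_type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
        if eap_type == 1:                    # Identity: the outer (possibly anonymous) identity
            out["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 3:                  # Nak: the types the supplicant would accept instead
            out["wanted"] = [EAP_TYPES.get(t, t) for t in data]
        elif eap_type == 4:                  # MD5-Challenge: Value-Size(1) Value Name
            out["challenge"] = data[1:1 + data[0]].hex()
    return out


# Constructed sample exchange (MACs and identity are made up): Start, Request/Identity,
# Response/Identity, an MD5-Challenge offered by the switch, and the supplicant's Nak for PEAP.
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("00aabbccddee")
EXCHANGE = [
    build_eapol(SUPPLICANT, PAE_GROUP_ADDR, 1),
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(1, 1, 1)),
    build_eapol(SUPPLICANT, PAE_GROUP_ADDR, 0,
                build_eap(2, 1, 1, b"alice@corp.example")).ljust(60, b"\x00"),  # padded short frame
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0,
                build_eap(1, 2, 4, b"\x10" + bytes(range(16)) + b"switch")),
    build_eapol(SUPPLICANT, PAE_GROUP_ADDR, 0, build_eap(2, 2, 3, b"\x19")),
]


def walk(frames):
    """Decode a whole exchange in order."""
    return [decode_frame(f) for f in frames]


if __name__ == "__main__":
    for step in walk(EXCHANGE):
        print(step)
```

Pointing a capture tool at EtherType 0x888E on an access port and feeding the frames through decode_frame shows exactly which EAP type a supplicant negotiates, which is the quickest way to spot a client that is still falling back to EAP-MD5 or LEAP.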
Enhancing 802.1X
 Dynamic VLAN support (RFC 3580)
- Dynamically assign a user, phone, or device to a VLAN based on RADIUS response
- Can allow for user mobility throughout the enterprise
 Dynamic ACL support
- Restrict unauthorized protocols
- Enhance others with QoS(phone, critical applications)
 Multi-User
- Most enterprise-class switches today support multiple users authenticating per port
 Multi-Method
- Many vendors support MAC+802.1X to help with supplicant support
 PAE MIB
- SNMP access, control, and statistics over the 802.1X session (IEEE8021-PAE-MIB)
 Guest Access
- Many vendors support an auth-fail VLAN, or provide alternate access support
Basic Steps for Implementation in a Lab
 Set up NPS on Microsoft AD
- Simple configuration
- No certificates
 Enable 802.1X on your network device
- Set up your RADIUS server
- Turn on 802.1X with "dot1x" commands
 Set up Windows 7
- Go with Protected EAP
- Don't validate server certs (lab only: a supplicant that skips validation will run its PEAP inner authentication against any RADIUS server that answers, so this setting must not survive into production)
- Deselect "Automatically use my Windows logon name"
 Once tested, move to a more secure model using host and server certificates (strong, mutual authentication)
 A phased approach can be used, enabling only some users and network devices
 Group Policy can be employed for configuration of end-systems
Basic NPS Setup
Configuration of RADIUS Clients
NPS Can Permit/Deny Based on Groups
EAP Methods Configured
Adding RADIUS Attributes
Basic Switch Config (Cisco)
! AAA must be enabled before any aaa command is accepted
aaa new-model
! Authenticate 802.1X sessions against RADIUS and take VLAN/ACL authorization from the reply
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Global 802.1X switch: no port authenticates until this is set
dot1x system-auth-control
ip radius source-interface Vlan99
radius-server attribute nas-port format c
radius-server host 192.168.99.4 auth-port 1812 acct-port 1813 key #$TR3g42f34yytV3r4f
radius-server vsa send accounting
radius-server vsa send authentication
!
interface FastEthernet0/17
 switchport mode access
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
Basic Switch Configuration (Brocade/Foundry)
dot1x-enable
 re-authentication
 timeout quiet-period 30
 timeout re-authperiod 2000
 timeout tx-period 3
 ! clients that fail authentication land in VLAN 10, the auth-fail (guest) VLAN
 auth-fail-vlanid 10
 enable ethe 1 to 16
aaa authentication dot1x default radius
hostname fesx448
radius-server host 192.168.5.6 auth-port 1812 acct-port 1813 default key 1 $fl%}lq9}%0qPf:}%fBPfl dot1x
interface ethernet 1
 dot1x port-control auto
 dot1x disable-filter-strict-security
 port-name rm101-sw1-e1
MAC Authentication
 Authenticates a device using the source MAC address of received packets
 Overview of the authentication process
- The authenticator (switch) sends the following as credentials for authentication:
- Username: source MAC of the end system, in the format XX-XX-XX-XX-XX-XX
- Password: locally configured password on the switch
- Username and password are sent to the backend RADIUS server for authentication
- If the credentials are valid, a RADIUS Access-Accept message (possibly with Filter-Id or Tunnel attributes) is returned to the switch
 MAC authentication enables switches to authenticate end systems that do not support an 802.1X supplicant or web browser (e.g. printers) to the network
- No special software is required for an end system to MAC authenticate
- Caveat: a MAC address is trivially spoofed, so MAB identifies a device rather than authenticating it; keep MAB devices on their own VLAN or behind an ACL (the Filter-Id or Tunnel attributes above) so that a spoofed printer gets a printer's access and nothing more
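As an added example covering both the RFC 3580 VLAN assignment described under "Enhancing 802.1X" and the MAB exchange just described (code written for this page, not from the talk or any switch vendor), the following Python builds the Access-Request a switch would send for a MAB client, lets a server answer with an Access-Accept carrying Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID and a Filter-Id, then performs the two checks an authenticator must do before acting on the reply: verify the Response Authenticator with the shared secret, and honour the VLAN only when all three tunnel attributes agree. The shared secret, the MAB password, the addresses and the use of Service-Type=Call-Check (the Cisco convention for marking MAB) are assumptions for the example; the Tag-byte handling follows RFC 2868.

```python
"""MAB Access-Request from the switch and an RFC 3580 Access-Accept from the RADIUS server."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FILTER_ID = 1, 2, 4, 5, 6, 11
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CALL_CHECK, ETHERNET = 10, 15     # Service-Type=Call-Check marks MAB on Cisco (assumed); NAS-Port-Type=Ethernet
VLAN, IEEE802 = 13, 6             # Tunnel-Type and Tunnel-Medium-Type values used by RFC 3580


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1, includes the 2-byte header) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def mab_access_request(mac, mab_password, secret, nas_ip, nas_port, ident, request_auth=None):
    """What the switch sends for a MAB client: User-Name is the MAC as XX-XX-XX-XX-XX-XX."""
    request_auth = request_auth or os.urandom(16)
    mac_user = mac.upper().replace(":", "-").encode()
    body = b"".join([attr(USER_NAME, mac_user),
                     attr(USER_PASSWORD, encrypt_password(mab_password, secret, request_auth)),
                     attr(SERVICE_TYPE, struct.pack("!I", CALL_CHECK)),
                     attr(CALLING_STATION_ID, mac_user),
                     attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
                     attr(NAS_PORT, struct.pack("!I", nas_port)),
                     attr(NAS_PORT_TYPE, struct.pack("!I", ETHERNET))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def access_accept(ident, request_auth, secret, attrs):
    """Server reply: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs, refusing lengths that overrun the packet."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def verify_reply(reply, request_auth, secret):
    """Switch-side check before acting on a reply: length field and Response Authenticator."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("bad length")
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: not from our RADIUS server")
    return reply[0], reply[1], parse_attrs(reply[20:])


def untag(value):
    """RFC 2868: a leading byte <= 0x1F is a Tag; anything larger is the first byte of the value."""
    return value[1:] if value and value[0] <= 0x1F else value


def assigned_vlan(attrs):
    """RFC 3580: use Tunnel-Private-Group-ID only when Tunnel-Type=VLAN and Tunnel-Medium-Type=802."""
    a = dict(attrs)  # simplification: assumes one instance of each tunnel attribute
    if not all(t in a for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    ttype = int.from_bytes(untag(a[TUNNEL_TYPE]), "big")
    medium = int.from_bytes(untag(a[TUNNEL_MEDIUM_TYPE]), "big")
    if (ttype, medium) != (VLAN, IEEE802):
        return None
    return untag(a[TUNNEL_PRIVATE_GROUP_ID]).decode()


def demo(secret=b"lab-shared-secret", request_auth=bytes(range(16))):
    """Constructed round trip: a printer's MAB request, then an accept carrying VLAN 10 and an ACL name."""
    req = mab_access_request("00:11:22:33:44:55", b"mab-secret", secret, "192.168.99.1", 50017, 7, request_auth)
    reply = access_accept(req[1], request_auth, secret, [
        attr(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big")),            # Tag 0 + 3-byte value
        attr(TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE802.to_bytes(3, "big")),
        attr(TUNNEL_PRIVATE_GROUP_ID, b"10"),                             # NPS-style: no Tag byte
        attr(FILTER_ID, b"printers-only")])
    code, _, attrs = verify_reply(reply, request_auth, secret)
    return code, assigned_vlan(attrs), dict(attrs).get(FILTER_ID, b"").decode(), req, reply
```

The Response Authenticator is the only thing binding the Access-Accept to the shared secret, which is why a weak or widely shared secret lets anyone on the management VLAN push a VLAN of their choosing to a port; the same check is what the switch applies to the key strings in the configurations above.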
Client Configuration
Network Access Control – The Next Step
 NAC and 802.1X are not the same
 The 5 functions of NAC
- Detection
- Authentication
- Authorization
- Assessment
- Remediation
 802.1X provides a foundation by filling the first three phases of NAC
 Using RFC 3580, control can be exercised over the VLAN or ACL
 Log data can be sent to log servers for historical and forensic information
Network Access Control – The Next Step
 Information now available to NAC solutions…
- MAC address of client
- The Username
- Exact port where request came from
- The IP of the switch
- The method of authentication (MAC, 802.1X)
- The IP address (through DHCP snooping)
- The time of Login
- The time of Logout
- Any VLAN or ACL that was applied
NAC Dashboard – End Systems View
How Network-Auth Enhances Security Tools
Integrate Network Authentication User tracking with Security Information Management capabilities.
Result: Track down systems that cause security breaches with new levels of speed and accuracy.
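An added example (not from the talk) of the tracking these two slides describe: Python that reads RADIUS accounting records laid out like a FreeRADIUS detail file, builds the who/where/when table from Start, Interim-Update and Stop records, and answers the incident-response question "who held this IP at this time?". The records, addresses, MACs and session IDs are constructed; inferring MAB versus 802.1X from Service-Type (Call-Check versus Framed-User) is the Cisco convention and is an assumption about the switch.

```python
"""Turn RADIUS accounting records into a who/where/when table for the end-system view."""
from datetime import datetime

# Constructed sample in the layout of a FreeRADIUS detail file: a timestamp line, then one
# indented "Attribute = value" line per attribute, with a blank line between records.
DETAIL = """\
Mon Mar  5 07:02:10 2012
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000A41"
\tUser-Name = "00-11-22-33-44-55"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tService-Type = Call-Check
\tNAS-IP-Address = 192.168.99.1
\tNAS-Port-Id = "FastEthernet0/3"
\tFramed-IP-Address = 10.1.20.7
\tTunnel-Private-Group-Id:0 = "20"

Mon Mar  5 08:01:12 2012
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000A42"
\tUser-Name = "alice"
\tCalling-Station-Id = "00-AA-BB-CC-DD-EE"
\tService-Type = Framed-User
\tNAS-IP-Address = 192.168.99.1
\tNAS-Port-Id = "FastEthernet0/17"
\tTunnel-Private-Group-Id:0 = "10"

Mon Mar  5 08:01:40 2012
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "00000A42"
\tUser-Name = "alice"
\tNAS-IP-Address = 192.168.99.1
\tFramed-IP-Address = 10.1.10.23

Mon Mar  5 17:30:44 2012
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00000A42"
\tUser-Name = "alice"
\tNAS-IP-Address = 192.168.99.1
\tAcct-Terminate-Cause = User-Request
"""


def parse_detail(text):
    """One dict per accounting record; '_time' holds the detail-file timestamp."""
    records, rec = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":                     # a timestamp line opens a new record
            rec = {"_time": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")}
            records.append(rec)
            continue
        key, _, value = line.strip().partition(" = ")
        rec[key.split(":")[0]] = value.strip('"')    # drop the ":0" tag suffix on tunnel attributes
    return records


def build_sessions(records):
    """Key sessions by (switch, Acct-Session-Id): Start fills who/where, Stop fills logout."""
    sessions = {}
    for r in records:
        key = (r.get("NAS-IP-Address"), r.get("Acct-Session-Id"))
        s = sessions.setdefault(key, {"login": None, "logout": None, "ip": None})
        status = r.get("Acct-Status-Type")
        if status == "Start":
            # Assumed Cisco convention: MAB requests carry Service-Type Call-Check, 802.1X Framed-User
            s.update(user=r.get("User-Name"), mac=r.get("Calling-Station-Id"),
                     switch=r.get("NAS-IP-Address"),
                     port=r.get("NAS-Port-Id") or r.get("NAS-Port"),
                     vlan=r.get("Tunnel-Private-Group-Id"), login=r["_time"],
                     method="MAB" if r.get("Service-Type") == "Call-Check" else "802.1X")
        elif status == "Stop":
            s["logout"], s["cause"] = r["_time"], r.get("Acct-Terminate-Cause")
        # The client IP is learned after DHCP, so it often arrives in an Interim-Update, not the Start
        if r.get("Framed-IP-Address"):
            s["ip"] = r["Framed-IP-Address"]
    return sessions


def who_had(sessions, ip, when):
    """Forensic lookup: which user, MAC, switch and port held this IP at this moment (datetime or ISO string)?"""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return [s for s in sessions.values()
            if s["ip"] == ip and s["login"] is not None and s["login"] <= when
            and (s["logout"] is None or when <= s["logout"])]


if __name__ == "__main__":
    table = build_sessions(parse_detail(DETAIL))
    for hit in who_had(table, "10.1.10.23", "2012-03-05T14:00:00"):
        print(hit["user"], hit["mac"], hit["switch"], hit["port"], hit["vlan"], hit["method"])
```

Feeding the same table into a SIEM as a lookup keyed by IP and time turns an IDS alert that names only an address into a user, a MAC, a switch and a port, which is the "speed and accuracy" the slide is after.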
IEEE 802.1X Conclusion
 The primary reason for using 802.1X authentication in your network is security, protecting against:
- Unauthorized access to a network
- Denial of Service (DoS) attacks
- Theft of services
 Support:
- Almost all enterprise-class switches support 802.1X authentication
- More and more operating systems and network-attached devices
Reference Information
 IEEE 802.1X - Port Based Network Access Control
- http://www.ieee802.org/1/pages/802.1x.html
 IEEE 802.1X - Overview
- http://www.ieee802.org/1/files/public/docs2000/P8021XOverview.PDF
 RFC 3580 Information
- http://www.ietf.org/rfc/rfc3580.txt
 Using 802.1X Port Auth To Control Who Can Connect To Your
Network
- http://www.itdojo.com/synner/pdf/synner2.pdf
 802.1X Port-Based Authentication HOWTO. Setting up XSupplicant.
- http://www.linux.org/docs/ldp/howto/8021X-HOWTO/index.html
 Configuring IEEE 802.1X for Mac OS X
- http://docs.info.apple.com/article.html?path=Mac/10.5/en/8640.html