
The uses of Identity based Network Access Control

CIOL Bureau

Jatin Sachdeva


BANGALORE, INDIA: Networks have become increasingly important for running businesses, and as a result it is paramount to address the risks from unauthorized network access. Most organizations have strong authentication policies at the application level, but few have any at the wired network level. Ironically, with all the fear around wireless hacking, wireless networks have stronger controls around authentication and encryption than wired networks, which are open to anyone with physical access to the wire.

So what are the risks? The risks of such unauthenticated wired access are plenty. Imagine all sorts of rogue devices on the network, the most dangerous being unauthorized wireless access points plugged into your wired network, potentially giving access to anyone with a wireless laptop or smartphone. Another risk is users connecting rogue laptops (perhaps infected) to the network, smuggled in past physical security, inadvertently (or deliberately) causing a denial of service (DoS) attack on the entire network or on a specific application. No application-level authentication policy can protect against a network-level DoS or availability attack. DoS and resource exhaustion attacks have brought entire websites down; imagine what a disgruntled employee could do with a similar attack from inside the network.



The solution, then, is to start enforcing authentication and authorization policies for network access. This is the most basic form of network security, available at no extra cost on most switches in the form of IEEE 802.1X. Many network and security teams go too deep into the nuances of identity-based firewalls and IPS devices and forget to implement this most basic control available on the network. 802.1X (or dot1x) is a standards-based layer 2 protocol for transporting Extensible Authentication Protocol (EAP) messages between a supplicant (the user's PC) and an authenticator (a switch or access point); the authenticator relays them to an authentication server, which makes the actual decision. This allows a network access device such as a switch to authenticate a user and then grant selective network access. It is already in use in most wireless networks. Note that on a wired port 802.1X controls who may connect; it does not by itself encrypt the traffic that follows.

How do I implement dot1x? There are at minimum three key elements needed to successfully deploy a dot1x solution.

A dot1x-enabled switch: most Cisco switches with a current software release support dot1x, as do switches from other vendors. Be careful when selecting a vendor for dot1x-capable switches, as the dot1x protocol is fairly broad and not all vendors' switches implement all the functionality needed for a successful deployment (for example, dynamic VLAN or ACL assignment, and a fallback for devices such as printers that have no supplicant).



A dot1x supplicant/agent on the end host: this is built into most modern operating systems, such as Microsoft Windows, Apple Mac OS and Linux. You also have the option of using third-party dot1x supplicants with advanced connection management capabilities, broader EAP method support and centralized management; these are available from vendors such as Cisco and Juniper, to name a few.

Lastly, a RADIUS server: this acts as the policy decision point, communicating with the switches as well as with your identity repositories such as LDAP or Active Directory (AD). These are available from Cisco, Microsoft and a couple of other vendors. Be careful when selecting a RADIUS server, as this decides how much functionality you will be able to extract out of your dot1x-enabled switches.

The following sequence illustrates a computer connecting to a dot1x-enabled network:

The laptop user attempts network access and the switch asks the laptop's supplicant to authenticate over 802.1X; until this succeeds the port forwards nothing but the authentication frames themselves. The supplicant responds with the user's identity and credentials inside EAP, and the switch relays those EAP messages to the RADIUS authentication server in RADIUS Access-Request packets. The RADIUS server verifies the credentials against the identity store (such as AD). If authentication succeeds, the RADIUS server sends back an Access-Accept carrying a 'success' message together with an 'authorization' (access control in the form of a VLAN assignment or a firewall rule) to the switch; if it fails, the switch receives an Access-Reject and the port stays unauthorized. On success the laptop user is fully authenticated and authorized, gets an IP address and receives selective network access based on identity.
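The exchange just described, as an added example that is not part of the article and not Cisco's or any vendor's code: a self-contained Python simulation of the three elements from the implementation section (the supplicant on the host, the dot1x-enabled switch port as authenticator, and the RADIUS server as policy decision point) running the EAP-over-RADIUS round trips, with the VLAN authorization returned in the Access-Accept as RFC 2868 Tunnel attributes. The identity store, the user accounts and the shared secret are constructed stand-ins for AD and a real switch configuration, and EAP-MD5 is used only because it fits in one file; it offers no mutual authentication and exposes the password to an offline dictionary attack, so a real deployment would run PEAP or EAP-TLS inside the same frame.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
A_USER_NAME, A_STATE, A_TUNNEL_TYPE, A_TUNNEL_MEDIUM, A_EAP_MESSAGE, A_MSG_AUTH, A_TUNNEL_PRIV_GROUP = 1, 24, 64, 65, 79, 80, 81
# EAP codes (Request, Response, Success, Failure) and types (Identity, MD5-Challenge), RFC 3748.
# EAP-MD5 keeps this file self-contained; a production deployment runs PEAP or EAP-TLS here instead.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_IDENTITY, EAP_MD5 = 1, 2, 3, 4, 1, 4
SECRET = b"constructed-shared-secret"  # assumption: the switch<->RADIUS shared secret
IDENTITY_STORE = {"alice": ("Correct-Horse", "10"), "bob": ("Battery-Staple", "200")}  # constructed stand-in for AD: user -> (password, VLAN)

def eap(code, ident, etype=None, data=b""):  # EAP packet: Code, Identifier, Length, [Type, Type-Data]
    body = (bytes([etype]) if etype is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):  # -> (code, identifier, type or None, type-data)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

def radius(code, ident, req_auth, attrs):
    # Requests carry a random Request Authenticator, replies MD5(header | request authenticator | attributes | secret).
    # Every packet with EAP-Message also carries Message-Authenticator (RFC 3579): HMAC-MD5 over the packet, that attribute zeroed.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in list(attrs) + [(A_MSG_AUTH, bytes(16))])
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    body = body[:-16] + hmac.new(SECRET, hdr + req_auth + body, hashlib.md5).digest()
    auth = req_auth if code == ACCESS_REQUEST else hashlib.md5(hdr + req_auth + body + SECRET).digest()
    return hdr + auth + body

def verify_radius(pkt, req_auth):
    # Attribute list if both authenticators check out, else None: forged or tampered packets are dropped, never acted on.
    hdr, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    attrs, mac, zeroed, i = [], None, b"", 0
    while i < len(body):
        t, v = body[i], body[i + 2:i + body[i + 1]]
        attrs.append((t, v))
        if t == A_MSG_AUTH:
            mac, v = v, bytes(16)
        zeroed += struct.pack("!BB", t, len(v) + 2) + v
        i += max(body[i + 1], 2)  # a zero attribute length would otherwise loop forever
    ok = mac is not None and hmac.compare_digest(mac, hmac.new(SECRET, hdr + req_auth + zeroed, hashlib.md5).digest())
    ok = ok and (pkt[0] == ACCESS_REQUEST or hmac.compare_digest(auth, hashlib.md5(hdr + req_auth + body + SECRET).digest()))
    return attrs if ok else None

class Supplicant:  # the laptop's 802.1X agent: answers the EAP requests the switch relays
    def __init__(self, user, password):
        self.user, self.pwd = user, password
    def respond(self, req):
        _, eid, etype, data = parse_eap(req)
        if etype == EAP_IDENTITY:
            return eap(EAP_RESPONSE, eid, EAP_IDENTITY, self.user.encode())
        if etype == EAP_MD5:  # CHAP-style proof: MD5(identifier | password | challenge)
            val = hashlib.md5(bytes([eid]) + self.pwd.encode() + data[1:1 + data[0]]).digest()
            return eap(EAP_RESPONSE, eid, EAP_MD5, bytes([16]) + val + self.user.encode())

class RadiusServer:  # policy decision point: checks the identity store, returns the authorization
    def __init__(self):
        self.sessions = {}  # State attribute -> (user, challenge, expected EAP identifier)
    def handle(self, pkt):
        req_auth, rid = pkt[4:20], pkt[1]
        a = dict(verify_radius(pkt, req_auth) or [])
        if A_EAP_MESSAGE not in a:
            return None  # bad Message-Authenticator: silently discard (RFC 3579)
        _, eid, etype, data = parse_eap(a[A_EAP_MESSAGE])
        if etype == EAP_IDENTITY:  # round 1: issue a fresh challenge, remember it under State
            chal, state = os.urandom(16), os.urandom(8)
            self.sessions[state] = (data.decode(), chal, eid + 1)
            req = eap(EAP_REQUEST, eid + 1, EAP_MD5, bytes([16]) + chal + b"radius")
            return radius(ACCESS_CHALLENGE, rid, req_auth, [(A_EAP_MESSAGE, req), (A_STATE, state)])
        if etype == EAP_MD5 and a.get(A_STATE) in self.sessions:  # round 2: check the proof
            user, chal, cid = self.sessions.pop(a[A_STATE])
            pwd, vlan = IDENTITY_STORE.get(user, (None, None))
            expected = hashlib.md5(bytes([cid]) + (pwd or "").encode() + chal).digest()
            if pwd is not None and eid == cid and hmac.compare_digest(data[1:17], expected):
                return radius(ACCESS_ACCEPT, rid, req_auth, [  # EAP-Success plus the VLAN authorization (RFC 2868)
                    (A_EAP_MESSAGE, eap(EAP_SUCCESS, eid)), (A_TUNNEL_TYPE, b"\x00\x00\x00\x0d"),  # tag 0, 13 = VLAN
                    (A_TUNNEL_MEDIUM, b"\x00\x00\x00\x06"), (A_TUNNEL_PRIV_GROUP, vlan.encode())])  # 6 = IEEE-802, VLAN ID
        return radius(ACCESS_REJECT, rid, req_auth, [(A_EAP_MESSAGE, eap(EAP_FAILURE, eid))])

class SwitchPort:  # the authenticator: EAPOL toward the host, RADIUS toward the server
    def __init__(self, server):
        self.server, self.state, self.vlan = server, "unauthorized", None  # unauthorized: only EAPOL is forwarded
    def authenticate(self, supplicant):
        resp_eap = supplicant.respond(eap(EAP_REQUEST, 1, EAP_IDENTITY))  # the switch opens with Request/Identity
        user, state = parse_eap(resp_eap)[3].decode(), None
        for rid in range(1, 4):  # the RADIUS identifier ties each reply to its request
            req_auth = os.urandom(16)
            attrs = [(A_USER_NAME, user.encode()), (A_EAP_MESSAGE, resp_eap)] + ([(A_STATE, state)] if state else [])
            reply = self.server.handle(radius(ACCESS_REQUEST, rid, req_auth, attrs))
            a = dict(verify_radius(reply, req_auth) or []) if reply and reply[1] == rid else {}
            if not a:
                break  # dropped, mismatched or forged reply: fail closed
            if reply[0] == ACCESS_ACCEPT:
                self.state, self.vlan = "authorized", a[A_TUNNEL_PRIV_GROUP].decode()
                return True
            if reply[0] != ACCESS_CHALLENGE:
                break  # Access-Reject carrying EAP-Failure
            state, resp_eap = a[A_STATE], supplicant.respond(a[A_EAP_MESSAGE])
        self.state, self.vlan = "unauthorized", None
        return False
```

Calling SwitchPort(RadiusServer()).authenticate(Supplicant("alice", "Correct-Horse")) ends with the port authorized in VLAN 10; a wrong password or an unknown user ends with an Access-Reject and the port still unauthorized; a RADIUS packet whose Message-Authenticator does not verify is discarded without any reply, so a forged packet cannot open the port. Keep in mind that apart from these MD5-keyed authenticators the RADIUS traffic between switch and server is in the clear, which is why the shared secret must be long and random and the switch-to-server path belongs on a management network.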


Because firewall rules are applied as an authorization right at the switch port, based on the user's identity, this brings an element of identity-based firewalling into the network at no additional cost.

To summarize, identity-based network access control is now available in most network switches. The 802.1X protocol lets you implement an identity-based firewall right on the network switch, at the point nearest to the user accessing the network. This approach extracts a better return on the investment already made in basic network infrastructure by using network switches for a security function. Depending on the exact level of security needed, it can augment your existing firewalls or reduce your dependence on them. It is recommended that you work with your network infrastructure vendor to understand how this feature can be implemented in your environment.

Over the next few articles, we will cover more details on 802.1X and similar technologies to make your network more identity aware.

(The author is Information Security Advisor, Cisco Asia Pacific)