13.3. IEEE Standards

IEEE creates some popular standards for networking.

13.3.1. The 411 on 802.1X

The IEEE standard for port-based network access control, the 802.1X standard, is part of IEEE's 802.1 group of networking protocols. Originally designed for use in wired networks, but adapted to address WLAN security concerns, 802.1X delivers a robust, extensible security framework, as well as powerful authentication and data privacy capabilities.

NOTE

The 802.1X standard securely exchanges user or device credentials and prevents virtually any unauthorized network access because it completes authentication before it assigns a network IP address.

The 802.1X standard provides a sturdy foundation for many NAC solutions because of its strong, durable security and authentication. Because 802.1X has been field-proven, market-tested, and deployed in many wireless networks, it has helped speed NAC adoption and ensure stable interoperability.

A secure 802.1X network needs only three components:

  • Supplicant: A software client loaded on an endpoint device that supplies the client side of the 802.1X standard. The supplicant can be part of a wired or wireless environment, and it requests network access.

  • Authenticator: A device, which sits between the endpoint device and the network infrastructure, that performs user or device authentication. Authenticators can include devices such as network switches and wireless access points.

  • Authentication server: These servers can receive RADIUS messages and use the information from a RADIUS message to check user or device authentication credentials against a data store, database, or other data receptacle that contains authentication data. Some examples of data stores or databases that store authentication information include Microsoft Active Directory, LDAP, vendor-specific data stores, other directory stores or databases, or even RADIUS or a RADIUS proxy.

13.3.2. EAP — we've been framed

To support the secure passing and validation of user or device credentials, the 802.1X standard needs a secure, flexible authentication framework, one that simplifies the creation and maintenance of additional authentication methods. So the IETF developed the Extensible Authentication Protocol (EAP) standard. EAP lets you create and use extensible access protocols on a framework that enables flexible, expandable network access and authorization.

You can choose from many EAP types, but typically the authentication method, or the back-end data store or database, dictates the EAP type that you need to deploy and use.

NOTE

The 802.1X standard works with powerful, robust EAP types, including tunneled types such as EAP-Tunneled Transport Layer Security (EAP-TTLS) and EAP-Protected Extensible Authentication Protocol (EAP-PEAP). Both EAP-TTLS and EAP-PEAP provide a secure EAP overlay that you can wrap around other, non-tunneled EAP types or other authentication protocols. The non-tunneled EAP types that communicate through the EAP tunnel (provided by EAP-TTLS, EAP-PEAP, or another tunneled EAP type) may carry user or device credentials, or other relevant user or device data (such as device security state information). When you use tunneled EAP types to communicate user or device credentials and other data between a device and a network, they add insurance that the data they carry is protected and private, and that security is maintained.

13.3.3. EAP-speak

After you implement an EAP type, both the supplicant and the authentication server need to communicate in that chosen EAP type if you want to make a connection. They need to talk the same language to communicate effectively, and a dialect of EAP is the language.

An IEEE 802.1X standard network works pretty much the same way, regardless of whether you deploy it over a wireless or wired LAN, or in a NAC solution. An 802.1X-compliant network requires

  • A supplicant and an authenticator that both support the IEEE 802.1X standard

  • An authentication server in the environment, which completes the network connection

You can probably credit the popularity of the IEEE 802.1X standard to its combination of powerful security and authentication with simple on/off network access control.


The supplicant, authenticator, and authentication server follow this process:

  1. A supplicant passes the credentials that the user enters, or that it collects from the device, to an authenticator on the edge of the network.

    The supplicant and authenticator communicate by using an EAP type carried at Layer 2 of the Open Systems Interconnection (OSI) model, as specified by the IEEE 802.1X standard's EAP over LAN (EAPoL) encapsulation.

  2. The authenticator (in the 802.1X compliant network) first verifies the network connection, and then passes the user or device credentials on to the authentication server.

    That communication uses EAP in RADIUS, a Layer 3 (OSI model) communications method that allows an authenticator and authentication server to securely pass authentication messages.

  3. After the authentication server validates the user or device credentials against a database or a data store, a network port on an Ethernet switch or a wireless access point (serving as the authenticator) opens (or, in engineering parlance, the switch port closes, creating an open connection and allowing information to flow), allowing the user or device to access the network.

    If the authentication server doesn't find the credentials, the credentials aren't correct, the server can't validate the credentials for whatever reason, or credential verification isn't available, the server may deny the user network access.

NOTE

If your organization wants to allow only limited network access to users or devices that have inappropriate, invalid, or unchecked network credentials, you can accomplish this quarantine by using VLAN tagging or routing, which the authenticator, such as a network switch or access point (see IETF RFC 3580), must support.
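The three components listed in Section 13.3.1 and the three-step exchange just described, as an added Python model that is not the book's code and not any vendor's implementation: a Supplicant answers the EAP requests, an Authenticator relays them and keeps its port closed to everything but EAPoL frames until the server answers, and an AuthenticationServer checks the proof against a credential store. It assumes an EAP-MD5-style challenge/response as the non-tunneled EAP method, a constructed credential store standing in for Active Directory or LDAP, a RADIUS reply modeled as a plain dictionary carrying a Tunnel-Private-Group-ID VLAN attribute, and that the authenticator (not the server) applies the optional quarantine VLAN when it receives an Access-Reject; the identities and passwords are made up.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# EAP over LAN (EAPoL) frames carry this Ethertype; in this model they are the only
# traffic an unauthorized port forwards.
EAPOL_ETHERTYPE = 0x888E

# Constructed credential store standing in for Active Directory, LDAP, or another
# back-end database: identity -> (password, VLAN to assign on success).
CREDENTIAL_STORE: Dict[str, Tuple[str, int]] = {
    "alice": ("correct horse battery staple", 10),
    "bob": ("hunter2", 20),
}


def md5_challenge_response(eap_id: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5-style proof of possession: MD5(identifier || secret || challenge).

    Used here only as the simplest non-tunneled EAP method to model the exchange;
    in practice you would wrap a method like this in EAP-TTLS or EAP-PEAP.
    """
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()


@dataclass
class Supplicant:
    """Client side of 802.1X on the endpoint; answers the EAP requests relayed to it."""
    identity: str
    password: str

    def identity_response(self) -> str:  # EAP-Response/Identity
        return self.identity

    def challenge_response(self, eap_id: int, challenge: bytes) -> bytes:  # EAP-Response/MD5-Challenge
        return md5_challenge_response(eap_id, self.password, challenge)


@dataclass
class AuthenticationServer:
    """RADIUS server side: checks the EAP proof against the credential store."""
    store: Dict[str, Tuple[str, int]]

    def new_challenge(self) -> bytes:  # EAP-Request/MD5-Challenge payload
        return os.urandom(16)

    def access_request(self, identity: str, eap_id: int, challenge: bytes, response: bytes) -> dict:
        """Answer a RADIUS Access-Request with Access-Accept (plus VLAN attribute) or Access-Reject."""
        entry = self.store.get(identity)
        if entry is not None:
            password, vlan = entry
            expected = md5_challenge_response(eap_id, password, challenge)
            if hmac.compare_digest(expected, response):  # constant-time comparison
                return {"code": "Access-Accept", "Tunnel-Private-Group-ID": vlan}
        # Unknown identity and wrong proof get the same answer, so the reply leaks nothing
        return {"code": "Access-Reject"}


@dataclass
class Authenticator:
    """Switch port or access point: relays EAP and gates the port on the server's verdict."""
    server: AuthenticationServer
    quarantine_vlan: Optional[int] = None  # optional VLAN for failed or unknown endpoints
    port_state: str = "unauthorized"       # unauthorized | authorized | quarantined
    vlan: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def forwards(self, ethertype: int) -> bool:
        """Port filter: before authorization, only EAPoL frames pass through."""
        return self.port_state != "unauthorized" or ethertype == EAPOL_ETHERTYPE

    def authenticate(self, supplicant: Supplicant) -> str:
        """Run the exchange and return the resulting port state."""
        eap_id = 1
        self.log.append("EAPoL-Start                  supplicant -> authenticator")
        identity = supplicant.identity_response()
        self.log.append(f"EAP-Response/Identity({identity}) supplicant -> authenticator")
        challenge = self.server.new_challenge()
        self.log.append("EAP-Request/MD5-Challenge    server -> supplicant (relayed by authenticator)")
        response = supplicant.challenge_response(eap_id, challenge)
        self.log.append("EAP-Response/MD5-Challenge   supplicant -> server (inside RADIUS Access-Request)")
        reply = self.server.access_request(identity, eap_id, challenge, response)
        self.log.append(f"RADIUS {reply['code']:<13}         server -> authenticator")
        if reply["code"] == "Access-Accept":
            self.port_state, self.vlan = "authorized", reply.get("Tunnel-Private-Group-ID")
        elif self.quarantine_vlan is not None:
            self.port_state, self.vlan = "quarantined", self.quarantine_vlan
        else:
            self.port_state, self.vlan = "unauthorized", None
        self.log.append(f"port {self.port_state} (VLAN {self.vlan})")
        return self.port_state


if __name__ == "__main__":
    server = AuthenticationServer(CREDENTIAL_STORE)
    for port, client in [
        (Authenticator(server), Supplicant("alice", "correct horse battery staple")),
        (Authenticator(server), Supplicant("alice", "wrong password")),
        (Authenticator(server, quarantine_vlan=99), Supplicant("mallory", "guess")),
    ]:
        port.authenticate(client)
        print("\n".join(port.log), end="\n\n")
```

The point the model makes visible is the one the NOTE above relies on: `forwards()` refuses every non-EAPoL frame until the server's verdict arrives, so no IP traffic (and no DHCP lease) reaches the network from an unauthenticated endpoint, and a quarantine VLAN is a policy choice on the authenticator rather than a change to the authentication itself.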

13.3.4. Putting it all together in 802.1X

NAC requires a secure, flexible framework for authentication, access management, network security, and data privacy — and the IEEE 802.1X standard can deliver. A typical IEEE 802.1X wireless network topology is shown in Figure 13-4.

The IEEE 802.1X standard allows you to create a powerful network perimeter defense through robust admission controls that refuse users or devices network access unless they comply with specific policies defined by your organization. The 802.1X standard also gives NAC solutions a durable, easily applied and integrated authentication process, guarding a network against improper access and use. Completing user or device authentication before a network IP address is assigned ensures that the network can stop unauthenticated or unauthorized devices (which may carry malware or other threats) before those devices can spread their malicious payload to the network.

When you use the IEEE 802.1X standard as part of a NAC solution, it also

  • Empowers the NAC solution to interoperate with new or existing standards-based network components. This interoperability can help your organization leverage your existing network environment, helping to hold costs down.

  • Enables a NAC solution to work with and oversee a number of different network components, protocols, and methods. This can assure access control in heterogeneous networks, independent of vendor or environment.

  • Simplifies the deployment and integration of other 802.1X-based components into an existing network that has a diverse platform environment.

Figure 13-4. A standard IEEE 802.1X wireless network environment.

The 802.1X standard does have some downsides:

  • For 802.1X to work, each endpoint device must have a supplicant (or 802.1X client) deployed.

  • Although supplicants are common and readily available — such as those included with a number of operating systems and software, provided with some endpoint devices, and available as part of a NAC solution — you still need to deploy and implement that supplicant, which can be time-consuming.

  • Network switches and wireless access points that you want to use as 802.1X authenticators need to support the 802.1X standard. Although most switches and access points now being sold likely include 802.1X capabilities, existing network switches and access points may not.


Each organization needs to decide which standard to use in its NAC solution, based on what it currently has deployed in its network environment, what it wants to achieve, and what it wants to protect the organization from.

In addition to industry standards such as RADIUS, DHCP, SNMP, and 802.1X, you can also find open standards, written and ratified by like-minded groups interested in securing and controlling network access, that were built specifically to control network access.
