One of the biggest threats facing enterprises is an outsider plugging directly into an Ethernet port and being granted instant, unauthenticated access to the network. This threat is especially common in hospitals, where there is heavy use of computer systems mixed with untrusted outsiders roaming the halls.
Shutting down unused ports is the traditional mitigation. Still, this technique does not prevent someone from plugging into a port that is actively in use (for example, one serving a copy machine). 802.1X can mitigate this vulnerability.
What is 802.1X?
802.1X allows for authentication of a system/user at Layer 2 of the OSI model. This means authentication happens earlier in the protocol stack than is typical. User and system authentication generally happens at Layer 3 over TCP/IP (the protocol at the heart of the public internet).
802.1X leverages a protocol called Extensible Authentication Protocol (EAP) to allow for authentication over Ethernet (the protocol that controls how data is transmitted as electricity over networking cabling and Wi-Fi).
802.1X will work on both physical and wireless networks, but be sure not to mistake 802.1X for 802.11, the wireless networking standard.
How Authentication Works Typically:
- After plugging into an open port, the laptop requests a DHCP address. The system is then leased an IP address, DNS settings, and the default gateway. The user and system are not authenticated.
- Lack of authentication on the switch (Ethernet over Layer 2) allows any malware on the laptop to spread on the network, and the user is free to probe or passively monitor network traffic.
How Authentication Works with 802.1X:
- The authenticator (i.e. network switch) requests authentication information from the supplicant (i.e. software agent on the system). The authentication server verifies whether the system should be granted access. If so, an IP address is leased using TCP/IP over Layer 3.
- Unauthorized/unauthenticated users are not leased an IP address.
- Because the unknown system has no connectivity, malware cannot spread and the user cannot probe the network.
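The following Python sketch is an added example, not code from the original article. It decodes an EAPOL frame (EAP carried directly over Ethernet) and models the port behavior described above: until the authentication server accepts the supplicant, only EAPOL reaches the switch and everything else, including the DHCP request, is dropped. The frames, MAC address, identity string and the ControlledPort class are constructed for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN, the 802.1X EtherType
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes):
    """Decode an EAPOL frame; return None for any other traffic."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    info = {"version": version, "packet_type": ptype, "eap": None}
    body = frame[18:18 + body_len]
    if ptype == 0 and len(body) >= 4:            # packet type 0 = EAP-Packet
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        eap = {"code": EAP_CODES.get(code, "Unknown"), "id": ident}
        if code in (1, 2) and 5 <= eap_len <= len(body):
            eap["type"] = body[4]                # 1 = Identity
            if body[4] == 1:
                eap["identity"] = body[5:eap_len].decode("utf-8", "replace")
        info["eap"] = eap
    return info

class ControlledPort:
    """Simplified model of an 802.1X switch port (the authenticator)."""
    def __init__(self):
        self.authorized = False                  # ports start unauthorized

    def from_supplicant(self, frame: bytes) -> str:
        if parse_eapol(frame) is not None:
            return "eapol"                       # handed to the authenticator
        return "forward" if self.authorized else "drop"

    def on_server_decision(self, accepted: bool) -> None:
        self.authorized = accepted               # result from the authentication server

# Constructed sample frames (not captured traffic).
SUPPLICANT_MAC = bytes.fromhex("020000000001")
EAP_BODY = struct.pack("!BBHB", 2, 1, 15, 1) + b"lab-laptop"   # Response/Identity
EAPOL_IDENTITY = (bytes.fromhex("0180c2000003") + SUPPLICANT_MAC +
                  struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, 0, len(EAP_BODY)) + EAP_BODY)
# Placeholder IPv4 payload standing in for a DHCP request.
DHCP_FRAME = b"\xff" * 6 + SUPPLICANT_MAC + struct.pack("!H", 0x0800) + bytes(28)

if __name__ == "__main__":
    port = ControlledPort()
    print(parse_eapol(EAPOL_IDENTITY))
    print("before auth:", port.from_supplicant(DHCP_FRAME))
    port.on_server_decision(True)
    print("after auth: ", port.from_supplicant(DHCP_FRAME))
```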
Understanding 802.1X in More Depth
802.1X is one of the best network security measures an organization can implement. It is important for the security professional to understand the technology before auditing it or recommending it.
An 802.1X implementation is comprised of three components:
- Supplicant: The supplicant is typically client software on the endpoint that understands the 802.1X protocol and one of the EAP types used in communicating with the authentication server. Supplicants forward credentials (username/password or digital certificate).
- Authenticator: The authenticator is usually a piece of networking equipment like a wireless access point or network switch. If the supplicant successfully authenticates, the authenticator opens access on the port so the supplicant can communicate with the DHCP server and be leased an IP address.
- Authentication Server: The authentication server checks the credentials supplied by the supplicant and either grants or denies access to the endpoint device. Most authentication servers use the Remote Authentication Dial-In User Service (RADIUS) protocol, which might connect back to an LDAP server (e.g. Active Directory).
802.1X is one of many networking protocols that mitigate some of the most severe vulnerabilities found in enterprise networks.
Other concepts related to 802.1X include:
- Extensible Authentication Protocol (EAP)
- Network Access Control (NAC)
- Centralized Authentication Control Protocols (such as RADIUS, DIAMETER, and TACACS)