Firewall Wizards mailing list archives

RE: "802.1x"?


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Tue, 17 Dec 2002 09:41:51 +0200

From what I have read about 802.1x, it was designed to be used as both a
wired and wireless end-point authentication solution.

Essentially, the access device (WAP or switch) has a default set of filters
on every port (every MAC address for wireless, I guess) that only allow
access to the switch/AP itself, on specific ports. The end-point (client PC,
whatever) goes through a negotiation/authentication process whereby it is
given an IP address (optional, I think, to allow for fixed IP, but one of
the allowed services, IIRC), and can then perform authentication to the
switch.

The switch is set up to require a particular type of auth, within the
Extensible Authentication Protocol (EAP) e.g. LEAP. The switch acts as an
intermediary, challenging the end-point, and then verifying the response
against the authentication server, e.g. RADIUS/TACACS/NT ADS, whatever (not
sure of all the permutations here), and if successful, removing the filters,
and allowing unrestricted communication.

One reason to use 802.1x internally, is to ensure that only authenticated
machines are allowed to connect to your infrastructure. Someone may gain
access to your internal environment, as a cleaner/visitor, etc, but would
not be successful in plugging into your network without appropriate
authentication. They wouldn't even be able to sniff passing traffic or spoof
MAC addresses to confuse a switch, I think.

I understand that 802.1x switches (fixed infrastructure) ARE available from
some vendors, such as Cisco.

What I was thinking about was using this basis/framework for performing
client firewalling on an enterprise wide scale.

All switches start off with the standard 802.1x negotiation. When they have
finished authenticating, rather than remove all filters, apply a set of
filters appropriate to either:

The specific user.
The user group. (Accounting, developers, etc)
The physical location (Public access terminals?, Secure rooms)
The machine role (Public workstation)
Whatever blows your hair back :-)

Obviously performance would be a critical factor in the success of such a
device, as would a usable and efficient management interface for controlling
the policies downloaded to the switch.

I have seen exactly this device requested (not in so many words, but as the
subject of a research project with Microsoft and Cisco) by a fairly large
client of ours, and if such a thing existed (at a reasonable price,
naturally) I'm almost convinced they'd buy it.

Essentially, this is an extension of a bridging firewall, with a LOT of
interfaces (24-port switch?), and dynamically loaded rules.

Probably not all that complicated to do, if one had suitably programmable
hardware. I was looking around for a device to test this with, but was
unable to find anything really suitable for a prototype. Could be done with
a PC and a few interfaces, I guess. Never got a round tuit. :-)

Rogan
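The port-state machine described above (closed port passing only EAPOL, switch relaying an EAP challenge to the authentication server, port opened on success) together with the post's proposal to load a per-group filter set instead of removing all filters, as an added in-process simulation. This is not code from the original post or from any vendor; the supplicant, switch and "RADIUS" box are stand-ins in one process, the challenge/response is a generic HMAC rather than a real EAP method such as LEAP, and the GROUP_POLICY table and all user names and secrets are constructed for the example.

```python
"""Simulated 802.1X port access control on a switch, with per-group
filters applied after authentication instead of an open port.

Constructed example. The supplicant, authenticator (switch) and
authentication server are in-process stand-ins; the challenge/response
is a plain HMAC, not a real EAP method."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

EAPOL = "EAPOL"  # pseudo-protocol: the only traffic a closed port passes

# Hypothetical policy table (assumed for the example): filter set loaded
# on a port after success, keyed by the group the auth server returns.
GROUP_POLICY = {
    "accounting": {("tcp", 443), ("tcp", 445)},
    "developers": {("tcp", 22), ("tcp", 443)},
    "public": {("tcp", 80), ("tcp", 443)},
}


@dataclass
class Port:
    """One switch port. Starts closed: only EAPOL reaches the switch."""
    state: str = "unauthorized"
    allowed: set = field(default_factory=lambda: {EAPOL})

    def permits(self, frame):
        """frame is EAPOL or a (proto, dst_port) tuple."""
        return frame in self.allowed

    def link_down(self):
        """Cable pulled or EAP-Failure: back to the default filter set."""
        self.state, self.allowed = "unauthorized", {EAPOL}


class AuthServer:
    """Stand-in for the RADIUS/TACACS box: owns the secrets and groups."""

    def __init__(self, users):
        self.users = users  # identity -> (secret bytes, group name)
        self.pending = {}

    def challenge(self, identity):
        nonce = os.urandom(16)
        self.pending[identity] = nonce
        return nonce

    def verify(self, identity, response):
        """Returns the user's group on success, None on failure."""
        entry = self.users.get(identity)
        nonce = self.pending.pop(identity, None)
        if entry is None or nonce is None:
            return None
        secret, group = entry
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return group if hmac.compare_digest(expected, response) else None


class Supplicant:
    """The end-point being plugged in."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, nonce):
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


class Authenticator:
    """The switch: relays EAP between supplicant and server, never holds
    the secret, and sets the port filters from the server's verdict."""

    def __init__(self, server):
        self.server = server

    def authenticate(self, port, supplicant):
        # EAP-Request/Identity -> EAP-Response/Identity (sent in clear)
        identity = supplicant.identity
        # Challenge originates at the server; the switch only forwards it
        nonce = self.server.challenge(identity)
        response = supplicant.respond(nonce)
        group = self.server.verify(identity, response)
        if group is None:
            port.link_down()  # EAP-Failure: port stays closed
            return False
        # EAP-Success: load the group's filter set rather than open fully
        port.state = "authorized"
        port.allowed = {EAPOL} | GROUP_POLICY.get(group, set())
        return True


if __name__ == "__main__":
    server = AuthServer({"alice": (b"s3cret", "accounting")})
    port, switch = Port(), Authenticator(server)
    switch.authenticate(port, Supplicant("alice", b"s3cret"))
    print(port.state, sorted(port.allowed, key=str))
```

Note what the simulation does and does not model: the switch never learns the secret (the server verifies), a failed or unknown identity leaves the port with the default EAPOL-only filter, and a link-down resets the port so the next device has to authenticate again. It does not model the data-plane enforcement itself (how a real switch ties the filter set to the port or MAC), which is the part the post says would need programmable hardware.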

-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () clavister com] 
Sent: 14 December 2002 01:53 PM
To: fw-wiz
Subject: [fw-wiz] "802.1x"?



Hullo,

Could someone clueful please take a minute or two and give us all the
"techecutive summary" of 802.1x?  I've been trying to piece together
what exactly it's supposed to be doing, but everything I've come 
across so far has been so buzzword-laden, it's been impossible to 
glean real clue from.

All I've understood is that it uses PPP EAP for authentication
(by, for instance, talking to a radius server)
- Which box is the "EAP server"?  I would assume that it's the
  endpoint ("base station"), but docs seem to suggest that 
  it just gets passed through to some server in the background?
- Then there's something about key exchange.... (?)
- Is there a built-in crypto layer, or is that supposed to be 
  done by something else?
- Does it rely on known-good crypto, or are they inventing 
  own algorithms again?
- Is it any good? :)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards