Firewall Wizards mailing list archives
RE: "802.1x"?
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Tue, 17 Dec 2002 09:41:51 +0200
From what I have read about 802.1x, it was designed to be used as both a wired and wireless end-point authentication solution.

Essentially, the access device (WAP or switch) has a default set of filters on every port (every MAC address for wireless, I guess) that only allow access to the switch/AP itself, on specific ports. The end-point (client PC, whatever) goes through a negotiation/authentication process whereby it is given an IP address (optional, I think, to allow for fixed IP, but one of the allowed services, IIRC), and can then perform authentication to the switch. The switch is set up to require a particular type of auth, within the Extensible Authentication Protocol (EAP), e.g. LEAP. The switch acts as an intermediary, challenging the end-point, and then verifying the response against the authentication server, e.g. RADIUS/TACACS/NT ADS, whatever (not sure of all the permutations here), and if successful, removing the filters, and allowing unrestricted communication.

One reason to use 802.1x internally is to ensure that only authenticated machines are allowed to connect to your infrastructure. Someone may gain access to your internal environment, as a cleaner/visitor, etc, but would not be successful in plugging into your network without appropriate authentication. They wouldn't even be able to sniff passing traffic or spoof MAC addresses to confuse a switch, I think.

I understand that 802.1x switches (fixed infrastructure) ARE available from some vendors, such as Cisco.

What I was thinking about was using this basis/framework for performing client firewalling on an enterprise-wide scale. All switches start off with the standard 802.1x negotiation. When they have finished authenticating, rather than remove all filters, apply a set of filters appropriate to either:

- The specific user.
- The user group (Accounting, developers, etc).
- The physical location (Public access terminals?, Secure rooms).
- The machine role (Public workstation).
- Whatever blows your hair back :-)

Obviously performance would be a critical factor in the success of such a device, as would a usable and efficient management interface for controlling the policies downloaded to the switch.

I have seen exactly this device requested (not in so many words, but as the subject of a research project with Microsoft and Cisco) by a fairly large client of ours, and if such a thing existed (at a reasonable price, naturally) I'm almost convinced they'd buy it.

Essentially, this is an extension of a bridging firewall, with a LOT of interfaces (24-port switch?), and dynamically loaded rules. Probably not all that complicated to do, if one had suitably programmable hardware.

I was looking around for a device to test this with, but was unable to find anything really suitable for a prototype. Could be done with a PC and a few interfaces, I guess. Never got a round tuit. :-)

Rogan

-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () clavister com]
Sent: 14 December 2002 01:53 PM
To: fw-wiz
Subject: [fw-wiz] "802.1x"?

Hullo,

Could someone clueful please take a minute or two and give us all the "techecutive summary" of 802.1x? I've been trying to piece together what exactly it's supposed to be doing, but everything I've come across so far has been so buzzword-laden, it's been impossible to glean real clue from.

All I've understood is that it uses PPP EAP for authentication (by, for instance, talking to a radius server)

- Which box is the "EAP server"? I would assume that it's the endpoint ("base station"), but docs seem to suggest that it just gets passed through to some server in the background?
- Then there's something about key exchange.... (?)
- Is there a built-in crypto layer, or is that supposed to be done by something else?
- Does it rely on known-good crypto, or are they inventing own algorithms again?
- Is it any good? :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
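The port-based flow Rogan describes (a default per-port filter that passes only the authentication exchange to the switch, an EAP conversation relayed to a back-end server, filters lifted on success) together with his proposed extension (install a per-user or per-group filter set instead of lifting all filters), modelled as an added Python example that is not from the original thread. The user database, the group policies, the constructed frame layout, and the HMAC-SHA256 challenge/response used in place of whichever EAP method a real switch would negotiate are all assumptions made for the example; the EAPOL ethertype and PAE group address are the real 802.1X values.

```python
"""Constructed model of the 802.1X port-access flow (added example, not from the thread)."""
import hashlib
import hmac
import os

EAPOL_ETHERTYPE = 0x888E              # real: EAP-over-LAN ethertype
PAE_GROUP_MAC = "01:80:c2:00:00:03"   # real: 802.1X Port Access Entity group address

# Assumed back-end user database: identity -> (group, shared secret).
USER_DB = {
    "alice": ("accounting", b"alice-secret"),
    "bob": ("developers", b"bob-secret"),
}

# Assumed per-group filter sets installed after success (Rogan's extension).
# Plain 802.1X would instead remove all filters from the port.
GROUP_POLICY = {
    "accounting": {"tcp_ports": {443}},
    "developers": {"tcp_ports": {22, 443, 3389}},
}


class AuthServer:
    """Stand-in for the RADIUS-style authentication server behind the switch."""

    def challenge(self):
        return os.urandom(16)

    def verify(self, identity, challenge, response):
        """Return the user's group on success, None on failure."""
        entry = USER_DB.get(identity)
        if entry is None:
            return None
        group, secret = entry
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return group if hmac.compare_digest(expected, response) else None


class Supplicant:
    """The end-point: knows only its own identity and secret."""

    def __init__(self, identity, secret):
        self.identity = identity
        self.secret = secret

    def respond(self, challenge):
        # HMAC-SHA256 is a constructed stand-in for the negotiated EAP method.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """The switch/AP: per-port authorization state plus the filter on that port."""

    def __init__(self, server):
        self.server = server
        self.ports = {}   # port number -> {"state": ..., "policy": ...}

    def port(self, n):
        return self.ports.setdefault(n, {"state": "unauthorized", "policy": None})

    def admits(self, n, frame):
        """True if the port's current filter lets this (constructed) frame through."""
        p = self.port(n)
        if p["state"] != "authorized":
            # Default filter: only EAPOL frames addressed to the switch's own PAE.
            return frame["ethertype"] == EAPOL_ETHERTYPE and frame["dst"] == PAE_GROUP_MAC
        if frame["ethertype"] == EAPOL_ETHERTYPE:
            return True                       # EAPOL (e.g. Logoff) still reaches the PAE
        if p["policy"] is None:
            return True                       # plain 802.1X: all filters removed
        return frame.get("tcp_port") in p["policy"]["tcp_ports"]

    def authenticate(self, n, supplicant, per_group_filters=True):
        """Run the EAP exchange on port n; returns (success, message transcript)."""
        p = self.port(n)
        log = [("supplicant->switch", "EAPOL-Start"),
               ("switch->supplicant", "EAP-Request/Identity"),
               ("supplicant->switch", "EAP-Response/Identity " + supplicant.identity),
               ("switch->server", "relay identity to authentication server")]
        challenge = self.server.challenge()   # issued by the server, relayed by the switch
        log.append(("server->switch->supplicant", "EAP-Request (challenge)"))
        response = supplicant.respond(challenge)
        log.append(("supplicant->switch->server", "EAP-Response"))
        group = self.server.verify(supplicant.identity, challenge, response)
        if group is None:
            p["state"], p["policy"] = "unauthorized", None
            log.append(("server->switch->supplicant", "EAP-Failure"))
            return False, log
        p["state"] = "authorized"
        p["policy"] = GROUP_POLICY.get(group) if per_group_filters else None
        log.append(("server->switch->supplicant", "EAP-Success (group=%s)" % group))
        return True, log

    def logoff(self, n):
        """EAPOL-Logoff: put the port back behind the default filter."""
        self.ports[n] = {"state": "unauthorized", "policy": None}


if __name__ == "__main__":
    switch = Authenticator(AuthServer())
    ok, transcript = switch.authenticate(1, Supplicant("alice", b"alice-secret"))
    for direction, msg in transcript:
        print("%-28s %s" % (direction, msg))
    print("port 1 state:", switch.port(1))
```

Running it prints the message sequence for one successful authentication and the resulting port state; with `per_group_filters=False` the authorized port admits everything, which is the standard behaviour Rogan wants to replace with a policy chosen per user, group, location or role.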