RE: [fw-wiz] "802.1x"?

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: 12/17/02


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
To: 'Mikael Olsson' <mikael.olsson@clavister.com>, fw-wiz <firewall-wizards@honor.icsalabs.com>
Date: Tue Dec 17 08:17:29 2002

From what I have read about 802.1x, it was designed to be used as both a
wired and wireless end-point authentication solution.

Essentially, the access device (WAP or switch) has a default set of filters
on every port (every MAC address for wireless, I guess) that only allow
access to the switch/AP itself, on specific ports. The end-point (client PC,
whatever) goes through a negotiation/authentication process whereby it is
given an IP address (optional, I think, to allow for fixed IP, but one of
the allowed services, IIRC), and can then perform authentication to the
switch.

The switch is set up to require a particular type of auth, within the
Extensible Authentication Protocol (EAP), e.g. LEAP. The switch acts as an
intermediary, challenging the end-point, and then verifying the response
against the authentication server, e.g. RADIUS/TACACS/NT ADS, whatever (not
sure of all the permutations here), and if successful, removing the filters,
and allowing unrestricted communication.

One reason to use 802.1x internally, is to ensure that only authenticated
machines are allowed to connect to your infrastructure. Someone may gain
access to your internal environment, as a cleaner/visitor, etc, but would
not be successful in plugging into your network without appropriate
authentication. They wouldn't even be able to sniff passing traffic or spoof
MAC addresses to confuse a switch, I think.

I understand that 802.1x switches (fixed infrastructure) ARE available from
some vendors, such as Cisco.

What I was thinking about was using this basis/framework for performing
client firewalling on an enterprise wide scale.

All switches start off with the standard 802.1x negotiation. When they have
finished authenticating, rather than remove all filters, apply a set of
filters appropriate to either:

- The specific user.
- The user group (Accounting, developers, etc).
- The physical location (Public access terminals?, Secure rooms).
- The machine role (Public workstation).
- Whatever blows your hair back :-)

Obviously performance would be a critical factor in the success of such a
device, as would a usable and efficient management interface for controlling
the policies downloaded to the switch.

I have seen exactly this device requested (not in so many words, but as the
subject of a research project with Microsoft and Cisco) by a fairly large
client of ours, and if such a thing existed (at a reasonable price,
naturally) I'm almost convinced they'd buy it.

Essentially, this is an extension of a bridging firewall, with a LOT of
interfaces (24-port switch?), and dynamically loaded rules.

Probably not all that complicated to do, if one had suitably programmable
hardware. I was looking around for a device to test this with, but was
unable to find anything really suitable for a prototype. Could be done with
a PC and a few interfaces, I guess. Never got a round tuit. :-)

Rogan
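The port behaviour Rogan describes, and his proposed twist on it, as an added toy model that is not part of the original post: a switch port starts out passing only EAPOL frames, the authenticator hands the EAP identity to an authentication server, and on Access-Accept the port loads a filter set keyed on the returned group instead of opening completely. The frame fields, the identity-to-group table, the group policies and the simulated RADIUS lookup are all constructed assumptions for illustration; a real authenticator would carry the EAP conversation to a RADIUS server and read the group from a returned attribute.

```python
"""Toy 802.1X authenticator port with per-group filters loaded after EAP success.

Added illustration, not code from the original post or from any vendor.
Frame format, identity table, policies and the RADIUS decision are
simplified, constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

EAPOL_ETHERTYPE = 0x888E  # 802.1X carries EAP in EAPOL frames
ARP_ETHERTYPE = 0x0806
IPV4_ETHERTYPE = 0x0800

# Non-IP frames that any authorised port needs in order to be useful at all.
POST_AUTH_ALWAYS_ALLOWED = {EAPOL_ETHERTYPE, ARP_ETHERTYPE}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: int
    dst_port: Optional[int] = None  # TCP/UDP destination; None for non-IP frames


@dataclass
class Policy:
    """Filter set pushed to the port after authentication."""
    name: str
    allowed_ports: Optional[Set[int]]  # None = unrestricted (classic 802.1X result)


# Constructed directory: EAP identity -> group. A real deployment would get the
# group from the RADIUS Access-Accept (e.g. in a Filter-Id attribute).
USER_GROUPS: Dict[str, str] = {"alice": "accounting", "bob": "developers",
                               "kiosk-01": "public-ws"}

# Constructed per-group filter sets (Rogan's "filters appropriate to the group").
GROUP_POLICIES: Dict[str, Policy] = {
    "accounting": Policy("accounting", {443, 445}),
    "developers": Policy("developers", None),
    "public-ws": Policy("public-ws", {80, 443}),
}


def radius_decision(identity: str, credential_ok: bool) -> Optional[str]:
    """Simulated authentication server: group name on Access-Accept, None on
    Access-Reject. Credential verification is abstracted to a boolean."""
    if not credential_ok or identity not in USER_GROUPS:
        return None
    return USER_GROUPS[identity]


@dataclass
class AuthenticatorPort:
    port_id: int
    authorized: bool = False
    policy: Optional[Policy] = None
    supplicant_mac: Optional[str] = None

    def eap_authenticate(self, mac: str, identity: str, credential_ok: bool) -> bool:
        """Relay the EAP result; on success bind the port to the supplicant MAC
        and load the group's filter set instead of removing all filters."""
        group = radius_decision(identity, credential_ok)
        if group is None:
            self.logoff()          # stay (or fall back to) unauthorised
            return False
        self.authorized = True
        self.supplicant_mac = mac
        self.policy = GROUP_POLICIES[group]
        return True

    def logoff(self) -> None:
        """EAPOL-Logoff or link-down: return to the default blocked filter set."""
        self.authorized = False
        self.policy = None
        self.supplicant_mac = None

    def forward(self, frame: Frame) -> bool:
        """Decide whether the port forwards a frame from the attached device."""
        # Pre-auth: only the authentication exchange itself may pass.
        if not self.authorized:
            return frame.ethertype == EAPOL_ETHERTYPE
        # Post-auth: frames from any MAC other than the authenticated one are
        # dropped, so a second device cannot ride on the open session.
        if frame.src_mac != self.supplicant_mac:
            return False
        if frame.ethertype in POST_AUTH_ALWAYS_ALLOWED or self.policy.allowed_ports is None:
            return True
        return frame.dst_port in self.policy.allowed_ports


if __name__ == "__main__":
    port = AuthenticatorPort(1)
    print("pre-auth HTTP forwarded:", port.forward(Frame("00:11", IPV4_ETHERTYPE, 80)))
    port.eap_authenticate("00:11", "alice", True)
    print("accounting SMB forwarded:", port.forward(Frame("00:11", IPV4_ETHERTYPE, 445)))
    print("accounting SSH forwarded:", port.forward(Frame("00:11", IPV4_ETHERTYPE, 22)))
```

The per-port state plus a small policy table is all the "dynamically loaded rules" amount to in this model; the management interface and the performance of the matching are the hard parts Rogan flags, and they are deliberately outside the scope of the toy.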

-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson@clavister.com]
Sent: 14 December 2002 01:53 PM
To: fw-wiz
Subject: [fw-wiz] "802.1x"?

Hullo,

Could someone clueful please take a minute or two and give us all the
"techecutive summary" of 802.1x? I've been trying to piece together
what exactly it's supposed to be doing, but everything I've come
across so far has been so buzzword-laden, it's been impossible to
glean real clue from.

All I've understood is that it uses PPP EAP for authentication
(by, for instance, talking to a radius server)
- Which box is the "EAP server"? I would assume that it's the
  endpoint ("base station"), but docs seem to suggest that
  it just gets passed through to some server in the background?
- Then there's something about key exchange.... (?)
- Is there a built-in crypto layer, or is that supposed to be
  done by something else?
- Does it rely on known-good crypto, or are they inventing
  own algorithms again?
- Is it any good? :)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

