Security Watch
Column
Trust in Networking: a Fairy Tale?

  January 7, 2002
  By Robert Moskowitz


When did you wake up and realize that not only do you no longer know what components are connected to your network, but that, no matter how hard you try, you might never know? Perhaps you've invested in extensive network-discovery and network-mapping tools that provide partial snapshots of your network. But would you know if a manager installed a wireless hub to gain mobility, and whether other wireless users were on your network? And exactly how are the network drops in your conference rooms used? Is anyone swamping your VLANs (virtual LANs) with bad MAC (Media Access Control) addresses, turning them into simple bridges just for the fun of it?



The IEEE has a proposal for controlling your network: total network component authentication via 802.1x, or Port-Based Network Access Control. Get with the program and you'll know about every component on your network and be able to control which components have access to which services. The components will be able to send datagrams appropriate only for the authenticated MAC address. 802.1x comes at a steep price and its full potential may never be achieved, but it offers much promise. And for certain parts of your network, 802.1x's value is real and attainable.

802.1x is nothing more than a mechanism to transport EAP (Extensible Authentication Protocol, RFC 2284) packets over an 802 link layer. 802.1x defines a supplicant system connected to the network, an authenticator connected to the network to facilitate the supplicant's access to the network, and an authentication server that authenticates the supplicant and grants it access to the authenticator. RADIUS is typically the authentication server, while the authenticator plays the role of the RADIUS client. 802.1x evokes an image of waves of authentication spreading out from your secure data center to the edges of your organization. In this model, each component moving out from the authentication server acts first as a supplicant and then as an authenticator. A hub is authenticated to a router, then some routers are authenticated to that hub, a switch is authenticated to the second tier of routers, and finally a server or workstation is authenticated to that switch.
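The three-party exchange just described, as an added example that is not the column's or the IEEE's code: a Python model in which the supplicant speaks EAPOL to the authenticator, the authenticator relays the EAP packets to a RADIUS authentication server inside an EAP-Message attribute, and every RADIUS reply is checked with the static shared secret of RFC 2865 that the column goes on to criticize. The identity allow-list, the secrets and the packet contents are constructed; the EAP method exchange that would follow the Identity step (TLS, SRP) is elided, so the server's accept decision on the identity alone stands in for it.

```python
"""Model of the 802.1x exchange: supplicant <-EAPOL-> authenticator <-RADIUS-> authentication server.
Added example; the network is simulated in memory and all identities, secrets and the
allow-list are constructed. Framing follows RFC 2284 (EAP), IEEE 802.1X (EAPOL) and RFC 2865 (RADIUS)."""
import hashlib
import os
import struct

# EAP codes and the Identity type (RFC 2284)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# EAPOL header: protocol version, packet type, body length (IEEE 802.1X)
EAPOL_VERSION, EAPOL_EAP_PACKET, EAPOL_START = 1, 0, 1
# RADIUS codes and the EAP-Message attribute (RFC 2865 / RFC 2869)
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 1, 2, 3
ATTR_EAP_MESSAGE = 79


def eap_pack(code, ident, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Data]; Success/Failure carry no type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    body = pkt[4:]
    return code, ident, (body[0] if body else None), body[1:]


def eapol_pack(ptype, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eapol_unpack(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def radius_attrs(eap):
    """One EAP-Message attribute: Type(1) Length(1) Value (fragmentation ignored here)."""
    return struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(eap)) + eap


def radius_eap_message(attrs):
    """Walk the attribute list and return the EAP-Message value."""
    i = 0
    while i < len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_type == ATTR_EAP_MESSAGE:
            return attrs[i + 2:i + attr_len]
        i += attr_len
    raise ValueError("no EAP-Message attribute")


def radius_request(ident, eap):
    """Access-Request: Code, ID, Length, 16-byte random Request Authenticator, attributes."""
    attrs = radius_attrs(eap)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs


def radius_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_verify_response(response, request, secret):
    """The authenticator can only check the reply if it holds the same static secret as the server."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request[4:20] + attrs + secret).digest() == resp_auth


class AuthServer:
    """Authentication server: one static secret per authenticator (its RADIUS client)."""

    def __init__(self, secret, allowed_identities):
        self.secret, self.allowed = secret, allowed_identities

    def handle(self, request):
        code, ident, eap_type, data = eap_unpack(radius_eap_message(request[20:]))
        ok = code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY and data.decode() in self.allowed
        verdict = eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return radius_response(RADIUS_ACCESS_ACCEPT if ok else RADIUS_ACCESS_REJECT,
                               request, radius_attrs(verdict), self.secret)


def authenticate(identity, server, authenticator_secret):
    """Run the port-authentication exchange; returns (port_authorized, transcript)."""
    log = []
    ptype, _ = eapol_unpack(eapol_pack(EAPOL_START))                # 1. supplicant: EAPOL-Start
    log.append("EAPOL-Start" if ptype == EAPOL_START else "unexpected frame")
    frame = eapol_pack(EAPOL_EAP_PACKET, eap_pack(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    log.append("EAP-Request/Identity")                                # 2. authenticator asks who is there
    _, body = eapol_unpack(frame)
    _, ident, _, _ = eap_unpack(body)
    response = eap_pack(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    log.append("EAP-Response/Identity")                               # 3. supplicant answers
    request = radius_request(ident, response)                         # 4. relayed to the server over RADIUS
    reply = server.handle(request)
    if not radius_verify_response(reply, request, authenticator_secret):
        log.append("RADIUS reply rejected: shared-secret mismatch")
        return False, log
    verdict = radius_eap_message(reply[20:])
    code, _, _, _ = eap_unpack(verdict)
    eapol_pack(EAPOL_EAP_PACKET, verdict)                             # 5. verdict goes back over EAPOL
    log.append("EAP-Success" if code == EAP_SUCCESS else "EAP-Failure")
    return code == EAP_SUCCESS, log
```

The third run in the test below is the case the column's next section is about: a switch acting as authenticator whose RADIUS secret does not match the server's cannot validate any reply, so the port stays unauthorized however good the supplicant's credentials are.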

The Downside

Unfortunately, the deficiencies of EAP and RADIUS limit the use of 802.1x, even though it does offer significant risk mitigation. As the tools function today, total deployment is hardly practical. Although the 802.1x model of a network component acting first as a supplicant and then as an authenticator is powerful, RADIUS supports only a static key between the authenticator (RADIUS client) and the authentication server. This has always been an operational deterrent to deploying many RADIUS clients, which is exactly what 802.1x requires. It would take a special RADIUS implementation to use a session key generated through the supplicant authentication as the client's RADIUS key. Then there's the bootstrap issue: What is the first authenticator, and how is it configured? Perhaps an even more serious roadblock to 802.1x deployment is the choice of EAP types. The TLS (Transport Layer Security) EAP is the most talked about, but it requires a PKI (public key infrastructure) and certificates in every authenticated networking component, which won't make deployment any easier for most companies. Other EAP types are needed, such as the proposed SRP (Secure Remote Password, RFC 2945). SRP provides the ease of deployment of a user ID and password with the exchange strength of Diffie-Hellman public keys.
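The SRP exchange the author proposes as an EAP type, as an added example that is not the column's code: a Python walk-through of Secure Remote Password in the SRP-6 form (the RFC 5054 refinement of RFC 2945), showing why it gives a password login Diffie-Hellman-grade exchange strength. The server stores only a salt and a verifier, the password never crosses the wire, and a wrong password leaves the two sides with different session keys. The modulus (the Mersenne prime 2^127 - 1), the generator, the user name and the passwords are constructed so the arithmetic is readable; RFC 2945 and RFC 5054 use large safe-prime groups, and the toy group is for following the algebra, not for deployment.

```python
"""SRP (Secure Remote Password) in the SRP-6 form: password login with a Diffie-Hellman-style exchange.
Added example with a toy group (constructed): N = 2^127 - 1, g = 5. Real deployments use the
large safe-prime groups of RFC 5054; the arithmetic below is unchanged by the group size."""
import hashlib
import secrets

N = 2**127 - 1          # toy prime modulus (constructed, not a standard SRP group)
g = 5                   # generator (constructed)
NBYTES = 16             # every group element fits in 16 bytes


def H(*parts):
    """Hash ints (fixed-width big-endian) and bytes together; returns an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NBYTES, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)             # SRP-6 multiplier, binds B to the group parameters


def private_x(salt, username, password):
    """x = H(s | H(I ':' P)): computed on the client at login and on the server once at enrollment."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username, password):
    """Server stores (salt, verifier v = g^x) and never the password or x."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


class Client:
    def __init__(self, username, password):
        self.I, self.P = username, password
        self.a = secrets.randbelow(N - 2) + 1           # ephemeral private value
        self.A = pow(g, self.a, N)                      # sent to the server with the user name

    def session_key(self, salt, B):
        if B % N == 0:
            raise ValueError("server sent a degenerate B")
        u = H(self.A, B)                                # scrambling parameter
        x = private_x(salt, self.I, self.P)
        # B - k*g^x == g^b, so S = g^(b(a + ux)) on both sides when the password is right
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return hashlib.sha256(S.to_bytes(NBYTES, "big")).digest()


class Server:
    def __init__(self, salt, verifier):
        self.salt, self.v = salt, verifier
        self.b = secrets.randbelow(N - 2) + 1           # ephemeral private value
        self.B = (k * verifier + pow(g, self.b, N)) % N  # sent to the client with the salt

    def session_key(self, A):
        if A % N == 0:
            raise ValueError("client sent a degenerate A")
        u = H(A, self.B)
        S = pow((A * pow(self.v, u, N)) % N, self.b, N)  # (g^a * g^(xu))^b
        return hashlib.sha256(S.to_bytes(NBYTES, "big")).digest()


def login(username, typed_password, salt, verifier):
    """One full exchange. Only A, B, the salt and the proof M1 cross the wire;
    the server accepts when the client's proof matches its own key."""
    client, server = Client(username, typed_password), Server(salt, verifier)
    key_client = client.session_key(salt, server.B)
    key_server = server.session_key(client.A)
    m1 = H(client.A, server.B, key_client)              # client's proof of K, sent to the server
    return m1 == H(client.A, server.B, key_server)
```

The verifier is a one-way function of the salted password, so a copy of the server's database does not by itself let a holder impersonate the user; that is the property that lets SRP be deployed with only a password database on the authentication server, in contrast to the per-component certificates that EAP-TLS requires.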

None of this will happen if price is a barrier. For wireless, at least, the cost of not securing the network will exceed the cost of adding 802.1x. Other networking components, such as VLAN, will be more cost-sensitive. But if 802.1x support comes free with your next switch and NIC software upgrades, we'll all win.

Robert Moskowitz is a senior technical director at TruSecure Corp. Send your comments on this column to him at rgm@htt-consult.com.
