There’s a world of mixed reviews and predictions as to when 802.1X will see mainstream adoption (2011? 2013? 2015?), enabling port-based network access control at Layer 2. There’s also a steady stream of claims as to what 802.1X-based NAC can and can’t do today (or in the future):
David Newman’s Review
Tim Greene’s Article
Jennifer Jabbusch/Security Uncorked Blog
Joel Snyder/Opus1 Archives
Many folks agree that 802.1X adoption is costly and complex. Some in the industry speculate that – while the standard evolves and matures – there is a need for a solid NAC solution today that supports 802.1X, but is not reliant upon it … that enables strong remediation and enforcement … sidestepping the use of faulty DHCP.
ForeScout customers are spared the worries and waiting, because CounterACT “has them covered”. CounterACT NAC is infrastructure agnostic and supports 802.1X and non-802.1X today … closing the technology gaps and bridging today’s investments to tomorrow’s infrastructures (whatever they may be).
That said … and because our customers ask … we’d like to give a little recap on 802.1X and why it offers the potential for a good NAC authentication standard.
802.1X Basics
802.1X is intended to be a proactive authentication technology that ensures any network traffic being sent is coming from an authenticated user, device, or both. Some administrators believe that 802.1X is a solution for wireless devices only, but it was actually created for campus area networks where devices, users and locations comprise a large part of the network and are always in a dynamic state of flux. The use of IEEE 802.1X offers a framework for authenticating and controlling user traffic to a protected network, as well as dynamically providing many configuration settings.
802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public-key authentication. EAP was originally designed for enterprises that wanted stronger access security than usernames and passwords alone; it was created to supplement the Point-to-Point Protocol (PPP). PPP is commonly used to authenticate remote users to the corporate or other remote network, and is the standard used for dial-up connections to the Internet. EAP sits inside PPP’s authentication phase and, when carried by 802.1X over the LAN, delivers configuration settings alongside authentication.
With 802.1X, communication begins with an unauthenticated supplicant (the 802.1X term for the client) attempting to connect to an authenticator (the 802.1X term for the wireless access point or switch). The authenticator responds by enabling the port for EAP (authentication) packets only, relaying them from the client to an authentication server located on the target network. All other traffic, such as HTTP, DHCP, and POP3 packets, is blocked by the authenticator until the client is authenticated.
The authenticator itself rarely performs the authentication; most network designers verify the client’s identity using an authentication server (almost always RADIUS). Once authenticated, the client (supplicant) may be given configuration information such as an IP address, VLAN membership, a firewall ruleset, and even encryption keys. The basic 802.1X protocol should provide effective authentication whether or not you choose to provide configuration settings.
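The port behaviour described above, as an added illustration that is not ForeScout’s or any vendor’s code: a minimal model of an authenticator port that forwards only EAPOL frames (EtherType 0x888E) toward the authentication server until a RADIUS Access-Accept arrives, then opens the port and applies the returned VLAN. The RADIUS server, the identity string and the VLAN value are constructed stand-ins, not real protocol encodings.

```python
# Added example: simplified 802.1X authenticator port state. Before the
# supplicant is authenticated only EAPOL frames are relayed (as EAP over
# RADIUS); DHCP, HTTP and other traffic is dropped. After Access-Accept the
# port is authorized and optional attributes (here a VLAN) are applied.
from dataclasses import dataclass, field
from typing import Callable, Optional

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes = b""


@dataclass
class AuthenticatorPort:
    authorized: bool = False
    vlan: Optional[int] = None
    identity: Optional[str] = None
    log: list = field(default_factory=list)

    def handle(self, frame: Frame, radius: Callable[[bytes], dict]) -> str:
        """Return 'forward', 'drop' or 'relayed' for one frame on this port."""
        if self.authorized:
            return "forward"  # authorized port: normal switching
        if frame.ethertype != ETHERTYPE_EAPOL:
            self.log.append(f"drop 0x{frame.ethertype:04x} from {frame.src_mac} before auth")
            return "drop"
        # Relay the EAP payload to the authentication server and act on its verdict.
        result = radius(frame.payload)
        if result["code"] == "Access-Accept":
            self.authorized = True
            self.identity = result.get("user")
            self.vlan = result.get("vlan")  # dynamic VLAN assignment
        else:  # Access-Reject (or a further challenge): port stays closed
            self.log.append(f"{result['code']}; port stays unauthorized")
        return "relayed"


def constructed_radius(eap_payload: bytes) -> dict:
    """Constructed stand-in for a RADIUS server that knows one identity."""
    if eap_payload == b"EAP-Response/Identity:alice":
        return {"code": "Access-Accept", "user": "alice", "vlan": 20}
    return {"code": "Access-Reject"}


def run_scenario() -> tuple:
    """DHCP before auth is dropped, EAP is relayed, DHCP after auth is forwarded."""
    port = AuthenticatorPort()
    dhcp = Frame("aa:bb:cc:00:00:01", ETHERTYPE_IPV4, b"DHCPDISCOVER")
    eap = Frame("aa:bb:cc:00:00:01", ETHERTYPE_EAPOL, b"EAP-Response/Identity:alice")
    results = (port.handle(dhcp, constructed_radius), port.handle(eap, constructed_radius),
               port.handle(dhcp, constructed_radius))
    return results + (port.authorized, port.vlan)
```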
CounterACT in an 802.1X Environment
CounterACT NAC goes beyond authentication by inspecting the client for compliance with the organization’s client security policies. It helps verify that anti-virus is installed, is currently running, has performed a scan in the last 30 days, and has up-to-date DAT (signature) files. It can also go beyond anti-virus checking to verify that a device has all hotfixes and patches installed, that a personal firewall is enabled, and that only approved software is installed, and it can even require encryption of the client’s hard drive. Today, CounterACT is able to allow or block access via the device’s USB ports and other removable storage, thereby protecting the organization against information leakage.
In many ways, CounterACT is the glue that holds all of the aforementioned solutions together … in many cases helping IT managers to centrally manage and monitor the security posture of every device/user on the network … thereby making the administration much less expensive and time-consuming.
These elegant solutions, along with better software coding practices, are beginning to blur the line between network and security administration … making it possible for the network to be fully protected from the inside out.