How do you provide access to your network and services? In this video, you’ll learn about network access control, port security, captive portals, and more.
As a network administrator, you’ll probably want to keep people off of the network until they’ve provided the correct authentication. One way to do this is by using port-based network access control, or NAC. The most common type of NAC uses a standard called IEEE 802.1X. When we say port-based access control, we are referring to physical interfaces or physical access to the network; this is not describing a way to restrict access to TCP or UDP ports. If you’re using 802.1X for your network access control, then you’re probably using a type of EAP, the Extensible Authentication Protocol, to provide the authentication, and there’s an AAA server running TACACS or RADIUS that usually verifies that authentication.
Although it’s good to use network access control, you should also disable any interfaces on a switch that are not in use, and you might also want to enable any MAC address checking functions in your switch to make sure that no one is trying to get around some of the functionality of NAC by spoofing a MAC address.
There are three devices that communicate during this 802.1X authentication process. We have the supplicant, which is usually a software client running on your device, such as a laptop. You have the authenticator, which is usually inside of a switch, and there’s usually an AAA server in the back end that performs the authentication. When you first connect to the network and plug into an interface, you’ll find there’s no communication until you authenticate.
The authenticator will then send a message to the new device asking, is there someone new here? This is an EAP request for the identity of the supplicant. The supplicant responds with its authentication information, and the authenticator passes that information through to the authentication server. The authentication server confirms that this is a valid login, but it still needs to find out whether the device has the right credentials to gain access. The authenticator then requests those credentials from the supplicant, and the credentials are provided. If those credentials match what’s on the authentication server, the authentication server lets the authenticator know that all of the credentials looked fine, and that particular device is allowed access to the network.
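The three-party exchange described above, as an added example that is not part of the original video: a supplicant, an authenticator that keeps the port closed to everything except EAPOL until the AAA server returns an accept, and an AAA server that first asks for an identity and then challenges for credentials. The HMAC challenge/response and the class names are constructed stand-ins for a real EAP method, not any vendor’s implementation.

```python
"""Toy 802.1X exchange (constructed example; the challenge/response stands in for a real EAP method)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class AAAServer:
    users: dict  # identity -> password; constructed credential store

    def handle(self, identity, challenge=None, response=None):
        """Round 1: Access-Challenge for a known identity. Round 2: Accept/Reject the response."""
        if identity not in self.users:
            return "Access-Reject", None
        if challenge is None:
            return "Access-Challenge", os.urandom(16)
        expected = hmac.new(self.users[identity].encode(), challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response or b"")
        return ("Access-Accept" if ok else "Access-Reject"), None

@dataclass
class Supplicant:
    identity: str
    password: str

    def respond(self, challenge):
        # Prove knowledge of the password without sending it on the wire.
        return hmac.new(self.password.encode(), challenge, hashlib.sha256).digest()

@dataclass
class Authenticator:
    aaa: AAAServer
    authorized: bool = False          # 802.1X port state, starts unauthorized
    log: list = field(default_factory=list)

    def forward(self, frame_type):
        return self.authorized or frame_type == "EAPOL"  # only EAPOL passes before auth

    def authenticate(self, supp):
        self.log.append("EAP-Request/Identity")            # "is someone new here?"
        self.log.append(f"EAP-Response/Identity {supp.identity}")
        code, challenge = self.aaa.handle(supp.identity)   # relayed to the AAA server
        if code == "Access-Challenge":
            self.log.append("EAP-Request (credential challenge)")
            code, _ = self.aaa.handle(supp.identity, challenge, supp.respond(challenge))
        self.authorized = code == "Access-Accept"
        self.log.append(code)
        return self.authorized
```

Inspecting `Authenticator.log` after a run shows the message sequence; `forward()` shows why the supplicant sees no ordinary traffic until the port is authorized.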
Another method to control access is with a function called port security. This prevents someone unauthorized from connecting to an enabled port on your switch and gaining access to your network. It can alert you, or it can disable the port and immediately prevent anyone from using that particular interface. Port security is based on the MAC address of the device that’s connecting. Even if that MAC address is being forwarded from another switch, we’re still looking at the MAC address to make this port security decision. You can set up each port on your switch with a different set of configurations that would allow or disallow certain MAC addresses from the network.
Here’s how this works. You would configure your switch with a maximum number of MAC addresses that would be allowed on a particular port on that switch. You get to decide whether it’s a single MAC address or whether there may be more addresses associated with that particular switch port. The switch will then monitor all of the devices that connect to that port, and it will keep a list of all of the MAC addresses. If the number of MAC addresses seen on a particular interface exceeds what’s configured inside of the switch, the default is to disable the interface completely. That means if someone has a computer on their desk and they’re connecting to the switch, you might configure port security to only allow one single MAC address for that particular interface.
If someone disconnects the network cable from that desktop computer and plugs it into their own device, the number of MAC addresses seen on that particular interface would now be two, which exceeds the port security limit configured for that interface. With the default configuration, the interface would be disabled, and you would have to administratively re-enable it to gain access again to that particular port.
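The port security behaviour from the last two paragraphs, as an added example that is not part of the original video: a port learns up to a configured maximum of source MAC addresses, and an address beyond that limit is a violation that, by default, disables the interface until an administrator re-enables it. The `restrict` mode that only drops the offending frames is an assumed alternative for comparison, not something the text describes.

```python
"""Port-security model (constructed example, not a vendor implementation)."""
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # MAC addresses allowed on this port
    violation: str = "shutdown"   # "shutdown" = disable port (the default in the text);
                                  # "restrict" (assumed alternative) drops offending frames only
    learned: set = field(default_factory=set)
    enabled: bool = True
    violations: int = 0

    def ingress(self, src_mac):
        """Return True if a frame with this source MAC is forwarded."""
        src_mac = src_mac.lower()
        if not self.enabled:
            return False
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)  # learn a new address on this port
            return True
        # Limit exceeded: a second host is a violation, whether it is plugged in
        # directly or its frames are forwarded through another switch.
        self.violations += 1
        if self.violation == "shutdown":
            self.enabled = False       # stays down until an admin re-enables it
        return False

    def admin_reenable(self):
        """Administrative recovery; clears the learned addresses too."""
        self.enabled = True
        self.learned.clear()

def replay(port, src_macs):
    """Feed a sequence of source MACs; return the forward/drop decision for each."""
    return [port.ingress(m) for m in src_macs]
```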
This MAC address is the Media Access Control address. It’s the hardware address associated with a network interface card, and you can use this address as a filtering mechanism. You can decide exactly which MAC addresses may be allowed or disallowed through particular interfaces on your switch. One way to find these MAC addresses is to perform a packet capture and examine exactly which MAC addresses are communicating through the network. Because of this, it’s very easy to identify and then to spoof particular MAC addresses on a network, so you can’t use a MAC filter as your single method of security. If someone knows a working MAC address, they can easily circumvent the filter, which makes this method more of a security-through-obscurity control.
Captive portals are another good way to provide access to a network. We commonly see these on wireless networks. When you connect to this network, your device is checked against a list of devices that are allowed access to the network, and if you don’t happen to be in that list, you’re presented with a login screen. From there, you can provide a username, a password, and any other required authentication factors. Once your authentication is validated, you have access to the network. There’s usually a log out button to log out of the network, or the access point may log you out automatically after a certain amount of time.
Another popular method of controlling traffic is with an access control list, or an ACL. ACLs look at the packets themselves to allow or disallow traffic through the network. ACLs are also commonly used to determine what traffic needs to have network address translation, quality of service, and other network features. ACLs are usually applied to router or switch interfaces, and you usually assign the ACL to either the ingress or the egress of a particular interface. Because we’re looking into the packet itself, we can make some relatively complex filtering decisions with these ACLs. For example, you can filter on source IP address, destination IP address, TCP port numbers, UDP port numbers, or ICMP. If the traffic going through the network matches a rule that you’ve configured in the ACL, you can decide whether that traffic is allowed through the network or denied.
It’s very common to configure ACLs on routers, and in this particular example, we have Sam, Jack, and Tilk. You can see there are a number of switches and routers between all of these different devices. We can put an ACL on any of these routers, and of course, we can put ACLs on either the ingress or the egress of a particular interface. If Sam is sending information to Jack, we have a number of spots through the network where we might be able to install an access control list. We can put it on the gigabit side of router one or the serial side of router one. We could also put an ACL on the serial side of router two or the gigabit side of router two.
Let’s say that we would like to prevent Sam from sending any communication to Jack. We might want to create an ACL. This happens to be an ACL that’s configured in a Cisco router, and it defines an access list; in our case, there’s only a single access list, Access List One. We’re going to choose a rule that denies any traffic that happens to have a source IP address of 192.168.10.10. If we look, that happens to be the 192.168.10 subnet, and Sam is the .10. We also have another rule in this access list that says, if there is any other traffic going through this particular interface, all of that traffic is permitted. That means that the only traffic that would be denied through this particular gigabit interface is Sam communicating to any other device on this particular subnet.
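The ACL logic described above, as an added example that is not part of the original video: rules are tried in order, the first match decides, and a packet that matches nothing falls through to the implicit deny that ends every Cisco ACL. `ACL_1` reproduces the transcript’s Access List One (deny Sam’s 192.168.10.10, permit the rest); `ACL_100` is an assumed extended ACL, added to show filtering on protocol and port, and the `Rule` and `evaluate` names are constructed.

```python
"""First-match ACL evaluation, modelled on the transcript's Access List One (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

def _in(addr, spec):
    """'any', or an address/CIDR that the packet address falls within."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    source: str = "any"        # host address or CIDR
    destination: str = "any"
    protocol: str = "any"      # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None

    def matches(self, pkt):
        return (_in(pkt["src"], self.source)
                and _in(pkt["dst"], self.destination)
                and self.protocol in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

def evaluate(acl, pkt):
    """Action of the first matching rule; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Access List One from the text: deny Sam's host, permit everything else.
ACL_1 = [Rule("deny", source="192.168.10.10"), Rule("permit")]

# Assumed extended ACL (not from the page): Sam's subnet may only send HTTPS.
ACL_100 = [Rule("permit", source="192.168.10.0/24", protocol="tcp", dport=443),
           Rule("deny", source="192.168.10.0/24")]
```

Reversing the two rules of `ACL_1` permits Sam as well, which is the ordering mistake the first-match behaviour makes easy to check for.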