If you need to secure a physical network port, then you’ll want to consider some type of network access control (NAC). In this video, you’ll get an overview of port security and I’ll show you a step-by-step of 802.1X in operation.
Another challenge we have is security of our switches and the ports that are on our switches. When you have all of these different ports on a device, anybody can walk into a conference room, they can walk into an empty jack that might be wired up on your network, they can plug in their device, and they might have access to all of the internal resources of your organization. Because of that, there’s a type of security called Network Access Control, NAC. You’ll sometimes see this referred to as Port-based Network Access Control. And what it’s really referring to is a standard technology called IEEE 802.1X.
The idea is that before you’re really allowed access to that switch port, before it’s turned on and giving you access to the network, you first have to authenticate. That way someone couldn’t walk into your conference room, plug in, and see your network, because they wouldn’t have the authentication credentials. It uses two technologies called EAP, pronounced “eep”, and RADIUS. EAP stands for Extensible Authentication Protocol, and it’s a very standard way to authenticate on a network. RADIUS, which stands for Remote Authentication Dial-In User Service, is a way to store and communicate authentication details like user names and passwords. We’ll almost always refer to these as EAP, or “eep”, and a RADIUS server somewhere in your environment.
And what we’re protecting here are the physical interfaces of your switch. When somebody talks about port-based network access control, you sometimes have to make sure: are you talking about the physical ports on my switch, or are you talking about TCP and UDP ports? In this particular example of switch port security and 802.1X, we’re really talking about physical access to the ports on these switches.
You can also, and this is a very good best practice, administratively enable and disable ports as they are needed. If a port is not being used, disable it. That way you won’t have it enabled by accident, and it also means somebody can’t walk up to your switch, plug in, and get access to your network.
You also have switches that have some intelligence built into the ports themselves. If somebody were to get on your network and duplicate MAC addresses in an effort to redirect traffic, your switch can recognize when some of those things occur and stop people from what we call spoofing, or trying to fool the switch into thinking that you are somebody else on your network. And by having these switches look for those types of security issues, you can also prevent someone from stepping in and taking over a session that might already be authenticated. Your switch recognizes: wait a second, that MAC address already exists somewhere else. I’m not going to allow you access onto this switch.
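Here is a small model of that port-level intelligence, written as an added example for this page rather than taken from any switch vendor’s code: the switch remembers which port each MAC address was first learned on and shuts a port that presents a MAC already bound elsewhere. It goes one step beyond the text by also limiting how many MACs a port may learn (the limit of 1 and the sample MAC addresses are constructed values).

```python
from collections import namedtuple

# Constructed Ethernet frame summary: only the fields port security looks at
Frame = namedtuple("Frame", "src_mac ingress_port")

class SecureSwitch:
    """Port security as the text describes it: remember which port a MAC was learned on,
    and shut a port that presents a MAC already bound elsewhere (a duplicate MAC is how
    spoofing or a session takeover looks to the switch). Goes one step beyond the text
    by also limiting how many MACs one port may learn (hypothetical default of 1)."""
    def __init__(self, max_macs_per_port=1):
        self.max_macs = max_macs_per_port
        self.mac_table = {}        # mac -> port it was first learned on
        self.err_disabled = set()  # ports shut down after a violation
        self.alerts = []           # what an operator would see in the switch log

    def _violation(self, frame, reason):
        self.alerts.append(f"port {frame.ingress_port}: {reason} ({frame.src_mac})")
        self.err_disabled.add(frame.ingress_port)
        return "violation"

    def process(self, frame):
        if frame.ingress_port in self.err_disabled:
            return "dropped"       # nothing from a shut port is forwarded
        bound_port = self.mac_table.get(frame.src_mac)
        if bound_port is None:
            learned_here = sum(1 for p in self.mac_table.values() if p == frame.ingress_port)
            if learned_here >= self.max_macs:
                return self._violation(frame, "too many MACs")
            self.mac_table[frame.src_mac] = frame.ingress_port
            return "learned"
        if bound_port != frame.ingress_port:
            return self._violation(frame, f"MAC already bound to port {bound_port}")
        return "forwarded"

def run_sample():
    # Constructed traffic: a legitimate host on port 1, then the same MAC appearing on port 7
    switch = SecureSwitch()
    frames = [
        Frame("aa:bb:cc:00:00:01", 1),  # host A learned on port 1
        Frame("aa:bb:cc:00:00:01", 1),  # normal traffic from host A
        Frame("aa:bb:cc:00:00:01", 7),  # host A's MAC from a different jack: duplicate
        Frame("aa:bb:cc:00:00:02", 7),  # anything further from port 7 is dropped
        Frame("aa:bb:cc:00:00:03", 1),  # a second MAC on port 1 exceeds the limit
    ]
    return [switch.process(f) for f in frames], switch.alerts
```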
Network access control using IEEE 802.1X is a pretty complex set of protocols, and it needs to be. We’re providing access to ports on a switch through software, and so there need to be a lot of checks and balances in between. There are three major components you have to think about with 802.1X. There’s something called a supplicant, which is a piece of software running on your computer that knows how to communicate via 802.1X.
There’s also something your supplicant will be talking to called an authenticator. And as you might think, that’s the device that really is providing a middle ground for authenticating on the network.
And then there’s something called an authentication server. Your supplicant never really talks directly to the authentication server. Your supplicant on your computer is talking to the authenticator, who’s then passing through that information to the authentication server.
The conversation goes something like this. When you first connect to a network, you don’t have access to the network. You’re not able to communicate. You’re essentially in an initialization phase where you have no ability to communicate out on the network. And you sit there, and you wait. Very often the authenticator, the authentication device on the switch, which is usually part of the switch itself, is sending out these requests every so often saying, hey, is there anybody new out there? This is really called an EAP, an “eep”, request, to find out whether somebody else has plugged in lately. And if you have, you might want to let me know that you’re here.
In fact that’s the next step, is that the supplicant recognizes, oh, somebody’s asking for me. Yes, my name’s James. I’m here on the network. I’d like to go ahead and start the process of gaining access to the network. The authenticator then lets the authentication server know that, by the way, James is on the network. What would you like to do with this? And the authentication server is now waiting to find out more information from that.
So the authenticator asks, hey, James, are you able to talk? Can you communicate on the network? The authentication server would like to communicate. Well, sure, here are my credentials. Let me give you information about who I am and how I can communicate on this network. And the authentication server then receives that information from the authenticator, which says, hey, James is on the network. Here are his credentials. Maybe this is someone you might want to allow access to the network.
The authentication server looks through that information, says that looks fantastic. James is allowed access to the network. Go ahead, enable some ports, and let him on to the network. And at that point your machine is allowed access to the ports on your network. Very often the switch is reconfigured to allow access to a particular VLAN or to the VLAN that is specific to you, and now your computer is on the network and able to communicate.
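The three-party exchange just walked through, as an added example written for this page (not code from the video or from any real supplicant, switch or RADIUS server). It models the supplicant, the authenticator (the switch) and the authentication server, with the controlled port closed until the server returns an accept; the user name, password and VLAN number in USER_DB are constructed values, and a single credential request stands in for the multi-round EAP method a real deployment would run.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed user store standing in for the authentication (RADIUS) server's database
USER_DB = {"james": {"password": "correct-horse-battery", "vlan": 20}}

class AuthenticationServer:
    """Holds the credentials and only ever hears from the authenticator."""
    def __init__(self, user_db):
        self.user_db = user_db
    def access_request(self, identity, password):
        # RADIUS Access-Request in; Access-Accept (carrying the VLAN) or Access-Reject out
        user = self.user_db.get(identity)
        if user and user["password"] == password:
            return "Access-Accept", {"vlan": user["vlan"]}
        return "Access-Reject", {}

class Supplicant:
    """802.1X client software on the endpoint; answers the authenticator's EAP requests."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
    def respond(self, eap_request):
        return self.identity if eap_request == "EAP-Request/Identity" else self.password

@dataclass
class SwitchPort:
    state: str = "unauthorized"             # controlled port stays closed until EAP-Success
    vlan: Optional[int] = None
    log: list = field(default_factory=list)  # the EAP/RADIUS conversation seen on this port

class Authenticator:
    """The switch: relays EAP to the server over RADIUS and opens the port on accept."""
    def __init__(self, server):
        self.server = server
    def authenticate(self, port, supplicant):
        # A real EAP method (EAP-TLS, PEAP, ...) takes several round trips; one request stands in
        identity = supplicant.respond("EAP-Request/Identity")
        port.log.append(f"EAP-Response/Identity: {identity}")
        secret = supplicant.respond("EAP-Request/Credential")
        verdict, attrs = self.server.access_request(identity, secret)
        port.log.append(f"RADIUS {verdict}")
        if verdict == "Access-Accept":
            port.state, port.vlan = "authorized", attrs["vlan"]
        port.log.append("EAP-Success" if port.state == "authorized" else "EAP-Failure")
        return port

def run_exchange(identity, password):
    # Drive one full 802.1X exchange on a fresh port and return that port
    switch = Authenticator(AuthenticationServer(USER_DB))
    return switch.authenticate(SwitchPort(), Supplicant(identity, password))
```

Note that the supplicant never addresses the server directly: every message in the port log passes through the authenticator, which is the only party that speaks RADIUS.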
It’s a relatively complex process, but as I mentioned, it’s one that really provides us with a lot of checks and balances and ensures that only the people who are allowed on the network really have access to the network.