Using 802.1X to control physical access to LANs

Network security would be so much easier if you could control which physical computers were allowed to join your network. It would mean a hacker would have to gain physical access to a particular computer before they could even start to attack your network. One technology used to control admission of computers into a network is 802.1X, a port-based access control. It is mainly used on wireless networks but is increasing in popularity as an access control method on wired networks too.

802.1X features MAC address filtering. Any machine whose MAC address on the network adapter does not match an entry in the account database is not permitted access to the network. Unfortunately, like IP addresses, MAC addresses can be spoofed. This creates the possibility of a man-in-the-middle attack, albeit a sophisticated one. To prevent this type of attack, 802.1X should be combined with the Extensible Authentication Protocol (EAP) to authenticate the client to the network and the network to the client.

802.1X is one way of preventing entry to your network, but once it authenticates the connection it assumes all traffic over the connection is legitimate. To really solve the problem of rogue machines, each computer needs to protect itself from the other computers on the network.

More information Learn more about network device compliance Visit our resource center to learn more about wireless access control, including 802.1X

So, 802.1X should also be used in conjunction with IPSec, which provides end-to-end authentication and encryption between hosts on a network.

Looking ahead to the release of Microsoft Windows Vista/Longhorn, it's understood that they will include Network Access Protection (NAP). This feature will allow you to protect your network from unhealthy computers by enforcing compliance with network health policies. This is similar to Cisco's Network Admission Control (NAC), which isolates and denies network access to non-compliant devices. While NAP and NAC play a different role from 802.1X in controlling network connections, it will certainly go a long way to ensuring trusted computers on the network stay that way.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics IE 8 beta 2 security features may mark improvements for browser security Screencast: How to use Nipper to create network security reports Mining enterprise SIM logs for relevant security event data How to configure NAP for Windows Server 2008 Exploring Microsoft's Network Access Protection policy options Screencast: How to use Wikto for Web server assessment How to avoid DLP implementation pitfalls Microsoft Baseline Security Analyzer: Do updates offer improved Windows security? How to patch Kaminsky's DNS vulnerability Directory services and beyond: The future of LDAP Endpoint Security Companies Finding a Place for Maturing NAC Projects Product Review: Sophos Endpoint Security and Control 8.0 PCI DSS 1.2 clarifies wireless, antivirus use Hidden endpoints: Mitigating the threat of non-traditional network devices Symantec launches Endpoint Management Suite Symantec to offer Endpoint Management Suite Sophos finds patching issues through endpoint NAC tool Websense, Reconnex top Forrester ranking of DLP vendors Cisco, EMC to partner on data protection, PCI Product review: Promisec's Spectator RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary brute force cracking  (SearchSecurity.com) buffer overflow  (SearchSecurity.com) Crash Course: Spyware  (SearchSecurity.com) email spoofing  (SearchSecurity.com) endpoint security  (SearchSecurity.com) phishing  (SearchSecurity.com) rootkit  (SearchSecurity.com) social engineering  (SearchSecurity.com) tunneling  (SearchSecurity.com) Wired Equivalent Privacy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.