You've heard a lot about how the 802.1X protocol is designed to close a yawning security gap, particularly for wireless traffic. But it also provides added security for your wired networks. Strong passwords, two-factor tokens or digital certificates notwithstanding, your data in transit is vulnerable, and your network is open to unauthorized access before higher-level authentication takes place.
802.1X provides the framework for challenging access at your network's front door -- the switch or access point -- as well as dynamic key delivery to protect wireless traffic. It's generally a good fit for larger, security-conscious organizations.
While MAC ACLs allow a switch or AP to check MAC addresses before allowing traffic to pass, there's no provision for individual station or user authentication. MAC addresses can be sniffed off wired or wireless transmissions, and the address can then be applied to any NIC that supports configurable MAC addresses.
So, 802.1X may be your best bet to enhance enterprise-level security for both wired and wireless LANs. If your environment already has the basic components for 802.1X support in place, such as 802.1X-compliant APs and switches, and a user base with built-in client software (e.g., Windows XP), deployment can be quick and cost effective.
But it's not for everyone. With added security comes added complexity. 802.1X deployment can be expensive, and vendor support is still far from universal. SOHO networks and companies with older equipment and limited or no wireless deployment may conclude it's simply too costly and complicated. In that case, you may be better served by sticking to MAC ACLs and using encryption for sensitive data.
For more information on this topic, visit these resources:
- Network Security Tip: Securing wireless, part one
- Network Security Tip: Enable 802.1X security in Windows 2000
- Best Web Links: Infrastructure and Network Security