Using 802.1X to control physical access to LANs

802.1X, a port-based access control, is primarily used on WLANs to control which machines can connect to the network. However, 802.1X is gaining popularity as an access control method for wired networks. This tip outlines some stipulations for controlling LAN access with 802.1X.

Network security would be so much easier if you could control which physical computers were allowed to join your

network. It would mean a hacker would have to gain physical access to a particular computer before they could even start to attack your network. One technology used to control admission of computers into a network is 802.1X, a port-based access control. It is mainly used on wireless networks but is increasing in popularity as an access control method on wired networks too.

802.1X features MAC address filtering. Any machine whose MAC address on the network adapter does not match an entry in the account database is not permitted access to the network. Unfortunately, like IP addresses, MAC addresses can be spoofed. This creates the possibility of a man-in-the-middle attack, albeit a sophisticated one. To prevent this type of attack, 802.1X should be combined with the Extensible Authentication Protocol (EAP) to authenticate the client to the network and the network to the client.

802.1X is one way of preventing entry to your network, but once it authenticates the connection it assumes all traffic over the connection is legitimate. To really solve the problem of rogue machines, each computer needs to protect itself from the other computers on the network. So, 802.1X should also be used in conjunction with IPSec, which provides end-to-end authentication and encryption between hosts on a network.

Looking ahead to the release of Microsoft Windows Vista/Longhorn, it's understood that they will include Network Access Protection (NAP). This feature will allow you to protect your network from unhealthy computers by enforcing compliance with network health policies. This is similar to Cisco's Network Admission Control (NAC), which isolates and denies network access to non-compliant devices. While NAP and NAC play a different role from 802.1X in controlling network connections, it will certainly go a long way to ensuring trusted computers on the network stay that way.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book
IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

This was first published in February 2009

Dig deeper on Microsoft endpoint security management

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSecurity

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

ComputerWeekly

Close