Keeping Insiders Honest
It is important to understand the intersection of port-based access-control solutions and
related policy-enforcement mechanisms. It is too easy for an outside individual to gain
physical and logical access to a network. A solution to this problem is 802.1X, which keeps
the outsiders out and can serve as a way to extend the level of trust in a networked system
by proving someone’s identity. As a potential benefit, the network now becomes aware of
authorized sessions, and it can enforce policies. This provides the capability to keep
insiders honest. You also have the potential to increase the level of accountability for whom
you might actually be doing business.
Port-Security Integration
Port security was originally developed to address the security risk of content-addressable
memory (CAM) table exhaustion. Hence, port security can limit the number of addresses
that can be learned on a port as a defense against MAC address table exhaustion attacks.
The basic implementation is to secure addresses only when they are being learned in
accordance with the Layer 2 bridging model.
In practice, this means that implementing port security should secure host addresses only
if the traffic received from those addresses is not Layer 2 control-packet traffic (CDP, STP,
PAgP, Link Aggregation Control Protocol [LACP], DTP, and so on). These types of Layer
2 frames do not trigger host learning and, thus, cannot be used to overflow the MAC address
table. In practice, this alone makes 802.1X technically superior to technologies (such
as port security) because it implicitly disallows all traffic other than EAPOL before a valid
port authorization takes place. By default, CAM table exhaustion is accounted for. Even
after 802.1X authorizes a port, most Catalyst-switch implementations attempt to ensure the
validity of the authorized session by locking it on a port down to the single MAC address
that was authenticated through 802.1X. Previously, when a secured port went down and
came back up, MAC addresses that were previously learned and secured on the port were
lost. As a result, a new host could then be learned on the port without causing any violation.
The only way to control this behavior was to configure sticky port security in an attempt to
lock individual MAC addresses down to certain ports if needed. However, sticky port security
saves any MAC address learned on a port, which is equivalent to statically configured MAC
addresses on the port. Then, MAC addresses can be preserved across link up/down or
switch reloads.
286 Chapter 17: Identity-Based Networking Services with 802.1X
Sticky port security allows for a MAC address to be learned only once, and it is secured
permanently after that. Technically, although this might limit the number of MACs learned
on a port, no form of authentication exists in this at all. 802.1X is superior to this because
it does not care about how a device actually authenticates, but it can support the notion of
authentication in general. From a switch’s perspective, upon linkup, 802.1X is prioritized
over port security. This means that the switch must authorize a user before it can secure
(or even learn) a MAC address. When enabled together on the same port, port security and
802.1X can allow the network to limit the number of hosts to be learned and secured on the
port in addition to authenticating that host. The default behavior of 802.1X (without port
security) is to implicitly deny all traffic until a supplicant successfully authenticates. Until
then, only EAPOL packets are allowed; all other packets are silently dropped. After the
supplicant successfully authenticates, the default access for the port is changed depending
on the 802.1X host mode (which is discussed next). By default, only EAPOL packets are
handled in this single-auth mode, and all other packets are dropped. When a supplicant
authenticates, 802.1X informs port security to secure the MAC address on the port. If this
succeeds, access is granted. If this process does not succeed, access can be denied. In this
way, 802.1X can be backward-compatible with existing port-security techniques, whether
they are predominantly static or dynamic in nature.
NOTE For more information on port security, see Chapter 2.
DHCP-Snooping Integration
DHCP snooping can keep track of the binding between MAC addresses and dynamically
assigned IP addresses. It is enabled on a per-VLAN basis and intercepts all DHCP
messages bridged within a VLAN. Combined with 802.1X on a port, this provides a unique
value proposition from an overall security standpoint. Like 802.1X, IP Source Guard can
also be enabled on an individual Layer 2 port. 802.1X is essentially a per-port traffic filter
(implicitly denying everything, with the exception of EAPOL) until a port becomes
authorized. After a port authorizes, it is implicitly allowed to communicate. IP Source
Guard can leverage DHCP snooping to enable a per-port IP traffic filter for protection
against spoofing. It uses DHCP snooping or static bindings to effectively build an inbound
port access control list (PACL) on every port on which it is enabled.
NOTE For more information on DHCP snooping, see Chapter 5, “Leveraging DHCP
Weaknesses.”
Address Resolution Protocol Inspection Integration
Address Resolution Protocol (ARP) is a Layer 2 protocol that maps IP addresses to MAC
(hardware) addresses. ARP is a stateless network layer protocol, does not have any
authentication built into it, and can be spoofed as a result. A networked device trusts ARP
request/reply messages without ensuring that they come from the correct devices. In
combination with 802.1X, however, you can logically prove that an end user or device
attaching to a LAN edge port is not an outsider. 802.1X and Dynamic ARP Inspection
(DAI) then interoperate to keep this insider honest. This confirms that authentication alone
does not prove trustworthiness. Chapter 6, “Exploiting IPv4 ARP,” discusses ARP
limitations and mitigation techniques.
Putting It Together
Potential attack vectors exist in most networked systems. The majority of access-edge
attacks attempt to exploit the inability of a device to track the attacker or of a networked
system to recognize a change in the forwarding path. Most common attacks at the
network edge range from MAC flooding attacks, to spanning-tree attacks, to ARP attacks,
or the abuse of other packet types. 802.1X is a port-based access-control solution. It
provides an improved solution for the authentication of various types of users or devices
while directly providing an added answer to the attack vectors in a switched-LAN
environment. Compared to previous approaches to access control, 802.1X offers
enterprises several benefits that can interoperate with existing security solutions with a low
degree of overlap. 802.1X is superior to other versions of access control and might address
some security issues better than a mitigation approach itself can (in many ways).
After 802.1X completes, an authenticated session is typically bound to the MAC address
used to authorize a port. This enforcement process ensures the validity of the authenticated
session. This mitigates the threat of a network port being compromised by any other non-
802.1X client that might appear on the wire. After a switch port is authorized by 802.1X,
all subsequent traffic that matches the security policy on the port is forwarded until events
occur that cause the port to become unauthorized. 802.1X assumes that an authenticator port
is physically and directly connected to a supplicant in a single-host-per-port topology. It
does not directly support access to a hub-based shared Ethernet segment or an
unauthenticated switch. Otherwise, a single authenticated device could gain access for other
unauthorized systems. Thus, authenticators need to detect the presence of multiple devices
on their ports and be able to deny access if desired. This is a default action of the
configuration shown previously; it is known as single-auth mode. Operationally, additional
MAC addresses that appear on the wire are treated as security violations. This includes
VMware-type devices or any machines that attempt to send gratuitous ARP frames.
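The per-port behavior described in the Port-Security, DHCP-Snooping and ARP Inspection sections and in the single-auth mode paragraph above, as an added example that is not from the book or from any vendor's code: a small Python model of an access port that passes only EAPOL until authorized, binds the session to one MAC, treats a second MAC as a violation, and filters IP and ARP against the DHCP snooping binding. The class and method names and the addresses are constructed; the DAI check is simplified to the frame's sender IP rather than parsing the ARP body.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
EAPOL, IPV4, ARP = 0x888E, 0x0800, 0x0806  # EtherTypes; EAPOL is all an unauthorized port passes

@dataclass
class Frame:
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None  # sender address carried by IPv4 and ARP frames
    dhcp: bool = False            # DHCP client traffic, exempt from the IP Source Guard check

@dataclass
class AccessPort:
    """One authenticator port directly attached to one supplicant (single-auth mode)."""
    authorized_mac: Optional[str] = None       # MAC the 802.1X session is bound to
    binding: Optional[Tuple[str, str]] = None  # (MAC, IP) recorded by DHCP snooping
    violations: int = 0

    def authenticate(self, mac: str, accepted: bool) -> bool:
        if accepted:                 # on success port security secures exactly this MAC
            self.authorized_mac = mac
        return accepted

    def dhcp_ack(self, mac: str, ip: str) -> None:
        self.binding = (mac, ip)     # DHCP snooping learns the binding IP Source Guard/DAI enforce

    def ingress(self, f: Frame) -> str:
        """Classify one inbound frame as forward, drop or violation."""
        if self.authorized_mac is None:               # unauthorized: implicit deny
            return "forward" if f.ethertype == EAPOL else "drop"
        if f.src_mac != self.authorized_mac:          # an additional MAC on the wire
            self.violations += 1
            return "violation"
        if f.ethertype in (IPV4, ARP) and not f.dhcp:  # per-port PACL built from the binding
            if self.binding != (f.src_mac, f.src_ip):
                return "drop"
        return "forward"

def run_scenario() -> List[str]:
    """Constructed traffic: host A authenticates and gets a lease, then host B appears."""
    port, a, b = AccessPort(), "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    out = [port.ingress(Frame(a, IPV4, "10.0.0.5"))]      # before auth: drop
    out.append(port.ingress(Frame(a, EAPOL)))             # EAPOL: forward
    port.authenticate(a, accepted=True)
    out.append(port.ingress(Frame(a, IPV4, dhcp=True)))   # DHCP discover: forward
    port.dhcp_ack(a, "10.0.0.5")
    out.append(port.ingress(Frame(a, IPV4, "10.0.0.5")))  # matches binding: forward
    out.append(port.ingress(Frame(a, ARP, "10.0.0.1")))   # ARP claiming another IP: drop
    out.append(port.ingress(Frame(b, ARP, "10.0.0.6")))   # second MAC: violation
    return out
```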
802.1X essentially represents authentication. Authentication alone does not assume
trustworthiness. Even with 802.1X, an attacker with physical access to a LAN can still sniff
traffic and spoof an authenticated MAC address. This level of attack, although valid, does
not generally exist in wireless because encryption is used, and the supplicant and
authenticator have a mutually derived key that an attacker doesn’t know. With wireless
topologies that support encryption and authentication, even if an attacker could spoof the
MAC and IP, frames are ignored, and an attacker should not be able to easily decrypt frames.
Until wired 802.1X has encryption built in to validate supplicant traffic, it is exposed to this
attack. Although 802.1X certainly raises the bar for security measures in a LAN alone,
other mitigation techniques (such as physical security, access to cabling, and so on) to
thwart attackers are recommended. To understand the future of link-layer encryption, see
Chapter 18, “IEEE 802.1AE.”
NOTE This does not account for lower-layer protocols, such as 802.11, in use for wireless
topologies.