Improved Network Access Security using 802.1x NATIONAL INSTITUTE OF TECHNOLOGY JAMSHEDPUR, INDIA – 831014 Presented By Ayush Kumar Yagargala Niranjan 153/11 Roll No. 1

Upload: ajay-kumar-mahto

Post on 19-May-2017


Improved Network Access Security using 802.1x

NATIONAL INSTITUTE OF TECHNOLOGY, JAMSHEDPUR, INDIA 831014

Presented By Ayush Kumar Yagargala Niranjan (153/11, Roll No. 1)

Introduction

IEEE 802.1X is an IEEE standard for port-based network access control. It is part of the 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802 LANs, known as EAPOL. 802.1X authentication involves three parties:

The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN; the term supplicant is also used for the software running on the client that provides credentials to the authenticator.

The authenticator is a network device, such as an Ethernet switch or wireless access point.

The authentication server is typically a host running software that supports the RADIUS and EAP protocols.

802.1x architecture

802.1x port-based access control has the effect of creating two distinct points of access to the authenticator's attachment to the LAN. One point of access, the uncontrolled port, allows the exchange of frames between the system and other systems on the LAN regardless of authorization state; it carries the authentication exchange (EAP messages). The other point of access, the controlled port, allows the exchange of frames only if the port is authorized.

When a host connects to an 802.1x-enabled switch port, the switch determines the authenticity of the host on that port, according to the protocol specified by 802.1x, before the services offered by the switch are made available. On that port, only EAPOL frames are exchanged until the authentication is complete.

802.1x in Wi-Fi networks

The 802.1x specification includes two main features aimed specifically at supporting the use of port access control in 802.11 LANs.

Logical ports: the ability to use the MAC address of the station and of the access point as the destination address, so that a port can exist on a shared medium.

Key management: the ability for an access point to distribute or obtain global key information to/from attached stations by means of EAPOL (EAPOL-Key) messages.

Logical ports and MAC address association

In an 802.11 LAN environment, stations are not physically connected to the network. In addition, multiple connecting stations share the network access medium (the RF air space). A special case of shared media access exists in IEEE 802.11 wireless LANs, in which a station must form an association with an access point in order to make use of the LAN. The protocol that establishes the association allows the station and the access point to learn each other's MAC address. This effectively creates a logical port that the station can use to communicate with the access point, and it allows the supplicant to associate with the access point before dynamically derived encryption keys are applicable.

Associated EAP authentication procedure

A station must first associate with a given access point. Once the station is associated with the access point, it can exchange EAP messages with the authentication server to authorize the port. Before the logical port has been authorized, it can only exchange EAP messages.

DHCP

Stands for Dynamic Host Configuration Protocol. It automatically assigns an IP address to each computer attached to a router. A static IP address can become a security risk, because the address is always the same; static IPs are also easier to track for data-mining companies. Dynamic IP addressing, on the other hand, carries less of this risk, as the computer is assigned a new IP address each time the customer logs on. It is also cost effective.

Implementation of 802.1x and NAC in JANET


IPv6 end user authentication

One of the areas where IPv6 still lacks feature parity with IPv4 is end-user authentication and source IP spoofing prevention in large-scale carrier Ethernet networks.

With IPv4, DHCP is used to address the individual end users. Access-layer switches use DHCP snooping and use the source host name in the DHCP request sent by the client. DHCP servers log the IP address assigned to each customer. DHCPv6 snooping is not widely supported.

Solution: DHCPv6 requests sent by IPv6 hosts or CPE devices must be encapsulated in DHCPv6 relay envelopes every time the request is relayed.

Getting creative: use a VLAN per customer; monitor ND messages.

DHCP protocol

DHCP provides fundamental services in many IP networks. Its primary purpose is to allow IP configuration information to be passed to hosts on an on-demand basis. This allows unconfigured hosts to be attached to a network and to obtain a valid IP address and other basic configuration information.

DHCP functioning and its anomalies

The services provided by DHCP are critical, as its settings provide the IP address and DNS server address and define how hosts communicate over the network.

DHCP runs over UDP, and as one side of the exchange does not yet have an IP address during the conversation, DHCP is an inherently insecure protocol.

Security issues

Presence of unauthorised DHCP servers on the network.

A port usually has no way of knowing that it is being attacked.

Simplest attack (a DoS attack): prevents clients from obtaining their configuration from DHCP.

A rogue server may be used for further access to the network.

It may set an incorrect DNS server on the network.

Current proposals

The first technique is token based, with servers and clients exchanging password tokens.

Delayed authentication: uses a shared symmetric key and sends only a hash based on a varying part of the key.

Prevent MAC address spoofing.

Utilise active detection techniques to identify rogue DNS servers.

Block DHCP at the firewall separating your network from external networks.
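To make the unauthorised-server problem from the two slides above concrete, here is an added Python example (not from the presentation) of a DHCP-snooping style check: it parses a DHCPv4 message from its wire bytes and flags server replies (OFFER/ACK/NAK) that arrive on an untrusted switch port, carry a server identifier outside the allow-list, or hand out an unexpected DNS server. The port names, addresses and the policy keys (trusted_ports, servers, dns) are assumptions for this example, and build_offer constructs the sample packets.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"             # marks the start of DHCP options
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # only servers send these

def parse_dhcp(payload: bytes) -> dict:
    """Decode the DHCPv4 fields we need (op, yiaddr) plus the option TLVs."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    # op: 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    return {"op": payload[0], "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
            "options": options}

def check_dhcp_message(payload: bytes, ingress_port: str, policy: dict) -> list:
    """DHCP-snooping style check; returns alert strings (empty = acceptable)."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(OPT_MSG_TYPE, b"\x00")[0]
    if msg["op"] != 2 or mtype not in SERVER_MSG_TYPES:
        return []                 # client messages (DISCOVER/REQUEST) pass
    alerts = []
    sid = msg["options"].get(OPT_SERVER_ID)
    server = str(ipaddress.IPv4Address(sid)) if sid else "<no server id>"
    if ingress_port not in policy["trusted_ports"]:
        alerts.append(f"DHCP {SERVER_MSG_TYPES[mtype]} from {server} on untrusted port {ingress_port}")
    if server not in policy["servers"]:
        alerts.append(f"unknown DHCP server identifier {server}")
    dns = msg["options"].get(OPT_DNS, b"")
    for j in range(0, len(dns) - 3, 4):      # option 6 is a list of IPv4 addresses
        ns = str(ipaddress.IPv4Address(dns[j:j + 4]))
        if ns not in policy["dns"]:
            alerts.append(f"server {server} hands out unexpected DNS server {ns}")
    return alerts

def build_offer(server_ip: str, yiaddr: str, dns_ip: str) -> bytes:
    """Constructed sample DHCPOFFER (BOOTREPLY) for exercising the checks."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326,
                         0, 0, b"", ip(yiaddr), b"", b"", b"", b"", b"")
    options = (bytes([OPT_MSG_TYPE, 1, 2]) + bytes([OPT_SERVER_ID, 4]) + ip(server_ip)
               + bytes([OPT_DNS, 4]) + ip(dns_ip) + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options
```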

Port Access Entity (PAE)

Refers to the processes executing the authentication protocols and algorithms associated with a port.

Before authentication: the authenticator's PAE is set to the uncontrolled (unauthorized) state.

After authentication: if the result is true, the state changes to the controlled (authorized) state and other network services are allowed to flow.

If authentication fails, the port may be disabled or remain in the uncontrolled state.

Cisco's implementation uses the terms unauthorized and authorized state; it uses 8550 switches and RADIUS servers with clients.

802.1x is not supported on trunk ports, dynamic ports or dynamic-access ports.

Configuring 802.1x Authentication


Enabling 802.1x Authentication

Switch# configure terminal : enter global configuration mode.

Switch(config)# aaa new-model : enable AAA.

Switch(config)# aaa authentication dot1x default group radius : create an 802.1x authentication method list. Use the default keyword followed by the methods that are to be used.

Switch(config)# interface fastethernet0/1 : specify the interface to be enabled for 802.1x authentication.

Switch(config-if)# dot1x port-control auto : enable 802.1x on the interface. The possible modes are auto, force-authorized and force-unauthorized.

Switch(config-if)# end : return to privileged EXEC mode.

Switch# show dot1x : verify your entries.

Switch# copy running-config startup-config : save your entries in the configuration file.

Configuring the switch-to-RADIUS server communication

In this step the switch is configured with the RADIUS server name or IP address, the RADIUS server UDP port numbers and, optionally, the encryption key shared with the server.

This is required so that the switch can forward the authentication messages from the client to the RADIUS server.

Enabling multiple hosts on Fast Ethernet interface 0/1

Switch(config)# interface fastethernet0/1

Switch(config-if)# dot1x port-control auto

Switch(config-if)# dot1x multiple-hosts
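As an added example (not from the presentation), the following Python model ties together the architecture slide, the PAE slide and the multiple-hosts configuration above: an authenticator-side PAE that relays EAPOL through the uncontrolled port while the port is unauthorized, opens the controlled port only after the authentication server's verdict, closes it again on EAPOL-Logoff, and in multiple-hosts mode admits any MAC once one supplicant has authenticated. The class and method names are assumptions for this example; the EAPOL EtherType and packet-type values are those of the standard.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # EtherType of EAPOL (EAP over LAN) frames
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2  # EAPOL packet types

def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return frame[:6], frame[6:12], ethertype, frame[14:]

class AuthenticatorPAE:
    """Authenticator-side Port Access Entity for one switch port: the
    uncontrolled port always passes EAPOL, the controlled port forwards other
    traffic only after the authentication server accepted the supplicant.
    multiple_hosts=True models 'dot1x multiple-hosts': once one supplicant is
    authorized, frames from any MAC on the port are forwarded."""

    def __init__(self, multiple_hosts: bool = False):
        self.multiple_hosts = multiple_hosts
        self.authorized = False
        self.supplicant_mac = None

    def authentication_result(self, supplicant_mac: bytes, accepted: bool):
        """Apply the authentication server's verdict (RADIUS Access-Accept/Reject)."""
        self.authorized = accepted
        self.supplicant_mac = supplicant_mac if accepted else None

    def handle_frame(self, frame: bytes) -> str:
        """Return the port's action: 'relay' (EAPOL handed to the authentication
        server), 'logoff', 'forward' (controlled port open) or 'drop'."""
        _dst, src, ethertype, payload = parse_ethernet(frame)
        if ethertype == EAPOL_ETHERTYPE:
            if len(payload) < 4:          # EAPOL header: version, type, length
                return "drop"
            eapol_type = payload[1]
            if eapol_type == EAPOL_LOGOFF and src == self.supplicant_mac:
                self.authentication_result(src, False)   # port closes again
                return "logoff"
            if eapol_type in (EAPOL_EAP_PACKET, EAPOL_START):
                return "relay"
            return "drop"
        # 802.1X authorizes the session, not each packet: once the port is
        # open, frames are admitted by source MAC alone.
        if self.authorized and (self.multiple_hosts or src == self.supplicant_mac):
            return "forward"
        return "drop"
```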

Configuring the 802.1x client

From the Start menu, select Control Panel.

Select Network and Internet Connections and then select Network Connections.

Right-click on Local Area Connection and then click Properties.

Select the authentication method.

Select the EAP type.

What is NAC?

NAC (Network Access Control) is a system which decides which systems are allowed to connect to the network.

It keeps attached computers as free as possible from viruses and spyware.

If your computer fails the security checks, it will be quarantined.

Why 802.1x?

It allows for automatic authentication by the device without requiring the user to manually log in every time they connect to the wireless network.

XpressConnect is the automatic configuration tool for configuring client devices for 802.1x.

It eliminates common configuration mistakes.

Multiple device authentication using 802.1x

When we look at multiple device authentication on a single port with 802.1x, the solution is sound as long as 802.1x is used to authenticate each device individually.

VoIP phones that are not 802.1x capable are authenticated with MAC-auth instead.

Mixed authentication. Why? Because it is outside the scope of 802.1x.

Switch vendors allow 802.1x to be mixed with MAC-auth, but they do so with their own implementations.

MAC-auth: authenticates a device using its MAC address.

Web-auth, MACsec and 802.1X-REV have also come into use in recent years.

Multiple device authentication can be tricky to secure, but it is possible with the current 802.1x version.

This figure shows the combination of the supplicant (which can be a staff laptop), the authenticator device (i.e. the switch) and the back end under the control of the RADIUS server, which checks that the credentials of the client match the credentials in the database.

This figure shows an infected laptop being prevented from attaching itself to other ports on the network. It also shows the use of NAC alongside 802.1x, which places the infected laptop in a quarantine VLAN. This system was implemented in the JANET community.

This figure shows the organizational LAN connected to the ex-switch. 802.1x identifies the point at which attackers would access the network and thus prevents them from using it. It also provides guest access; this can be done securely by providing dedicated sockets, such as DMZ sockets.

Why 802.1x is not enough

It can be bypassed.

Pwnie Express released a product that anyone can buy which uses the infrastructure to bypass having to do authentication in the first place.

802.1x does not authenticate every packet, meaning that if you can sit in the middle and capture a source MAC address then you are in. The Pwnie Express device captures all EAPOL authentication packets and creates a bridge between the switch and the PC.

802.1x can also be hacked.

Questions?


Thank You!
