Share Via
Summary
Today’s networks are vulnerable to excessive attacks. The principles of zero trust are the gold standard organizations use to protect apps and data. A key element of zero trust access is “trust no one, authenticate everyone”. However, current application-specific or client-specific Zero Trust Access controls do not provide an adequate level of protection for all devices on the network. In order to extend zero trust into
the campus network, every wired and wireless connection must be authenticated and authorized using at least o
ne mechanism such as IEEE 802.1X, MAB, Behavioral MAB and Single Sign On. Here, we explore how IEEE 802.1X helps in accomplishing zero trust access for the enterprise campus network. IEEE 802.1X provides the authentication framework for user devices before granting access to the Local Area Network (LAN).
Why now for Zero Trust Access?
Social engineering attacks are the most common form of security breaches on today’s LAN networks. Social engineering is the use of social skills, rather than technical skills, to gain access to restricted areas. Common types of social engineering attacks include:
- Tailgating where bad actors gain physical access to restricted buildings.
- Phishing Email: where employees unknowingly click on malicious email.
In tailgating, bad actors will dress professionally and carry a “burden”, i.e. equipment boxes, and follow a badged employee to the front door. Using social etiquette and skills, the employee may help “ease” the burden and let that bad actor through into the office building. Once inside, the bad actor has options to find areas in which to sniff traffic, directly plug into networking equipment console ports, install man-in-the-middle (MitM) rogueelements, or simply plug into any open wired port as if they belong at that desk. This then opens the stage for ransomware attacks.
With 98% of cyber-attacks involving some form of social engineering1, today’s IT organizations are looking toward zero trust principles to protect the network access against malicious infiltration.
Zero trust access is pertinent in protecting today’s enterprise campus environments.
What is IEEE 802.1X?
IEEE 802.1X, used to secure both wired and wireless networks, provides the authentication mechanism to provide network access control for user devices. Rather than having a complex distributed environment, 802.1X centralizes the WLAN/LAN network authentication using a dedicated server, i.e. RADIUS server. Network switches and wireless access points can now hand off authentication to the RADIUS server using 802.1X. Once on the network, 802.1X continuously validates users and devices. The combination of 802.1X and RADIUS servers is considered the most secure method to protect wireless and wired networks today.
The RADIUS server can serve as a single point of enforcement for network access control, giving the device access to the protected side of the network after authentication. As opposed to single-sign-on (SSO) access, 802.1X uses certificates to check the credentials of the requesting user. Depending on the network policy of that user, the correct level of access is granted. This prevents any unauthorized access to the network from bad actors and prevents inappropriate access by employees themselves.
How does IEEE 802.1X Work?
There are 3 main components to IEEE 802.1X:
-
- Supplicant
- Authenticator
- Authentication server
The authenticator (the network switch or wireless access point) acts as a proxy between the supplicant and authentication server.
- The authenticator detects a new device (the supplicant) and sends an EAP-Identity-Request for identity authentication. The supplicant, or the network access requestor, sends an EAP-Identity-Response back.
- The authenticator uses this to send the access request to the RADIUS server (authentication server). The Radius server will respond back to the authenticator with a challenge notating the authentication method required. Additionally, the RADIUS server sends its own credentials to prove itself to the client and avoid Evil Twin attacks. The authenticator passes this method back to the supplicant.
- The supplicant checks the authentication server’s credentials while also sending its challenge-credentials back to the authenticator
- The authenticator will relay these credentials back to the RADIUS server to receive an APPROVE or DENY. Once approved, the authenticator will transition that port from unauthorized to 802.1X authorized for access.
How to deploy IEEE 802.1X
One of the benefits of utilizing IEEE 802.1X to secure network access is the ability to prevent network access to those who either are unauthorized or do not physically belong on the corporate network. While a powerful methodology to secure the network, IEEE 802.1X deployment can be cumbersome for the wired environment. This is where many IT organizations, especially those with limited staff, weigh the risk versus complexity ratio. Often, organizations end up leaving their wired ports vulnerable to attacks with the absence of wired 802.1X authentication.
Guidelines for today’s campus network drive simplicity in design and execution for securing network access. IEEE 802.1X deployment, with associated RADIUS server, across both wired and wireless environments establishes the gold standard to experience Zero Trust Access in the enterprise campus environment.
IEEE 802.1X, a key component for NaaS
The Nile Service delivers the enterprise campus network completely as-a-service. With this comes the first network to deliver guaranteed network performance outcomes based on strict SLAs. Nile’s NaaS service is engineered from the ground-up around the principles of zero trust, inclusive of end-to-end MACsec, IEEE 802.1X across wired and wireless, and automated security patches. All of this is delivered in a simple, pay-per-user consumption model.
- Security is the number one reason to update software
- Cyber Security Trends in 2021
- Admins: Patch management is too complex and cumbersome
- Patch Management
