Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Access and 802.1X Klaas Wierenga SURFnet

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Access and 802.1X Klaas Wierenga SURFnet"— Presentation transcript:

1 Network Access and 802.1X Klaas Wierenga SURFnet
Ljubljana, April 3, 2006

2 Contents Network access Wireless access 802.1X Conclusions

3 Network Access

4 Access to the campus network
Bad outside world Campus network ? ? Connection is either via a trusted or an untrusted network

5 Intermezzo: protecting traffic
Secured tunnel Bad outside world Campus network VPN’s can be used to protect the data sent to and received from the trusted network

6 Access to the trusted network
Bad outside world Campus network ? How do you protect access to the trusted network? Wired Wireless

7 Access to wireless LAN’s

8 Wireless LANs are unsafe
tcpdump -n -i eth1 19:52: > : icmp: echo request 19:52: > : icmp: echo reply 19:52: > : icmp: echo request 19:52: > : icmp: echo reply 19:52: > : icmp: echo request 19:52: > : icmp: echo reply ^C

9 Requirements Identify users uniquely at the edge of the network
Prevent session hijacking Scalable Easy to deploy and use Open Give away for tomorrow: allow for guest use

10 Possible solutions Standard solutions provided by AP’s:
Open access: scalable, not secure MAC-addres: not scalable, not secure WEP: not scalable, not secure Alternative solutions: Web-gateway+RADIUS VPN-gateway 802.1X+RADIUS

11 Access to the campus WLAN
Not trusted local network Trusted local network Initial connection is either to a trusted or an untrusted network

12 Open network + web gateway
Open (limited) network, gateway between (W)LAN and de rest of the network intercepts all traffic (session intercept) Can use a RADIUS backend to verify user credentials Guest use easy Browser necessary Hard to maintain accountability Session hijacking

13 Open network + VPN Gateway
Open (limited) network, client must authenticate on a VPN-concentrator to get to rest of the network Client software needed Proprietary Hard to scale VPN-concentrators are expensive Guest use hard (sometimes VPN in VPN) All traffic encrypted NB: VPN’s are the method of choice for protecting data on a WAN

14 IEEE 802.1X True port based access solution (Layer 2) between client and AP/switch Several available authentication-mechanisms through the use of EAP (Extensible Authentication Protocol) Standardised Also encrypts all data, using dynamic keys RADIUS back-end: Scalable Re-use existing trust relationships Easy integration with dynamic VLAN assignment (802.1Q) Client software necessary (OS-built in or third-party) For wireless and wired

15 Summary Standard available security options of AP’s don’t work
Web-redirect+RADIUS: scalable, not secure VPN-based: not scalable, secure 802.1X: scalable, secure

16 802.1X

17 802.1X/EAP Authenticated/Unauthenticated Port
Supplicant/Authenticator/Authentication Server Uses EAP (Extensible Authentication Protocol) Allows authentication based on user credentials

18 EAP over LAN (EAPOL)

19 Through the protocol stack
Supplicant (laptop, desktop) Authenticator (AccessPoint, Switch) Auth. Server (RADIUS server) EAP 802.1X EAPOL RADIUS (TCP/IP) Ethernet Ethernet

20 Secure access to the campus LAN with 802.1X
Supplicant Authenticator (AP or switch) RADIUS server (Authentication Server) User DB Internet Employee VLAN Guests VLAN Student VLAN 802.1X (VLAN assignment) signaling data

21 Conclusions

22 Summary There is a difference between providing access to campus resources over the Internet and providing network access Access via the Internet: VPN Network access: 802.1X Tomorrow: How 802.1X can be leveraged for guest access

Download ppt "Network Access and 802.1X Klaas Wierenga SURFnet"

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Terena Mobility Taskforce update Klaas Wierenga SURFnet.

Terena Mobility Taskforce update Klaas Wierenga SURFnet.
Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June 22 2005 Licia Florio.

Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 High-performance Gigabit Ethernet ports rapidly transfer large files supporting.

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 High-performance Gigabit Ethernet ports rapidly transfer large files supporting.
TF Mobility Group 22nd September 20031 A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.

TF Mobility Group 22nd September A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
EduRoam ESA workshop 17 December 2004 Utrecht.

EduRoam ESA workshop 17 December 2004 Utrecht.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.

High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.
High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005

High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005
EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004

EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004
Deliverable H: the interoperability testbed design Klaas Wierenga SURFnet.

Deliverable H: the interoperability testbed design Klaas Wierenga SURFnet.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Similar presentations

Ads by Google