802.1x Overview. Sudhir Nath, Product Manager, Trust & Identity (Cisco Systems, 2006)

Presentation transcript:

Slide 1. © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential.
802.1x Overview
Sudhir Nath, Product Manager, Trust & Identity, Internet Technologies Division

Slide 2: Agenda
- IBNS & 802.1x
- 802.1x Components
- 802.1x Markets
- 802.1x Customers
- 802.1x Target Platforms
- 802.1x in Cisco IOS
- Cisco IOS 802.1x Roadmap

Slide 3: Identity-Based Networking Services and 802.1x
- 802.1x is a key component of Identity-Based Networking Services (IBNS)
- Identifying who can access what information in the network
- IBNS has predominantly been focused on switches

Slide 4: Cisco Embedded Security with IBNS
- Equivalent to placing a security guard at each switch port
- Only authorized users can get network access
- Unauthorized users can be placed into "Guest" VLANs
- Prevents unauthorized access points
(Diagram: user identity based network access to the campus network; user-based policies applied (bandwidth, QoS, etc.); authorized users/devices admitted, unauthorized users/devices kept out)

Slide 5: IBNS Benefits
- Improve flexibility and mobility for users
- Strengthen security for network connectivity, services, and applications
- Increase user productivity and lower operating costs
- Combine authentication, access control and user profiles
(Diagram caption: IBNS combines authentication, access control and user profiles)

Slide 6: 802.1x
- Client-server based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports
- Key technology in IBNS for authentication and access control
- Standard set by the IEEE working group
- Standard link-layer protocol used for transporting higher-level authentication protocols
- Works between the supplicant (client) and the authenticator (network device)
- Maintains backend communication to an authentication (RADIUS) server

Slide 7: IEEE 802.1x
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.
(Diagram: supplicant PC, switch, authentication server)
1. User activates the link (i.e., turns on the PC)
2. Switch asks the authentication server whether the user is authorized to access the LAN
3. Authentication server responds with the access authority
4. Switch opens the controlled port (if authorized) for the user to access the LAN

Slide 8: IEEE 802.1x Components
- Supplicant PAE (Port Access Entity)
- Authenticator PAE (switch or router)
- Authentication Server
- EAPOL: Extensible Authentication Protocol over LAN

Slide 9: How Does 802.1x Work?
- For each 802.1x switch port, the switch creates two virtual access points at that port: a controlled port and an uncontrolled port
- The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic only
- The controlled port is open only when the device connected to the port has been authorized by 802.1x
(Diagram: EAPOL on the uncontrolled port; controlled port)
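Added example, not code from the original deck: a Python model of the two virtual ports described on this slide. EAPOL frames (EtherType 0x888E) take the uncontrolled port and are handled by the authenticator itself; every other frame takes the controlled port, which forwards only while the port is authorized. The MAC addresses, identity string and frame contents are constructed sample values.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                        # EAPOL EtherType (IEEE 802.1X)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC, never bridged
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2  # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP header (code, id, length) plus optional type byte and type data."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def build_eapol(src, dst, ptype, eap=b""):
    """Ethernet header + EAPOL header (version 1, type, body length) + EAP body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(eap)) + eap

def parse_eapol(frame):
    """Return the EAPOL type and, for EAP packets, the EAP code/id/type/data."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info = {"src": frame[6:12].hex(":"), "eapol_type": ptype}
    if ptype == EAPOL_EAP and len(body) >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info.update(eap_code=code, eap_id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            info["eap_type"], info["eap_data"] = body[4], body[5:eap_len]
    return info

class AuthenticatorPort:
    """One 802.1X switch port (constructed model). EAPOL frames take the
    uncontrolled port and are handled by the authenticator itself; all other
    frames take the controlled port, which forwards only while authorized."""
    def __init__(self, port_mac):
        self.port_mac, self.authorized, self.to_aaa = port_mac, False, []

    def ingress(self, frame):
        """Frame from the supplicant side. Returns (action, reply frame or None)."""
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
            return ("forwarded" if self.authorized else "dropped"), None
        info = parse_eapol(frame)
        if info["eapol_type"] == EAPOL_LOGOFF:        # client releases the port
            self.authorized = False
            return "unauthorized", None
        if info["eapol_type"] == EAPOL_START:         # ask the client who it is
            reply = build_eapol(self.port_mac, PAE_GROUP_ADDR, EAPOL_EAP,
                                build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
            return "request-identity", reply
        if info.get("eap_code") == EAP_RESPONSE:      # decided by RADIUS, not here
            self.to_aaa.append(info)
            return "relayed-to-aaa", None
        return "ignored", None

    def aaa_result(self, accept, ident):
        """Access-Accept/Reject from the authentication server sets the port state;
        the client learns the outcome as EAP-Success/Failure over EAPOL."""
        self.authorized = accept
        eap = build_eap(EAP_SUCCESS if accept else EAP_FAILURE, ident)
        reply = build_eapol(self.port_mac, PAE_GROUP_ADDR, EAPOL_EAP, eap)
        return ("authorized" if accept else "unauthorized"), reply
```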

Slide 10: What Does 802.1x Do?
- Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads (frame layout: 802.1x header, EAP payload)
- The authenticator (switch or router) becomes the middleman, relaying the EAP received in 802.1x packets to an authentication server and using RADIUS to carry the EAP information
- Three forms of EAP are specified in the standard:
  EAP-MD5: MD5-hashed username/password
  EAP-OTP: one-time passwords
  EAP-TLS: strong PKI-authenticated Transport Layer Security (SSL)
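Added example, not part of the original deck: how the "middleman" carries an EAP packet to the RADIUS server. It builds an Access-Request with the EAP-Message attribute (type 79) and the Message-Authenticator attribute (type 80, an HMAC-MD5 keyed with the shared secret, as RFC 3579 requires whenever EAP-Message is present), and shows the check the server performs so that a relayed EAP packet or username cannot be altered in transit. The shared secret, identifier and EAP bytes are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(kind, value):
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    return bytes([kind, 2 + len(value)]) + value

def build_access_request(secret, ident, username, eap_packet, request_authenticator=None):
    """Wrap the EAP packet taken from EAPOL into an Access-Request. EAP-Message is
    split into 253-byte fragments; RFC 3579 requires a Message-Authenticator
    (HMAC-MD5 over the packet with this value zeroed) whenever EAP-Message is present."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    for i in range(0, len(eap_packet), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))          # zeroed for the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                                      # attribute is last

def iter_attrs(packet):
    """Yield (type, offset, value) per attribute; reject malformed lengths."""
    pos, end = 20, len(packet)
    while pos + 2 <= end:
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute length")
        yield kind, pos, packet[pos + 2:pos + length]
        pos += length

def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC with the attribute value zeroed.
    A packet without the attribute is rejected, as RFC 3579 requires for EAP."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for kind, pos, value in iter_attrs(packet):
            if kind == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False

def extract_eap(packet):
    """Reassemble the EAP-Message fragments, in order, into the original EAP packet."""
    return b"".join(v for kind, _, v in iter_attrs(packet) if kind == ATTR_EAP_MESSAGE)
```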

Slide 11: 802.1x Identity and Security
- Authentication: who can access the network and services?
- Authorization: what is the user allowed to do?
- Access control: control is based on authentication and authorization
- Policy enforcement: combining authentication, authorization, and access control to enforce enterprise/SP policies

Slide 12: Key 802.1x Functions/Building Blocks
- 802.1x Authenticator: controls access to Layer 2 resources; mechanisms to grant access; authorization policy from AAA/RADIUS/ACS
- 802.1x Supplicant: provides client capability; computers, routers, switches, PDAs, IP phones
- 802.1x Mutual authentication: client and server authentication; support for EAP transport

Slide 13: 802.1x Benefits
- Uses standards-based technology to control network access
- Extends authentication to other security areas: authorization, access control, and policy enforcement
- Controls are exercised at the link layer, so all services riding on it can use link-layer services
- Interoperates in wired, wireless, and switching scenarios
- Reduces overall IT costs by preventing external and internal threats
- Enables and performs centralized user administration

Slide 14: 802.1x Markets and Applications
- SOHO/Telecommuter
- Enterprise: wired, wireless, remote access
- Service provider: Metro Ethernet, wireless

Slide 15: Today's Enterprise Barriers - "Spouse and Kids Problem" (SOHO / Telecommuter)
- Difficult to prevent unauthorized "home users" from accessing the corporate network
- No prevention of rogue wireless access points
(Diagram labels: Service Provider; VPN Tunnel; Corporate user; Personal user)

Slide 16: SOHO / Telecommuter (Cont.) - Service Provider 802.1x Integration
- Prevents unauthorized users from accessing the corporate network
- Identifies the IP phone, identifies the policy, and uses the corporate VPN tunnel
- Identifies individual wireless access points, applies the policy, and enables authorized users to access the VPN tunnel
- Cisco IOS Software 802.1x Phase 1 addresses all of these issues
(Diagram: corporate user uses the VPN tunnel; personal user goes straight to the Internet)

Slide 17: Metro Ethernet 802.1x
(Diagram labels: POP; CE; Authentication by SP (optional UNI feature); PE-CLE; Authentication by SP; Supplicant PAE)

Slide 18: SOHO / Telecommuter Customers
ABB, Intel, Verizon, Home Depot

Slide 19: Metro Ethernet Customers
Time Warner, Verizon, Swisscom, SBC, Telecom Italia, Bell Canada, AT&T, Sprint, Bell South, EDDI, Cox Cable, Reliance, FastWeb, NTT

Slide 20: 802.1x Target Platforms
- Access routers: Cisco 800 - 3700 Series Routers
- Metro Ethernet hardware: Cisco 2750, 3550, and Congo Routers; Cisco Catalyst 4500 and 6500 Series Switches; Cisco 7600, 10000, and Series Internet Routers

Slide 21: Cisco Products with 802.1x
- Cisco Catalyst 6500 Series Switch
- Cisco Catalyst 4000 and 4500 Series Switches
- Cisco ACS Server
- Cisco Catalyst 2950, 3550, 3750 Routers
- Cisco Aironet

Slide 22: Cisco Catalyst Switch Portfolio - Cisco Catalyst 6500 Series Support
- Basic 802.1X support
- 802.1X with VLANs
- 802.1X with port security
- 802.1X with VVID
- 802.1X guest VLANs
- 802.1X with ACLs
- High availability for 802.1X
- High availability for port security

Slide 23: 802.1x in Cisco IOS Software
- Control who is allowed access earlier in the stack by building authentication at the link layer (Layer 2)
- Use standards-based 802.1x technology so it is easier to interoperate with switches and wireless access points
- Extend 802.1x services to leverage other identity and security services
- Address SOHO/telecommuter, wired and wireless enterprise, and service provider markets

Slide 24: 802.1x in Cisco IOS Software (Cont.)
- Build common 802.1x features to address the basic building blocks (Release 12.3T): authenticator; supplicant; EAP transport capability for different hashing types; mutual authentication
- Port common functionality to Release 12.2S and derivatives
- All supported hardware must add unique 802.1x functionality

Slide 25: 802.1x Roadmap - Phase Summary
Phase 1: Authenticator
Phase 2: Supplicant; mutual authentication
Phase 3: Metro Ethernet market
Phase 4: Wireless; iEdge

Slide 26: 802.1x Phase 1 (Release 12.3(4)T)
- 802.1x authenticator support in Cisco IOS Software
- MAC-based authentication
- Static DHCP address pools
- Default authorization policy
- Split tunneling
- Multi-auth support
- Stealth deployment

Slide 27: 802.1x Phase 2 (Target: Release 12.3(5th)T)
- 802.1x supplicant support in Cisco IOS Software
- Mutual authentication
- Support for EAP transport: EAP-MD5, EAP-TLS
- Policy enforcement to include user access restrictions

Slide 28: 802.1x Phase 3 (Target: Release 12.2(Rls6)S)
- Addresses the Metro Ethernet market segment
- Common feature code from Phase 2
- Hardware-specific feature code and test strategies will be determined with hardware teams
- Metro Ethernet platforms: Cisco 2750, 3750, Congo, 6500, and 7600 Series

Slide 29: 802.1x Phase 3.1 (Target: Release 12.2(Rls7)S)
- Add additional hardware products for the Metro Ethernet market segment
- New hardware products will be supported: Cisco 4500 Series Switch; Cisco and Series Internet Routers

Slide 30: 802.1x Phase 4 (Target: Release 12.3(6th)T)
- RADIUS proxy
- IP phone
- Monitoring and management: 802.1x MIB
- Scalability and high availability

Slide 31: 802.1x Phase 5 (Target: Release 12.3(7th)T)
- Interoperability with wireless access points
- Antibody
- iEdge interoperability

Slide 32: References
- Ian Foo: slide presentation at brown-bag lunch
- Ken Hook: IBNS launch
- Eric Voit: Metro Ethernet slide presentation
- Eric Marin: slide presentation

Slide 33: 802.1x Overview, 11/03. © 2003 Cisco Systems, Inc. All rights reserved.