Firewall Wizards mailing list archives

RE: 802.1x was: IPv6 comes in the game


From: "Victor Williams" <vbwilliams () essvote net>
Date: Wed, 5 May 2004 07:15:33 -0500

I don't think anyone here is implying that 802.1x authentication is the
end-all method to securing a network...be it wireless or not.  I think with
any security implementation, you have to use a combination of
tools/methodologies/rules, in conjunction with a security policy that allows
you to enforce the aforementioned to get the job done.

In my limited experience with wireless (because it hasn't been around that
long), using 802.1x authentication in conjunction with user-level
certificates, MAC address filtering, and a pretty stringent ruleset, I feel
as secure with my WLAN implementation as with the wired
implementation...sometimes more so...and I'm leaving out a lot of other
things you can do here for the sake of simplicity.  I can put an access
point anywhere in my network, but I know not only will it have to comply
with my WLAN ruleset, but it will also have to comply with the ruleset of
where I physically plug it in (its logical place in the network scheme, as
well as the physical port I plug it into the network).

My original statement was that 802.1x worked as advertised on some common
platforms that probably already exist in people's networks (Windows
2000/2003 server).  It wouldn't be a difficult thing to implement in a test
environment and fool around with.  I messed with it for a few days and got a
good understanding of its strengths and weaknesses.

Also, 802.1x happens at the layer-2 level...so this should be unaffected by
the existence of IPv6 anywhere in the network.  If your switch or access
point knows about the RADIUS server and how to reach it, there's no issue
there.

 
Victor Williams 


-----Original Message-----
From: Andras Kis-Szabo [mailto:kisza () securityaudit hu] 
Sent: Wednesday, May 05, 2004 3:45 AM
To: Victor Williams
Cc: firewall-wizards () honor icsalabs com
Subject: 802.1x was: [fw-wiz] IPv6 comes in the game


Hi Victor,
Dear All,

> Microsoft Windows 2000/2003 server does 802.1x auth fine.  We use it to
> handle wireless access as well as port access on certain switches in
> the network.

And do you trust the security of the 802.1x protocol on wireless networks?
(What is the situation with the first steps and the key exchanges?)

> Now the box has an IPv6 address as well, and a prefix for the internal
> network, and I would like to forward IPv6 traffic too. But the above
> approach is not feasible anymore (not a good idea to have a 2^64 entry
> static neighbor cache). Is it possible to prevent unassigned IP
> addresses from being used for Internet access without entering each
> assigned address in the firewall, while still having static MAC
> entries for registered addresses?

Probably the eui64 match in Linux Netfilter could help you in some limited
cases (and older implementations).


> If you force the user to authenticate prior to forwarding packets, as
> 802.1x does on switches, then you're able to log the authentication at
> the RADIUS server, and equate network activity to a port.  If the
> port's locked to an IP address, then you have the ability to track and
> basically eliminate abuse by authenticator.

And you could get a deadlock. The IPv6 network itself is a little bit
different from IPv4 networks in the area of on-link protocols. Please check
the differences before you put mandatory authentication on each packet!

Best regards,

Andras

-- 
Andras Kis-Szabo <kisza () securityaudit hu>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
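The eui64 match Andras mentions above tests one thing: whether the low 64 bits of a frame's IPv6 source address are the modified EUI-64 derived from the frame's Ethernet source MAC. The following is an added example, not code from the thread or from Netfilter, that performs the same check in Python over a constructed set of (address, MAC) pairs, so the "limited cases" caveat is visible: a host using SLAAC with EUI-64 interface identifiers passes, while a host using privacy (randomized) interface identifiers, as modern stacks do by default, fails the check even though it is legitimate, and a spoofed address fails as intended. The sample addresses and MACs are constructed for the example.

```python
import ipaddress

# Constructed sample traffic: (IPv6 source address, Ethernet source MAC).
# Hosts 1 and 2 use SLAAC with modified EUI-64 interface identifiers,
# host 3 uses a privacy (randomized) interface identifier with the same
# MAC as host 1, and host 4 spoofs host 1's address from another MAC.
SAMPLE_PACKETS = [
    ("2001:db8:1::211:22ff:fe33:4455", "00:11:22:33:44:55"),
    ("fe80::ae1f:6bff:fe12:3456", "ac:1f:6b:12:34:56"),
    ("2001:db8:1::1234:5678:9abc:def0", "00:11:22:33:44:55"),
    ("2001:db8:1::211:22ff:fe33:4455", "de:ad:be:ef:00:01"),
]


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) for a
    48-bit MAC: insert ff:fe between the OUI and the NIC part and invert
    the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str) -> str:
    """Address a host autoconfigures from a /64 prefix with an EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def eui64_match(src_ip: str, src_mac: str) -> bool:
    """The test the Netfilter eui64 match performs: do the low 64 bits of
    the IPv6 source address equal the EUI-64 derived from the source MAC?"""
    return ipaddress.IPv6Address(src_ip).packed[8:] == eui64_interface_id(src_mac)


def filter_packets(packets):
    """Apply an 'ACCEPT if eui64 matches, otherwise DROP' policy, returning
    (address, mac, verdict) for each packet."""
    return [(ip, mac, "ACCEPT" if eui64_match(ip, mac) else "DROP")
            for ip, mac in packets]


if __name__ == "__main__":
    for ip, mac, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:6} {ip:32} {mac}")
```

Run as a script it prints ACCEPT for the two EUI-64 hosts and DROP for the other two. The third verdict is the practical limit of this approach: a host with privacy extensions enabled is indistinguishable from a spoofer by this check alone, so it cannot replace per-address registration on a network where such hosts exist.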
