802.1X and Windows XP


Anwar Mahmood

Hi all,

Our networks team is investigating network security at the network
outlet level. The standard way of doing this is 802.1X. My
understanding is that the device is denied access to the network until
it provides a username and password. However, would this not break
all the background processes going on:

- workstation authentication to a Windows domain
- software update services
- group policies, including applying settings, running startup
  scripts and installing assigned software
- anti-virus engine DAT updates

No documentation on 802.1X makes any mention of these issues.

Kind regards,

Anwar
 

Malke

Anwar said:
Hi all,

Our networks team is investigating network security at the network
outlet level. The standard way of doing this is 802.1X. My
understanding is that the device is denied access to the network until
it provides a username and password. However, would this not break
all the background processes going on:

- workstation authentication to a Windows domain
- software update services
- group policies, including applying settings, running startup
  scripts and installing assigned software
- anti-virus engine DAT updates

No documentation on 802.1X makes any mention of these issues.

Anwar, if you are talking about running a business network using
wireless (802.11x), then you absolutely need to consult some experts
about security. I just had a conversation with a systems administrator
for our Dept. of Defense about this very subject and it is *extremely*
complicated and difficult to have a secure wireless network. From what
he told me, it certainly can be done, but the level of detail
necessary to do it properly is not going to be something you can get
from Usenet posts. If your IT Dept. doesn't have the expertise to set
up a secure wireless network, then you really should find a local firm
with the knowledge and pay them to do it for your company.

Good luck,

Malke
 

Anwar Mahmood

Malke,

Thanks for your reply. This particular project refers to the wired,
standard Ethernet network, with Cat 5 cabling and RJ45 connectors and
HP ProCurve managed switches. While the 802.1X protocol is usually
associated with wireless networks, it does in fact apply to wired
Ethernet as well. We had problems with the Blaster worm last year -
most likely, an individual breached regulations and connected a
portable PC to the network, probably not knowing they were infected.
We'd like to avoid incidents like this.

I'd prefer to do it the "smart" way by using 802.1X, but it looks as
if I'll have to fall back to MAC address authentication (I know, they
can be easily spoofed).

Kind regards,

Anwar
 

Malke

Anwar said:
Malke,

Thanks for your reply. This particular project refers to the wired,
standard Ethernet network, with Cat 5 cabling and RJ45 connectors and
HP ProCurve managed switches. While the 802.1X protocol is usually
associated with wireless networks, it does in fact apply to wired
Ethernet as well. We had problems with the Blaster worm last year -
most likely, an individual breached regulations and connected a
portable PC to the network, probably not knowing they were infected.
We'd like to avoid incidents like this.

I'd prefer to do it the "smart" way by using 802.1X, but it looks as
if I'll have to fall back to MAC address authentication (I know, they
can be easily spoofed).

Kind regards,

Hi, Anwar. Thank you for your excellent answer and setting me straight
on what you're doing. I'm going to suggest you post in a Windows
security newsgroup. Here's a link to a listing of all the MS
newsgroups:

http://aumha.org/nntp.htm

The MVPs there are security wizards. I do know that the gentleman I
referred to in my earlier post was talking about finding ways with
smart cards and layers of authentication to keep his network clean,
especially when connecting a laptop to the internal LAN. We had a
discussion about MAC addresses because that was what I did on my own
home network. He said that while that was good and would keep others
from joining my LAN, it would not prevent data sniffing. Since he works
for the U.S. Dept. of Defense, it makes sense that he would be
extremely security conscious. So I know there are very specific things
that will help you, but I do think you want to confer with other
network wizards who are your peers.

Cheers and best of luck to you,

Malke
 