CounterACT: 802.1X and Network Access Control

Technical Note

Contents

  • Introduction (page 3)
  • What is 802.1X? (page 3)
      • Key Concepts (page 3)
      • Protocol Operation (page 4)
  • What is NAC? (page 4)
      • Key Objectives (page 5)
      • NAC Capabilities (page 5)
  • The Role of 802.1X in NAC (page 6)
      • Advantages of 802.1X (page 6)
      • Disadvantages of 802.1X (page 6)
  • How ForeScout Helps Implement 802.1X within a NAC Framework (page 7)
      • Verifying 802.1X Readiness (page 7)
      • Supplicant Remediation (page 9)
      • Hybrid Mode (page 10)
      • Automated Exception Process for non-802.1X Endpoints (page 10)
  • When to Use 802.1X and When Not to (page 12)
      • Organizational Needs (page 12)
      • Use Case: Secure Guest Access (page 12)
      • Use Case: Endpoint Compliance (page 13)
      • Use Case: Secure BYOD Access (page 13)
      • Network Environment (page 14)
      • Use Case: Exception Management (page 14)
      • Other Considerations (page 15)
  • Conclusion (page 15)
  • About ForeScout (page 15)

Introduction

In an era of mobile devices and IT consumerization, Network Access Control (NAC) has emerged as a popular solution for network and security managers to mitigate risk and retain control of the network. NAC provides the capability to authenticate users and devices when they connect to the network, assess the security posture of a device, and enforce security controls while the device is connected to the network.

There is often confusion about the relationship between 802.1X and NAC, i.e., whether they are competing or complementary technologies. This paper will help to clarify the issues and resolve this confusion.

The following technical note provides the reader a basic understanding of 802.1X and NAC, the advantages and disadvantages of using 802.1X authentication within a NAC implementation, and guidance on which solution set is better suited for different use cases and network environments. It describes the capabilities of ForeScout CounterACT™ and the unique features it provides to overcome some of the challenges of using 802.1X within a NAC implementation.


What is 802.1X?

IEEE 802.1X is a standard for port-based network access control. It provides an authentication mechanism for devices wishing to attach to a wired or wireless LAN. It does not address other security controls that may need to be enforced when a device connects to a network (discussed later in this technical note). The 802.1X standard was first published in 2001 (IEEE 802.1X-2001) and later updated in 2004 (IEEE 802.1X-2004) and in 2010 (IEEE 802.1X-2010).

802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over LAN, or EAPoL, which allows a number of different authentication methods to be used. EAPoL was originally designed for 802.3 Ethernet in the 2001 standard, but was extended to other IEEE 802 LAN technologies such as 802.11 wireless in the 2004 specification. The EAPoL protocol was modified in the 2010 update to address vulnerabilities in the previous specifications by using optional point-to-point encryption over the LAN segment.

Key Concepts

802.1X authentication involves three components that communicate using EAPoL: the supplicant, the authenticator, and the authentication server.

The supplicant is an endpoint device (such as a laptop) attempting to connect to a wired or wireless network. The term “supplicant” is also used interchangeably to refer to the software that is required on the endpoint (or client) to provide credentials to the authenticator. Credentials can include a username/password, a digital certificate or other methods.

The authenticator is a network device, such as an Ethernet switch or wireless access point, that acts like a security guard to a protected network. It facilitates authentication by relaying the credentials between the supplicant and the authentication server, and allows the supplicant access to the network only after successful authentication occurs.

The authentication server is typically a host running a RADIUS server that validates the credentials of the supplicant and authorizes access.

Figure 1: 802.1X authentication components

Protocol Operation

802.1X provides port-based access control and as such ties authentication and admission to the point of connection to the network — a network port. In an 802.1X environment, all network ports default to the “unauthorized” state prior to authentication. Upon successful authentication a port is dynamically changed to the “authorized” state. Control is enforced at each switch port for wired LANs, and at each wireless access point for wireless LANs.

EAPoL operates at the network layer on top of the data link layer. In the unauthorized state, the port is allowed to transmit and receive EAPoL messages; other traffic, such as DHCP or HTTP, is not allowed. The typical authentication process is as follows:

  1. Initiation — The port on the authenticator starts in the “unauthorized” state. To initiate authentication the authenticator periodically transmits EAP-Request Identity messages. On receipt of this message, the supplicant responds with an EAP-Response Identity message containing an identifier such as a username. The authenticator forwards this message on to the authentication server. The supplicant can also initiate or restart authentication by sending an EAPOL-Start message to the authenticator, which then replies with an EAP-Request Identity message.

  2. Negotiation — The authentication server sends a reply to the supplicant (via the authenticator) containing an EAP request that specifies the EAP method (the type of EAP-based authentication it wishes the supplicant to perform). At this point the supplicant can start using the requested EAP method, or send a NAK (“Negative Acknowledgement”) and respond with the EAP methods it is willing or able to perform.

  3. Authentication — Once the authentication server and supplicant agree on an EAP method, EAP requests and responses are sent between the supplicant and the authentication server (proxied through the authenticator) until the authentication server responds with either an EAP-Success or an EAP-Failure message. If authentication is successful, the authenticator sets the port to the “authorized” state and normal traffic is allowed; if it is unsuccessful the port remains in the “unauthorized” state.

  4. Termination — When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator. The authenticator then sets the port to the “unauthorized” state, once again blocking all non-EAPoL traffic.

802.1X authentication can be a one-time process (once a connection is authorized it remains authorized until the connection is terminated by the supplicant), or re-authentication may be required after a specified time interval. Network connections can also be configured to time out and then force re-authentication for any new connections.
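The four-step exchange above, worked through as an added example (not CounterACT code or anything taken from the 802.1X specification itself): a small Python model of the supplicant, authenticator and authentication server in which the port forwards non-EAPoL traffic only after EAP-Success, method negotiation goes through a NAK, and EAPOL-Logoff closes the port again. Identities, secrets, EAP method names and the RADIUS stand-in are constructed; a real EAP method takes several request/response rounds rather than the single credential check shown here.

```python
from dataclasses import dataclass, field

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


@dataclass
class Frame:
    """kind: EAPOL-Start, EAPOL-Logoff, EAP-Request, EAP-Response, EAP-Success,
    EAP-Failure, or DATA (any non-EAPoL traffic such as DHCP or HTTP)."""
    kind: str
    payload: dict = field(default_factory=dict)


class AuthenticationServer:
    """Constructed stand-in for the RADIUS server: validates credentials and
    decides which EAP method the supplicant must use."""

    def __init__(self, users, preferred, also_accepts=()):
        self.users = users                      # identity -> secret (constructed)
        self.preferred = preferred
        self.supported = {preferred, *also_accepts}
        self.negotiated = {}                    # identity -> agreed EAP method

    def handle(self, frame):
        p = frame.payload
        ident = p.get("identity")
        if p.get("type") == "Identity":         # step 2: propose the preferred method
            return Frame("EAP-Request", {"method": self.preferred})
        if p.get("type") == "NAK":              # supplicant lists what it can do instead
            common = [m for m in p["methods"] if m in self.supported]
            if not common:
                return Frame("EAP-Failure")
            self.negotiated[ident] = common[0]
            return Frame("EAP-Request", {"method": common[0]})
        # step 3: credential check for the agreed method (one round here; a real
        # EAP method takes several request/response pairs)
        method_ok = p.get("method") == self.negotiated.get(ident, self.preferred)
        cred_ok = ident in self.users and self.users[ident] == p.get("credential")
        return Frame("EAP-Success" if method_ok and cred_ok else "EAP-Failure")


class Authenticator:
    """Switch port: relays EAP between supplicant and server and opens the port
    for ordinary traffic only after EAP-Success."""

    def __init__(self, server):
        self.server = server
        self.state = UNAUTHORIZED
        self.dropped = 0                        # non-EAPoL frames blocked pre-auth

    def receive(self, frame):
        """Handle a frame from the supplicant; return the reply toward it, or None."""
        if frame.kind == "DATA":
            if self.state != AUTHORIZED:
                self.dropped += 1               # blocked while the port is unauthorized
                return None
            return Frame("DATA", {"forwarded": True})
        if frame.kind == "EAPOL-Start":         # step 1: ask the supplicant who it is
            return Frame("EAP-Request", {"type": "Identity"})
        if frame.kind == "EAPOL-Logoff":        # step 4: close the port again
            self.state = UNAUTHORIZED
            return None
        if frame.kind == "EAP-Response":        # relay to the authentication server
            reply = self.server.handle(frame)
            if reply.kind == "EAP-Success":
                self.state = AUTHORIZED
            elif reply.kind == "EAP-Failure":
                self.state = UNAUTHORIZED
            return reply
        return None


class Supplicant:
    def __init__(self, identity, secret, methods):
        self.identity, self.secret, self.methods = identity, secret, list(methods)

    def respond(self, request):
        p = request.payload
        if p.get("type") == "Identity":
            return Frame("EAP-Response", {"type": "Identity", "identity": self.identity})
        if p["method"] in self.methods:         # accept the requested method
            return Frame("EAP-Response", {"identity": self.identity,
                                          "method": p["method"], "credential": self.secret})
        return Frame("EAP-Response", {"type": "NAK", "identity": self.identity,
                                      "methods": self.methods})


def run_session(supplicant, authenticator, max_rounds=10):
    """Drive one authentication; return (final port state, list of reply kinds)."""
    transcript = []
    frame = authenticator.receive(Frame("EAPOL-Start"))
    for _ in range(max_rounds):
        transcript.append(frame.kind)
        if frame.kind in ("EAP-Success", "EAP-Failure"):
            break
        frame = authenticator.receive(supplicant.respond(frame))
    return authenticator.state, transcript
```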

What is NAC?

NAC controls access to a network based on adherence to security policies, including authentication of users, pre-admission endpoint security compliance checks, and post-admission controls over where users and devices can go on the network and what they can do. Unlike 802.1X, NAC provides the ability to enforce security controls based on the security posture of the device and/or the user’s role in the organization.

Commercial NAC solutions incorporate quarantine and remediation capabilities (fixing non-compliant endpoints before allowing access). Some advanced NAC solutions also include the ability to automatically profile and classify endpoints when they connect to the network, and subsequently make policy decisions based on device type and other granular profiling data. NAC often incorporates post-admission functions, further differentiating it from 802.1X, which provides pre-connect authentication only. Basic post-connect functions may include periodic re-authentication and monitoring for changes in device posture, with more advanced solutions providing capabilities for monitoring changes in device behavior and/or malicious activity, and enforcing post-connect security controls.

Key Objectives

With an exponential increase in the number of mobile devices that are connecting to corporate networks, the focus of security controls has shifted from the perimeter (via firewalls and IPS devices) to the internal network. Best practices now require that each endpoint be inspected to ensure that it is compliant with security standards before the endpoint is permitted access to the network. The definition and capabilities of NAC are still evolving, but as of this writing its primary objectives are:

Network visibility — In order to provide secure access and prevent unauthorized connections to the network, a NAC solution must be aware of all users and devices that attempt to connect to the network. It can create a database of network users and a hardware and software inventory of network endpoints.

BYOD and mobile device management — NAC provides the foundation for implementing a “bring your own device” (BYOD) environment without compromising network security. This enables access while providing control over personally owned mobile devices such as laptops, smartphones and tablets.

Role-based access — NAC ensures that only the right people with the right devices gain access to the right network resources. For example, a guest may only be allowed access to the internet. An employee in the shipping department should not be allowed access to the company’s financial systems.

Endpoint compliance — Unlike 802.1X, a primary objective of NAC is to manage endpoint compliance. Endpoint posture checks are required to ensure a security baseline for any and all types of devices connecting to the network, and in some environments may be needed to demonstrate compliance with industry or government regulations.

Network security — A key goal of NAC is to mitigate security risks within the network. Infected mobile devices, misconfigured endpoints, rogue wiring devices and wireless access points are sources of threats and data loss, and can be identified, quarantined and remediated by NAC.

NAC Capabilities

Commercial NAC solutions vary widely in terms of the functions they provide. The list below is indicative of the functions that most large enterprises are looking for.

Authentication: Authentication in NAC is conceptually similar to 802.1X, in that it occurs when an endpoint first attempts to connect to a network. Commercial NAC solutions can leverage 802.1X as well as other standard means of authentication such as guest registration databases, MAC address bypass lists, or existing directory systems such as Active Directory, OpenLDAP, etc.

Security Posture Assessment: Unlike 802.1X, NAC products are able to assess the security posture of each endpoint. This assessment may include:

  • checks for operating system versions and patch levels
  • presence of anti-virus and other security software with the latest updates
  • required and prohibited applications (such as P2P software)
  • active and prohibited ports
  • configuration settings for various applications
  • custom registry checks

Endpoint Profiling and Classification: Some NAC solutions provide the capability to automatically profile and classify endpoints by type. Policies and access control can be tailored based on the device type. An effective device profiling capability also allows exceptions to be automatically created for devices such as printers, phones, security cameras, healthcare and manufacturing equipment, none of which support standard authentication mechanisms such as 802.1X.

Access Control: NAC can implement access control in a number of ways, ranging from simply enabling or disabling physical switch ports and wireless connections (which is included in the 802.1X standard) to the ability to enable very granular access using VLANs, Access Control Lists (ACLs), virtual firewalls and other mechanisms. Access policies can be tied not just to authentication, but also to endpoint security posture, the user’s role, device type, location, connection method and other factors.


Quarantine and Remediation: Quarantine and remediation is another important function of NAC. In the event that an endpoint is found to be non-compliant with security policies — for example, not having the latest security patches for its operating system — the device can be isolated on the network. In this state, network access is significantly restricted and typically includes access only to remediation resources such as patch servers, anti-virus update websites, virus cleansing applications, etc. Post remediation, the endpoint is allowed to re-enter the production network. NAC solutions that automate the remediation process by integrating with existing IT systems (e.g., patch management) reduce IT overhead costs and increase user productivity.

Post-connect Controls: Some NAC solutions provide post-connect controls in addition to pre-connect authentication and security posture validation. Post-connect functions can include continuous monitoring of security posture changes and network activity to maintain real-time awareness of device behavior (anomalous or threat activity). For example, if a device originally appeared to be a printer, but then starts reading documents from a file server, the NAC system can take appropriate action based on policy. The best NAC solutions include both pre-connect and post-connect functions, in order to first ensure that network access is limited to only users and devices that are authorized and compliant with security policies, and then to ensure that users and devices stay compliant while connected to the network.
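As an added example (not CounterACT's policy engine), the posture assessment, quarantine and post-connect re-check described in this section written as one policy evaluation in Python: every failed check is recorded, a non-compliant endpoint is placed on a quarantine network that reaches remediation hosts only, and the same evaluation run again after admission detects a posture change. The policy thresholds, application names, registry key, remediation hosts and the sample endpoints are all constructed.

```python
from dataclasses import dataclass

# Constructed policy modelled on the assessment list above: minimum patch level
# per OS, antivirus freshness, required/prohibited applications, prohibited
# listening ports and a registry value to check. All values are placeholders.
POLICY = {
    "min_patch_level": {"Windows": 7, "macOS": 3},
    "max_av_signature_age_days": 3,
    "required_apps": {"corp-endpoint-agent"},
    "prohibited_apps": {"bittorrent", "utorrent"},
    "prohibited_listening_ports": {23, 445},
    "required_registry": {r"HKLM\SOFTWARE\Corp\Policy\DiskEncryption": "1"},
}

# Destinations a quarantined endpoint may still reach to fix itself (constructed).
REMEDIATION_ACL = ("patch.corp.example", "av-updates.corp.example")


@dataclass
class Decision:
    compliant: bool
    failures: list
    network: str                 # "production" or "quarantine"
    allowed_destinations: tuple  # ("any",) on the production network


def assess(endpoint, policy=POLICY):
    """Pre-connect posture assessment: collect every policy failure, then decide."""
    failures = []
    need = policy["min_patch_level"].get(endpoint["os"])
    if need is None:
        failures.append(f"unsupported operating system: {endpoint['os']}")
    elif endpoint["patch_level"] < need:
        failures.append(f"patch level {endpoint['patch_level']} below required {need}")
    av = endpoint.get("antivirus")
    if not av or not av.get("present"):
        failures.append("antivirus not installed")
    elif av["signature_age_days"] > policy["max_av_signature_age_days"]:
        failures.append(f"antivirus signatures {av['signature_age_days']} days old")
    apps = set(endpoint.get("apps", ()))
    for app in sorted(policy["required_apps"] - apps):
        failures.append(f"required application missing: {app}")
    for app in sorted(apps & policy["prohibited_apps"]):
        failures.append(f"prohibited application present: {app}")
    ports = set(endpoint.get("listening_ports", ()))
    for port in sorted(ports & policy["prohibited_listening_ports"]):
        failures.append(f"prohibited port listening: {port}")
    for key, want in policy["required_registry"].items():
        if endpoint.get("registry", {}).get(key) != want:
            failures.append(f"registry check failed: {key}")
    return decide(failures)


def decide(failures):
    """Non-compliant endpoints are isolated with access to remediation resources only."""
    if failures:
        return Decision(False, failures, "quarantine", REMEDIATION_ACL)
    return Decision(True, [], "production", ("any",))


def monitor(endpoint, current_network, policy=POLICY):
    """Post-connect re-check: return the network the endpoint should now be on
    if its posture has changed since admission, else None."""
    new = assess(endpoint, policy).network
    return new if new != current_network else None


# Constructed sample: a laptop that fails several checks at connect time.
NONCOMPLIANT_LAPTOP = {
    "os": "Windows", "patch_level": 5,
    "antivirus": {"present": True, "signature_age_days": 9},
    "apps": ["corp-endpoint-agent", "bittorrent"],
    "listening_ports": [135, 445],
    "registry": {r"HKLM\SOFTWARE\Corp\Policy\DiskEncryption": "0"},
}

# The same laptop after remediation through the quarantine-reachable servers.
REMEDIATED_LAPTOP = {
    **NONCOMPLIANT_LAPTOP, "patch_level": 7,
    "antivirus": {"present": True, "signature_age_days": 1},
    "apps": ["corp-endpoint-agent"], "listening_ports": [135],
    "registry": {r"HKLM\SOFTWARE\Corp\Policy\DiskEncryption": "1"},
}
```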

The Role of 802.1X in NAC

There is often some confusion between 802.1X and NAC. Because the 802.1X specification also uses the term “network access control”, there is uncertainty whether these are competing or complementary technologies.

By itself, 802.1X is simply an authentication solution. It is adequate at providing reasonable assurance that the connected user and device belong on the network, purely from an authorization standpoint. NAC is much more. In addition to authentication, it includes device profiling, endpoint compliance validation, enforcement capability to limit access, remediation mechanisms to bring endpoints into compliance, and post-connect monitoring to ensure devices stay compliant. 802.1X is not required for a NAC implementation. However, network access control solutions can leverage 802.1X for authentication.

In this section we’ll discuss the advantages and disadvantages of using 802.1X authentication.

Advantages of 802.1X

IEEE standard: 802.1X is an IEEE standard originally published in 2001, and as a result it has been universally adopted (to varying degrees) by most network infrastructure vendors. Similarly, most laptops, tablets and smartphones available today feature embedded 802.1X supplicants. While there are some inconsistencies among different vendors’ networking products, and supplicant support for non-mobile operating systems may be lagging, an organization purchasing network infrastructure and endpoint devices today can be reasonably confident that they are 802.1X-capable. Though interoperability in a multi-vendor environment can be tricky, 802.1X is well suited to a homogeneous network environment.

Layer 2 approach: 802.1X requires successful authentication before layer 3 network access is permitted by the authenticator. EAPoL operates once a layer 2 connection is established, obviating the need for an IP address during the authentication process. Since the 802.1X conversation between the supplicant and the authenticator is done without an IP address, there is no potential for the endpoint to attack the network prior to network admission. This advantage may be useful in high-risk environments.

Disadvantages of 802.1X

Reliance on supplicants: 802.1X requires supplicant software on endpoints for authentication. While newer laptop and mobile device operating systems include supplicants, many legacy endpoints do not and therefore cannot participate in the 802.1X authentication process. Additionally, printers, IP phones, physical security devices (surveillance cameras, card readers, entry keypads, etc.), manufacturing, healthcare and a variety of industry-specific equipment do not support supplicants. In many environments, non-802.1X endpoints far outnumber 802.1X-capable ones. Managing network connectivity for non-802.1X endpoints can require a great deal of manual configuration (managing MAC authentication exception lists) as well as potential security tradeoffs.

Simply put: many IT managers don’t want to put “yet another agent” on the endpoint, so this is a major disadvantage compared to the NAC products that can work without agents.

Complexity in Wired LANs: While 802.1X is well-suited to wireless LANs, adoption has lagged in wired LANs due to a number of challenges that make deployment complex and costly. Legacy switches or other network infrastructure devices may lack 802.1X support. Additionally, switches from different manufacturers are inconsistent in the manner in which they support 802.1X. Unlike wireless LANs, which are predominantly used by newer mobile devices with built-in supplicants, wired LANs tend to have a greater variety of legacy endpoints, many of which do not support 802.1X supplicant software. Also, it is challenging to configure different switches in a multi-vendor environment to handle a mix of 802.1X and non-802.1X endpoints.


Architectural limitations: By itself, the 802.1X standard does not address exceptions that abound in most business environments. It assumes that all legitimate devices in an organization will always have properly configured supplicants. The authentication result is binary – allow or deny. There are no considerations for guest or contractor devices with supplicants configured for a different 802.1X environment, remediation actions upon failure, or tolerances for configuration errors. Lack of resiliency or graceful failover means that a failure in any part of the process usually requires manual IT intervention – a major challenge for any organization. Commercial NAC solutions sometimes extend and/or complement 802.1X with additional capabilities to address these architectural shortcomings.

Lack of security posture validation: Pre-connect security posture validation and post-connect compliance monitoring of endpoints are outside the scope of the 802.1X standard. In addition to authenticating the endpoint and/or its user before allowing access, it is important to determine whether the endpoint is safe and in compliance with an organization’s security policies. Even authorized users can unknowingly bring “unsafe” devices onto the network, which can place the entire network and the organization at risk. As a standalone solution, 802.1X wraps up after authentication is completed and does not monitor the compliance posture of the device or the behavior of the user post-admission. By itself, it is essentially a one-trick pony – other solutions are required, either in addition to or in place of 802.1X, in order to address pre-connect and post-connect endpoint compliance.

How ForeScout helps Implement 802.1X within a NAC Framework

If you have determined that 802.1X is the right authentication technology for your organization, you then need to decide how to implement 802.1X.

You could “roll your own” and work directly with the protocol and its components, but case studies published by analysts such as Gartner have shown that such implementations often take a long time – months or even years – and require a large amount of administrative overhead.

Alternatively, you could purchase a turnkey solution such as ForeScout CounterACT, which makes rollout much easier. CounterACT provides all of the network access control features and functions described above in this technical note.

ForeScout CounterACT allows enterprises to use multiple authentication methods (including 802.1X) and access control enforcement techniques. It includes a built-in RADIUS server to make rollout of 802.1X easy. Alternatively, it can function as a RADIUS proxy and leverage existing RADIUS servers.

CounterACT provides a number of unique features to help customers implement network access control while leveraging 802.1X authentication. We illustrate some of these features below.

ForeScout CounterACT Functions

  • Pre-Connect Authentication
  • Profiling and Endpoint Classification
  • Security Posture Assessment
  • Access Control Enforcement
  • Quarantine and Remediation
  • Guest Registration and Enablement
  • BYOD Provisioning and On-Boarding
  • Post-Connect Monitoring and Controls

Authentication methods supported:

  • 802.1X
  • LDAP directory systems
  • MAC address bypass list
  • Guest registration database
  • External authentication repositories

Access control options:

  • Allow/deny
  • VLAN assignment
  • ACL management
  • Virtual firewall

Verifying 802.1X Readiness

An 802.1X-based NAC deployment has a lot of moving parts and is dependent on multiple elements of the IT infrastructure being 802.1X-capable and ready. Because the 802.1X architecture is not very forgiving or resilient, it behooves IT security managers to verify that all aspects of their environment are properly configured before enforcing access control.

ForeScout CounterACT includes built-in visibility tools to verify that all your participating switches and endpoints are correctly configured for 802.1X authentication. This helps identify and solve problems before they become disruptive.

Figure 2: Verifying 802.1X readiness using CounterACT

CounterACT provides 802.1X policies to verify:

  • Network infrastructure readiness
  • Client readiness (details in the supplicant remediation section)
  • End-to-end authentication communication from the client (via the switch) to the RADIUS server and directory (see Figure 2)

These policies can be run in monitor mode to identify potential issues before enforcing 802.1X access control (see Figure 3). This helps avoid business disruption and help-desk calls. After turning on 802.1X, these policies can be used to identify problems as they occur and take corrective action.

Figure 3: CounterACT policies for 802.1X switch readiness and monitoring

Supplicant Remediation

802.1X requires supplicant software on endpoints for authentication. Supplicants must be properly configured for the specific 802.1X environment. Oftentimes, supplicants are not installed or enabled on guest or BYOD endpoints, or the supplicant may be incorrectly configured for the particular corporate environment. For example, a common issue with guest or BYOD devices is that the supplicant is configured by default to use the Windows login and password for authentication. Since these credentials may be for a different domain, they do not travel well, and the user will not be able to get onto another 802.1X network. ForeScout CounterACT solves this problem because of its ability to allow all users, even those that fail 802.1X authentication, to register for network access.

CounterACT provides built-in remediation tools to identify when an endpoint does not have a properly configured supplicant (see Figure 4). Policies are provided to identify common supplicant issues for Windows, Mac OS, Linux and mobile platforms such as iOS and Android. When such issues are found, CounterACT can automate the remediation process through scripts to install and/or configure a supplicant.

Figure 4: Supplicant remediation policies in CounterACT

Hybrid Mode

By itself, the 802.1X standard is not resilient or fault tolerant. It assumes that all legitimate devices in an organization will always have properly configured supplicants. The authentication result is binary — allow or deny. Lack of resiliency means that there are typically many failures, and 802.1X’s inability to gracefully fail over creates a heavy helpdesk load and places a heavy toll on end user productivity.

CounterACT includes a hybrid mode which lets you utilize 802.1X and/or other authentication technologies within the same network environment. In addition to 802.1X, CounterACT supports authentication against LDAP directories such as Active Directory, authentication against a built-in guest registration database or MAC address bypass list, or authentication against other external databases that house guest, BYOD or contractor authorization information.

Using CounterACT’s hybrid mode, any device that fails 802.1X authentication can be placed in a lobby VLAN. If the device is a computer, CounterACT can give the user an opportunity to authenticate via another method, such as by entering his/her Active Directory credentials. If the user is a guest, CounterACT can give the user the opportunity to register for guest access on the network.

Hybrid mode provides two benefits:

  1. It allows organizations to roll out NAC quickly and completely in an environment that does not support 802.1X in every location.

  2. It provides a redundant authentication mechanism for endpoints that fail or are unable to use 802.1X authentication.

Figure 5: Configuring hybrid mode using CounterACT policies

Automated Exception Process for non-802.1X Endpoints

ForeScout CounterACT automates the MAC exception process for non-802.1X endpoints (printers, phones, etc.) using its built-in endpoint profiler (see Figure 6). CounterACT automatically identifies such devices and, based on the device type and associated policy, adds the device’s MAC address to an exception list and then places the device on the production network. Subsequent connections are automatically allowed as long as the device profile stays consistent.

In addition, ForeScout CounterACT continuously monitors every endpoint in order to prevent MAC address spoofing (see Figure 7). For example, if a device originally appeared to be a printer (based on profiling) and was allowed network access, but then starts reading documents from a file server, CounterACT can detect this change in device profile and can remove the device from the network and the MAC exception list. This provides a fully automated, closed-loop exception management process and alleviates security concerns related to MAC authentication in high-risk environments.
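The hybrid-mode fallbacks and the automated, closed-loop MAC exception process described in the last two sections, as one added example in Python (not ForeScout code): admission tries 802.1X first, then a profiler-based MAC exception, then directory credentials, then guest registration, and otherwise leaves the device in the lobby VLAN; a post-connect check revokes an exception as soon as the device's traffic no longer matches the profile it was admitted under. The device classes, expected traffic types, directory and guest database are constructed stand-ins for the profiler and the external systems.

```python
from dataclasses import dataclass

PRODUCTION, LOBBY, GUEST, BLOCKED = "production", "lobby", "guest", "blocked"

# Constructed profiler model: device classes that cannot run a supplicant and
# the kinds of traffic each class is expected to generate.
NON_SUPPLICANT_CLASSES = {
    "printer": {"print-spooler"},
    "ip-phone": {"sip", "rtp"},
    "camera": {"rtsp"},
}


@dataclass
class Admission:
    vlan: str
    method: str  # which authentication path granted (or refused) access


class HybridNac:
    def __init__(self, directory, guest_db):
        self.directory = directory    # username -> password (constructed AD stand-in)
        self.guest_db = guest_db      # registered guest e-mail addresses (constructed)
        self.mac_exceptions = {}      # mac -> device class it was admitted as

    def admit(self, mac, profile, dot1x_ok, alt_credentials=None, guest_email=None):
        """Hybrid-mode admission: 802.1X, then profiler exception, then
        directory credentials, then guest registration, else the lobby VLAN."""
        if dot1x_ok:
            return Admission(PRODUCTION, "802.1X")
        # An existing exception is honoured only while the profile stays consistent.
        if self.mac_exceptions.get(mac) == profile:
            return Admission(PRODUCTION, "MAC exception")
        if profile in NON_SUPPLICANT_CLASSES:
            self.mac_exceptions[mac] = profile    # automated exception, no manual list
            return Admission(PRODUCTION, "MAC exception (auto-created)")
        if alt_credentials:
            user, password = alt_credentials
            if self.directory.get(user) == password:
                return Admission(PRODUCTION, "directory credentials")
        if guest_email and guest_email in self.guest_db:
            return Admission(GUEST, "guest registration")
        return Admission(LOBBY, "no valid authentication")

    def observe(self, mac, observed_traffic):
        """Post-connect check: an excepted device whose traffic no longer matches
        its class loses the exception and is taken off the network."""
        cls = self.mac_exceptions.get(mac)
        if cls is None:
            return None                           # not an excepted device
        unexpected = set(observed_traffic) - NON_SUPPLICANT_CLASSES[cls]
        if unexpected:
            del self.mac_exceptions[mac]
            return Admission(BLOCKED, "profile changed: " + ", ".join(sorted(unexpected)))
        return Admission(PRODUCTION, "profile consistent")
```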

Figure 6: Automating exceptions for non-802.1X endpoints

Figure 7: Detecting MAC address spoofing and impersonation using CounterACT

When to Use 802.1X and When Not to

As described above, 802.1X has some advantages and disadvantages, and addresses only a subset of security controls. It can be deployed as a stand-alone network access control solution, or it can be used to provide authentication within the broader context of a commercial NAC solution.

Since 802.1X is a standard that is supported by most networking devices and operating systems, some may perceive it as “free” and pursue the path of implementing a NAC solution using stand-alone 802.1X. However, deploying 802.1X requires integrating multiple components; it is not a turnkey solution. Interoperability of devices, or the lack thereof, can prove challenging. And by itself, it doesn’t solve the problem of non-802.1X-capable devices, which often outnumber 802.1X-capable ones.

In this section we’ll examine a few use cases for implementing network access control. We’ll provide guidance on when to consider using 802.1X as a stand-alone solution, and when to consider deploying a commercial NAC solution, such as ForeScout CounterACT.

Organizational Needs

Begin by considering your current needs. Do you simply want to separate guests from employees and place all guests in a different VLAN which only provides internet access? Or do you want the ability to control guests, find out who they are, selectively approve each guest’s request for access, and control how long they can connect to the network?

Also consider future goals and objectives. Do you think you will want to control network access on the basis of device type, security posture, user role and other factors? Are there other needs, such as integration with MDM systems or SIEM solutions, lurking around the corner?

Let’s take a look at a few use cases to provide additional clarity.

Use Case: Secure Guest Access

Consultants, contractors, business partners and other guests bring their own personal devices and request internet connectivity so they can work on site. To remain productive they may need access to basic services such as printing, or broader access to specific corporate applications and data. Providing them unlimited access to the production network can expose you to malware and possible data loss.

Based on your specific needs, you may choose to implement some or all of the following capabilities:

  • User authentication to delineate between employees and guests
  • Different levels of network access (limiting access to specific resources) based on user role
  • Automated guest provisioning through the use of captive portals and self-registration techniques
  • Sponsorship capability that allows non-IT employees to create and manage guest accounts, based on IT policies, in external databases that a NAC solution then uses to authenticate guests

By itself, 802.1X can provide authentication for employees and VLAN segmentation for guests. You need a commercial NAC solution like ForeScout CounterACT to implement the remaining functionality.

| Capability | 802.1X | ForeScout CounterACT |
|---|---|---|
| User Authentication | Yes | Yes |
| Guest Registration (Captive Portals etc.) | No | Yes |
| Non-IT Sponsor Support | No | Yes |
| Access Control Options | VLANs | Various Granular Options |
| Deployment | Multiple Components, External RADIUS Server | Fully Integrated, Turnkey Solution |

Use Case: Endpoint Compliance

Mobile devices that connect to corporate and public networks can become infected or non-compliant over time Endpoints can become misconfigured Security agents can be disabled Antivirus software can fall out-of-date Unauthorized software can be unknowingly installed by employees To control risk, the security posture of all devices must be verified before and after they’re allowed on the network

Based on your specific needs, you may choose to implement some or all of the following capabilities:

Identify and authenticate a user and endpoint

Assess an endpoint against a security policy, such as verifying the device configuration or the status of antivirus

Contain or limit access to resources for endpoints that fail to meet security policy requirements

Remediate endpoints that do not meet security policy requirements so they can be made compliant and allowed access to the network

Post-connect monitoring of device behavior to detect malicious activity or failure of one or more of the onboard security controls

Endpoint compliance is outside the scope of 802.1X: the protocol establishes who or what is connecting to a port, not whether the endpoint is configured or patched correctly. To implement the above functionality you need a commercial NAC solution like ForeScout CounterACT.
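The admission and re-evaluation loop described in the capability list above (assess, contain, remediate, then keep monitoring after connect) is shown here as an added Python example. It is not CounterACT code; the policy thresholds, posture attribute names and telemetry event shapes are assumptions made for illustration.

```python
"""Pre-connect posture assessment and post-connect re-evaluation against a policy.
Added illustration, not CounterACT code: the policy thresholds, posture attributes
and telemetry events are assumptions made for the example."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Optional

POLICY = {
    "max_signature_age_days": 7,     # AV signatures older than this are stale
    "max_patch_age_days": 30,        # OS patch level older than this fails
    "banned_software": {"utorrent", "teamviewer"},
}


@dataclass
class Posture:
    mac: str
    user: Optional[str]                   # None: no authenticated user
    av_installed: bool
    av_enabled: bool
    av_signature_date: Optional[datetime]
    agent_running: bool                   # endpoint security agent
    os_patch_age_days: int
    installed_software: set = field(default_factory=set)


@dataclass
class Decision:
    action: str          # "allow" | "quarantine" | "deny"
    reasons: list
    remediation: list    # ordered actions to bring the endpoint back into policy


def evaluate(p: Posture, now: datetime) -> Decision:
    """Map a posture record to an access decision plus the remediation to run."""
    if p.user is None:
        return Decision("deny", ["no authenticated user or device identity"], [])
    reasons, fixes = [], []
    max_sig = timedelta(days=POLICY["max_signature_age_days"])
    if not p.av_installed:
        reasons.append("antivirus not installed"); fixes.append("install_av")
    elif not p.av_enabled:
        reasons.append("antivirus disabled"); fixes.append("start_av_service")
    elif p.av_signature_date is None or now - p.av_signature_date > max_sig:
        reasons.append("antivirus signatures stale"); fixes.append("update_av_signatures")
    if not p.agent_running:
        reasons.append("security agent not running"); fixes.append("start_agent")
    if p.os_patch_age_days > POLICY["max_patch_age_days"]:
        reasons.append(f"OS patches {p.os_patch_age_days} days old"); fixes.append("run_os_update")
    banned = sorted(p.installed_software & POLICY["banned_software"])
    if banned:
        reasons.append(f"unauthorized software: {banned}"); fixes.append("uninstall:" + ",".join(banned))
    return Decision("quarantine" if reasons else "allow", reasons, fixes)


def apply_event(p: Posture, event: dict) -> Posture:
    """Fold a post-connect telemetry event into the posture record (constructed event shapes)."""
    kind, name = event["type"], event.get("name", "")
    if kind == "service_stopped" and name == "antivirus":
        return replace(p, av_enabled=False)
    if kind == "service_stopped" and name == "agent":
        return replace(p, agent_running=False)
    if kind == "software_installed":
        return replace(p, installed_software=p.installed_software | {name})
    return p


def demo() -> dict:
    """Walk constructed endpoints through admission and a later post-connect event."""
    now = datetime(2013, 6, 1, 9, 0)                          # constructed clock
    laptop = Posture("aa:bb:cc:00:00:01", "jdoe", True, True,
                     now - timedelta(days=2), True, 10, {"office"})
    stale = replace(laptop, mac="aa:bb:cc:00:00:02",
                    av_signature_date=now - timedelta(days=12),
                    agent_running=False, os_patch_age_days=45,
                    installed_software={"office", "utorrent"})
    anonymous = replace(laptop, mac="aa:bb:cc:00:00:03", user=None)
    pre_ok, pre_bad, denied = (evaluate(laptop, now), evaluate(stale, now),
                               evaluate(anonymous, now))
    # Post-connect: the admitted laptop's antivirus service is stopped two hours later,
    # so the same policy is re-run and the endpoint is pulled back into quarantine.
    drifted = apply_event(laptop, {"type": "service_stopped", "name": "antivirus"})
    post = evaluate(drifted, now + timedelta(hours=2))
    return {"pre_ok": pre_ok, "pre_bad": pre_bad, "denied": denied, "post": post}


if __name__ == "__main__":
    for name, d in demo().items():
        print(name, d.action, d.reasons, d.remediation)
```

The same `evaluate()` serves both phases: pre-connect it decides admission, and after connect it is re-run whenever telemetry changes the posture record, which is what turns a one-time gate into continuous monitoring. The remediation list is ordered so that the action that unblocks the next check (install before enable, enable before update) runs first.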

Capability                          | 802.1X | ForeScout CounterACT
User/Device Authentication          | Yes    | Yes
Security Posture Validation         | No     | Yes
Mobile Device Configuration Checks  | No     | Yes
Custom Policies and Checks          | No     | Yes
Quarantine and Remediation          | No     | Yes
Post-Connect Monitoring             | No     | Yes
Compliance Reporting                | No     | Yes

Use Case: Secure BYOD Access

With the proliferation of mobile devices, employees are increasingly looking to use their own personal devices at work. A Gartner survey reveals that U.S.-based CIOs expect 38% of mobile devices used within the enterprise will be employee-owned by 2014. BYOD policies are required because employee-owned devices may present risks to the network such as propagation of malware, network instability and potential data loss.

Based on your specific needs, you may choose to implement some or all of the following capabilities:

Profile and identify endpoints by type when they connect to the network

Assess BYOD endpoints against a security policy, such as verifying the device configuration or the endpoint security posture

Provide different levels of network access and limit access to specific resources based on user role, device type and security posture

Automate provisioning of BYOD devices through the use of captive portals and other techniques

Remediation capability, such as downloading mandated device configuration, endpoint protection agents, operating system security updates etc., so that BYOD endpoints can be made compliant and allowed access to the network


802.1X can provide authentication for BYOD endpoints; however, doing so requires properly configured supplicant software on every endpoint, and its access control is limited to the VLAN the RADIUS server assigns. A commercial NAC solution like ForeScout CounterACT provides the most flexible approach to securing a BYOD environment because CounterACT does not require BYOD devices to contain configured 802.1X supplicants. ForeScout CounterACT can also provide more granular control over which types of devices are granted access to the network, and limit access based on the user's role.

Capability                          | 802.1X               | ForeScout CounterACT
User/Device Authentication          | Yes                  | Yes
Profiling and Endpoint Classification | No                 | Yes
Security Posture Validation         | No                   | Yes
Mobile Device Configuration Checks  | No                   | Yes
Quarantine and Remediation          | No                   | Yes
Role-Based Access Control           | No                   | Yes
MDM Integration                     | No                   | Yes
Client Software Dependency          | Supplicant Required  | None Required

Network Environment

Another important consideration is your enterprise network environment. Do all your switches and wireless access points support 802.1X? Is most of your network infrastructure from a single vendor, or do you have a multi-vendor environment? Do most of your endpoints have 802.1X supplicants built in? Or do you have a large number of legacy endpoints and/or other non-802.1X-capable devices and equipment?

802.1X authentication is well suited to a homogeneous network environment, and is easier to implement in wireless LANs than in wired LANs. In large and complex heterogeneous environments, using 802.1X authentication can be challenging and costly; the overhead of using 802.1X can be far greater than that of alternate authentication methods.

Let's take a look at a use case for managing non-802.1X endpoints.

Use Case: Exception Management

Endpoints such as printers, IP phones and physical security devices cannot respond to requests for identification, nor do they support authentication agents such as 802.1X supplicants. Various industry-specific equipment, such as machines on a manufacturing floor, cash registers in a retail store, and healthcare devices in hospitals, is business critical and needs network access. MAC authentication (MAC authentication bypass, or MAB) is probably the best alternative for handling such endpoints, but a MAC address is not a secret and is trivially cloned, so it identifies rather than authenticates a device. Maintaining static MAC exception lists also requires significant ongoing manual configuration and potential security tradeoffs.

Based on your specific needs, you may choose to implement some or all of the following capabilities:

Authenticate an endpoint using its MAC address

Profile and classify endpoints by type when they connect to the network

Dynamically create MAC exception lists for specific types of devices

Post-connect monitoring of device behavior to detect MAC address spoofing/impersonation and dynamic removal of endpoints from MAC exception lists


Capability                   | 802.1X  | ForeScout CounterACT
MAC based authentication     | Yes     | Yes
Endpoint profiling           | No      | Yes
MAC exception lists          | Manual  | Automated
Detect MAC address spoofing  | No      | Yes

MAC exception lists can be implemented within an 802.1X environment as a way of admitting devices that don't support 802.1X supplicants. However, these exception lists are static and have to be maintained manually, and a switch enforcing them has no way to tell a printer from a laptop that has copied the printer's MAC address. A commercial NAC solution like ForeScout CounterACT can complement 802.1X and automate the exception management process.
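How the exception-management loop above can be automated, as an added Python example rather than ForeScout's code: endpoints are profiled from several independent signals, only devices that profile into a MAB-eligible class are written to the allow-list, and post-connect records are checked against the class's expected behaviour so that a cloned MAC is evicted again. The OUI table, DHCP fingerprints, port profiles, switch-port names and traffic records are all constructed for the example.

```python
"""Dynamic MAB (MAC exception) allow-list with post-connect spoof checks.
Added illustration, not ForeScout/CounterACT code: the OUI table, fingerprints,
behaviour profiles and traffic records are all constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field

OUI_VENDOR = {"00:11:22": "ExamplePrint", "00:33:44": "ExampleVoice"}  # constructed

# Destination ports a legitimate device of each class initiates connections to.
CLASS_PROFILE = {
    "printer":  {53, 67, 123, 443, 515, 631, 9100},
    "ip_phone": {53, 67, 69, 123, 5060, 5061},
}
MAB_ELIGIBLE = set(CLASS_PROFILE)  # only these classes may bypass 802.1X via MAB


@dataclass
class Endpoint:
    mac: str
    dhcp_vendor_class: str = ""                          # DHCP option 60 on the wire
    listening_ports: set = field(default_factory=set)    # from a light service probe


def classify(ep):
    """Vote across OUI, DHCP vendor class and listening ports. A MAC address is
    trivially cloned, so the OUI alone never decides: two signals must agree."""
    vendor = OUI_VENDOR.get(ep.mac.upper()[:8])
    vc = ep.dhcp_vendor_class.lower()
    signals = [
        ("printer", vendor == "ExamplePrint"),
        ("printer", "printer" in vc),
        ("printer", bool(ep.listening_ports & {515, 631, 9100})),
        ("ip_phone", vendor == "ExampleVoice"),
        ("ip_phone", "phone" in vc),
        ("ip_phone", bool(ep.listening_ports & {5060, 5061})),
    ]
    votes = defaultdict(int)
    for cls, hit in signals:
        votes[cls] += hit
    best = max(votes, key=votes.get)
    return best if votes[best] >= 2 else "unknown"


def build_allowlist(endpoints):
    """{MAC: class} for every endpoint that profiles as a MAB-eligible class."""
    out = {}
    for ep in endpoints:
        cls = classify(ep)
        if cls in MAB_ELIGIBLE:
            out[ep.mac.upper()] = cls
    return out


def monitor(allowlist, flows, port_map):
    """Post-connect check of admitted MACs. flows: (source MAC, destination port)
    for connections the device initiated; port_map: {MAC: switch ports it is learned
    on}. Returns the MACs to drop from the exception list and the findings."""
    revoked, findings = set(), []
    for mac, cls in allowlist.items():
        unexpected = {p for src, p in flows if src.upper() == mac} - CLASS_PROFILE[cls]
        ports = port_map.get(mac, set())
        if unexpected:
            findings.append((mac, f"{cls} initiating traffic to ports {sorted(unexpected)}"))
        if len(ports) > 1:  # one MAC learned on two access ports: likely cloned
            findings.append((mac, f"learned on switch ports {sorted(ports)}"))
        if unexpected or len(ports) > 1:
            revoked.add(mac)
    return revoked, findings


def demo():
    """Run the example over constructed observations and return the outcomes."""
    observed = [
        Endpoint("00:11:22:aa:bb:cc", "ExamplePrint Printer", {9100, 631}),  # printer
        Endpoint("00:33:44:dd:ee:ff", "ExampleVoice Phone", {5060}),        # IP phone
        Endpoint("00:99:88:11:22:33", "MSFT 5.0", {445}),                   # laptop
        Endpoint("00:11:22:12:34:56", "MSFT 5.0", set()),                   # printer OUI only
    ]
    allowlist = build_allowlist(observed)
    # Later traffic: the "printer" starts SMB and SSH sessions and its MAC shows
    # up on two access ports; the phone behaves as expected.
    flows = [("00:11:22:aa:bb:cc", 123), ("00:11:22:aa:bb:cc", 445),
             ("00:11:22:aa:bb:cc", 22), ("00:33:44:dd:ee:ff", 5060),
             ("00:33:44:dd:ee:ff", 53)]
    port_map = {"00:11:22:AA:BB:CC": {"Gi1/0/5", "Gi1/0/9"},
                "00:33:44:DD:EE:FF": {"Gi1/0/7"}}
    revoked, findings = monitor(allowlist, flows, port_map)
    remaining = {m: c for m, c in allowlist.items() if m not in revoked}
    return {"allowlist": allowlist, "revoked": revoked,
            "findings": findings, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points matter here. A device whose only matching signal is a printer OUI stays "unknown" and never reaches the allow-list, which is the cheap defence against someone setting a laptop's MAC to a printer vendor prefix. And admission is not the end of the decision: a printer that begins opening SMB and SSH sessions, or a MAC learned on two access ports at once, is exactly the post-connect evidence that a static switch-side exception list can never act on.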

Other Considerations

There may be other factors to take into consideration when selecting an authentication mechanism for network access control. Government organizations and a number of industry verticals are subject to various regulations, some of which may mandate the use of 802.1X or other authentication techniques. In high-risk environments or classified networks there may be a legitimate requirement for all devices to use 802.1X supplicants with certificates.

Budget is always a factor in any decision-making process. Upgrading vast amounts of legacy network infrastructure can be a showstopper for 802.1X. An organization may choose to use 802.1X for the wireless infrastructure while using other authentication methods on wired LANs. Conversely, if an organization has newer homogeneous network infrastructure, there may be cost savings to be had in deploying a stand-alone 802.1X solution, especially if the IT staff can create additional home-grown tools for visibility, remediation, resiliency and automation of manual processes.

Conclusion

802.1X can be implemented as a stand-alone port-based access control solution, or it can be used as an authentication mechanism within the broader context of a commercial network access control (NAC) solution such as ForeScout CounterACT. The decision of whether to use 802.1X or another authentication mechanism rests on the specific needs of the organization and consideration of the advantages and disadvantages of 802.1X within a given network environment.

Most organizations find that 802.1X by itself does not provide enough security controls, and that it is too challenging to deploy. There are tremendous benefits in using commercial solutions such as CounterACT to augment 802.1X and overcome its challenges.

CounterACT greatly enhances network visibility and security, and provides additional functions such as endpoint profiling, security posture validation, quarantine and remediation, advanced guest management and BYOD provisioning. CounterACT also includes a complete set of troubleshooting and remediation tools that speed the deployment of any 802.1X solution and make 802.1X more resilient and more accommodating to unknown or misconfigured endpoints, as often happens in a BYOD situation.


About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company's CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric™ technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide.

Learn more at www.forescout.com.

ForeScout Technologies, Inc.
900 E. Hamilton Ave., Suite 300
Campbell, CA 95008
U.S.A.
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 408-213-2283
www.forescout.com

©2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2013 0057