Some Limitations
It should be remembered that the security offered by 802.1x is limited
to some degree. For example, there is a gap in 802.1x protection if an
Ethernet hub is inserted between an authenticated supplicant and the
network. When this occurs, other devices connected to the hub can
access the network.
Ethernet switch suppliers have taken steps to fill this gap in the
standard by blocking traffic on a port if the media access control
(MAC) address of the supplicant changes. It is worthwhile noting that
802.1x is under revision to facilitate secure communication over
publicly accessible LANs/MANs, as well as allow its use in additional
applications.
The 802.1x standard was never truly intended to offer security
beyond authenticating and authorizing physical connections to a
network. As a result, once a device has been authenticated and
communication commences, 802.1x does not offer security on any of the
ensuing data traffic.
It is imperative that the security supported by 802.1x be
supplemented by other measures such as the IP Security (IPSec) standard
for authenticating and/or encrypting packets. 802.1AE (Media Access
Control Security) together with 802.1af (Authenticated Key Agreement
for MACSec) can also be used for data encapsulation, encryption and
authenticity with key management.
Authenticating IP Phones
An IP phone is essentially an Ethernet device with all of the
capabilities needed for VoIP as well as other functionality. Some IP
phones have been enhanced significantly with processing power and other
resources for additional applications above and beyond voice.
Most IP phones plug directly into the LAN, but they include another
LAN port to which another device may be daisy-chained. IP phone
manufacturers reason that most offices have only one Ethernet plug in
the wall. The IP phone can be plugged directly into the office's LAN
via this plug and then the user's PC can access the LAN via the IP
phone's second network port.
Most IP phones feature an internal Ethernet switching device to
support two connections to the LAN. Within the context of 802.1x, both
the IP phone and the PC must be authenticated before they are able to
send regular traffic over the LAN. This means that they both must have
802.1x supplicant capabilities and the internal Ethernet switch of the
IP phone has to be able to pass 802.1x traffic to the PC (Figure 2, below).
[Figure 2. Both devices must have 802.1X capability for full security]
In some cases, to enable the authentication of a PC or any other
device connected to the IP phone's LAN port, the Ethernet switch in the
IP phone must be configured to allow the forwarding of reserved
multicast packets.
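The two switch-side behaviours described above, the blocking of a port when a second MAC address appears behind an authenticated supplicant (the hub gap under Some Limitations) and the special handling of the reserved EAPOL group address that an IP phone's internal switch must relay, are modelled in the following Python sketch. This is an added illustration, not code from the article or from any switch vendor; the port model, the function names and the sample MAC addresses are constructed assumptions, while the PAE group address and EAPOL EtherType are the real 802.1X constants.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Reserved group address to which EAPOL (802.1X) frames are sent. Bridges must
# not forward frames to it, which is why an IP phone's internal switch needs an
# explicit exception to relay EAPOL between its wall port and its PC port.
PAE_GROUP_ADDR = "01:80:c2:00:00:03"
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800  # used for the "regular traffic" samples below

@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int

@dataclass
class PortState:
    """Simplified per-port state of an 802.1X-capable switch port (assumed model)."""
    authorized_mac: Optional[str] = None   # MAC that completed the EAP exchange
    blocked: bool = False                  # set once a second MAC is observed
    events: List[str] = field(default_factory=list)

def authorize(port: PortState, mac: str) -> None:
    """Called when the EAP/RADIUS exchange for `mac` succeeds on this port."""
    port.authorized_mac = mac.lower()
    port.events.append(f"authorized {mac.lower()}")

def process(port: PortState, f: Frame) -> str:
    """Return 'eapol', 'forward' or 'drop' for a frame arriving on the port."""
    src = f.src.lower()
    if port.blocked:
        return "drop"
    if f.ethertype == ETHERTYPE_EAPOL and f.dst.lower() == PAE_GROUP_ADDR:
        # Handed to the port's authenticator entity, never bridged onward.
        return "eapol"
    if port.authorized_mac is None:
        return "drop"   # unauthorized port: only EAPOL may pass
    if src != port.authorized_mac:
        # Hub-gap mitigation: a different source MAC behind an authorized
        # port means the physical connection is no longer the one that
        # was authenticated, so the port is shut until re-authentication.
        port.blocked = True
        port.events.append(f"blocked: {src} seen after {port.authorized_mac}")
        return "drop"
    return "forward"

def hub_scenario() -> List[str]:
    """Constructed walk-through: one supplicant authenticates, then a hub adds a second host."""
    port = PortState()
    process(port, Frame("00:11:22:33:44:55", PAE_GROUP_ADDR, ETHERTYPE_EAPOL))
    authorize(port, "00:11:22:33:44:55")
    process(port, Frame("00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff", ETHERTYPE_IPV4))
    return port.events
```

Running `hub_scenario()` shows the sequence a port log would record: the first MAC is authorized, and the first regular frame from a second MAC blocks the port.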
At the very least, the IP phone itself must support 802.1x
supplicant software. The two most dominant embedded operating systems
(OS) in IP phones include supplicant capabilities for both the IP phone
and devices plugged into the phone's second Ethernet port.
In its Platform for Customer Device (PCD) 3.2, VxWorks from
WindRiver includes 802.1x LAN supplicant software, which performs
802.1x authentication for both the IP phone and any network devices
connected to its LAN port.
Under Linux, a supplicant module (wpa_supplicant, GPLv2/BSD license)
can be added to the IP phone's OS; this module will handle the 802.1x
authentication process for the IP phone and will relay the 802.1x
packets to the network device plugged into the second network port.
This will allow this network device to be 802.1x authenticated.
The Workhorse
The flashy story that catches the headlines in regards to 802.1x
focuses on the spec as a gateway to next-generation multimedia
applications. In fact, the 802.1x standard's greatest and often
overlooked value is in authenticating and authorizing physical
connections to a network.
As a growing number of devices that consumers and businesses depend
on access the Internet through advanced applications like VoIP,
security remains an essential component of effective communication.
Since its introduction, the IEEE's 802.1x standard has provided
advanced protection against prospective hackers, as any device that is
plugged into a network must be authenticated before any regular data
traffic occurs. Protecting both the LAN and the wider IP network,
802.1x is the always-on gatekeeper that protects users' network
connections.
Sébastien Brun is a
Software Application expert for VoIP (Voice over Internet Protocol) at Texas Instruments.
He has worked in several positions supporting and training customers to
bring their VoIP systems on the market, making them successful in their
business. Sébastien earned his degree from the Ecole
Polytechnique Universitaire de Nice Sophia-Antipolis. Sébastien
is currently working in the Communications Infrastructure and Voice
teams within the DSP Systems Group at Texas Instruments Inc.