Foiling attempts to plug an unauthorized device directly into a local area network (LAN) has been the purview of the IEEE's 802.1x standard since it was introduced in 2001. Without the protection of 802.1x, hackers and other security risks might be able to wreak havoc not only on the LAN itself but also on wider Internet Protocol (IP) networks.
Of course, this becomes increasingly critical as more and more devices such as IP phones connect to LANs and access the Internet through applications like Voice over IP (VoIP).
The main tenet behind 802.1x is that any device that is plugged into a network must be authenticated before any regular data traffic occurs. As soon as the network cable from a device like a laptop computer or an IP phone is physically plugged into a network, or as soon as a device attempts to gain access to a wireless Wi-Fi network, 802.1x must determine the identity of the device and whether it is authorized to access that network.
802.1x is limited to authenticating physical connections at the Data Link layer (Layer 2 of the OSI model). Built on the Extensible Authentication Protocol (EAP), 802.1x offers no security for any of the data communications once it has authorized the connection.
Three entities come into play in every 802.1x authentication process. The standard calls any device that plugs into a network a supplicant because it must first seek and be granted authorization to access the network.
The entity that is responsible for the 802.1x authentication process is called the authenticator. In many cases this is an Ethernet switch on the LAN. The process is carried forward by an authentication server, which determines whether the supplicant's traffic over the network can be authorized.
How it Works
Typically, traffic on any unoccupied access point to a network, such as a port on a wired or wireless Ethernet switch, is blocked until the 802.1x authentication process has completed. The blocked traffic includes all configuration mechanisms, such as Dynamic Host Configuration Protocol (DHCP), as well as any other traffic such as HTTP data. When a device plugs into a network and is detected, the port on the switch is set as "unauthorized" and only 802.1x traffic is allowed.
As a first step in the 802.1x process, the authenticator requests the identity of the supplicant. When the supplicant responds with a packet containing its identity, the authenticator forwards this information to the authentication server, where the request for authentication and authorization for access to the network is either accepted or rejected. The authentication server applies its authentication rules to make this determination.
When a request for authentication is accepted by the authentication server, the authenticator sets the access port to 'authorized' and normal network traffic can begin. Should the supplicant log off or simply unplug its network cable from the network, the authenticator is notified and the status of the port is returned to an unauthorized state, where only 802.1x traffic is allowed until another 802.1x authorization process has been completed (Figure 1, below).
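The port states and message order just described, as an added simulation that is not part of the original article: a supplicant, an authenticator port and an authentication server exchange the messages in sequence, and the port forwards non-802.1x traffic only while it is authorized. The Frame type, the identity allowlist standing in for the server's rules, and the collapsing of the EAP method exchange into a single server verdict are constructed assumptions for illustration.

```python
"""Added example: a minimal model of the 802.1x port-based flow.

Constructed for illustration; the Frame type, the identity allowlist and the
single-step server decision are assumptions, not a real EAP method. In a real
deployment an EAP method (for example EAP-TLS) runs between the identity
exchange and the server's accept/reject verdict."""

from dataclasses import dataclass

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN: the only EtherType an unauthorized port passes


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: dict  # e.g. {"eapol": "Start"} or {"eap": "Response/Identity", "identity": "x"}


class AuthServer:
    """Stands in for the RADIUS server that applies the authentication rules."""

    def __init__(self, allowed_identities):
        self.allowed = set(allowed_identities)  # constructed rule: an identity allowlist

    def authenticate(self, identity: str) -> str:
        return "Access-Accept" if identity in self.allowed else "Access-Reject"


class AuthenticatorPort:
    """One switch port acting as the 802.1x authenticator."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.state = "unauthorized"
        self.eap_id = 0   # EAP identifier for the next Request
        self.log = []     # human-readable trace of what the port did

    def receive(self, frame: Frame) -> str:
        """Handle one inbound frame and return the port's reaction."""
        if frame.ethertype != ETHERTYPE_EAPOL:
            if self.state == "authorized":
                self.log.append(f"forward {frame.payload} from {frame.src_mac}")
                return "forwarded"
            # DHCP, HTTP and everything else is blocked while unauthorized
            self.log.append(f"drop {frame.payload} from {frame.src_mac}")
            return "dropped"
        return self._handle_eapol(frame)

    def _handle_eapol(self, frame: Frame) -> str:
        p = frame.payload
        if p.get("eapol") == "Start":
            # Step 1: the authenticator asks the supplicant who it is
            self.eap_id += 1
            self.log.append(f"EAP-Request/Identity id={self.eap_id}")
            return "EAP-Request/Identity"
        if p.get("eapol") == "Logoff":
            # Supplicant logged off (or the link went down): back to unauthorized
            self.state = "unauthorized"
            self.log.append("EAPOL-Logoff: port unauthorized")
            return "port unauthorized"
        if p.get("eap") == "Response/Identity":
            # Step 2: relay the identity to the server (EAP over RADIUS in practice)
            verdict = self.server.authenticate(p.get("identity", ""))
            self.log.append(f"server says {verdict}")
            if verdict == "Access-Accept":
                self.state = "authorized"
                return "EAP-Success"
            self.state = "unauthorized"
            return "EAP-Failure"
        return "ignored"


def run_session(identity: str, allowed_identities) -> list:
    """Drive one supplicant through the exchange and return the port's reactions."""
    port = AuthenticatorPort(AuthServer(allowed_identities))
    mac = "00:11:22:33:44:55"  # constructed supplicant MAC
    steps = [
        Frame(mac, 0x0800, {"dhcp": "Discover"}),   # blocked: not yet authorized
        Frame(mac, ETHERTYPE_EAPOL, {"eapol": "Start"}),
        Frame(mac, ETHERTYPE_EAPOL, {"eap": "Response/Identity", "identity": identity}),
        Frame(mac, 0x0800, {"dhcp": "Discover"}),   # passes only after EAP-Success
        Frame(mac, ETHERTYPE_EAPOL, {"eapol": "Logoff"}),
        Frame(mac, 0x0800, {"http": "GET /"}),      # blocked again after logoff
    ]
    return [port.receive(f) for f in steps]


if __name__ == "__main__":
    print(run_session("phone-42", {"phone-42"}))
    print(run_session("unknown-pc", {"phone-42"}))
```

Running the two sessions shows the asymmetry the article stresses: the DHCP Discover sent before EAP-Success is dropped in both cases, and only the accepted identity ever gets a frame forwarded; after EAPOL-Logoff the port is back to passing nothing but 802.1x.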
Figure 1. 802.1x sets up connected devices for authentication
The messages that comprise the authorization process conform to EAP, which was developed by the Internet Engineering Task Force (IETF) in 1998 as RFC 2284 and updated in 2004 as RFC 3748. The messages between the supplicant device and the authenticator are carried in a specific EAP packet format known as EAP over LAN (EAPoL).
The messages between the authenticator and the authentication server are formulated into a format that is understood by the authentication server. For example, these messages are often encapsulated into EAP over RADIUS (EAPoR) packets if the authentication server happens to be a RADIUS server, a popular type of 802.1x authentication server.
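The EAPoL encapsulation described above, as an added example that is not code from the original article: an encoder and a parser for the Ethernet + EAPOL header and the EAP packet it carries, with length checks so that a truncated frame is rejected rather than misread. The field layouts follow the public EAPOL (IEEE 802.1X) and EAP (RFC 3748) headers; the sample source MAC and identity are constructed.

```python
"""Added example: encoder and parser for EAPoL frames carrying EAP packets.

Constructed for illustration; the field layouts follow the public EAPOL
(IEEE 802.1X) and EAP (RFC 3748) headers, the sample MAC and identity are
invented."""

import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # destination used for EAPOL on a LAN
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def build_eap(code: int, identifier: int, method: int = None, data: bytes = b"") -> bytes:
    """EAP header: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if method is None else struct.pack("!B", method) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header: Version(1) Type(1) Length(2) Body."""
    eapol = struct.pack("!BBH", 1, eapol_type, len(body)) + body
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eap(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet size")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": identifier, "length": length}
    if code in (1, 2):  # Request and Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response without Type byte")
        method = pkt[4]
        out["method"] = EAP_METHODS.get(method, f"type {method}")
        out["data"] = pkt[5:length]
        if method == 1:
            out["identity"] = out["data"].decode("utf-8", errors="replace")
    return out


def parse_eapol_frame(frame: bytes) -> dict:
    """Validate the Ethernet and EAPOL headers, then decode an embedded EAP packet."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (EtherType 0x{ethertype:04x})")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL body truncated")  # length claims more than was received
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
           "type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0:
        out["eap"] = parse_eap(body)
    return out


if __name__ == "__main__":
    src = bytes.fromhex("001122334455")  # constructed supplicant MAC
    resp = build_eapol_frame(src, 0, build_eap(2, 7, 1, b"phone-42"))
    print(parse_eapol_frame(resp))
```

The parser checks both length fields against the bytes actually received before indexing into them; an EAP-Response/Identity for "phone-42" decodes with EAP length 13 (4-byte header, 1-byte Type, 8-byte identity), and chopping bytes off the end of that frame raises instead of returning a partial identity.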
Generally, the supplicant software for initiating 802.1x authentication is embedded in the operating system (OS) on practically all PCs. For example, 802.1x supplicant software is contained in the most popular OSs, including Windows XP, Windows Vista, Windows 2000 (Service Pack 3), and Linux.
If this software is not included in the version of Linux present on the device, it can be added (wpa_supplicant). Other types of Ethernet devices also include 802.1x supplicant software, and practically all Ethernet switches have authenticator software.
It should be remembered that the security offered by 802.1x is limited to some degree. For example, there is a gap in 802.1x protection if an Ethernet hub is inserted between an authenticated supplicant and the network. When this occurs, other devices connected to the hub can access the network.
Ethernet switch suppliers have taken steps to fill this gap in the standard by blocking traffic on a port if the media access control (MAC) address of the supplicant changes. It is worth noting that 802.1x is under revision to facilitate secure communication over publicly accessible LANs/MANs, as well as to allow its use in additional applications.
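The hub gap and the vendor mitigation described in the two paragraphs above, as an added model that is not any switch vendor's code: an authorized port either forwards whatever arrives (the plain standard behaviour) or is bound to the MAC address that authenticated, in which case a frame from a second station blocks the port. The MAC addresses are constructed, and the "block the port until a fresh authentication" reaction is one common policy assumed here for illustration.

```python
"""Added example: the hub gap and the per-port MAC binding that switch vendors
use to close it. Constructed model, not any vendor's code; the MACs are invented
and the 'block the port' reaction is an assumed policy."""

from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    is_eapol: bool = False


class SwitchPort:
    def __init__(self, bind_mac: bool):
        self.bind_mac = bind_mac   # vendor extension: tie the authorized state to one MAC
        self.authorized = False
        self.bound_mac = None
        self.events = []

    def authorize(self, supplicant_mac: str) -> None:
        """Called once the supplicant's 802.1x exchange has succeeded."""
        self.authorized = True
        self.bound_mac = supplicant_mac

    def handle(self, frame: Frame) -> str:
        if not self.authorized:
            return "eapol" if frame.is_eapol else "dropped"
        if self.bind_mac and frame.src_mac != self.bound_mac:
            # A second station is talking through the authenticated link (a hub was
            # inserted): block the port and require a fresh authentication.
            self.authorized = False
            self.bound_mac = None
            self.events.append(f"port blocked: unexpected source {frame.src_mac}")
            return "blocked"
        return "forwarded"


def hub_scenario(bind_mac: bool) -> list:
    """An authenticated station, then a second station sharing its hub."""
    port = SwitchPort(bind_mac)
    authenticated = "aa:aa:aa:aa:aa:01"   # constructed MAC of the 802.1x supplicant
    second_station = "bb:bb:bb:bb:bb:02"  # constructed MAC of a device on the same hub
    port.authorize(authenticated)
    return [port.handle(Frame(authenticated)),
            port.handle(Frame(second_station)),
            port.handle(Frame(second_station)),
            port.handle(Frame(authenticated))]


if __name__ == "__main__":
    print("standard 802.1x only:", hub_scenario(bind_mac=False))
    print("with MAC binding:    ", hub_scenario(bind_mac=True))
```

Without binding, every frame on the authorized port is forwarded, including the second station's, which is exactly the gap. With binding, the first foreign source address blocks the port, and the authenticated station also loses connectivity until it re-authenticates; that side effect is the price of the mitigation. The binding is to a MAC address rather than to a cryptographic credential, which is one reason the article goes on to recommend IPsec or MACsec on top of 802.1x.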
The 802.1x standard was never truly intended to offer security beyond authenticating and authorizing physical connections to a network. As a result, once a device has been authenticated and communication commences, 802.1x does not offer security on any of the ensuing data traffic.
It is imperative that the security supported by 802.1x be supplemented by other measures such as the IP Security (IPsec) standard for authenticating and/or encrypting packets. 802.1AE (Media Access Control Security) together with 802.1af (Authenticated Key Agreement for MACsec) can also be used for data encapsulation, encryption and authenticity with key management.
Authenticating IP Phones
An IP phone is essentially an Ethernet device with all of the capabilities needed for VoIP as well as other functionality. Some IP phones have been enhanced significantly with processing power and other resources for additional applications above and beyond voice.
Most IP phones plug directly into the LAN, but they include another LAN port to which another device may be daisy-chained. IP phone manufacturers reason that most offices have only one Ethernet plug in the wall. The IP phone can be plugged directly into the office's LAN via this plug, and the user's PC can then access the LAN via the IP phone's second network port.
Most IP phones feature an internal Ethernet switching device to support two connections to the LAN. Within the context of 802.1x, both the IP phone and the PC must be authenticated before they are able to send regular traffic over the LAN. This means that they both must have 802.1x supplicant capabilities and the internal Ethernet switch of the IP phone has to be able to pass 802.1x traffic to the PC (Figure 2, below).
Figure 2. Both devices must have 802.1X capability for full security
In some cases, to enable the authentication of a PC or any other device connected to the IP phone's LAN port, the Ethernet switch in the IP phone must be configured to allow the forwarding of reserved multicast packets.
At the very least, the IP phone itself must support 802.1x supplicant software. The two most dominant embedded operating systems (OS) in IP phones include supplicant capabilities for both the IP phone and devices plugged into the phone's second Ethernet port.
In its Platform for Customer Device (PCD) 3.2, VxWorks from Wind River includes 802.1x LAN supplicant software, which performs 802.1x authentication for both the IP phone and any network devices connected to its LAN port.
Under Linux, a supplicant module (wpa_supplicant, GPLv2/BSD license) can be added to the IP phone's OS; this module will handle the 802.1x authentication process for the IP phone and will relay the 802.1x packets to the network device plugged into the second network port. This allows that network device to be 802.1x authenticated.
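The pass-through requirement from the IP phone section above, as an added model that is neither Wind River's nor wpa_supplicant's code: the phone's internal two-port switch decides where each frame goes, and because EAPoL uses a destination address in the 802.1D reserved block that a standard bridge never relays, the PC behind the phone can only authenticate when that reserved-multicast forwarding is switched on. The port names, the phone's MAC address and the `forward_eapol` flag are assumptions made for this example.

```python
"""Added example: forwarding decision of an IP phone's internal two-port switch
for the reserved 802.1x group address. Constructed model of the behaviour the
article describes, not Wind River's or wpa_supplicant's code; port names, MAC
addresses and the flag name are assumptions."""

PAE_GROUP = bytes.fromhex("0180c2000003")  # EAPOL destination; inside the 802.1D reserved block
ETHERTYPE_EAPOL = 0x888E
UPLINK, PC_PORT, LOCAL = "uplink", "pc", "phone"  # two physical ports plus the phone's own stack


def is_bridge_reserved(dst: bytes) -> bool:
    """01:80:C2:00:00:00 .. 01:80:C2:00:00:0F: a standard bridge never relays these."""
    return dst[:5] == bytes.fromhex("0180c20000") and dst[5] <= 0x0F


class PhoneSwitch:
    def __init__(self, phone_mac: bytes, forward_eapol: bool):
        self.phone_mac = phone_mac
        self.forward_eapol = forward_eapol  # the configuration knob the article mentions

    def forward(self, ingress: str, dst: bytes, ethertype: int) -> set:
        """Return the set of outputs for a frame arriving on `ingress`."""
        if is_bridge_reserved(dst):
            eapol = dst == PAE_GROUP and ethertype == ETHERTYPE_EAPOL
            if not eapol:
                # Other reserved groups (e.g. 01:80:C2:00:00:00 used by STP) stay link-local
                return set()
            if ingress == UPLINK:
                # The phone's own supplicant always sees the authenticator's requests; the
                # PC only does with pass-through on. Each supplicant answers from its own
                # source MAC, which is how the authenticator keeps the two sessions apart.
                return {LOCAL, PC_PORT} if self.forward_eapol else {LOCAL}
            if ingress == PC_PORT:
                # The PC's EAPOL-Start and responses must cross the phone to reach the switch
                return {UPLINK} if self.forward_eapol else set()
            return {UPLINK}  # the phone's own supplicant talks to the authenticator upstream
        # Ordinary traffic: plain two-port bridging with the phone as a third station
        multicast = bool(dst[0] & 1)
        if ingress == UPLINK:
            if dst == self.phone_mac:
                return {LOCAL}
            return {LOCAL, PC_PORT} if multicast else {PC_PORT}
        if ingress == PC_PORT:
            if dst == self.phone_mac:
                return {LOCAL}
            return {LOCAL, UPLINK} if multicast else {UPLINK}
        # Frames from the phone itself; without MAC learning, unicast goes upstream (simplification)
        return {UPLINK, PC_PORT} if multicast else {UPLINK}


def pc_can_authenticate(forward_eapol: bool) -> bool:
    """Does an EAPOL-Start from the PC port reach the authenticator on the uplink?"""
    switch = PhoneSwitch(bytes.fromhex("00aa00aa00aa"), forward_eapol)  # constructed phone MAC
    return UPLINK in switch.forward(PC_PORT, PAE_GROUP, ETHERTYPE_EAPOL)


if __name__ == "__main__":
    print("pass-through off: PC can authenticate?", pc_can_authenticate(False))
    print("pass-through on:  PC can authenticate?", pc_can_authenticate(True))
```

With the flag off, the phone still authenticates itself (its own supplicant receives the uplink's EAP-Request/Identity) but the PC's EAPOL-Start never leaves the phone, so the PC stays unauthorized; that is the situation the article's "must be configured to allow the forwarding of reserved multicast packets" sentence addresses. Ordinary unicast and broadcast traffic is bridged the same way in both modes.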
The flashy story that catches the headlines with regard to 802.1x focuses on the spec as a gateway to next-generation multimedia applications. In fact, the 802.1x standard's greatest and often overlooked value is in authenticating and authorizing physical connections to a network.
As a growing number of devices that consumers and businesses depend on access the Internet through advanced applications like VoIP, security remains an essential component of effective communication.
Since its introduction, the IEEE's 802.1x standard has provided advanced protection against prospective hackers, as any device that is plugged into a network must be authenticated before any regular data traffic occurs. Protecting both the LAN and the wider IP network, 802.1x is the always-working gatekeeper for users' network connections.
Sébastien Brun is a Software Application expert for VoIP (Voice over Internet Protocol) at Texas Instruments. He has worked in several positions supporting and training customers to bring their VoIP systems to market, making them successful in their business. Sébastien earned his degree from the Ecole Polytechnique Universitaire de Nice Sophia-Antipolis. Sébastien is currently working in the Communications Infrastructure and Voice teams within the DSP Systems Group at Texas Instruments Inc.