LAN security with 802.1x

Security has become a major topic in IT over the past few years. I’ve seen several SMBs without a DHCP server, because this supposedly helps security.

Of course, not running a DHCP server doesn’t keep anyone off your network: a visitor only has to pick an unused address and configure it statically. There’s a much better technology available that actually prevents unauthorized devices from accessing your network. It’s called 802.1x (IEEE 802.1X, port-based network access control).

In case you’re wondering, 802.1x can also be used with Wireless LAN. I’ve written a little HOWTO about Wireless 802.1x with Windows Server 2003 and Cisco APs.

Most access points support 802.1x, but on switches the feature is scarcer, especially in SMB equipment. Still, several vendors offer 802.1x in their switches at affordable prices.

But what is 802.1x? It’s a standard for authenticating a device at the link level, before it gets any access to the LAN. Three parties are involved: the supplicant (the client), the authenticator (the switch port or AP) and an authentication server, which in practice is a RADIUS server (such as Microsoft IAS, which lets you authenticate against Active Directory). A freshly connected port only passes EAPOL (EAP over LAN) frames; the switch relays the EAP messages between client and RADIUS server, wrapped in RADIUS Access-Request packets, and only opens the port for normal traffic once the server answers with Access-Accept. The switch or AP is just an intermediary and never interprets the EAP method itself, which makes it agnostic to the authentication method used (PEAP, EAP-TLS and so on).
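To make the roles concrete, here is an added example in Python (not code from the original post) that models the exchange end to end: the supplicant sends EAPOL-Start, the port answers with EAP-Request/Identity, the identity response is wrapped in a RADIUS Access-Request carrying EAP-Message and Message-Authenticator attributes, and the port forwards ordinary frames only after Access-Accept. The shared secret, MAC addresses and the identity whitelist are made up for the illustration, and the RADIUS server is a stub that accepts a whitelisted identity instead of running a real EAP method.

```python
"""Model of the 802.1X exchange: supplicant -> authenticator (switch port) -> RADIUS.
Added example, not code from the original post; the shared secret, MAC addresses and
identities are made up. Layouts follow IEEE 802.1X-2004, RFC 3748 (EAP) and RFC 3579."""
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")           # 802.1X PAE group address
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2            # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 61, 79, 80
NAS_PORT_TYPE_ETHERNET = 15

def eapol_frame(src_mac, pkt_type, body=b""):
    """Ethernet frame to the PAE group address carrying one EAPOL packet (version 2)."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, pkt_type, len(body)) + body

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, then optional type + type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eapol(frame):
    """Return (src_mac, eapol_type, body) or None if the frame is not EAPOL."""
    if len(frame) < 18:
        return None
    ethertype, _version, pkt_type, length = struct.unpack("!HBBH", frame[12:18])
    return None if ethertype != ETHERTYPE_EAPOL else (frame[6:12], pkt_type, frame[18:18 + length])

def radius_attrs(pkt):
    """Yield (type, value, offset of value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            break                                          # malformed attribute, stop parsing
        yield attr_type, pkt[pos + 2:pos + attr_len], pos + 2
        pos += attr_len

def message_authenticator(secret, pkt, offset):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 3579, 3.2)."""
    return hmac.new(secret, pkt[:offset] + bytes(16) + pkt[offset + 16:], hashlib.md5).digest()

def radius_access_request(secret, ident, user_name, eap_msg):
    """Wrap the supplicant's EAP message in an Access-Request; the switch never interprets it."""
    attrs = b"".join(bytes([t, 2 + len(v)]) + v for t, v in [
        (ATTR_USER_NAME, user_name),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
        (ATTR_EAP_MESSAGE, eap_msg),
        (ATTR_MSG_AUTH, bytes(16)),                       # placeholder, replaced below
    ])
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    offset = len(pkt) - 16                               # Message-Authenticator is the last attribute
    return pkt[:offset] + message_authenticator(secret, pkt, offset)

def make_radius_server(secret, allowed_identities):
    """Authentication server stub: a real server runs a full EAP method (PEAP, EAP-TLS, ...)
    before deciding; this one checks the Message-Authenticator and then the identity."""
    def handle(req):
        code, _ident, length = struct.unpack("!BBH", req[:4])
        if code != RADIUS_ACCESS_REQUEST or length != len(req):
            return None
        attrs = {t: (v, off) for t, v, off in radius_attrs(req)}
        if ATTR_MSG_AUTH not in attrs:
            return None                                   # required whenever EAP-Message is present
        value, off = attrs[ATTR_MSG_AUTH]
        if not hmac.compare_digest(value, message_authenticator(secret, req, off)):
            return None                                   # wrong secret or tampered: silently discard
        user = attrs.get(ATTR_USER_NAME, (b"", 0))[0]
        return RADIUS_ACCESS_ACCEPT if user in allowed_identities else RADIUS_ACCESS_REJECT
    return handle

class PortAuthenticator:
    """One switch port. Until RADIUS answers Access-Accept, only EAPOL gets through."""
    def __init__(self, port_mac, secret, radius):
        self.port_mac, self.secret, self.radius = port_mac, secret, radius
        self.authorized, self.eap_id = False, 0

    def handle_frame(self, frame):
        """Return ("drop"|"forward", None) for ordinary traffic or ("eapol", reply_frame)."""
        parsed = parse_eapol(frame)
        if parsed is None:
            return ("forward" if self.authorized else "drop"), None
        _src, pkt_type, body = parsed
        if pkt_type == EAPOL_LOGOFF:
            self.authorized = False                      # port goes back to unauthorized
        elif pkt_type == EAPOL_START:
            self.eap_id += 1                              # ask the supplicant who it is
            req = eap_packet(EAP_REQUEST, self.eap_id, EAP_TYPE_IDENTITY)
            return "eapol", eapol_frame(self.port_mac, EAPOL_EAP, req)
        elif pkt_type == EAPOL_EAP and len(body) >= 5:
            code, ident, length, eap_type = struct.unpack("!BBHB", body[:5])
            if code == EAP_RESPONSE and ident == self.eap_id and eap_type == EAP_TYPE_IDENTITY:
                verdict = self.radius(radius_access_request(self.secret, ident, body[5:length], body[:length]))
                self.authorized = verdict == RADIUS_ACCESS_ACCEPT
                result = eap_packet(EAP_SUCCESS if self.authorized else EAP_FAILURE, ident)
                return "eapol", eapol_frame(self.port_mac, EAPOL_EAP, result)
        return "drop", None

def run_exchange(identity, allowed=(b"printer01",)):
    """Drive one supplicant through a port; returns (port authorized?, fate of each frame)."""
    secret = b"made-up-shared-secret"                    # assumed RADIUS shared secret
    port = PortAuthenticator(bytes.fromhex("001122334455"), secret, make_radius_server(secret, set(allowed)))
    client_mac = bytes.fromhex("66778899aabb")
    ip_frame = b"\xff" * 6 + client_mac + b"\x08\x00" + b"some IP packet"   # constructed ordinary traffic
    steps = [port.handle_frame(ip_frame)[0]]                                  # dropped: port not authorized
    _, challenge = port.handle_frame(eapol_frame(client_mac, EAPOL_START))
    ident = parse_eapol(challenge)[2][1]                                      # EAP identifier to echo back
    response = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)
    _, result = port.handle_frame(eapol_frame(client_mac, EAPOL_EAP, response))
    steps.append("success" if parse_eapol(result)[2][0] == EAP_SUCCESS else "failure")
    steps.append(port.handle_frame(ip_frame)[0])                              # forwarded only after success
    return port.authorized, steps
```

`run_exchange(b"printer01")` returns `(True, ['drop', 'success', 'forward'])` and an unknown identity returns `(False, ['drop', 'failure', 'drop'])`. Note that the switch side never looks at the EAP type-data: swapping the stub server for one that runs PEAP or EAP-TLS after the identity round changes nothing in `PortAuthenticator`, which is exactly why the switch is agnostic to the method. The Message-Authenticator check is what stops someone on the path between switch and server from forging an Access-Accept for an arbitrary request; a server that skips it is trusting the bare UDP packet.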

802.1x is a great way to enhance your network security: it stops people from plugging unauthenticated devices into your network. Of course, you will need to either whitelist older devices without 802.1x support by MAC address, or upgrade to newer devices that support 802.1x. Keep in mind that a MAC whitelist is only a weak substitute, since anyone who learns the address of a whitelisted device can spoof it; the fewer such exceptions, the better. For example, all newer Lexmark/IBM printers fully support 802.1x out of the box.

Especially now that Windows Vista can configure 802.1x LAN authentication through Group Policy (XP could only configure wireless 802.1x through GPO), it makes sense to start implementing 802.1x.

Allied Telesis

Even new Allied Telesis (formerly Allied Telesyn) switches look like they’re at least 10 years old, but they offer all the features you usually need at nice price points. Their software is not always consistent between different product lines, but this shouldn’t be a problem for SMBs. For example, the AT 9000/24 offers 802.1x support and 24 Gigabit Ethernet ports. Retail price in Switzerland is about 1000 CHF.

Linksys

Linksys, a brand of Cisco, also offers business switches with 802.1x support. The SRW2024, with 24 10/100 Mbit ports, can be had for about 600 CHF.
