Tag: security

How to Enable Dot1x – more complex setup for wired network

This one is long. Do not be afraid though; I wrote it to give you the fastest way to deploy functional dot1x to your company HQ without reading even more documentation and searching for those little timer default settings.

In the article prior to this one I showed you how to set up your environment with simple dot1x, keeping it as simple as possible. I will not repeat the part about setting up RADIUS clients on the server side; everything else is here once again, just more complex. Now it is time for a more complex example that will make your implementation work out-of-the-box for end users; they will probably not even notice that you completed the implementation of one nice but fairly complex network security enhancement.

So, as I said, this is a better way to do it because it is less intrusive: people in the office will start using it without a credentials prompt showing up on everybody’s PC.

What needs to be done:

Here are the steps needed on all systems, so you do not forget any of them. Of course you will not forget, but I know people who did forget, for example, the whole client computer part.

  1. We will configure the switch for dot1x, but with many more options this time.
  2. We will create a RADIUS NPS policy to let our Windows machines authenticate using a user or computer certificate. (This lets us skip the boring credentials prompts mentioned above.)
    The RADIUS configuration here skips the RADIUS client configuration covered in the previous article about dot1x.
  3. We will set up a new GPO object that will automatically configure all PCs for dot1x.

What will we get using dot1x:

This gives you descriptions of all the options you would need, and the example at the end will show the configuration of all those components together. You will see, it will be easy to recognise which command does what. If something is not clear enough, I am fairly quick with my comment replies 😉

Basic

Dot1x allows access to your wired LAN only to authenticated users. It is also used to authenticate users on the corporate WiFi network, but we will skip that part for now.

Give Internet only to unauthenticated users

Don’t be cruel; maybe you have some guests in your meeting room. If they connect and get denied, they will tell you your network jacks are not working and blame you for not doing your job as network admin.

“Hey, the network is not working in the meeting room! Some guests are complaining, it’s bad publicity :)”

If users are not authenticated, the switch port where they plugged in the cable does not give them access to the network. There is an option to use VLAN auto-configuration together with the basic security feature so that unauthenticated users do get access to the network, but only to some isolated or Internet-only VLAN. Cool.
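As an added example that is not configuration from the original article, here is what the access-port side of that "Internet-only VLAN for unauthenticated users" setup looks like on a Cisco IOS switch. Everything in it is an assumption: the RADIUS server address 192.0.2.10, the shared-secret placeholder, data VLAN 10 and guest VLAN 99 are constructed values, and the `radius server` block uses IOS 15.x syntax (older releases use `radius-server host` instead).

```cisco
! Added example, not from the article. IOS 15.x syntax assumed; addresses,
! VLAN numbers and the shared secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server NPS01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Enable 802.1X globally; without this no port will authenticate anything
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 description meeting-room wall jack
 switchport mode access
 switchport access vlan 10
 ! Port stays closed until the supplicant authenticates against RADIUS
 authentication port-control auto
 ! A device that never answers the EAP identity request (no supplicant,
 ! e.g. a guest laptop) is put into the Internet-only guest VLAN 99
 authentication event no-response action authorize vlan 99
 ! Default is 30 s x 3 requests = 90 s before the guest VLAN kicks in;
 ! 10 s x 3 brings the guest wait down to about 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification after a device is connected:
! show authentication sessions interface GigabitEthernet1/0/5
! show dot1x interface GigabitEthernet1/0/5 details
```

The guest VLAN only isolates the unauthenticated host at layer 2; the "Internet only" part is enforced by the ACL or firewall rule on VLAN 99's gateway, which the switch configuration above does not provide. Note also that the guest VLAN is assigned only on no-response; a device that does answer EAP but fails authentication is handled by the separate `authentication event fail` action and will otherwise stay blocked.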

How to Enable Dot1x authentication for wired clients

If your LAN extends to places where unauthorised people can just plug in and gain access to your protected network, it is time to implement some security on your access switches. The best thing to do is to implement IEEE 802.1X port-based authentication, which enables user/machine authentication and prevents unauthorised devices from bringing an access switch port up when they connect. IEEE 802.1X port-based authentication is mostly called simply dot1x.

In this article I will show you how to configure some basic dot1x stuff on the switch side. I will also include the Windows machine side of the configuration, as this is something most people presume works out-of-the-box, but of course that is not the case. The RADIUS server policy is fairly simple, so a screenshot of the policy will get you going. So, as you see, to get dot1x running you need to configure:

What is the difference between tunnel | transport mode in IPsec

Intro

IPsec makes VPN connections possible. It lets us simulate a leased line across the public Internet and thus get a secure connection across an unsecured environment. It provides encryption, authentication and protection of our data when it is sent across the insecurity of the world’s biggest internetwork, the Internet.

It is the cheap way to simulate a leased line, the way to send private data across a public network without compromising privacy. The goal of IPsec is to secure services and lower the cost of data transfer. Compare it to the pricing of data transfers across dark fibre / leased lines.

There are two parts of the IPsec security suite:
– ESP – Encapsulating Security Payload
– AH – Authentication Header

Depending on our situation we can configure two different modes of operation, and here we will make things clear about the differences and the technology behind those modes.

IPSec Transport Mode and Tunnel Mode

IPv6 First-Hop Security

All methods to mitigate IPv6 security issues
Real life security intro

In the process of configuring our corporate network test segment for IPv6, there was a direct demand to pay particular attention to security. It was my role to go through all the materials I could get to learn more about IPv6 security. In that process, the first stop was my favourite packetpushers podcast. They have published more than 200 podcasts so far, and one of them was about IPv6 security, which I needed. In that security show from last year, Healthy Paranoia Show 4: IPv6 Security Smackdown!, Mrs. Y with a bunch of great hosts discussed IPv6 security. They speak about almost all the stuff that exists today in securing IPv6-enabled networks. One of the guests was Mr. Eric Vyncke, Cisco Distinguished Consulting Engineer, who wrote the IPv6 Security book for CiscoPress. Later, I saw that this book was everything you need to learn IPv6 security. Of course, it is easy to get an edge router to run IPv6 on the Internet-facing interface, but my goal is to get IPv6 inside our LAN environment, and that part is still tricky if you include all the stuff that needs to be done (especially on the firewall part of the story).

I searched for additional information and some examples on how to configure Cisco gear for IPv6. Especially helpful were the IPv6 webinars from Networking/Cisco genius Ivan Pepelnjak, whom I have long followed, at his great site ipspace.net (one of my homepage tabs). Here the guest is again Eric Vyncke.

After I gathered the knowledge from those resources, I was ready to deploy IPv6 on my test segments and make it secure. Here are just a few rows about every one of the IPv6 first-hop security features that are available on Cisco equipment. Just for the info, not all equipment has all the features. Some of them came out a few months ago, so older switches and routers may not have all of these implemented. Sometimes you will be limited by the license too. I need to mention that other vendors’ equipment also supports most features mentioned below. For now it seems that Cisco invested the most effort and gathered the best team of engineers to add all possible features for IPv6 first-hop security inside IOS.

Let’s go with the list:

IPv6 RA Guard – RA (Router Advertisement) messages are an important part of the IPv6 architecture. They are the only way to get default gateway information to hosts in a network segment (besides static configuration); DHCPv6 does not carry this information in its messages, unlike DHCPv4. RA messages are sent by the main router that is the default gateway for that specific network segment. With that in mind, it is clear that the only switch port that needs to receive RA messages inbound is the port connecting to the router. All other switch ports facing hosts only forward RA messages towards the host devices; there is no need for a host to send RA messages back to the switch. Even worse, it is wrong if some host sends RA messages, because it is then practically trying to take the role of default gateway away from the router. Configuring RA Guard on all switch ports except the port that heads towards the router prevents rogue RA advertisements on that segment.
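The port split described above, written out as an added Cisco IOS example (not configuration from the original post). It assumes the IOS 15.x policy-based RA Guard syntax, 48-port switch interface numbering and that port 48 is the uplink to the router; all of those are assumptions, and the policy names are constructed.

```cisco
! Added example, not from the post. IOS 15.x RA Guard policy syntax assumed;
! interface numbers and policy names are placeholders.
!
! Policy for ports where hosts live: inbound RAs are dropped
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! Policy for the one port that may legitimately send RAs into the segment
ipv6 nd raguard policy UPLINK-TO-ROUTER
 device-role router
!
! Every access port gets the host policy, so a rogue RA from a host is
! discarded at the switch and never reaches the other hosts
interface range GigabitEthernet1/0/1 - 47
 ipv6 nd raguard attach-policy HOST-PORTS
!
interface GigabitEthernet1/0/48
 description uplink to IPv6 default gateway
 ipv6 nd raguard attach-policy UPLINK-TO-ROUTER
!
! Verification:
! show ipv6 nd raguard policy HOST-PORTS
```

Older platforms that predate the policy syntax offer a plain `ipv6 nd raguard` interface command that applies the host role directly; check your release's feature navigator before relying on either form. Keep in mind that RA Guard inspects what the switch can parse: RFC 7113 describes how RAs hidden behind extension headers or fragmentation can slip past early implementations, so a release that drops such packets on RA-Guard ports is the one to look for.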

RADIUS server Infrastructure

In short, RADIUS means Remote Authentication Dial-In User Service, a server or proxy used for centralised accounting, authorisation and, most of all, authentication. This technology will help you control who will be able to connect to your network and who will not be granted access.

It can control access for all sorts of networks: wireless, VPN, dial-up, direct device-to-device connections like router to router; basically, wherever you put it in the middle of a communication, it can do the control.

There is also the RADIUS proxy configuration, where the proxy only receives and accepts the connection requests, but for the decision making it is connected to another server that performs the RADIUS role.

There are two major ways to deploy a RADIUS server:

  • Deployment of a FreeRADIUS server on UNIX servers. Many network engineers consider this basically the best daemon implementing the RADIUS protocol; it makes your UNIX server a RADIUS-enabled server.
  • Deployment of the IAS role (Internet Authentication Service) on a Windows Server machine, which will allow your Windows Server machine to respond to RADIUS requests and act as a real RADIUS server. It has some AD integration built in, so it will be able to authenticate users from an Active Directory domain, which is its biggest advantage over a UNIX deployment, provided you have AD deployed in your organisation, and you surely do.

The RADIUS server connects to a user account database, which is Active Directory on Windows Server or some ordinary user database on UNIX. It can be a normal SQL table with users in it, against which it checks access credentials. If the user is authorised to access a network that is secured with RADIUS, the server authorises access for that user and writes a log entry of the user entering the network.

Components of a RADIUS infrastructure

Figure: RADIUS components