Wired Authenticated Access is a Chicken and Egg Problem, and It’s Scrambled Up
May 3, 2013
- Strong wired authentication and access control are available using 802.1X, which is needlessly complex in wired networks, and 802.1ae, which is not widely available.
- Lack of customer demand doesn’t give equipment vendors any inducement to simplify 802.1X wired functions or add 802.1ae to network equipment. You can change that.
Ever wonder why 802.1X and 802.11i are so well supported in wireless LANs, even consumer-grade access points, yet are complex and fragile on wired ports? It’s not the technology, nor any difference in capability between wireless and wired equipment. The reason is customer demand. You. The average enterprise user hasn’t demanded the same level of functionality from the wired network that they demanded from the wireless one.
I have maintained for years that at the access edge your WLAN is more secure than your wired network (let’s ignore for the moment that inconvenient Wi-Fi Protected Setup security problem from 2011) if you are using WPA2 Enterprise, which combines 802.1X for station authentication and key management with 802.11i for encryption and validation. In what should be a standard best practice (much hand waving at this point) for network access, your wireless devices or users have to authenticate to the network and establish an encrypted session using a unique set of keys, while your wired devices just need to find an open Ethernet port and plug in.
WLAN access security is much better than wired because with a WLAN an attacker only needs to get access to the RF medium, which with special antennas can be done from much further away than 100 meters. Enterprises demanded secure wireless access, and wireless vendors and the standards bodies responded with appropriate technology. What’s important is that wireless vendors took the standards and made WPA2 implementations simple to deploy, which certainly greased the wheels of enterprise adoption.
Setting up a similar access security strategy in the wired network is difficult or impossible. Only a few Ethernet NICs are capable of performing 802.1ae encryption, and they aren’t installed in workstations, laptops, and other network devices. Modern operating systems support 802.1X, and standing up a certificate server and a RADIUS server on Windows is rather simple, but putting together a network that uses 802.1X is difficult, with many fragile integration points that can bollix up the works.
To make matters worse, numerous network devices such as printers, cameras, and other network appliances don’t support 802.1X at all, or their support is so rudimentary that it is effectively useless. Each of those non-802.1X devices needs to be handled as an exception, which means more work for IT to track, manage, and maintain which devices and ports are 802.1X enabled and which aren’t.
Why is wired access control so weak? Because there is little demand from enterprises. Perhaps the perception that attacking wired networks is harder, because the attacker has to walk into the building to reach the network, is to blame, but doing so isn’t nearly as difficult as you might think.
If you care about network security then start demanding from server, workstation, laptop, and network device vendors simple and robust 802.1X and 802.1ae support. Make it a requirement before you buy. You’ll thank me later.