The new 802.1X-2010 (formerly referred to here as 802.1X-REV) offers a multi-faceted approach to increasing integrity, availability and confidentiality throughout network infrastructures at every segment: from LANs and WLANs to WANs and MANs. Yeah, I threw out the I.A.C. triangle. As much as I hate using it, it is a foundational element of security.
Today I’m sad. When I Google 802.1X, the only results are passing articles and tidbits from 2006, 2007 and a few from 2008, and then of course, all my more recent articles and posts are intermingled with these older magazine contents. Oh, and Wikipedia. God only knows what THAT site says…
Is this my fault? I feel like it is. For quite a while, it seemed the majority of 802.1X-REV resources found on the Internet or any public forum were from articles or posts I wrote, or discussions I was stirring up with peers.
My focus strayed for a bit and the next thing I know 802.1X has dwindled in the public eye to a mere authentication method for wireless. This standard STARTED as a wired standard more than ten years ago, and now, in the 2010 revision I believe 1X has refound its lost roots and is ready to take the infrastructure world by storm.
I’m going to be better about blogging, and more specifically, I’m going to be better about sharing this type of new information. I think this technology will prove invaluable and I want to help demonstrate the many use cases.
As a starter, let’s recap my top 3 technologies from the new IEEE standards:
- MACsec – Very basically, layer 2 encryption for infrastructure devices
- DeviceID – A standard for cryptographically-unique device identification, based on X.509 certificates, with options for initial IDs (from the manufacturer) and local IDs (defined by the user) and interaction with a TPM
- Network Advertisements – Part of the new 1X, allows a wired network to advertise different networks, with different security, on the same port (much like wireless SSIDs)
I don’t know which I’m more excited about: the network advertisements, or the unique device ID, which uses cryptographically unique hardware for device identification on a network. Well, when in doubt, go with crypto, right?
As I’ve been writing this post, I’ve had this song in my head.
# # #
Hi Roland,
Well, there are a variety of ways technologies like 1X can contribute to higher availability; the most significant being in the reduction of DoS attacks. If systems that are interoperating are built on a trusted infrastructure, then the only traffic to/from a system has some level of confidence of trust. In other implementations at the edge, solutions like 1X can aid availability by ensuring the appropriate systems that need access have access. Meaning, things that don’t have a business or tech requirement to see/access another system are semi-isolated, reducing the threat of (again) DoS or other availability attacks, whether intentional or inadvertent. By inadvertent I mean perhaps something as innocent as a loop or broadcast storm.
-jj
How does using 802.1x (or any crypto-oriented system, for that matter) directly enhance availability?