If I implement 802.1X on my Ethernet switch ports, do I still have to worry about rogue access points?
Rogue access points are like cockroaches: they're everywhere, they're impossible to get rid of, and once you declare war on them, you'd better be in it for the long haul. You can slice 'em and dice 'em and they just keep on coming. They are a cheaply implemented problem with diverse, complex, and often expensive solutions. Administrators now have the tools to identify, locate, mitigate, and relocate (onto eBay, of course) rogue access points of all kinds. "There must be a better way!" you exclaim. Sure there is, but it's not foolproof.
802.1X is a standard that addresses port-based authentication, or port-based network access control. If you have worked in the enterprise wireless market for a while, this standard is likely quite familiar to you, usually accompanied by EAP-something. 802.1X is the framework used by the various Extensible Authentication Protocol (EAP) types to control the process of a network user authenticating to a network infrastructure. Various 802.1X/EAP types are used in 802.11 WLANs due to their low overhead, ease of use, and support for data encryption. 802.1X is also used by Ethernet switches to authenticate wired stations, and in fact that wired use predated the use of 802.1X in wireless networks.
When rogue access points are connected to unsecured Ethernet ports, they have connectivity into whatever VLAN the port is assigned to. By using 802.1X to control use of the Ethernet port, any device connected to the port must successfully authenticate itself to an authentication server (typically RADIUS, backed by a user database) before the switch brings the port into a forwarding state. Even if an intruder has an access point capable of performing such an authentication (an 802.1X supplicant is uncommon in access points, especially SOHO models), they will still need legitimate credentials before that authentication will succeed.
At face value this solution seems foolproof, but there are other common rogue-AP problems it does not address. One is a hijacking attack from a software-based rogue access point that isn't connected to your network infrastructure at all: it targets a mobile computer rather than the network infrastructure, so controlling the switch port does nothing against it. Also, intruders know that the chance of an authorized access point being connected to an 802.1X-enabled port is slim, so if your authorized access points aren't physically secured, they might try to replace one of them with a rogue on the same, unprotected port.
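The port-control behaviour described in the preceding three paragraphs, as an added example that is not part of the original column: a small Python model of an 802.1X authenticator on a switch. The port names, the RADIUS_USERS table, the device labels and the credentials are constructed stand-ins. connect() decides whether the controlled port goes to the forwarding state, and audit_ports() lists ports left in force-authorized mode, which are the unprotected access-point ports the last paragraph warns about.

```python
"""Toy model of 802.1X port-based access control on an Ethernet switch.

Added example, not code from the original column. Every port name,
user and credential below is constructed for illustration only.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class PortControl(Enum):
    """Authenticator port-control modes (after 802.1X AuthControlledPortControl)."""
    AUTO = "auto"                          # supplicant must authenticate via EAPOL/RADIUS
    FORCE_AUTHORIZED = "force-authorized"  # 802.1X effectively off: port always forwards


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"  # controlled port passes nothing but EAPOL
    AUTHORIZED = "authorized"      # controlled port forwards into the assigned VLAN


@dataclass
class SwitchPort:
    name: str
    vlan: int
    control: PortControl = PortControl.AUTO
    state: PortState = PortState.UNAUTHORIZED


@dataclass
class Device:
    """Something plugged into a port. Most SOHO APs carry no 802.1X supplicant."""
    label: str
    has_supplicant: bool = False
    credentials: Optional[Tuple[str, str]] = None


# Constructed stand-in for the user database behind the RADIUS server.
RADIUS_USERS = {"ap-corp-01": "s3cret-ap-01"}


def radius_check(creds: Optional[Tuple[str, str]]) -> bool:
    """Access-Accept only if the username/password pair is in the database."""
    if creds is None:
        return False
    user, password = creds
    return RADIUS_USERS.get(user) == password


def connect(port: SwitchPort, device: Device) -> PortState:
    """Run the authenticator's decision for a device plugged into `port`
    and return the resulting state of the controlled port."""
    if port.control is PortControl.FORCE_AUTHORIZED:
        port.state = PortState.AUTHORIZED           # no check of any kind
    elif not device.has_supplicant:
        port.state = PortState.UNAUTHORIZED         # EAP-Request/Identity goes unanswered
    elif radius_check(device.credentials):
        port.state = PortState.AUTHORIZED           # RADIUS Access-Accept
    else:
        port.state = PortState.UNAUTHORIZED         # RADIUS Access-Reject
    return port.state


def forwards_traffic(port: SwitchPort) -> bool:
    """True when the device on this port can reach the port's VLAN."""
    return port.state is PortState.AUTHORIZED


def audit_ports(ports: List[SwitchPort]) -> List[str]:
    """Names of ports where 802.1X is not enforced: the ports an intruder
    could reuse by swapping the authorized AP for a rogue."""
    return [p.name for p in ports if p.control is PortControl.FORCE_AUTHORIZED]


if __name__ == "__main__":
    protected = SwitchPort("Gi1/0/10", vlan=20)
    legacy_ap_port = SwitchPort("Gi1/0/11", vlan=20, control=PortControl.FORCE_AUTHORIZED)
    rogue = Device("rogue SOHO AP")  # no supplicant at all
    print(protected.name, connect(protected, rogue).value)          # unauthorized
    print(legacy_ap_port.name, connect(legacy_ap_port, rogue).value)  # authorized
    print("ports without 802.1X enforcement:", audit_ports([protected, legacy_ap_port]))
```

Running the block shows the two halves of the column's argument side by side: on the port in auto mode the rogue never gets past the EAP identity exchange, while on the force-authorized port reserved for an authorized AP the same rogue is forwarding immediately, which is why audit_ports() is the check worth scheduling.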