Белая книга для Cisco Cisco ASA 5540 Adaptive Security Appliance
Cisco and Public Sector Cyberdefense
4
Prevention in the LAN
The Cisco Catalyst Series switches share many common security
characteristics, especially when used as access-layer switches. As this
is the portion of the network that provides basic access, either wired
or wireless, to the rest of the network infrastructure, establishing user
identity, policy, and services are important features. Collectively these
capabilities are described as
characteristics, especially when used as access-layer switches. As this
is the portion of the network that provides basic access, either wired
or wireless, to the rest of the network infrastructure, establishing user
identity, policy, and services are important features. Collectively these
capabilities are described as
identity-based network services (IBNS).
The first component of IBNS is the IEEE 802.1x protocol, a MAC-layer
protocol that communicates with a RADIUS server—such as the Cisco
Secure ACS to associate the end station with a username and password.
The access switch acts as an intelligent mediator for the transaction
and enables the user port only upon successful completion of the
authentication process. The actual authentication mechanism used is
Extensible Authentication Protocol (EAP). EAP is carried in the 802.1x
frame, passed through the network by the switched infrastructure, and
conveyed to the authentication server.
protocol that communicates with a RADIUS server—such as the Cisco
Secure ACS to associate the end station with a username and password.
The access switch acts as an intelligent mediator for the transaction
and enables the user port only upon successful completion of the
authentication process. The actual authentication mechanism used is
Extensible Authentication Protocol (EAP). EAP is carried in the 802.1x
frame, passed through the network by the switched infrastructure, and
conveyed to the authentication server.
If the client device supports 802.1x, then the end station replies with its
credentials, and the switch forwards that information to the Cisco Secure
ACS. If the client does not support 802.1x or does not authenticate,
the Cisco Catalyst switches offer several fallback mechanisms
for authenticating devices, including MAC Authentication Bypass
(authentication via MAC address) and Web Authentication. This provides
you with the maximum flexibility in providing a secure identity-based
access architecture, while still allowing for devices that might not support
802.1x such as printers or other network devices.
credentials, and the switch forwards that information to the Cisco Secure
ACS. If the client does not support 802.1x or does not authenticate,
the Cisco Catalyst switches offer several fallback mechanisms
for authenticating devices, including MAC Authentication Bypass
(authentication via MAC address) and Web Authentication. This provides
you with the maximum flexibility in providing a secure identity-based
access architecture, while still allowing for devices that might not support
802.1x such as printers or other network devices.
In addition, customers who require providing network access to the hosts
when the RADIUS server is not reachable by the switch can designate
the hosts connected to a port as critical. Cisco Catalyst 4500 and 6500
Series Switches can grant network access to the hosts by putting
the port in the critical-authentication state when the RADIUS server is
unavailable. When a RADIUS server becomes available, all critical ports
when the RADIUS server is not reachable by the switch can designate
the hosts connected to a port as critical. Cisco Catalyst 4500 and 6500
Series Switches can grant network access to the hosts by putting
the port in the critical-authentication state when the RADIUS server is
unavailable. When a RADIUS server becomes available, all critical ports
in critical-authentication state will be automatically reauthenticated.
Upon successful authentication, the switch fully enables that port and
allows access to the networked resources. Based on the information
provided by the Cisco Secure ACS, however, the network can enable
other policies. Such policies could include assigning the user to a
specific VLAN or setting up specific per-user access control lists (ACLs).
allows access to the networked resources. Based on the information
provided by the Cisco Secure ACS, however, the network can enable
other policies. Such policies could include assigning the user to a
specific VLAN or setting up specific per-user access control lists (ACLs).
It is this combination of identification with policy that elevates Cisco IBNS
beyond simple 802.1x authentication and allows a more comprehensive
set of capabilities and restrictions to be applied to the end user. Table 1
illustrates some of the basic security questions that need to be resolved
on a per-network-user basis and the technologies used to resolve them.
beyond simple 802.1x authentication and allows a more comprehensive
set of capabilities and restrictions to be applied to the end user. Table 1
illustrates some of the basic security questions that need to be resolved
on a per-network-user basis and the technologies used to resolve them.
Table 1 Elements of Cisco Identity-Based Network Services
Questions
Actions Taken
Who are you?
Cisco IBNS uses 802.1X or other authentication
methods to authenticate the user.
methods to authenticate the user.
Where can you go?
Based on authentication, the user is placed in
the correct workgroup or VLAN.
the correct workgroup or VLAN.
What service level
do you receive?
do you receive?
The user can be given a per-user access
control list to explicitly restrict or allow access
to specific resources on the network or given
specific QoS priority on the network.
control list to explicitly restrict or allow access
to specific resources on the network or given
specific QoS priority on the network.
What are you
doing?
doing?
Using the identity and location of the user,
tracking and accounting can be better managed.
tracking and accounting can be better managed.
Continue
Previous