802.1x port-based authentication - when and why?
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
@pete-s said in 802.1x port-based authentication - when and why?:
802.1X port-based authentication - when is it used and why?
Is it to protect the network from unauthorized physical access to ports that you have no physical control over?
Basically, yes.
In @scottalanmiller’s lan-less design it doesn’t matter. But for the rest of us....
Well really it comes down to risk assessment, like all things. How much will it cost you to set up and manage day to day versus doing nothing. Then how much of a cost would be associated with some type of malicious actor accessing an open port.
How about just using MAC address to lock down ports in use and turn off ports not in use? Would that not be as effective?
-
MAC filtering in general is not considered real security. The MAC has to be in the unencrypted part of a transmission, so if a hacker can get a shim to monitor, they can get MACs they can use to spoof a network.
-
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
-
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
-
@pete-s said in 802.1x port-based authentication - when and why?:
turn off ports not in use
This is always helpful, and easy.
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
@pete-s said in 802.1x port-based authentication - when and why?:
turn off ports not in use
This is always helpful, and easy.
Very true.
-
@pete-s said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@pete-s said in 802.1x port-based authentication - when and why?:
802.1X port-based authentication - when is it used and why?
Is it to protect the network from unauthorized physical access to ports that you have no physical control over?
Basically, yes.
In @scottalanmiller’s lan-less design it doesn’t matter. But for the rest of us....
Well really it comes down to risk assessment, like all things. How much will it cost you to set up and manage day to day versus doing nothing. Then how much of a cost would be associated with some type of malicious actor accessing an open port.
How about just using MAC address to lock down ports in use and turn off ports not in use? Would that not be as effective?
It's casually effective, but any focused attack can generally get around that pretty easily.
-
I dont know about you guys, but I worry a lot more about accident stupidity than targeted attacks.
-
@donahue said in 802.1x port-based authentication - when and why?:
I dont know about you guys, but I worry a lot more about accident stupidity than targeted attacks.
Often both result in the same ending, lol.
Rather than overcomplicating my network, I'd rather just keep unused ports disabled. Ideally, there would at least a couple of folks on my team who know how to enable and disable ports as needed.
-
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
-
The whole disabling ports seems like a waste of time. If someone wants on the network, they'll simply unplug a printer and plug in. They know that line is live. Or they will unplug their own computer, again, they know it's live.
-
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
-
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
LOL - now that's a Scott answer if there ever was one.
-
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
If you are plugging something in to a company asset that you wer enot told to do, you are intentionally doing something. Shit doens't plug itself it. Shit does not bring itself into the office.
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
If you are plugging something in to a company asset that you were not told to do, you are intentionally doing something. Shit doesn't plug itself it. Shit does not bring itself into the office.
That reminds me of something. When you set up 802.1x on a windows computer, is it the user account that is logged in that you are authenticating or is it the computer itself or both?
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
If you are plugging something in to a company asset that you wer enot told to do, you are intentionally doing something. Shit doens't plug itself it. Shit does not bring itself into the office.
If company policy says to not plug that stuff into the network, and you do so anyways, then yes, I'll agree that is malicious.
-
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
LOL - now that's a Scott answer if there ever was one.
What is this:
-
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
Odd, i wonder why they don't show up for me