802.1x port-based authentication - when and why?
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
@pete-s said in 802.1x port-based authentication - when and why?:
turn off ports not in use
This is always helpful, and easy.
Very true.
-
@pete-s said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@pete-s said in 802.1x port-based authentication - when and why?:
802.1X port-based authentication - when is it used and why?
Is it to protect the network from unauthorized physical access to ports that you have no physical control over?
Basically, yes.
In @scottalanmillerβs lan-less design it doesnβt matter. But for the rest of us....
Well really it comes down to risk assessment, like all things. How much will it cost you to set up and manage day to day versus doing nothing. Then how much of a cost would be associated with some type of malicious actor accessing an open port.
How about just using MAC address to lock down ports in use and turn off ports not in use? Would that not be as effective?
It's casually effective, but any focused attack can generally get around that pretty easily.
-
I dont know about you guys, but I worry a lot more about accident stupidity than targeted attacks.
-
@donahue said in 802.1x port-based authentication - when and why?:
I dont know about you guys, but I worry a lot more about accident stupidity than targeted attacks.
Often both result in the same ending, lol.
Rather than overcomplicating my network, I'd rather just keep unused ports disabled. Ideally, there would at least a couple of folks on my team who know how to enable and disable ports as needed.
-
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
-
The whole disabling ports seems like a waste of time. If someone wants on the network, they'll simply unplug a printer and plug in. They know that line is live. Or they will unplug their own computer, again, they know it's live.
-
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
-
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
LOL - now that's a Scott answer if there ever was one.
-
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
If you are plugging something in to a company asset that you wer enot told to do, you are intentionally doing something. Shit doens't plug itself it. Shit does not bring itself into the office.
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
If you are plugging something in to a company asset that you were not told to do, you are intentionally doing something. Shit doesn't plug itself it. Shit does not bring itself into the office.
That reminds me of something. When you set up 802.1x on a windows computer, is it the user account that is logged in that you are authenticating or is it the computer itself or both?
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
If you are plugging something in to a company asset that you wer enot told to do, you are intentionally doing something. Shit doens't plug itself it. Shit does not bring itself into the office.
If company policy says to not plug that stuff into the network, and you do so anyways, then yes, I'll agree that is malicious.
-
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
LOL - now that's a Scott answer if there ever was one.
What is this:
-
-
@jaredbusch said in 802.1x port-based authentication - when and why?:
Odd, i wonder why they don't show up for me
-
@pete-s said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
If you are plugging something in to a company asset that you were not told to do, you are intentionally doing something. Shit doesn't plug itself it. Shit does not bring itself into the office.
That reminds me of something. When you set up 802.1x on a windows computer, is it the user account that is logged in that you are authenticating or is it the computer itself or both?
Depends on how you set it up. But Windows is able to do both User and Computer authentication.
-
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
LOL - now that's a Scott answer if there ever was one.
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
LOL - now that's a Scott answer if there ever was one.
It was THAT good.
But he's right, accidents are not malicious. However, we've discussed malicious before, and "willing to do harm" seems to fit within the definition, when someone willingly puts the business at risk for personal gain. It's not that the goal is the harm, but they harm willingly to further their ends.
A true accident would be if they had no idea they weren't supposed to do it or that they were doing it (like they knocked the cable off a desk and it plugged itself in as it fell.)
-
@scottalanmiller said in 802.1x port-based authentication - when and why?:
...(like they knocked the cable off a desk and it plugged itself in as it fell.)
This feels like it should be a meme of some sort.
-
@donahue said in 802.1x port-based authentication - when and why?:
@scottalanmiller said in 802.1x port-based authentication - when and why?:
...(like they knocked the cable off a desk and it plugged itself in as it fell.)
This feels like it should be a meme of some sort.
Someone tell XKCD
-
how to get him on ML?
-
@donahue said in 802.1x port-based authentication - when and why?:
how to get him on ML?
Now that would be awesome!
Paging Randall Munroe
