As security requirements increase, network port authentication technology will be increasingly called upon to provide additional layers of security. Authentication is one of the security layers that can be provided by networking switches to increase the security of corporate networks. Authentication is not new and has been provided by networking equipment in a number of different ways.
One widely known and utilized way for providing for authentication utilizes IEEE 802.1X authentication. Strong authentication using the IEEE 802.1X standard relies on Extensible Authentication Protocol (EAP) to secure the authentication information passed between the client (supplicant) and the authentication server, where the server is frequently a Remote Authentication Dial-In User Service (RADIUS server).
Another approach is to provide for security based on the physical address, such as a Media Access Control (MAC) address for a device. The discussion herein will frequently refer to a MAC address for a device, but it should be recognized that other forms of a physical address for a device might also be used. Where the MAC address is used for port security, the network port can be locked down to a particular MAC address or series of MAC addresses. The MAC addresses can be statically assigned or dynamically learned for specified number of MAC addresses per port.
Another approach for providing for authentication security uses WEB Authentication. Where Web authentication is used, the network access device, or switch, secures the port by making all clients authenticate by entering user credentials which are validated against an Authentication Server. The client uses a WEB browser to allow the client to enter the user credentials.
As recognized by the inventors herein there are a number of disadvantages to some of the systems that utilize a single one of the above authentication methods. For example, while IEEE 802.1X can provide for a reasonably high degree of security, utilization of 802.1X requires an 802.1X supplicant (client software) to be installed on all client hosts wishing to access the network. To many network managers and IT professionals, 802.1X port based authentication is often too cumbersome. It requires planning, resources for rollout of the 802.1X supplicant, high levels of user education, and ongoing maintenance. These requirements can significantly increase system operational costs.
MAC port security, which uses MAC address authentication, is an authentication method that is tied to a device and not an individual. Many security professionals and security conscious IT Managers view this form of port authentication as weak—as MAC addresses are easily snooped and spoofed by users understanding the technology. Traditional MAC authentication using only the MAC address has been used in past, but this method is flawed and cannot be called a true authentication system due to the inherent weaknesses. By performing some simple common TCP/IP commands, a hacker can easily discover the MAC address belonging to a particular host. Using widely known routines such as PING and ARP, the target's MAC address can easily be revealed, allowing the hacker to assume the identity of another device to easily gain access to the network.
In addition to the spoofing weakness, MAC Authentication does not identify the user who is using the device. Audit logs cannot identify the user but only the device (and the device's identification may not be accurate due to spoofing). To many IT professionals, MAC Authentication is one of the weakest forms for authentication and is considered suitable for casual access control only.
In many instances, where WEB Authentication is utilized, the Web authentication communications are usually secured using an SSL tunnel protocol which secures the credential information being passed between the host or supplicant and the Authentication Server. WEB Authentication is one of the simplest forms of authentication and requires the least amount of user education as WEB browsers are common applications found on every modern personal computer platform. WEB Authentication can be stronger than MAC Authentication but is generally weaker than the IEEE 802.1X Authentication method due to the ability to circumvent the authentication method by using common hacking methods such as replay attacks.
Another issue with WEB Authentication is the management of user credential information—such as Usernames and Passwords. Many IT managers of large universities and colleges have experienced implementation and maintenance problems of these systems due to the difficulty of managing thousands of user accounts and passwords.