Security Solutions

3-16
Designing Access Controls
Choose the Access Control Methods
Wired Zone Security Concerns
Wired zones can be physically protected to some extent; that is, you can
control physical access to the wire by allowing only authorized people to enter
the buildings that contain the LAN. If would-be hackers cannot physically
access the wires, they cannot tap into the wire and use a protocol analyzer to
eavesdrop on wired communications.
Of course, there is always the possibility that someone will break into your
building, compromising your physical security. And unfortunately, you must
also protect the network against people who are allowed into your building—either temporarily or permanently. You must set up security to protect your network against careless or even malicious full-time employees, temporary employees, or guests.
For example, a temporary employee could unplug a printer and plug an unauthorized endpoint into the printer's jack. Depending on your security configuration, that user might be able to bypass regular security measures through the printer's switch port.
Or, an enterprising employee may circumvent the process of requesting a
wireless network through the IT department. Instead, the employee may
purchase an access point (AP), plug it into an unused RJ-45 jack, and configure
it for fellow employees to use. Although the AP is being used for work
purposes and the employee did not have a malicious intent, this rogue AP
could compromise network security. The employee may not select the strongest security—802.1X with Wi-Fi Protected Access (WPA)/WPA2—for wireless networks. Not fully understanding wireless security, the employee might select static Wired Equivalent Privacy (WEP), which can be easily cracked.
To protect your network from both hackers and well-intentioned but ultimately harmful employees, you should protect each port by implementing 802.1X. Of course, you will have to weigh other factors such as whether or not all your endpoints support 802.1X. (These issues are described in more depth later in this chapter.)
If most of your endpoints support 802.1X, you can use it as the predominant access control method for a zone. You can then identify the endpoints that do not support 802.1X and use a different access control method—such as MAC-Auth—to authenticate them.
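As an added illustration (not from the original text, and not any vendor's configuration syntax), the following Python models the method choice just described, 802.1X where an endpoint supports it and MAC-Auth for the rest, and then audits what a switch observes against that plan, flagging the reused printer jack and the rogue AP on an unused port; the port inventory, MAC addresses and observed events are constructed sample data.

```python
from collections import defaultdict

# Constructed inventory for one wired zone: port -> (device, MAC, supports 802.1X?)
INVENTORY = {
    "1": ("alice-laptop", "00:11:22:33:44:01", True),
    "2": ("lobby-printer", "00:11:22:33:44:02", False),
    # port "4" is an unused RJ-45 jack with nothing planned for it
}

def plan_methods(inventory):
    """802.1X where the endpoint supports it, MAC-Auth (with the known MAC
    as the only allowed address) for the rest. Returns {port: (method, allowed)}."""
    plan = {}
    for port, (_name, mac, supports_dot1x) in inventory.items():
        plan[port] = ("802.1X", set()) if supports_dot1x else ("MAC-Auth", {mac.lower()})
    return plan

def audit(plan, events):
    """events: (port, MAC) pairs learned by the switch. Flags a foreign MAC on a
    MAC-Auth port (the printer jack being reused), several MACs behind one port
    (a rogue AP or hub), and traffic on a port with no access control planned."""
    seen = defaultdict(set)
    for port, mac in events:
        seen[port].add(mac.lower())
    findings = []
    for port in sorted(seen):
        macs = seen[port]
        method, allowed = plan.get(port, (None, set()))
        if method is None:
            findings.append((port, "no access control method planned"))
        elif method == "MAC-Auth":
            for mac in sorted(macs - allowed):
                findings.append((port, f"unknown MAC {mac} on MAC-Auth port"))
        if len(macs) > 1:
            findings.append((port, f"{len(macs)} MACs on one port (rogue AP or hub?)"))
    return findings

# Constructed switch observations: a temp unplugged the lobby printer and used
# its jack; someone plugged a consumer AP into the unused port 4.
EVENTS = [
    ("1", "00:11:22:33:44:01"),
    ("2", "de:ad:be:ef:00:10"),
    ("4", "de:ad:be:ef:00:20"),
    ("4", "de:ad:be:ef:00:21"),
    ("4", "de:ad:be:ef:00:22"),
]

if __name__ == "__main__":
    for port, reason in audit(plan_methods(INVENTORY), EVENTS):
        print(f"port {port}: {reason}")
```

MAC-Auth only checks the address the endpoint presents, so an unknown MAC on a MAC-Auth port is a signal to investigate, not proof of compromise, and a copied printer MAC would pass; this is why the text prefers 802.1X wherever the endpoint supports it.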
In private wired zones, the network should be configured—whether through a directory service, static access control lists (ACLs), or dynamic ACLs set in RADIUS policies—to limit each authorized user's access to just the resources he or she needs. In public wired zones, the network configuration should