HP ProCurve Networking

ProCurve Network Security solutions

Introduction

Where a network manager used to be concerned only with external threats, today's network manager must also be concerned with internal problems, both real and potential. Unfortunately, it is no longer a given that anyone with authorized network access is completely trustworthy. Companies must implement network-based security in addition to conventional host-based security.

As Ethernet extends into the far reaches of every campus corner, wired active ports are nearly everywhere. This is largely because ProCurve Networking by HP has made it cost-effective to activate every port in the network at one time, rather than paying to rewire ports later on an as-needed basis. Controlling access to valuable information is a key requirement. With standards such as 802.1X port-based access control (established with ProCurve leadership), security begins when a user plugs in a cable. In addition, with 802.1X, access is granted only if the user is authenticated against a secure database.

Furthermore, the network can control which isolated VLAN the user is placed on, restricting access to certain systems and services based on the user's profile. Otherwise, it is just as if the port were turned off. This standard extends to 802.11 wireless LANs as well.

As enterprises depend more and more on Ethernet LANs for all kinds of communication, they need to protect the network itself from attack. Physical security of wiring closets and equipment rooms is certainly necessary, but enterprises must also secure management access to the infrastructure. It is vital to implement an enterprise LAN with switches that offer the latest in management security.

ProCurve Networking switches have a number of security features that enable customers to secure access to their networks. In particular, ProCurve switches support the 802.1X standard, MAC address lockdown, port isolation groups, and ACLs. We often think of these features as independent capabilities, but they typically require additional resources within the network to form a complete security solution. For customers, coordinating these additional capabilities can be a barrier to deployment, and in some cases the capabilities do not exist at all. Add the complexity of customizing these capabilities according to the type of user connecting to the network, and the problem gets worse. One way around this is to implement a "guest VLAN", which can be done using ProCurve Networking products. The real value of guest VLANs is that they automatically provide different configurations for different classes of users—guests as well as authorized users.

This paper explores some of these additional capabilities and suggests application architectures to address them. In particular, it looks at 802.1X technology and the benefits of using guest VLANs as an interim step to implementing 802.1X on every client, and finally it shows how ProCurve Networking products can help you implement this solution today.

Network security concerns

Security used to mean setting up a firewall as a perimeter line of defense to keep trusted users on the inside and untrusted users on the outside. But in today's world of remote workers, wireless users, trading partners, customers and hackers, that perimeter line has been blurred beyond recognition. The perimeter, the point of contact with the Internet, is still important, but it is not sufficient to provide end-to-end network security. An effective security strategy needs to be far more flexible and sophisticated than just posting a guard at the gate to your network. The new model for network security calls for protecting data wherever it is and trusting no one completely, wherever they are.[1]

In terms of dollars, a network security breach can mean billions in lost current and future revenue. The price paid often includes both direct and indirect costs: damaged sales, consumed IT staff resources, lower user productivity, lost intellectual property if trade secrets are stolen, decreased public confidence, and lost business opportunities and revenue.

In terms of wired and wireless networks, access control is a significant issue, as it is common to have pervasive, live ports nearly everywhere within an enterprise campus. Where enterprises once had a one-to-one correspondence between an access port, a PC and a user, today's LANs extend beyond the controlled office environment. The emergence of numerous mobile network access devices, next-generation convergence solutions and inexpensive wireless access points, combined with open ports in many campus public areas, provides endless connectivity opportunities. It is critical that enterprises understand that wireless security solutions will not be entirely effective if the enterprise wired LAN security is not airtight. If the wired network is not secure, it is simple to plug in a wireless access point that can go undetected and provide unrestricted access to multiple users.

In terms of network strategies, creating security solutions that bring peace of mind means having an adaptive network model that controls which users perform which tasks based on the needs of their job. Enterprises should think of their network security as they would an airport. People come and go at all hours, some areas are more secure than others, and as people pass from one area to another, they have to present their credentials: tickets, boarding passes or passports. Apply this approach to computer security, and instead of an "exclusive" model in which organizations try to prevent people from doing things they shouldn't, they have an "inclusive" model that seeks to provide appropriate access.[2]

With ProCurve Networking by HP solutions based on the ProCurve Adaptive EDGE Architecture™, security means creating intelligence throughout the enterprise network, out to the edge where the user connects. This approach enables enterprises to mitigate risks more effectively as they protect their digital assets. Furthermore, it allows cost-effective partitioning of the network to create zones of similar users with similar access needs.

[1] Gaspar, Suzanne. "The New Security Battle Plan." Network World, September 30, 2002.
[2] "Securing the Cloud." The Economist, October 26, 2002.

The 802.1X solution

802.1X is the preferred method for implementing edge access security. Guest VLANs are the preferred method of migrating end users to an 802.1X environment and for delivering limited services to unauthorized or temporary users. ProCurve switches support the 802.1X protocol and can be used to secure the edge in the following way:
  1. Client devices running 802.1X supplicant software authenticate with the ProCurve switch when they are plugged into the 802.1X-enabled switch port.
  2. The ProCurve switch verifies the credentials of the client by communicating with a RADIUS authentication server.
  3. If the credentials are verified, the RADIUS server informs the ProCurve switch to 'unblock' the switch port and allows the client unrestricted access to the network.
  4. The RADIUS server may additionally inform the switch to configure the client's port to be a member of a particular VLAN, thus restricting or confining the client's access within the internal network.
Within a wireless environment, the RADIUS server returns attributes to the wireless access point that allow it to generate encryption keys and deliver them to the client without any manual configuration. This is a significant advantage of using 802.1X in a wireless environment. Once the client is authenticated, the ProCurve switch also sends accounting records to the RADIUS server, which may be used for billing or tracking purposes.

If 802.1X were not enabled on a port, the client would simply be allowed access to the network without any restrictions. However, when 802.1X is enabled on a port and the client fails authentication or is not running the 802.1X supplicant software, the switch can be configured to do one of two things: block access or, uniquely with ProCurve switches, provide guest access.

If the switch blocks access to the client completely, the client will be isolated from any other part of the network. Alternatively, if the switch places the client on a guest VLAN, the client has access to a controlled set of resources or services. Guest VLAN functionality provided by ProCurve switches goes above and beyond the 802.1X specification (see Figure 1).
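The port decision described in the steps above and in the two paragraphs that follow them, as an added example in Python (not ProCurve's code). The RADIUS VLAN assignment uses the RFC 3580 attribute triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the paper does not name; the port-state names and the VLAN numbers in the scenarios are constructed for the example. The example covers all four outcomes the paper describes: 802.1X disabled, no supplicant or failed authentication with and without a guest VLAN, and a successful authentication with or without a VLAN override.

```python
# Added example (not ProCurve's code): the authenticator-side port decision the
# paper describes. The RADIUS VLAN attribute triple is the one from RFC 3580,
# which the paper does not name; VLAN numbers below are constructed.
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6  # RFC 3580: Tunnel-Medium-Type value meaning "IEEE-802"


@dataclass(frozen=True)
class PortConfig:
    dot1x_enabled: bool
    default_vlan: int            # VLAN the port lands in when no override is returned
    guest_vlan: Optional[int]    # None means "block clients that fail or skip 802.1X"


@dataclass(frozen=True)
class PortState:
    authorized: bool
    vlan: Optional[int]          # None means the port is blocked entirely


@dataclass(frozen=True)
class RadiusReply:
    code: str                    # "Access-Accept" or "Access-Reject"
    attributes: dict


def vlan_from_reply(reply: RadiusReply) -> Optional[int]:
    """Extract the VLAN the RADIUS server assigned, or None if the triple is incomplete.

    All three attributes must be present and consistent; a bare
    Tunnel-Private-Group-ID without the type/medium qualifiers is ignored, so a
    malformed reply cannot move the port into an unintended VLAN.
    """
    attrs = reply.attributes
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        return None
    try:
        vid = int(attrs.get("Tunnel-Private-Group-ID", ""))
    except ValueError:
        return None              # VLAN names are not resolved in this example
    return vid if 1 <= vid <= 4094 else None


def decide_port_state(cfg: PortConfig, supplicant_present: bool,
                      reply: Optional[RadiusReply]) -> PortState:
    """Map the port configuration and the authentication outcome to a port state."""
    if not cfg.dot1x_enabled:
        # 802.1X off: the client is simply let in, unrestricted
        return PortState(authorized=True, vlan=cfg.default_vlan)
    accepted = supplicant_present and reply is not None and reply.code == "Access-Accept"
    if not accepted:
        # No supplicant, or authentication failed: guest VLAN if one is configured,
        # otherwise the port stays blocked (plain 802.1X behaviour)
        return PortState(authorized=False, vlan=cfg.guest_vlan)
    vid = vlan_from_reply(reply)
    return PortState(authorized=True, vlan=cfg.default_vlan if vid is None else vid)


def run_scenarios() -> dict:
    """Walk through the cases the paper lists; returns a name -> PortState map."""
    guest_port = PortConfig(dot1x_enabled=True, default_vlan=1, guest_vlan=100)
    strict_port = PortConfig(dot1x_enabled=True, default_vlan=1, guest_vlan=None)
    open_port = PortConfig(dot1x_enabled=False, default_vlan=1, guest_vlan=None)
    accept_vlan20 = RadiusReply("Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": "20",
    })
    accept_plain = RadiusReply("Access-Accept", {})
    reject = RadiusReply("Access-Reject", {})
    return {
        "no_dot1x":            decide_port_state(open_port, False, None),
        "no_supplicant_guest": decide_port_state(guest_port, False, None),
        "no_supplicant_block": decide_port_state(strict_port, False, None),
        "accept_with_vlan":    decide_port_state(guest_port, True, accept_vlan20),
        "accept_no_vlan":      decide_port_state(guest_port, True, accept_plain),
        "reject_guest":        decide_port_state(guest_port, True, reject),
    }


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(f"{name:22} authorized={state.authorized!s:5} vlan={state.vlan}")
```

The one design point worth noting is in `vlan_from_reply`: the port only moves to a server-assigned VLAN when the whole attribute triple is present and the VLAN id is in range; anything less leaves the client on the port's default VLAN rather than guessing.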

Figure 1: 802.1X Solution using ProCurve Networking by HP products

Challenges to deploying 802.1X

Customers deploying an 802.1X solution have several barriers to overcome. The primary issue is the availability of 802.1X supplicant software on the clients. Microsoft includes 802.1X software in Windows XP and, only recently, in Windows 2000, but not in previous versions. A number of third-party vendors have developed software for previous versions of Windows, Linux and Apple OS, but in some cases licensing, support and expense issues are preventing customers from embracing this path. This problem is not unlike the one that existed many years ago when dial-up networking was in its infancy.

Once the customer has committed to installing and supporting 802.1X client software, the next barrier to deployment is the RADIUS server. Not all customers use a RADIUS server to manage their end-user database. Many customers use Microsoft NT domains, Unix password schemes, Kerberos or LDAP. Customers wishing to leverage their existing database may need to establish a bridge or gateway between the RADIUS server and their existing system. In some cases, this impacts the underlying authentication method used when authenticating the client via 802.1X.

In the 802.1X environment, the RADIUS server must support authentication transactions using the Extensible Authentication Protocol (EAP). While this is becoming more commonplace, EAP is a fairly new protocol. Within EAP, there are a number of authentication methods that may be selected (EAP-MD5, EAP-TLS, EAP-TTLS, PEAP, etc.). Some of these methods have not been fully standardized yet, and deploying certain methods can be a fairly difficult task. Different devices have different requirements, which dictate which EAP methods can be used. For example, wireless access points need a mutual and encrypted exchange to install dynamic encryption keys (WEP keys) for 802.11b. EAP-MD5 does not support this capability and is therefore appropriate only for wired networks.

As mentioned above, bridging between the RADIUS server and an existing authentication database such as Kerberos is often required. Only certain EAP methods enable this, because they can securely carry the complete username and password to the bridge or gateway, which then performs a proxy authentication call against the existing database. Both EAP-TTLS and PEAP can be used to securely transfer the complete username and password to the RADIUS server. However, these methods also require the installation of a certificate on the RADIUS server, the client, or both. Installing and maintaining a Certificate Authority (CA) is yet another deployment hurdle.

Network administrators of public or semi-public network environments (e.g., universities) must consider the issues involved in migrating towards and maintaining an 802.1X environment. Assuming they have successfully set up a RADIUS server that supports all the necessary EAP methods, a Certificate Authority, bridges to existing databases, and client software for Linux, NT, Windows and Apple that also supports all the necessary EAP methods, they may still need to deal with installing certificates, ensuring the latest client software is installed, downloading or upgrading that client software if necessary, and finally, setting up new, temporary and guest accounts. These functions may best be accomplished using a separate security services application platform. An ideal place for these applications is on the guest VLAN or the RADIUS server itself.

Guest VLANs: the interim solution

ProCurve believes that 802.1X operating on every client is the correct and appropriate long-term solution for access security, but we also recognize that alternatives exist and migration paths are needed. The key barrier to deployment is the availability of client 802.1X software supporting all the necessary EAP methods. Solutions that use existing software and enable migration towards a homogeneous 802.1X client environment are the most attractive.

Guest VLANs provide an attractive and feasible interim path to implementing a comprehensive 802.1X solution and can be deployed today using existing features of ProCurve Networking switches. When a non-802.1X client attaches to the switch, it is by default connected to the guest VLAN. The client can access anything on the guest VLAN. This means that no additional software is needed on the client to give it guest access. Now any visitor to a campus or other site that has active ports can access a group of special services set up specifically for them to use during their stay. At the same time, the private network is kept secure.

Case Study: University of Alberta

The University of Alberta has an environment that is benefiting from the use of guest VLANs. The Electrical and Computer Engineering department has recently moved into two new buildings. One of these buildings houses several large research groups. The other is home to all of the undergraduate classrooms and teaching labs. A large open common area joins the buildings. During the design phase of the buildings, they understood that they would have to install a reliable and flexible network that would be scalable as well as cost-effective. Kees denHartigh, Systems and Network Analyst for the department, said, "We had been deploying a lot of ProCurve network switches in our old facility and it served us very well so it was not a difficult decision to continue with what works best for the price."

They now have a ProCurve Routing Switch 9308m that fulfills their network requirements for both buildings with a gigabit fiber backbone, and over 160 ProCurve 2524 switches at the edge of the network, which serve their graduate, undergraduate, staff, and faculty population of over 1200 people.

One problem they experienced was that several of the ports on the Switch 2524 were being placed in open public areas and large classrooms. They needed a way to offer network services on these ports only to their own students, staff and faculty. They solved this problem by creating a guest VLAN for these ports and placing them all behind the firewall. Switches with the 802.1X protocol can authenticate a user against a RADIUS server database and place the user's port onto any VLAN the user authenticates to.

Figure 2: University of Alberta Guest VLAN implementation

"The ProCurve 802.1X protocol is of keen interest to the university because it provides a mechanism whereby we can authenticate people against a secure database via the ports," said denHartigh. "Anyone could go into our classrooms, plug in their PCs and access the entire network; we needed some method of authentication to assure that only verified university faculty, students and personnel can obtain network connectivity."

ProCurve's 802.1X protocol is also customizable, a feature that denHartigh says puts HP ahead of the competition. "One of the features we worked on with ProCurve was to add the concept of a guest VLAN to the 802.1X protocol, which enables a person without access to a university account to be dropped on to a guest VLAN." A person who would benefit from this capability would be, for example, a university conference attendee who could receive Internet access or other conference-related services without having access to the entire network, explained denHartigh.

Here is how the guest VLAN feature works in this environment. The University of Alberta has a Kerberos database of its student population stored on a RADIUS server that is configured to authenticate all students on campus. When a user authenticates, they are placed on the campus VLAN. Using a database of faculty and staff on the RADIUS server, those users are likewise placed on their own private VLANs from that same authenticated port. This gives them additional network security and better functionality. If a user fails to authenticate against any of the RADIUS server's databases, they are dropped onto a guest VLAN. Once there, the user can be offered some customized web services or applications. For instance, a large classroom might want to offer access to a specific web service or conference that applies only to the class in session, but you would not want to offer full Internet access, which would be distracting for students and costly for the university. This allows for a captive audience without sacrificing any bandwidth to students surfing the web.
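The server-side half of the arrangement just described, as an added example in Python (not the university's or ProCurve's code): a RADIUS policy that consults several identity stores in order and returns a VLAN override for whichever store accepts the user, leaving the guest-VLAN fallback to the switch. The three stores are constructed in-memory stand-ins for the Kerberos-backed student database and the faculty and staff databases; the user names, passwords, VLAN numbers and the accounting-record shape are made up, and the VLAN attribute triple is the RFC 3580 form, which the paper does not name.

```python
# Added example (not the university's or ProCurve's code): a RADIUS-side policy
# that tries several identity stores in order and returns the VLAN for whichever
# one accepts the user. The stores are constructed in-memory stand-ins for the
# Kerberos-backed student database and the faculty and staff databases; user
# names, passwords and VLAN numbers are made up. The VLAN attribute triple is
# the RFC 3580 form, which the paper does not name.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

CAMPUS_VLAN, FACULTY_VLAN, STAFF_VLAN = 10, 20, 30   # constructed VLAN ids
PBKDF2_ROUNDS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class IdentityStore:
    """One backend the RADIUS server can ask; an accepting store decides the VLAN."""
    name: str
    vlan: int
    users: Dict[str, Tuple[bytes, bytes]]   # user -> (salt, derived key)

    @classmethod
    def build(cls, name: str, vlan: int, plaintext: Dict[str, str]) -> "IdentityStore":
        users = {}
        for user, pw in plaintext.items():
            salt = os.urandom(16)
            users[user] = (salt, _derive(pw, salt))
        return cls(name, vlan, users)

    def verify(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, key = rec
        return hmac.compare_digest(_derive(password, salt), key)


@dataclass(frozen=True)
class RadiusReply:
    code: str
    attributes: dict


# Lookup order mirrors the case study: students first, then faculty, then staff.
STORES: List[IdentityStore] = [
    IdentityStore.build("students-kerberos", CAMPUS_VLAN, {"alice": "student-pass-1"}),
    IdentityStore.build("faculty", FACULTY_VLAN, {"prof.lee": "faculty-pass-1"}),
    IdentityStore.build("staff", STAFF_VLAN, {"bob": "staff-pass-1"}),
]

ACCOUNTING: List[dict] = []   # stand-in for the RADIUS accounting records


def vlan_attributes(vlan: int) -> dict:
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(vlan)}


def authenticate(user: str, password: str,
                 stores: List[IdentityStore] = STORES) -> RadiusReply:
    """Return Access-Accept with a VLAN override, or Access-Reject.

    The server never names the guest VLAN: on Access-Reject the switch applies
    its own fallback (guest VLAN or blocked port), so that policy stays at the edge.
    """
    for store in stores:
        if store.verify(user, password):
            ACCOUNTING.append({"user": user, "result": "accept",
                               "store": store.name, "vlan": store.vlan})
            return RadiusReply("Access-Accept", vlan_attributes(store.vlan))
    ACCOUNTING.append({"user": user, "result": "reject"})
    return RadiusReply("Access-Reject", {})


if __name__ == "__main__":
    for who, pw in [("alice", "student-pass-1"), ("prof.lee", "faculty-pass-1"),
                    ("alice", "wrong"), ("visitor", "anything")]:
        reply = authenticate(who, pw)
        print(who, reply.code,
              reply.attributes.get("Tunnel-Private-Group-ID", "guest VLAN / blocked at switch"))
```

Two choices are deliberate: every store is tried before rejecting, matching the paper's "fails to authenticate against any of the RADIUS server's databases", and the VLAN comes from the store that accepted the user, so a single authenticated port can land students, faculty and staff on different VLANs.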

ProCurve security strategy

ProCurve Networking by HP is leading the way in addressing the ever-growing security concern that all networks are becoming public networks. With features like 802.1X and guest VLANs, ProCurve Networking products enable customers to provide secure and appropriate access to their networks.

ProCurve Networking solutions have several layers of built-in security. The company has invested heavily in making sure that HP products comply with the newest and most stringent standards-based security features to protect data; in fact, HP leads the establishment of many of these standards.

For nearly 20 years, ProCurve has been building enterprise LAN products that help customers run their business more effectively. The company has a complete and affordable portfolio of security solutions and services for its customers. ProCurve security solutions allow important network access decisions to move to the edge of the network where users and applications connect.

Authorizing customers, suppliers, contractors and other users needing network access is now as common as verifying that a printer is online, but with much greater consequences. Quite simply, enterprise networks must have enhanced security to accommodate current and evolving needs. To adequately protect network data and resources, security must now be enforced at the point where the user accesses the network.

Glossary

802.1X: IEEE standard for a port-based authentication protocol

Authentication server: Server that authenticates the supplicant (e.g. RADIUS server)

Authenticator: Device, such as a ProCurve Networking by HP switch, that receives the request from the supplicant and forwards it to the authentication server. It then relays the authentication server's response back to the supplicant and grants or denies access accordingly.

EAP: A mechanism to allow supplicants to authenticate with an Authentication Server (e.g. RADIUS server) through an Authenticator (Switch or Access Point)

Supplicant: An entity at one end of a point-to-point LAN segment that is being authenticated by an authenticator attached to the other end of that link, such as an end-user's laptop or PDA.

Supplicant software: The client-side software package that communicates with an 802.1X server or authenticator and a RADIUS server to confirm a user's identity. The 802.1X software is used to authenticate wireless or wired local-area network (LAN) users during login and network sessions.
© 2009 Hewlett-Packard Development Company, L.P.