This is part III in the series of technical foundation posts leading up to our December 11 TechChat “Networks That Know You: Cisco Identity-Based Networking Services”.
Have you ever left the house and forgotten to lock the front door? It can ruin your day, especially if you remember it as you’re pulling up to the office after a grueling commute. But maybe, being a security geek, you’ve installed a security web-cam over the front door. So you fire up your browser and monitor the house. You may not be able to lock the door remotely, but you can at least see if anyone tries to break in.

Authenticating someone’s identity without enforcing some form of authorization is like having an unlocked door with a web-cam: you can’t physically prevent anyone from gaining access, but you can see who goes in and out. This kind of visibility is a non-trivial asset. Knowing that someone is watching may be enough to deter some intruders. Still, authentication (the web-cam) by itself may not be an adequate long-term security policy for most homeowners. The same goes for networks. Once you’ve authenticated endpoints and users with IEEE 802.1X or MAC Authentication Bypass (MAB), it’s time to enforce network access restrictions based on the established identity of that user or endpoint. The rest of this blog looks at the different forms of authorization in Identity-Based Networking Services (IBNS) today.

Default Authorization: The default authorization in an 802.1X-enabled network is binary: on or off. All endpoints and users that pass authentication get full access to the statically configured VLAN on the port. Those that can’t authenticate get no access. This is how 802.1X was originally designed to work. However, this default authorization policy may be too black-and-white for real-world networks. In the real world, giving every authenticated user and device the same level of access in the statically configured VLAN may not offer enough granularity to meet the goals of your security policy. In addition, you may have good reasons to offer limited access to users who can’t authenticate. Other forms of authorization can be used to accomplish these goals.

Dynamic Authorization: Instead of putting all authenticated users into the same static VLAN, some corporations need to be able to grant differentiated access, where one group of known users (“Engineering”) gets access to different network resources than another (“Finance”). Dynamic VLAN assignment is a form of dynamic authorization where the AAA server (the centralized security policy server) tells the switch to assign a VLAN to the port based on the identity of the user or device that authenticated. Engineers go in the Engineering VLAN, accountants go in the Finance VLAN. While this form of dynamic authorization is a powerful tool for differentiating access for different user groups, it comes at a cost. Supporting multiple VLANs on every switch may require changes to the network architecture and addressing scheme. In addition, VLANs isolate traffic at Layer 2 of the OSI stack, so dynamic VLAN assignment by itself cannot restrict access to specific subnets (Layer 3) or applications (Layer 4 and above). However, dynamic VLAN assignment does provide the foundation for virtualizing IT resources using Network Virtualization Solutions. Get more information on how Network Virtualization can increase security with path isolation and virtualized services.

Local Authorization: With local authorization configured, the switch can allow access to the port in special VLANs in the absence of a successful authentication: endpoints that are not 802.1X capable can be assigned to the Guest VLAN; endpoints that fail 802.1X can be assigned to the Auth-Fail VLAN; endpoints that can’t authenticate because the AAA server is unavailable can be assigned to the Critical-Auth VLAN. With local authorization, endpoints that would otherwise be denied network access entirely can get some form of access. Different networks need different kinds of authorization policies.
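The mechanism behind dynamic VLAN assignment is the AAA server returning the three RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE 802, Tunnel-Private-Group-ID = the VLAN) in its RADIUS Access-Accept. The following is an added example, not code from the original post or from Cisco: it builds that reply on the server side and, on the switch side, verifies the Response Authenticator against the shared secret before trusting the VLAN, falling back to the port's static VLAN when the Accept carries no VLAN attributes (the default authorization described above). The user names, group-to-VLAN table and shared secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 3580).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed policy table for the example: group names and VLAN ids are assumptions.
GROUP_VLAN = {"engineering": 100, "finance": 200}
USER_GROUP = {"alice": "engineering", "bob": "finance"}


def _attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers the whole TLV."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tagged(atype, payload, tag=0):
    """Tunnel attributes carry a one-byte tag in front of the value (RFC 2868)."""
    return _attr(atype, bytes([tag]) + payload)


def vlan_attributes(vlan_id):
    """The three attributes RFC 3580 uses to hand a VLAN to the switch."""
    return (
        _tagged(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _tagged(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _tagged(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())
    )


def build_response(code, identifier, request_auth, attrs, secret):
    """Reply packet; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def aaa_server_decide(username, identifier, request_auth, secret):
    """AAA side: known user -> Access-Accept with the group's VLAN; unknown -> Access-Reject."""
    group = USER_GROUP.get(username)
    if group is None:
        return build_response(ACCESS_REJECT, identifier, request_auth, b"", secret)
    return build_response(ACCESS_ACCEPT, identifier, request_auth,
                          vlan_attributes(GROUP_VLAN[group]), secret)


def parse_attributes(data):
    """Walk the attribute TLVs, rejecting truncated or mis-sized ones."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def switch_authorize(reply, request_auth, secret, static_vlan):
    """Switch side: authenticate the reply, then decide (authorized, vlan).

    No VLAN attributes -> the port's static VLAN (default authorization);
    the RFC 3580 triple -> the server-assigned VLAN (dynamic authorization).
    """
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("bad packet length")
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: not from the configured AAA server")
    if reply[0] != ACCESS_ACCEPT:
        return (False, None)
    tunnel_type = medium = group_id = None
    for atype, value in parse_attributes(attrs):
        if atype == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte above 0x1F is not a tag but the start of the string (RFC 2868).
            group_id = (value if value[0] > 0x1F else value[1:]).decode()
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802 and group_id:
        return (True, int(group_id))
    return (True, static_vlan)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed switch/AAA shared secret
    request_auth = os.urandom(16)          # the Request Authenticator the switch sent
    for user in ("alice", "bob", "mallory"):
        reply = aaa_server_decide(user, 1, request_auth, secret)
        print(user, switch_authorize(reply, request_auth, secret, static_vlan=10))
```

The authenticator check is the part worth noticing: a switch that applies VLAN attributes from a reply it has not verified would let anyone who can inject RADIUS traffic choose the VLAN, so the example refuses the reply outright when the MD5 over the shared secret does not match. The example handles numeric VLAN ids only; RFC 3580 also allows a VLAN name in Tunnel-Private-Group-ID.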
Many large customers have successfully deployed 802.1X and IBNS on wired networks using the techniques I described above. But other customers still find it challenging to deploy 802.1X. In our Second Life TechChat next week, we’ll talk about new and upcoming innovations in all three kinds of authorization (default, dynamic and local) that will make IBNS simpler to deploy and easier to customize.

Written by Shelly Cadora, PhD*

*Shelly will be one of our speakers during the December Cisco Live in Second Life TechChat. She is a technical marketing engineer for Identity-Based Networking solutions. She is a 10-year Cisco veteran with a CCIE in Routing and Switching (#16318). Prior to becoming involved with Identity and 802.1X, she was involved in the development of the ASA firewall and Cisco IP Telephony solutions.
Human social and technological transformations are forming on a tectonic scale, creating new advancements and opportunities. New ideas and tools are being created to help understand and raise the standard of living in the undeveloped and developed world around us. Whether social, economic, informational, manufacturing, distribution processes or consumer behavior, they are increasingly determined by the intricate dynamics of these evolving networks, or, simply said, the coming ‘Internet of Things’. Allow me to attempt to connect a few dots.

Bruce Sterling, author and futurist of “Shaping Things”, best describes the phenomenon of ‘Spimes’. Sterling coined the name ‘Spime’ by contracting the words ‘space’ and ‘time’. Spimes are aware of their environment: they know where they are and when they are, and they keep track of some parameter around them. Sensing, memory, and ubiquitous communication enable Spimes to accurately map the physical world around them. He describes how we have come from making artifacts by hand to complex machines and the recent era of ‘gizmos’. Those methods of using finite materials and energy have reached beyond unreasonable levels, becoming economically unsustainable and toxic on many levels.

Watch this very interesting Bruce Sterling interview: Part 1, Part 2, Part 3.

The ‘Spime’ represents the new form of object that can be formed. They are here already, in their most primitive form, in our phones and laptops. Future objects, or Spimes, will be so information-rich and extensive that they will be regarded as a new form of material in an immaterial system.
Spimes basically rely on improvements in distribution chain management technology (such as computationally active, not passive, RFID chips with GPS positioning and time-binding capability) to monitor their own progress, order supplies and maintenance work, notify their owner when action is required and, at the end of their life, arrange for their own collection and dispatch to a suitable recycling point.

This past spring David Orban, Chief Evangelist at Widetag.com, the OpenSpime Technology Company, spoke about their project, the world of OpenSpime, at ETech. He asked, “Do we really know our planet? Because it talks to us, but it talks to us in a manner we cannot comprehend quickly enough, because our societies change the planet more quickly than we can listen.” He believes that OpenSpime will give us the tools to listen to and monitor our planet, furthermore giving us the ability to have peer-to-peer science to collectively explore new ideas and creativity. More recently, this month at Shift 08, he goes beyond the surface and describes not why but how you can manage to filter and aggregate critical data as it is generated from tens of millions of sensor devices. Watch the ETech talk here and the Shift 08 talk here.

Later this past summer the OpenSpime Developer Network and OpenSpime.org were launched. The architecture of the OpenSpime protocols, based on an extension to XMPP (formerly known as Jabber), is available for anyone to explore and improve. Anybody can run his or her own OpenSpime servers and implement OpenSpime-compliant applications using the Pyopenspime libraries, which were released simultaneously. For a technical explanation, watch here.

Tagging to Fabbing

The wisdom of crowdsourcing is already at work with a cool mashup using OpenSpime and Google Maps to detect CO2 gases.
Watch here. Mashup Google Maps on Second Life from Daden.co.uk. Watch here.

To follow on the idea above, imagine holding a secure mixed-reality company meeting, music fest, sporting event or business conference on something like this. Push a little more to stream live broadcasts from YouTube or Flickr galleries, Twitter feeds, sub-group matchmaking for breakouts and background statistics in 3D graphics from different points around the world playing along the surrounding walls. The clouds in the sky, time of day, ambient lighting, music and audio translation could all be altered live, individually per screen. The effective reduction in the size of the combined carbon footprint not only achieves significant cost savings, but the extremely information-rich experience accelerates the connected network effect. Ultimately, shaping the design of such experiences would reflect positively on the entity’s brand perception. Current efforts by EOLUS in Second Life have brought together several companies to collaborate on creative solutions that demonstrate mixing real and virtual life e-commerce integrated with real-world supply chain and CRM.

Spimes are the logical output of a logistics infrastructure based on now-affordable fabbers such as the Mcor Matrix, the only 3D printer in the world that can use ordinary or used A4 paper to make 3D objects, at costs up to 50 times less than its competitors’ current technologies. Ponoko.com allows you to design a product and get it made in your own personal factory. You can also edit and mash up the product plans you download from Ponoko to create something completely original. If that isn’t enough, you can produce and sell real homemade toys right from Second Life by creating plastic versions of avatars with Fabjectory.com.

Designing the Shape of Things has a profound effect on our quality of life.
The motivation for companies to pay greater attention to how they affect the ‘human experience’ can in part be viewed from areas of technological stagnation. A current example is the auto manufacturers, who have been up against competition using better technology and holding the upper hand on quality and price. Introducing Spimes could help the former change their thinking from designing for categories of products to designing experiences for an intended purpose. The more aware you are of the experiences your customers are having (or not) with objects, the better you can fine-tune your offering. Designing for the ‘Shape of Things’ presents a robust offering of technologies to inspire marketers and provoke innovators into rethinking their market offerings’ essential qualities.

I hope to expand on this more next time. Until then. : )

Dennis
This is part II in the series of technical foundation posts leading up to our December 11th TechChat “Networks That Know You: Cisco Identity-Based Networking Services”.
Chances are, you got authenticated today. If you withdrew money from an ATM, swiped your employee badge or joined a secure wireless network, then you provided a valid form of identification to prove who you were. Once authenticated, you were authorized for some kind of access: to your money, a building or a wireless network. The one time you might not have been authenticated was when you plugged into the wired Ethernet port in your cube. IEEE 802.1X, the protocol designed specifically to authenticate users and devices at the access edge, is not ubiquitous on wired switches. One of the reasons is that 802.1X requires a client, called a “supplicant,” to carry out the authentication. Without a supplicant, a device cannot get access. That’s not a flaw in 802.1X: it’s the purpose of 802.1X, to keep unauthenticated devices off the network.

So what can be done about legacy devices that do not support 802.1X? One option is to un-configure 802.1X on ports connected to devices that are not capable of 802.1X. Besides being a nightmare for the IT administrator (“hey, what port was that printer on again?”), it is also not very secure: an intruder could simply unplug the non-802.1X-capable device and voilà, total access to the corporate network. Clearly, this is sub-optimal. Better solutions leverage the intelligence of the network to automate the process of getting non-802.1X-capable devices on the network. Until now, Cisco’s Identity-Based Networking Services (IBNS) has offered three solutions:

1) Configure the switch to attempt 802.1X and, if there is no response, automatically enable the port into a special VLAN (the “Guest VLAN”) with configurable access to the corporate network. With this solution, you could at least use the same configuration on every port, thus lowering the administrative overhead. However, you still have a problem: non-802.1X-capable managed assets (such as printers and IP cameras) would have exactly the same access as guests or even rogue devices. Guest VLAN alone cannot provide differentiated network access for different kinds of non-802.1X-capable devices.

2) Configure the switch to learn the MAC address of the connected device and validate it against a corporate identity store after 802.1X times out. This technique is referred to as MAC Authentication Bypass (MAB). Devices with known MAC addresses can be granted access to the corporate network, while unknown MAC addresses can be denied access or dropped into the Guest VLAN as a fallback. In addition, because the switch queries an external identity store, MAB results in a centralized record of every device that attempts to connect to the network (giving it more visibility than a pure Guest VLAN approach, where the switch simply allows the device onto the network). Of course, MAB requires an up-to-date database of the MAC addresses of every managed device on the network, which, of course, every organization has. Or do they?

3) Configure the switch to provide a login web page if the device does not respond to 802.1X requests. This is sometimes called Web-Auth or captive portal. This approach only works for devices with web browsers operated by users who can manually enter usernames and passwords. Web-Auth doesn’t do much good for printers. Fortunately, MAB and Web-Auth can be configured together so that devices that fail MAB can be offered Web-Auth as a final option.

Organizations that have successfully deployed 802.1X on their wired networks have used one or more of these solutions to support non-802.1X-capable devices. However, even with these features, it is not always smooth sailing. For starters, have you been wondering how the switch determines there is no supplicant on the attached device? The answer is simple: the switch asks if there is a supplicant on the wire and then it waits. Only after a timeout can MAB and/or Guest VLAN or Web-Auth do their work. This may result in significant delays in network connectivity and thus impair productivity.

To address these and other concerns, newly announced IBNS features will complement the existing solutions to smooth the deployment of 802.1X in wired networks. We’ll discuss these features in our IBNS Second Life TechChat on December 11.

Written by Shelly Cadora, PhD*

*Shelly will be one of our speakers during the December Cisco Live in Second Life TechChat. She is a technical marketing engineer for Identity-Based Networking solutions. She is a 10-year Cisco veteran with a CCIE in Routing and Switching (#16318). Prior to becoming involved with Identity and 802.1X, she was involved in the development of the ASA firewall and Cisco IP Telephony solutions.
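The fallback sequence the post above describes (802.1X first; only after the switch has asked and waited can MAB, Web-Auth or the Guest VLAN take over; Auth-Fail and Critical-Auth VLANs for failed credentials and an unreachable AAA server) can be written down as a small decision model. The following is an added example, not code from the post or from Cisco IOS: it returns, for one link-up event, which method authorized the port, which VLAN it landed in, and how long the endpoint waited. The wait is modelled as the EAP-Request/Identity period times one plus the retry count; the 30-second and 2-retry values are assumed here, not stated in the post, and Web-Auth is assumed to succeed when a browser is present. The MAC database and endpoints are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PortPolicy:
    """Per-port settings the post describes; timer values are assumed, not from the post."""
    static_vlan: int
    guest_vlan: Optional[int] = None       # no supplicant answered
    auth_fail_vlan: Optional[int] = None   # supplicant answered, credentials rejected
    critical_vlan: Optional[int] = None    # AAA server unreachable
    mab: bool = False                      # try MAC Authentication Bypass after the timeout
    web_auth: bool = False                 # offer a login page if MAB finds nothing
    tx_period: int = 30                    # seconds between EAP-Request/Identity attempts (assumed)
    max_reauth_req: int = 2                # retries before the switch gives up on 802.1X (assumed)


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool
    credentials_valid: bool = False   # only meaningful when has_supplicant is True
    has_browser: bool = False         # Web-Auth needs a user at a browser


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' or Cisco 'aabb.ccdd.eeff'.

    A MAB database is only as good as its key format: mixed formats silently miss lookups.
    """
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(port: PortPolicy, endpoint: Endpoint, mac_db: Dict[str, int],
              aaa_reachable: bool = True) -> Tuple[str, Optional[int], int]:
    """Model one link-up event. Returns (method, vlan, seconds_waited).

    method: 'dot1x', 'auth-fail', 'critical', 'mab', 'web-auth', 'guest' or 'denied'.
    """
    if not aaa_reachable:
        # Nothing can be validated; only the Critical-Auth VLAN gives any access.
        if port.critical_vlan is not None:
            return ("critical", port.critical_vlan, 0)
        return ("denied", None, 0)
    if endpoint.has_supplicant:
        # The supplicant answers the first EAP-Request/Identity, so there is no timeout.
        if endpoint.credentials_valid:
            return ("dot1x", port.static_vlan, 0)
        if port.auth_fail_vlan is not None:
            return ("auth-fail", port.auth_fail_vlan, 0)
        return ("denied", None, 0)
    # No supplicant: the switch asks, waits tx_period, and retries max_reauth_req times
    # before concluding nobody is there. Only then can the fallbacks run.
    waited = port.tx_period * (port.max_reauth_req + 1)
    if port.mab:
        vlan = mac_db.get(normalize_mac(endpoint.mac))
        if vlan is not None:
            return ("mab", vlan, waited)
    if port.web_auth and endpoint.has_browser:
        return ("web-auth", port.static_vlan, waited)
    if port.guest_vlan is not None:
        return ("guest", port.guest_vlan, waited)
    return ("denied", None, waited)


# Constructed MAB database: one known printer, stored in canonical form.
KNOWN_DEVICES = {normalize_mac("00:1A:2B:3C:4D:5E"): 30}

if __name__ == "__main__":
    port = PortPolicy(static_vlan=10, guest_vlan=50, auth_fail_vlan=60, critical_vlan=70,
                      mab=True, web_auth=True)
    for ep in (Endpoint("001a.2b3c.4d5e", has_supplicant=False),
               Endpoint("00:11:22:33:44:55", has_supplicant=False, has_browser=True),
               Endpoint("00:11:22:33:44:55", has_supplicant=False),
               Endpoint("aa:bb:cc:dd:ee:ff", has_supplicant=True, credentials_valid=True)):
        print(ep.mac, authorize(port, ep, KNOWN_DEVICES))
```

Two things the model makes visible: every non-supplicant device pays the full 802.1X timeout before any fallback runs, which is the productivity cost the post mentions, and a MAB lookup keyed on a differently formatted MAC address quietly degrades a managed printer into a guest.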
We just updated the design of our main product page on Cisco.com. Here is the new design:

This new design is intended to:
- Help you find the right product categories quickly, by virtue of being much quicker to scan
- Group products better by category so you can see related items
- Make it easier to see related service offerings
- Simplify the page, while allowing access to tools and resources (such as the Visio templates) via hover menus at the bottom.
Thanks to all of the customers who helped us test the preview versions in our labs. By the way, if you need to, you can also visit the previous design, which looked like this:

Enjoy!
Here’s a neat idea that we’d like your feedback on. We have set up a simple search plug-in that works in Internet Explorer and Netscape.

The way it works is that you can add it to your browser and then use the search pull-down built into your browser to search Cisco.com even if you’re not right on the site.

We’ve set up a page that explains how it works and how you can play with the options. If there is interest, we will probably do a final implementation that could be added as a plug-in to your browser from any page.

There’s a conversation on the NetPro Idea Center where you can join in and discuss the ins and outs of the plug-in.

Enjoy!