Insightix - Network Security: 802.1X

English

Solutions

BSA for 802.1X Implementations

The Challange

Prior to the deployment of an access control solution supporting the 802.1X protocol, a complete and accurate discovery and documentation of all network-attached devices and their respected capabilities is required. This is to allow accurate pre-planning identifying issues that must be resolved prior to the deployment and enablement of the solution. The following are examples for some of those issues:

Identifying devices that are incapable of supporting 802.1X. For example, devices that do not support the installation of an agent-based software.

Identifying network devices that do not support 802.1X. For example, network switches not supporting the 802.1X protocol that may require a software upgrade.

Identifying existing network topologies that do not support 802.1X. For example, the use of hubs connecting multiple devices to the same switch port.

The information about the network-attached devices must be current and up to date allowing determining the appropriate role and access rights a device is to receive once it is being attached to the network in accordance of its capabilities.

Most enterprises do not maintain information about unmanaged devices. If they have tried a traditional asset inventory solution they would still be unable to uncover information for an additional 20%- 50% of the devices residing on the enterprise network.

To properly roll out a comprehensive access control solution all unmanaged devices need to be discovered and classified; in order to enable enforcement for all devices.

Insightix BSA: Enabling the Successful Implementation of 802.1X-based Solutions

Insightix BSA is an agentless solution that enables an efficient deployment of network access control (NAC) solutions supporting the 802.1X protocol across enterprise networks of various scale and complexity by detecting, identifying, profiling, and auditing ALL devices connected to a network, in real-time. Utilizing unique profiling technology, Insightix BSA gathers and maintains meaningful network, device and user intelligence, thereby reducing ambiguity and enabling better decision making based on accurate and in-depth audit information.

Insightix BSA maintains a comprehensive profile for each device operating on the enterprise network according to its device type. An asset profile may include multiple parameters: MAC address, VLAN ID, VLAN name, IP address, device type, device capability, operating system, operating system type, patch information, switch and port connected to, open network services, user intelligence information, and other device centric properties.

The information provided by BSA Visibility allows IT managers to better understand the type of devices connecting to their networks. Furthermore, an accurate pre-planning of the deployment an 802.1X-based solution is possible identifying issues that must be resolved prior to the deployment and enablement of the solution. Few examples are herein made:

BSA Visibility builds and maintains the physical network topology of the enterprise network allowing identifying switch ports hosting multiple devices. Due to the fact the usage of 802.1X-based enforcement requires a device per port mapping, it is mandatory locating these exceptions prior to the deployment and enablement of a solution supporting 802.1X.

BSA Visibility detects the exact module and software version of switches operating on the network, allowing the identification of switches not supporting the 802.1X protocol.

Ensure the deployment of 802.1X software agents needed for the 802.1X-based authentication.

In order to enable access controls against all devices residing on the enterprise network it is essential to classify a device knowing whether it is capable of user-based authentication or not. This is to allow determining the appropriate role and access rights the device is to receive once it is being attached to the network, preventing a situation in which an device which does not fit into the criteria for authenticated network access, or do not have a user and cannot be authenticated, is required authentication.

BSA Visibility continuously provides with real-time network intelligence classifying the devices, which are being attached to the network. The information provided by BSA Visibility allows third party solutions to dynamically associate appropriate roles and access rights for ALL devices, capable or not of user-based authentication, based on their asset classification.