Protect Your Network with Leopard Server

With the release of Leopard Server and its sexy new features, administrators shouldn’t overlook one major advancement in the core directory service of Leopard. What’s this, you ask?

Well, it’s a feature that allows administrators to control who gets on their network, at the wired switch port or the access point level. Leopard Server includes a directory-integrated RADIUS server, which controls who gets on the wired or wireless network using 802.1X and WPA Enterprise authentication.

Wikipedia.org defines 802.1x as “IEEE 802.1X is an IEEE standard for port-based Network Access Control; it is part of the IEEE 802 (802.1) group of protocols. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for certain closed wireless access points, and is based on the EAP, Extensible Authentication Protocol (RFC 2284).”

When a user attempts to access your network, the network switch (if it supports 802.1X) or the access point isolates the user and prompts for authentication. For instance, if you had an Apple AirPort Extreme, you could set this access point up to use WPA Enterprise, leveraging the RADIUS infrastructure now built into Mac OS X Server 10.5 (Leopard).

Why deploy a solution like this? The answer is simple. If you need to know, or control, who is accessing your network and from where, then you should take a serious look at deploying 802.1X. If you need to protect your wireless network with something stronger than a shared secret and don’t want to manage yet another database of usernames and passwords, then this solution is for you too.

Because Apple typically makes powerful software easy to use, they have integrated the RADIUS server directly into Apple Open Directory. This means you can simply create a group in Open Directory the way you normally would and assign network access to it using the tools you are already used to. Here is how it looks from a 10,000-foot view, and how it works.

Server Diagram

In 802.1X, when the switch receives a link-up or link-down event (an indication that a machine has been connected to the port), it prompts the user for credentials in one of several fashions. The most familiar is the “hotel page,” aptly named, as anyone who has accessed the Internet from a hotel can tell you: that web page asking you to pay, or click, for your free day of Internet access is an 802.1X authentication page.

In a wireless network the WPA supplicant, a piece of software on your Mac or Windows XP/Vista machine, receives an authentication request, which can be a pop-up username/password box or even a client certificate (X.509). In either case the user must authenticate to gain access to the “wire” and only then receives an IP address from a DHCP server. They will then be able to cruise and utilise the network resources that are available.
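What actually travels between the access point (or switch) and Leopard’s RADIUS server once the supplicant has answered is a RADIUS Access-Request, and the reply is an Access-Accept or Access-Reject. The added example below, which is not Apple’s code and is not taken from this article, implements that exchange for the simple password case from RFC 2865: the NAS hides the password with the shared secret and a random Request Authenticator, the server recovers it and answers, and the NAS verifies the Response Authenticator before trusting the answer. The user database, secret, user name and password are constructed sample values. A WPA Enterprise login carries EAP inside the RADIUS packets (EAP-Message attributes, RFC 3579) instead of a User-Password attribute, but the packet layout and the authenticator check that ties every reply to the shared secret are the same.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 (only the ones this example needs).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # code, identifier, total length; then a 16-byte authenticator


def encode_attr(attr_type, value):
    # Attribute = type (1 byte) | length (1 byte, counts the 2-byte header) | value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    # Walk the attribute TLVs after the 20-byte header; reject lengths that overrun the packet.
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    # RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    # MD5(secret + previous block); the first "previous block" is the Request Authenticator.
    n = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(n, b"\x00"), b"", request_auth
    for i in range(0, n, 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    # Server side of the same transform; only a holder of the shared secret can undo it.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    return HEADER.pack(code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    # It proves the reply comes from a holder of the secret and answers *this* request.
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def build_access_request(username, password, secret, identifier, request_auth=None):
    # NAS (access point or switch) side: a fresh random Request Authenticator per request.
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_handle(request, secret, user_db):
    # RADIUS server side; user_db is a constructed stand-in for the directory lookup.
    if len(request) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request)
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(username)
    ok = expected is not None and hmac.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, request_auth, b"", secret)
    return build_packet(reply_code, identifier, auth, b"")


def verify_response(response, request_auth, secret):
    # NAS side: return the reply code only if the Response Authenticator checks out, else None.
    # This check is what stops an unauthenticated Access-Accept from being trusted.
    if len(response) < 20:
        return None
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response):
        return None
    attrs = response[20:]
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    if not hmac.compare_digest(response[4:20], expected):
        return None
    return code


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed sample value
    req, ra = build_access_request(b"alice", b"Pa55word", secret, identifier=1)
    reply = server_handle(req, secret, {b"alice": b"Pa55word"})
    print("verified reply code:", verify_response(reply, ra, secret))  # 2 is Access-Accept
```

Two things worth noticing when you run it: a reply built with the wrong secret, or a reply to a different request, fails `verify_response` even though it is a perfectly formed packet, and the only thing protecting the password on the wire is MD5 keyed with that secret, which is why the secret between each access point and the server should be long, random and unique per device.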

Another advantage of this type of access control is the auditing it provides to administrators, allowing for compliance with regulations (HIPAA, SOX, PCI, etc.) or incident forensics (who hacked from where). Because Apple has integrated RADIUS with Open Directory, users need only remember and use a single set of credentials rather than yet another username and password. Administrators need only maintain the user accounts and passwords in the directory, rather than a separate user directory or database.
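The audit trail only pays off if someone reads it. As an added example that is not part of this article, the script below parses a handful of authentication log lines and answers the two questions the paragraph raises: which user was on which switch port or access point (with the client MAC the NAS reported), and whether anyone is hammering the network with failed logins. The sample lines are constructed in the style of a FreeRADIUS radius.log; that format is an assumption, so adjust the regular expression to whatever your server actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (FreeRADIUS radius.log style, assumed). Two NASes, three users,
# and one burst of failures for "bob" from the lobby access point before he succeeds on a wired port.
SAMPLE_LOG = """\
Mon Nov 12 09:15:02 2007 : Auth: Login OK: [alice] (from client airport-lobby port 0 cli 00-11-22-33-44-55)
Mon Nov 12 09:15:40 2007 : Auth: Login incorrect: [bob] (from client airport-lobby port 0 cli 00-11-22-33-44-66)
Mon Nov 12 09:15:51 2007 : Auth: Login incorrect: [bob] (from client airport-lobby port 0 cli 00-11-22-33-44-66)
Mon Nov 12 09:16:03 2007 : Auth: Login incorrect: [bob] (from client airport-lobby port 0 cli 00-11-22-33-44-66)
Mon Nov 12 09:16:20 2007 : Auth: Login incorrect: [bob] (from client airport-lobby port 0 cli 00-11-22-33-44-66)
Mon Nov 12 09:16:31 2007 : Auth: Login incorrect: [bob] (from client airport-lobby port 0 cli 00-11-22-33-44-66)
Mon Nov 12 09:30:10 2007 : Auth: Login OK: [bob/<via Auth-Type = EAP>] (from client switch-2924 port 12 cli 00-11-22-33-44-66)
Mon Nov 12 11:02:44 2007 : Auth: Login incorrect: [carol] (from client airport-lobby port 0 cli 00-11-22-33-44-77)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port (?P<port>\d+)(?: cli (?P<mac>\S+))?\)$"
)


def parse_line(line):
    # Return a dict for an Auth line, or None for anything else (blank lines, other log types).
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y")
    d["ok"] = d.pop("result") == "OK"
    d["user"] = d["user"].split("/")[0]  # drop the "/<via Auth-Type = EAP>" suffix if present
    return d


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def failed_login_bursts(events, threshold=5, window_seconds=300):
    # Sliding window per (user, NAS): flag the first time `threshold` failures land inside the window.
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[(e["user"], e["nas"])].append(e["ts"])
    alerts = []
    for (user, nas), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, nas, times[start], end - start + 1))
                break
    return alerts


def access_report(events):
    # Successful logins only: who was on the wire, through which NAS and port, with which client MAC.
    report = defaultdict(set)
    for e in events:
        if e["ok"]:
            report[e["user"]].add((e["nas"], e["port"], e["mac"]))
    return {user: sorted(seen) for user, seen in report.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, nas, first, count in failed_login_bursts(events):
        print(f"ALERT {count} failed logins for {user} via {nas} starting {first}")
    for user, seen in access_report(events).items():
        print(user, seen)
```

The threshold and window are deliberately parameters: a handful of typos from one person looks very different from a steady stream of failures against many accounts, and the per-NAS key lets you tell a flaky access point apart from a single misbehaving client.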

What do you need to deploy a solution like this? Apple Mac OS X 10.5 (Leopard) Server, and either (or both, if you are running wired and wireless) an 802.1X-capable switch such as a Cisco 2924 with appropriate IOS (check your firmware and cisco.com) for wired networks, or an Apple AirPort Extreme or any WPA Enterprise-enabled access point (most consumer 802.11g/n routers from D-Link, Linksys and Netgear support this). That’s all; a little configuration time and you’re off and running. This will support Mac OS X, Windows XP/Vista and most Linux clients right out of the box.

Routers

I must stress the importance of security on your wired and wireless network, and point out that there are more complex access control solutions, like the up-and-coming NAC (network access control) products from vendors such as AEP, Cisco, Juniper and others, which offer more granular control, endpoint policy enforcement and, in some cases, integrated intrusion detection/prevention.

However, some security is better than none, and starting out with WPA Enterprise and 802.1X is better than open network access and WEP wireless security.

Comments

3 Responses to “Protect Your Network with Leopard Server”

  1. New Games Guide on November 11th, 2007 2:32 am


    I couldn’t understand some parts of this article, but it sounds interesting

  2. Eric on January 28th, 2008 7:46 am


    and readers, Let’s DIGG this Blog post so we can get more blog posts FAST!! Good stuff.

  3. Ranjeet Sodhi on February 6th, 2008 6:25 pm

    good article… do you have tips on configuring the OS X Leopard Server firewall to allow Web and mail hosting?
