Foundation in 802.1X
Great Bay’s Beacon Endpoint Profiler was created in 2004 as an 802.1X tool designed to address the challenges of discovering, provisioning, and securing non-EAP endpoints on 802.1X-enabled networks. These devices, which include printers, WLAN access points, UPSs, Apple devices, Linux devices, and countless other endpoint types, are frequently referred to as non-responsive hosts or non-EAP endpoints. They are typically provisioned through MAC address authentication, or MAC Authentication Bypass (MAB), which is a method for authenticating devices on an 802.1X-enabled network that will not or cannot run an 802.1X client (supplicant).
Supporting the 802.1X life-cycle
Beacon serves as a critical component in the pre-deployment phase of 802.1X by discovering all network-attached endpoints and serving both as a guide to which endpoints should be running the 802.1X client and as an authentication data store for those endpoints that will not. This inventory is leveraged at deployment time: it greatly reduces the time required to discover network endpoints and allows a single configuration template to be used for all network ports. This single port configuration template (supporting EAP and MAC authentication on every port) greatly simplifies the complexity and reduces the risk associated with deploying and managing 802.1X. Following the deployment of 802.1X, Beacon provides a number of tools and utilities that are essential to the successful management of the 802.1X network, including endpoint location, LDAP integration, endpoint chronology data, and switch configuration information.
Defending against MAC Spoofing and Shadow Host Configuration
The merits of deploying an authentication system are hard to argue with: extending the security boundary of the LAN to the edge of the network, unifying authentication across applications, VPN, WLAN, and the wired LAN, and unlocking important management concepts such as identity, location, and endpoint posture. However, there are some gaps in the security of these systems that should be addressed as part of an enterprise deployment. Chief among these concerns is MAC spoofing: copying the MAC address of a machine that gains network access through MAC authentication and using it on another device so that the second device gains network access as well. Because Beacon continuously certifies the identity of all network-attached endpoints and stores information about each endpoint’s identity, it can perform Identity Monitoring. Identity Monitoring allows the known profile of an endpoint to be continuously certified and updated; when another device appears on the network using the MAC of a known endpoint, the identity value assigned to that device transitions, an event is generated, and the endpoint is no longer able to authenticate to the network as that endpoint type.
In the case of Shadow Host Configuration, which is more complex and therefore more obscure than MAC spoofing, a station is inserted between an authenticated host and a network port. The shadow host copies and uses the address of the authenticated host in an attempt to gain network access, among other things. As with MAC spoofing, the endpoint’s identity value is what allows this to be detected. Depending on the granularity of the endpoint profiles, stations in a shadow host configuration can be detected, an event generated, and authentication of the endpoint(s) in question denied.
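The following is an added example, not Great Bay’s code, that models the Identity Monitoring idea described above for both MAC spoofing and shadow host configuration. Every endpoint admitted through MAC authentication gets a stored profile (its identity); each new observation is re-classified and compared with the stored identity; a conflict produces an identity transition, an event, and a denied MAB authorization. The fingerprint attributes (DHCP vendor class, IP TTL, open ports), the classification rules, and the sample observations are all constructed for the example. The `strict` flag models profile granularity: a coarse profile only catches a device that classifies differently (MAC spoofing), while a fine-grained profile also catches a host whose coarse class still matches but whose attributes differ (a shadow host).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """One observation of an endpoint on the wire (constructed fingerprint attributes)."""
    mac: str
    dhcp_vendor_class: str   # DHCP option 60 as seen, "" if none
    ttl: int                 # IP TTL observed in traffic from the host
    open_ports: frozenset    # ports found listening by the profiler


@dataclass
class Identity:
    """Stored profile for a MAC; `denied` is set once the identity has transitioned."""
    profile: str
    ttl: int
    denied: bool = False


@dataclass(frozen=True)
class Event:
    mac: str
    kind: str
    detail: str


def classify(obs: Observation) -> str:
    """Coarse profile assignment. Rules are a constructed stand-in for a real profiler."""
    if 9100 in obs.open_ports or "Printer" in obs.dhcp_vendor_class:
        return "Printer"
    if obs.dhcp_vendor_class.startswith("MSFT") or 445 in obs.open_ports:
        return "Workstation"
    return "Unknown"


class IdentityMonitor:
    # Only these profiles may be admitted through MAC authentication (assumption).
    AUTHORIZED_PROFILES = {"Printer"}

    def __init__(self, strict: bool = False):
        self.strict = strict                    # compare fine-grained attributes too
        self.identities: Dict[str, Identity] = {}
        self.events: List[Event] = []

    def observe(self, obs: Observation) -> Optional[Event]:
        """Re-certify the identity of `obs.mac`; return an Event if it transitioned."""
        mac = obs.mac.lower()
        profile = classify(obs)
        known = self.identities.get(mac)
        if known is None:                       # first sighting: learn the identity
            self.identities[mac] = Identity(profile, obs.ttl)
            return None
        coarse_change = profile != known.profile
        fine_change = self.strict and obs.ttl != known.ttl
        if not (coarse_change or fine_change):
            return None                         # identity re-certified, nothing to do
        kind = "IDENTITY_TRANSITION" if coarse_change else "PROFILE_ATTRIBUTE_MISMATCH"
        event = Event(mac, kind,
                      f"{known.profile}/ttl={known.ttl} -> {profile}/ttl={obs.ttl}")
        # The stored identity moves to the newly observed one and is flagged so that
        # the MAC can no longer authenticate as the original endpoint type.
        self.identities[mac] = Identity(profile, obs.ttl, denied=True)
        self.events.append(event)
        return event

    def mab_authorize(self, mac: str) -> Tuple[bool, str]:
        """Decision the authentication data store would return for a MAB request."""
        ident = self.identities.get(mac.lower())
        if ident is None:
            return False, "unknown endpoint"
        if ident.denied:
            return False, f"identity transitioned to {ident.profile}"
        if ident.profile not in self.AUTHORIZED_PROFILES:
            return False, f"profile {ident.profile} not authorized for MAB"
        return True, ident.profile


# Constructed observations: a real printer, then two devices reusing its MAC.
PRINTER = Observation("AA:BB:CC:00:00:01", "Hewlett-Packard Printer", 64, frozenset({80, 9100}))
SPOOFER = Observation("AA:BB:CC:00:00:01", "MSFT 5.0", 128, frozenset({135, 445}))
SHADOW = Observation("AA:BB:CC:00:00:01", "", 128, frozenset({9100}))


def run_scenarios() -> Dict[str, Tuple[Optional[str], bool]]:
    """Return (event kind, MAB accepted) for each scenario, coarse and strict profiles."""
    results = {}
    for name, obs, strict in (("spoof", SPOOFER, False),
                              ("shadow_coarse", SHADOW, False),
                              ("shadow_strict", SHADOW, True)):
        monitor = IdentityMonitor(strict=strict)
        monitor.observe(PRINTER)                # learn the legitimate printer
        event = monitor.observe(obs)            # second device shows up with its MAC
        accepted, _ = monitor.mab_authorize(PRINTER.mac)
        results[name] = (event.kind if event else None, accepted)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The shadow host case shows why the text ties detection to profile granularity: a station that keeps the printer’s MAC and leaves port 9100 reachable still classifies as a printer, so only a profile that also tracks finer attributes (here, TTL) transitions the identity and denies authentication.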
Non-Responsive Host and Non-EAP Endpoint Provisioning
In addition to the Beacon Endpoint Profiler, Great Bay also provides the Sponsored Guest Access (SGA) system for provisioning guests, contractors, and non-authenticating endpoints onto the 802.1X network. The machine provisioning aspect of SGA is especially important for networks that use remote imaging systems such as PXE boot, for those that intend to add new endpoints to the 802.1X network, and for those that send help desk technicians into the field to assist users with issues regarding the OS, communications, file and print services, etc. The ability to give these machines temporary connectivity, independent of their ability to authenticate or pass posture checks, has proven to be one of the most compelling operational advantages of using Great Bay’s technology as an 802.1X management toolkit.
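As an added example, not SGA’s own code, the following models the sponsored temporary grant described above: a sponsor records a MAC, a purpose, and an expiry; while the grant is valid the device is admitted onto a restricted provisioning VLAN regardless of posture; once it expires the grant is removed and the device falls back to the normal policy (rejected unless otherwise profiled). The VLAN name, the maximum grant duration, and the sample MACs are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    mac: str
    sponsor: str
    purpose: str
    expires_at: datetime
    vlan: str


class SponsoredAccess:
    # Restricted VLAN carrying only imaging/help-desk services (assumed name).
    PROVISIONING_VLAN = "provisioning"
    # Cap on any single grant so a forgotten sponsorship cannot become permanent (assumption).
    MAX_DURATION = timedelta(hours=8)

    def __init__(self):
        self.grants: Dict[str, Grant] = {}
        self.audit: List[str] = []              # decision log, one line per event

    def sponsor(self, mac: str, sponsor: str, purpose: str,
                hours: float, now: datetime) -> Grant:
        """Create a time-bounded grant; durations above MAX_DURATION are clamped."""
        duration = min(timedelta(hours=hours), self.MAX_DURATION)
        grant = Grant(mac.lower(), sponsor, purpose, now + duration, self.PROVISIONING_VLAN)
        self.grants[grant.mac] = grant
        self.audit.append(f"{now.isoformat()} GRANT {grant.mac} by {sponsor} "
                          f"until {grant.expires_at.isoformat()}: {purpose}")
        return grant

    def revoke(self, mac: str, now: datetime) -> bool:
        """Sponsor or help desk ends access early; returns True if a grant existed."""
        grant = self.grants.pop(mac.lower(), None)
        if grant is not None:
            self.audit.append(f"{now.isoformat()} REVOKE {grant.mac}")
        return grant is not None

    def authorize(self, mac: str, now: datetime,
                  posture_ok: Optional[bool]) -> Tuple[str, str]:
        """Decision for a device with no supplicant and no profiled identity.

        posture_ok is accepted but deliberately ignored while a grant is valid:
        the point of the grant is connectivity for a machine that cannot yet
        authenticate or pass posture (e.g. it is about to be PXE-imaged).
        """
        mac = mac.lower()
        grant = self.grants.get(mac)
        if grant is None:
            return "reject", "no grant"
        if now >= grant.expires_at:
            del self.grants[mac]                # expired grants are cleaned up on use
            self.audit.append(f"{now.isoformat()} EXPIRE {mac}")
            return "reject", "grant expired"
        return "accept", grant.vlan


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    sga = SponsoredAccess()
    sga.sponsor("00:11:22:33:44:55", "jsmith", "PXE reimage", hours=4, now=t0)
    print(sga.authorize("00:11:22:33:44:55", t0 + timedelta(hours=1), posture_ok=False))
    print(sga.authorize("00:11:22:33:44:55", t0 + timedelta(hours=5), posture_ok=True))
    print("\n".join(sga.audit))
```

Keeping the grant on a separate provisioning VLAN and capping its lifetime is what makes “connectivity independent of posture” an acceptable exception rather than a bypass of the 802.1X policy.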