New spec plugs LAN security gap

Vendors get behind Ethernet authentication protocol.

A group of vendors is proposing a new standard to help protect enterprise nets from internal attack.

The Extensible Authentication Protocol Over Ethernet (EAPOE) is intended to keep users from improperly accessing confidential network resources or stealing passwords. 3Com, Cabletron, Extreme Networks, FORE Systems, Hewlett-Packard and Intel are among those pitching EAPOE to the IEEE. The proposal defines how to authenticate users on LANs inside a company's firewall.

Authentication typically occurs when remote users dial in to a corporate network and attempt to penetrate a firewall.

EAP is an existing IETF standard that enables PPP links to use a range of authentication protocols to identify and admit users dialing in to corporate networks from remote sites. PPP usually employs the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) to communicate with Remote Authentication Dial-In User Service (RADIUS) servers to validate users.

Microsoft is supporting EAP in its upcoming Windows 2000 operating system, says Ron Cully, lead product manager for Windows networking. EAP will help users authenticate dial-up and virtual private network connections to a network using a variety of mechanisms beyond PAP and CHAP, including smart cards, Kerberos and one-time passwords.

APIs in the works

Microsoft also will supply a set of EAP APIs in Windows 2000 that let independent software vendors create new EAP modules for clients and servers. The API can be used by third parties to incorporate such authentication mechanisms as biometrics or retinal scans into Windows 2000, Cully says.

If those Windows 2000 desktops are attached to an Ethernet LAN, EAPOE would ostensibly allow users to employ such authentication procedures across a company's internal LAN. By having EAP embedded in the operating system, users would not have to run additional software on the client or modify network interface card (NIC) driver software in order to support EAPOE, 3Com says.

When a Windows 2000 client requests access to a server, the switch to which that desktop is attached would detect a connection attempt. The switch would then "tell" the authentication server about the new connection attempt.

The server would ask the Windows 2000 desktop system to validate the user. The desktop system would send the user profile to the authentication server, and the user would gain access to the switch port - and the target server - once the profile was validated.
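The exchange described above can be modeled in a few lines. This is an added example, not code from the article or from any of the vendors named: the EAP packet layout (Code, Identifier, Length, Type) and the MD5-Challenge method follow the IETF EAP standard, while the class and function names are hypothetical and the Ethernet framing EAPOE would use is not modeled.

```python
import hashlib, hmac, os, struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # EAP Code values
IDENTITY, MD5_CHALLENGE = 1, 4                    # EAP Type values

def build(code, ident, typ=None, data=b""):
    body = b"" if typ is None else bytes([typ]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 4 <= length <= len(pkt):
        raise ValueError("bad EAP length")
    body = pkt[4:length]
    return code, ident, (body[0] if body else None), body[1:]

def md5_value(ident, secret, challenge):
    # CHAP-style hash: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Desktop:  # hypothetical client: answers whatever the server asks
    def __init__(self, user, secret):
        self.user, self.secret = user, secret
    def answer(self, pkt):
        _, ident, typ, data = parse(pkt)
        if typ == IDENTITY:
            return build(RESPONSE, ident, IDENTITY, self.user)
        value = md5_value(ident, self.secret, data[1:1 + data[0]])
        return build(RESPONSE, ident, MD5_CHALLENGE, bytes([16]) + value)

class AuthServer:  # hypothetical authentication server with constructed users
    def __init__(self, users):
        self.users = users
    def run(self, ask):
        """Drive the exchange; `ask` relays a request and returns the reply."""
        _, _, _, user = parse(ask(build(REQUEST, 1, IDENTITY)))
        challenge = os.urandom(16)
        req = build(REQUEST, 2, MD5_CHALLENGE, bytes([16]) + challenge)
        _, ident, typ, data = parse(ask(req))
        secret = self.users.get(user)
        ok = (secret is not None and typ == MD5_CHALLENGE and ident == 2 and
              hmac.compare_digest(data[1:17], md5_value(2, secret, challenge)))
        return build(SUCCESS if ok else FAILURE, 2)

def switch_port(desktop, server):
    """Port stays closed unless the server's final packet is EAP Success."""
    final = server.run(desktop.answer)   # the switch relays between the two
    return parse(final)[0] == SUCCESS    # True means the port is opened
```

The switch never sees the user's secret in this model; it only forwards packets and acts on the server's final Success or Failure.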

Although EAP is an IETF standard, EAPOE is being proposed within the IEEE because Ethernet is an IEEE 802.X standard. The 802.1 working group within the IEEE is looking into the EAPOE proposal.

3Com sees need

3Com is active in the EAPOE effort because the company is the leading supplier of Ethernet NICs.

"Through discussion with a number of our partners in the educational market, we realized that there was a major problem in securing network connections," says Hamid Karimi, 3Com technical marketing manager. "We need to address secure LAN connections, and we need to take advantage of user identification."

Users say they would welcome the standard. One systems administrator at a financial institution, who requested anonymity, says it would be nice to have options if he began looking at other authentication mechanisms for his RADIUS servers. The administrator says he would prefer a standard way of adding those mechanisms rather than one vendor's proprietary method.

More uses possible

3Com has been using a proprietary technology similar to EAPOE since 1996 on its NICs and switches, Karimi says. In addition to securing connections, 3Com believes EAPOE will be useful in policy-based networking because the user ID aspects of the technology can be used to establish policies for granting network resource access.

"If you know who the users are you can charge them based on the services they use and give them more liquidity in accessing resources within the enterprise," Karimi says.

The EAPOE group will meet next month under the auspices of the IEEE 802.1 working group to formalize its work and debate proposals, Karimi says.

Copyright, 1994-2006 Network World, Inc. All rights reserved.