IPSec Enforcement Network Policy vs 802.1x Enforcement Network Policy

I've read various online articles but sometimes one of you guys explaining this makes it a lot easier to understand.

In which scenarios would use IPSec Enforcement?
In which scenarios would you use 802.1x enforcement
When would you look to use both?

From my understanding IPSec is encryption between client and server (and visa versa) and the NAP side is ensuring that all traffic is encrypted.

802.1x enforcement would be used with compatible switches as it's a switch based enforcement to ensure that the client machines comply with the preset health policies.

You would use both for ultimate NAP.

Sorry for the rather broad question! I just want to make sure that I'm 100% confident on this material before my next retake!

Find more posts tagged with

Comments

broc

IPSec is encryption, you're right there.

802.1X is for access control, it's not for compliance within a health policy! (well it's use as part of the health policy, NAP, etc...). It's basically used to authenticate at switch port level.

NAP can make use of IPSec and 802.1X to enforce your policy depending on what you want implemented.

As a MCSE:S, you should really be quite familiar with all of that

LukeQuake

broc wrote: »

IPSec is encryption, you're right there.

802.1X is for access control, it's not for compliance within a health policy! (well it's use as part of the health policy, NAP, etc...). It's basically used to authenticate at switch port level.

NAP can make use of IPSec and 802.1X to enforce your policy depending on what you want implemented.

As a MCSE:S, you should really be quite familiar with all of that

I am fairly familar but in all honesty it's been 2 years since I last looked at it!

It's something that I haven't yet been exposed to in a corporate environment and out of all the material is by far by weakest area.

broc

I haven't taken the 649 exam but I did pass the 642 a few weeks ago and it was quite heavy on IPSec, 802.1X, NAP and Windows Firewall.

You should definitely have a look at the 642 book if those area are your weakest'.

I know what you mean though, I have seen many environment where they had all the equipment in place and didn't bother use 802.1X mostly due to lack of knowledge/expertise. Shame as it is a great security feature.

Rootstonian

broc wrote: »

I haven't taken the 649 exam but I did pass the 642 a few weeks ago and it was quite heavy on IPSec, 802.1X, NAP and Windows Firewall.

Oh joy! 642 (my first-ever) scheduled for 02.04.10

Boy, could I ask some questions, but as we all know, the NDA prohibits (and rightly so) that. LOL

I'm solid on IP Addressing, Name Resolution, File/Print Sharing and Monitoring. Configuring Network Access (except Firewall) is my weakest of the 5 objectives. I figure if I can hit 90's/100's on those first 4, I have a little room for error on the NAP, IPSec stuff. It's not that I'm *not* studying it, it just seems (to me) hard to implement on a one-person virtual lab setup.

broc

Rootstonian wrote: »

It's not that I'm *not* studying it, it just seems (to me) hard to implement on a one-person virtual lab setup.

On those areas, more than implementing it, it's understanding it that matter. The implementation is actually "quite easy" but the understanding of the concepts and the design are the key.

If you can understand how IPSec, NAT, TCP/IP and 802.1X works then you'll be fine but there is a lot to learn there!!

Rootstonian

No kidding as the NAP lab in MS Press book was 7 pages (longest one, iirc

)

I understand NAP and the remediation server concepts, VPN and DHCP enforcement types. IPSec and 802.1X are a little tougher to understand. However, was I to implement, odds are I would go with the 802.1X switch route

Keep the roles on your servers as independent as you can w/o having 10 servers for a small company

Sorry for the thread crap/steal here Luke, but I believe we are both studying 70-642 (you may be doing the upgrade to 2008 route vs. my ZERO certs

) and the more the merrier when it comes to learning new stuff.

LukeQuake

No worries at all chief! Feel free to use this to ask any questions you have, it will also help me to grasp this!

I'm studying for the 70-649, I failed it twice last week, both times on the networking (70-642) element. I've ordered the 70-642 book and it should be on my desk on Monday!

Broc - thanks for you help, greatly appreciated and I do agree that a lot of firms don't implement it because it simply isn't understood. That's one of the reasons I want to make sure that I know this material inside out before my next re-take.

HeroPsycho

broc wrote: »

IPSec is encryption, you're right there.

802.1X is for access control, it's not for compliance within a health policy! (well it's use as part of the health policy, NAP, etc...). It's basically used to authenticate at switch port level.

NAP can make use of IPSec and 802.1X to enforce your policy depending on what you want implemented.

As a MCSE:S, you should really be quite familiar with all of that

IPSec is not just about encryption. You can do IPSec without any encryption. It's also about authenticating at the packet level.

802.1x can be used to literally not let someone on the network whatsoever at the switch port. Using IPSec only for NAP would only stop someone from establishing connections to some or all nodes within the network, depending on the policy implemented. They could still be able to have network connectivity, but hosts theoretically they're connecting to would refuse the connections depending on the NAP policy in place.

The advantage of 802.1x is let's say a hacker wanted to attack your physical machines using an exploit of the entire TCP/IP protocol stack. IPSec NAP policy only wouldn't stop him since the TCP/IP stack would process the malformed packet before the OS could make any decision about if they should drop or process the packet based on NAP IPSec policies. 802.1x could have by denying him access at all to the network.

You could use them in conjunction with each other I suppose, although there are often better solutions potentially. For example, if your remediation servers are on the same network as your application servers, you could use 802.1x to stop someone from getting on the network whatsoever if they couldn't authenticate. If they could authenticate, you could then let 802.1x to allow them network access, but if their AV sigs are out of date, use IPSec to not allow them to connect to anything but the remediation servers until their sigs are updated.

With that said, you could have just put the remediation servers in a different subnet, and set 802.1x to allow that port access only to that subnet until the sigs are updated.

LukeQuake

Hero,

Thanks for your post - it's made things ALOT clearer now.

Rootstonian

Agreed. Nice informative post Mr. Hero. lol

Thanks!