Updated 2025-12-20. Category: Network Security
Shulou(Shulou.com)06/01 Report--
Take a network with a security classification of level two or higher as an example. To counter unauthorized internal connections (illegal inlining), a terminal desktop management system is deployed and network access is controlled. The main means of admission control are:
(1) admission control based on 802.1X
(2) admission control based on switch port binding
(3) admission control based on authentication gateway
(4) other access controls such as DHCP.
Combining the technical means above plays an important role in protecting boundary integrity, but it cannot completely eliminate the problem of illegal inlining.
Reason analysis:
First: a wireless AP can easily break through 802.1X admission control by using NAT combined with a DMZ. In fact, 802.1X-based admission control is most widely promoted and deployed on university campuses, where its purpose is to charge fees, not to provide security. Searching Taobao for "Campus Network Router 802.1x Authentication" shows many sellers peddling specially modified wireless APs that come with a built-in 802.1X client and are compatible with campus network 802.1X authentication. The method described below can bypass most 802.1X-based admission control systems, including combined controls such as 802.1X + client health check: the legitimate terminal is connected to the DMZ of the wireless AP as a bastion host, and the AP is then connected to the original network using MAC address cloning + NAT. The wireless AP completes the 802.1X access authentication. Once 802.1X authentication has passed, any additional authentication is done by the bastion host, and other wireless devices connected to the wireless AP can access the intranet through the bastion host in the DMZ without re-authenticating.
Second: for terminals that cannot run a client (such as IP phones and network printers), authentication is mostly based on MAC or IP addresses. A wireless AP can easily break through this limitation with MAC cloning + NAT.
Third: for switch port binding, a wireless AP can easily break through this limit with MAC cloning + NAT.
Fourth: the coverage of the access control system determines how effective supervision is, and reaching a coverage rate of 100% is difficult. There are always a small number of terminals that evade supervision in various ways, leaving a blind spot in supervision.
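One defensive check for the MAC clone + NAT pattern in the reasons above, as an added example that is not part of the original article: a NAT device is a routing hop, so traffic it forwards normally arrives with an IP TTL one below an operating-system default, and a port hiding several hosts can show more than one TTL family behind a single MAC. The port names, MAC addresses and observations are constructed, and the sensor is assumed to sit on the same L2 segment as the access port; a hit is a lead for investigation, not proof.

```python
# Added example: heuristic detection of a NAT hop behind a switch access port.
# Assumption: each record is (switch_port, source_mac, ip_ttl) seen by a sensor
# on the same L2 segment, so a directly attached host shows its initial TTL.
from collections import defaultdict

COMMON_INITIAL_TTLS = {64, 128, 255}  # typical operating-system defaults

SAMPLE_OBSERVATIONS = [  # constructed sample data, not a real capture
    ("Gi1/0/1", "00:11:22:33:44:01", 128),
    ("Gi1/0/1", "00:11:22:33:44:01", 128),
    ("Gi1/0/2", "00:11:22:33:44:02", 64),
    ("Gi1/0/3", "00:11:22:33:44:03", 127),  # 128-family host one hop back
    ("Gi1/0/3", "00:11:22:33:44:03", 63),   # 64-family host one hop back
    ("Gi1/0/3", "00:11:22:33:44:03", 127),
    ("Gi1/0/4", "00:11:22:33:44:04", 255),
]


def find_nat_suspects(observations, min_hits=2):
    """Return {(port, mac): [reasons]} for endpoints that look like a NAT hop."""
    ttls_by_endpoint = defaultdict(list)
    for port, mac, ttl in observations:
        ttls_by_endpoint[(port, mac)].append(ttl)

    suspects = {}
    for endpoint, seen in ttls_by_endpoint.items():
        reasons = []
        # Signal 1: TTL exactly one below a common default, seen repeatedly.
        decremented = [t for t in seen if t + 1 in COMMON_INITIAL_TTLS]
        if len(decremented) >= min_hits:
            reasons.append("ttl_decremented")
        # Signal 2: one MAC emitting packets from different initial-TTL
        # families, which suggests several operating systems behind it.
        families = {min(i for i in COMMON_INITIAL_TTLS if i >= t)
                    for t in seen if 0 < t <= 255}
        if len(families) > 1:
            reasons.append("mixed_os_ttl_families")
        if reasons:
            suspects[endpoint] = reasons
    return suspects


if __name__ == "__main__":
    for (port, mac), why in find_nat_suspects(SAMPLE_OBSERVATIONS).items():
        print(f"{port} {mac}: {', '.join(why)}")
```

Ports flagged this way can then be checked against the asset inventory and the physical connection, which also helps shrink the coverage blind spot described in the fourth reason.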
The following forwards an article on cracking it, written by a technologist: http://blog.csdn.net/github_33709120/article/details/50849175. There are many other similar articles; you can search for "Breakthrough 802.1x" on the Internet.