By Paula Musich  |  Posted 2005-05-31 Print this article Print

Compared with alternative edge-point access control approaches, such as IEEE 802.1x and NAT(Network Address Translation), Meta IP and SAFE DHCP are less costly, offer greater interoperability and are ready now, said MetaInfos Asplund.

"IEEE 802.1x or hardware layer controls are smart solutions, but theyre very costly," Asplund said. "And the likelihood of full interoperability between multiple vendors 802.1x implementations is substantially reduced because its a fluid, evolving standard. DHCP and DNS are clear, and theyre not evolving. A NAT strategy requires that you replace the entire edge, and its only as good as the last piece of hardware that supports it."

The DHCP-based authentication also leaves that function to hosts rather than to network switches or routers.

"This is good because IP networks work best when they are dumb packet handlers. Reliability and QOS [quality of service] suffer when you jam too many smarts into a packet network," said Daniel Golding, an analyst at market research company Burton Group, in Midvale, Utah.

Click here to read about how much security do you really get with NAT firewalls. "DHCP-based authorization protects you against the most likely attacks—visitors with infected laptops, contractors without updated virus detection, etc.," said Golding. But the downside is that "there is no widely implemented, standards-based DHCP authentication. MetaInfos approach is proprietary, but they do support efforts to standardize it," he said.

Cisco Systems Inc. is pursuing a multipronged NAC (network access control) strategy that uses IEEE 802.1x, RADIUS and extensions to several other security protocols that involve key exchanges for authentication. "That is very expensive to deploy," said Asplund.

Microsoft Corp., for its part, plans to implement network access protection in software, which quarantines hosts at the IP layer. But that functionality wont be available for at least two or three years, as Microsoft strives to make it work with Ciscos NAC strategy.

"Ive been harping on this for about a year," said Duncan. "We needed to centralize DHCP, centralize DNS and have a centralized inventory address database we could manage our addresses from. Cisco and Microsofts work is down the road, but we need a solution today."

Using IP address management as another layer of security is one piece of a puzzle that extends throughout the enterprise, said LoTruglio. "You need a whole set of tools that start at the perimeter and run throughout the infrastructure and run at the host as well," he said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel