Guest

Identity Based Networking Services

IT Service Provider Brings 802.1X Security to Wired Network

  • Viewing Options

  • PDF (117.7 KB)
  • Feedback

Siemens IT Solutions and Services uses Cisco 802.1X security solution to control network access for mobile workforces.

Challenge

Siemens IT Solutions and Services is an internationally leading provider of IT solutions and services. It covers the entire IT service chain from a single source, from consulting to system integration right through to the management of IT infrastructures. The organization supports customers in a broad range of industries, but its largest customer currently is the Siemens group of consolidated companies with offices in more than 190 countries.
Maintaining a secure environment for an organization the size of Siemens is difficult enough when all employees work from fixed locations. As workers have become more mobile and business applications have evolved over the past several years, however, the challenge has become even greater.
"The traditional network barriers that separated trusted from untrusted and `inside' from `outside' are now disappearing," says Thomas Kraemmer, who is responsible for technical solution design for LAN services at Siemens IT Solutions and Services. "As more applications become directly accessible to remote users and systems, the concept of the network perimeter has become increasingly vague and more difficult to protect."
As the traditional network perimeter has eroded, Siemens asked for solutions which shift its focus from simply preventing intrusions to trying to control the behavior of users and devices on the network.
Siemens IT Solutions and Services initially relied on a variety of physical security solutions and machine certificate and authentication systems to control employee network access. But with no centralized solution, multiple authorization and access infrastructures could be involved, depending on the user, device, and application. The end result was a complex web of proprietary access systems and end user software clients that was difficult to scale with Siemens' increasingly mobile workforce. Thus Siemens required a smart and efficient security solution that would meet the increased security needs.

Solution

Faced with a LAN environment that was evolving before its eyes, Siemens IT Solutions and Services, in close collaboration with its customer Siemens, turned to the next evolution in access control and jointly designed a secure infrastructure environment based on 802.1X. "In today's networks, access control is essential, and it became clear that 802.1X would be the right technology for implementing identity and authentication features across our entire network portfolio," says Christian Biller, service offering manager responsible for the LAN portfolio at Siemens IT Solutions and Services. The company had previously used IEEE 802.1X port-based authentication capabilities embedded in Cisco Catalyst ® switches to control wireless access only. Since Siemens IT Solutions and Services uses Cisco ® Catalyst switches as one of its standard LAN platforms, the company believed the system could provide the ideal foundation for the global wired environment as well.
"Cisco offered us a very advanced and flexible solution in this area, and could provide us with a lot of experience and technical options with the solution," says Kraemmer.
"If the need arises for a new feature, or we need to support an emerging technology, we know Cisco will integrate that functionality very quickly," continues Kraemmer. "That was very important. We wanted a partner who had the lead in this technology to make sure we wouldn't have to turn back. We want to be able to always move forward."
The Secure Authentication solution uses 802.1X technology to examine every device attempting to gain access to the Siemens LAN. The Cisco switch communicates with both the requesting device and Siemens' authentication and policy servers to determine:

• Identity of the device

• Where the device can go on the network

• Which policy should be applied to the device

Once the device is authenticated, the Cisco switch grants access to the port and applies the appropriate policy. In case the device is moved to a different LAN socket or from LAN to WLAN, authentication has to be redone. Additionally, even when the device is continuously connected, it has to re-authenticate itself in defined intervals to make sure it is still authorized to be connected.

Results

Today, Siemens IT Solutions and Services has a uniform network access security approach that encompasses wired, wireless, and remote network access, extending Secure Authentication to users anywhere, anytime. As a result, Siemens IT Services and Solutions is able to tightly control access to the network, while supporting an increasingly mobile workforce.
"The biggest benefit has been improved security," says Biller. "Creating device profiles that define trust relationships between devices and the network is an essential feature for our customer Siemens and makes sure that all wired and wireless network users can easily be authenticated, authorized, and accounted for."
"The state-of-the-art secure infrastructure environment provided by Siemens IT Solutions and Services works perfectly together with our PKI [Public Key Infrastructure] solution and offers us maximum network security," confirms Thomas Oeser, Corporate IT Governance Information Security at Siemens.
By enforcing authentication and registration of all end devices before granting access, the solution eliminates the threat from unknown devices inside the LAN. It also greatly improves reliability and manageability of the network. It brings more transparency to the network, and allows extensive statistics about the number of devices authenticating and the authentication successes and failures in the environment.
The Siemens IT Solutions and Services authentication solution based on Cisco 802.1X-enabled equipment has also resulted in capital and operational savings. Instead of using multiple proprietary architectures, authentication servers, and client-side solutions, Siemens IT Solutions and Services can now use a centralized, homogeneous authentication solution for all access technologies with a standardized interface to a PKI infrastructure. Additionally, it simplifies office moves by eliminating the need to manually reassign ports or make wiring changes when employees change locations. "Secure Authentication is a valuable extension to our service portfolio and creates additional savings potential for our customers," says Biller.
To support non-Siemens employees, the solution is able to provide guest network connections and predefined visitor access levels that make it easier to access the network resources that guests need, while still maintaining security.

Technical Implementation

The Cisco 802.1X implementation employs two basic components: a software client, called a "supplicant," on the device requesting access, and an "authenticator" service within the Cisco Catalyst switch that verifies the device with Siemens' centralized authentication and policy servers. Unlike proprietary access control systems, however, which require installation of dedicated client software on all devices, the Cisco 802.1X system can use the embedded 802.1X supplicant already included in Windows and other standards-based operating systems. In addition, since the authenticator service is already built into Cisco Catalyst switches, Siemens IT Solutions and Services could deploy the new capabilities without having to upgrade hardware. The fact that these 802.1X features have been implemented consistently across all Cisco Catalyst platforms (the Catalyst 2000, 3000, 4000, and 6000 Series) also helped simplify the deployment, and allowed for easier ongoing management in the large, multinational Siemens network.
To create a single, universal authentication system for the entire company, Siemens IT Solutions and Services implemented a certificate-based PKI solution, which incorporates device authentication via machine certificates and optionally user authentication, via the microprocessors in each user's "smart card" employee ID.
"We've made major strides in the identity management area," says Kraemmer. "We were able to use certificates on smart cards provided by the Siemens PKI to identify employees when they remotely access the network, as well as granting access to portal-based applications they use. In addition, we were able to use machine certificates, also provided by the Siemens PKI, for all standard Windows platforms to make sure we can authenticate the devices and verify that they are authorized to use the network." "And the best part is that the PKI-based secure authentication function has been designed in a way that it can be used for multiple network services, such as LAN, WLAN, and remote access services," adds Biller.
In addition to providing an extensive, scalable authentication solution, the Cisco 802.1X system also provides secure "multi-auth" capabilities, or the ability to securely authenticate multiple devices on a port simultaneously. In practice, the feature means that the Cisco solution will accommodate IP telephones securely, and allow Siemens to integrate its worldwide voice-over-IP (VoIP) infrastructure into the enterprise-wide identity and authentication system.
Siemens IT Solutions and Services began the rollout on a small scale, and proceeded to incorporate larger and larger sites. Within one year, they had deployed Secure Authentication on more than 50,000 switch ports across the Siemens wired LAN environment in Europe. When issues arose, Cisco was always there to provide immediate assistance.
"We had very good cooperation with Cisco throughout the process," says Kraemmer. "When problems came up, we managed to solve them very quickly with the help of Cisco TAC [Technical Assistance Center]. They were very good."

Next Steps

In the coming months, Siemens IT Solutions and Services plans to expand its Secure Authentication solution beyond Europe, to Siemens locations around the world. The company also plans to integrate IP phones with the solution as it proceeds with a global VoIP rollout. Based on the experience implementing an 802.1X solution in a wired environment, Siemens IT Solutions and Services can offer the same type of identity and authentication solutions to all non-Siemens customers.
"It's a unique selling point for Siemens IT Solutions and Services to be able to offer these services to other customers," says Biller. "We can demonstrate that we have implemented this solution on a large scale, we have the experience, and we can now provide consulting and operational support for complex networks incorporating this kind of technology."

For More Information

To find out more about Cisco Identity Based Networking Services that incorporate IEEE 802.1X technology, visit http://www.cisco.com/go/ibns.