Open Systems Connect Model and Authentication

Let’s just take a moment then to look at the OSI layer. This is the segmentation of the Open Systems Interconnect model, which is standardized as an international standard, and it’s a way of segmenting the different layers of the network. We have the physical layer.

The physical layer: the type of traffic we have with the physical layer is zeros and ones. So we have signal or no signal on a copper wire, light or no light on a fibre optic cable.

The datalink layer: here we see at layer two, frames, as a type of traffic. The type of devices at layer two, we see switches, and at layer two, this is pre-IP address. We don’t see an IP address at layer two. Instead, the address we see at layer two is the burnt in address, the 48-bit MAC address, Media Access Control address. This is the address that arrives with the equipment. Each network device has a Media Access Control address burnt in as part of the hardware. It is possible using tools to change this, but it arrives with a hardware address, and it’s called the burnt-in address because it is pre-configured.

The 48 bit MAC address at layer two is segmented into two halves. The first relates to the manufacturer ID and the second half relates to the device ID. Put together, that creates a globally unique ID that’s baked into the hardware. At layer three, we see IP addresses arising. At layer three, we have an IP address, and the type of traffic we see at layer three is a packet. The devices we see at layer three are typically firewalls and routers. And here we see the segmentation of higher level traffic from the application layer. It’s chopped up into packets for transmission. And the routers, their job is to try and get those packets to the next closest hop to their destination.

The term packet switching arises at layer three because the routers may send each packet via different router interface, depending on the interface it thinks works best at that particular time. So it may send 10 packets down the first interface, but then if that’s congested, it may use the second interface. So it may load balance the traffic between different interfaces. So there’s no guarantee of a dedicated route for that traffic. At layer four, we’ve got the transport layer. The addresses we see at layer four are actually ports. We mentioned port 53 for DNS, port 389 for LDAP. So here we see the transport layer ports, these are the addresses.

So one IP address representing a host, maybe suffixed with a number of different ports. If the IP address is the equivalent of a house, then the ports are equivalent to the different doors and windows through which we can access the property. At layer four, the devices we see, again, are routers and firewalls, typically. At layer five, we see the session layer. The session layer has no security. It’s worthwhile remembering, so the session layer does not concern itself with security. Layer six, we see the presentation layer. This is about formatting to the correct format, things like ASCII. And layer seven is the application layer. This is not the application itself, this is typically the network stack on the client operating system.

So we can look at authentication at different points in this layer. If we’re logging onto a web page, typically we’re logging on at layer seven, at the application layer. But we can log in at a far lower level. We can restrict or grant access based on a port at layer four, based on an IP address at layer three, but we have a layer two authentication which occurs before an IP address is even in play. So layer two authentication allows us to authenticate at a switch level, or via wireless. So here we are using the Media Access Control, the MAC address, as a form of authentication.

We can use pre-shared keys, and we can use this in combination with 802.1x to provide a really strong model for authenticating to wireless. So layer two authentication, we can integrate with something like Radius and an identity provider - something like Active Directory - and this enables individual switchports and wireless access to be controlled at layer two before IP addresses are even assigned. By the time a DHCP server or a client is getting, obtaining an IP address, that device is on the network. At layer two, that happens at a much earlier stage, it happens at a precursor to that. So this controls network access before IP assignment.

The benefit of this as well is it leverages the existing authentication infrastructure provided by a service like Active Directory, and uses Radius to provide the interface between the managed network device and the active directory server. So here we see a typical 802.1x architecture. We have the client connecting to a Wireless Access Controller. The Wireless Access Controller passes the information to the Radius server. The Radius server checks with Active Directory, and Active Directory passes the response back along. And if that process is successful, then the client is authenticated at layer two, and can move forward to requesting an IP address at layer three.

We said for layer three, we have access control lists, which can provide or restrict access based on an IP address or a port. We encounter technologies like WISPr Authentication. WISPr stands for Wireless Internet Service Provider Roaming. And this is a method for browser-based or smart client login at a captive portal. This is what you see with a lot of the wireless hotspots. You get a browser popping up, whatever URL you type into the web browser, it pops up with a login prompt for that network. This integrates again with Radius, and provides a method of logging, authenticating through SSL - Secure Sockets and XML protocols. And this was first supported by Aruba, the wireless provider Aruba.