
Contents

Learning Targets
Authentication, Authorization & Accounting
Password Management
User Accounts
Brute Force Attack
Securing the Network
Client/Server Model
EAPoL Exchange
Security Server
Port Security
Static MAC address-based authentication
IEEE 802.1x Authentication
IEEE 802.1x and MAC address based Authentication

Industrial Networks Education Security in Industrial Networks


Siemens AG © 2016. All rights reserved 2-1 Hardening the Switch
Authentication
Authentication is the process of verifying the identity of a device or user that attempts to access a network resource, confirming that it really is the entity it claims to be. Authentication of users typically relies on a user ID/password combination.
Authorization
Authorization is the process, performed after authentication, of determining whether a user who tries to access a device or data, or to execute a command, has the permission to do so.
Accounting
Accounting is the logging, auditing and monitoring of data, access, usage and events on network resources, so that actions can later be traced back to an authenticated identity.

RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that enables network switches/routers to communicate with a central server to authenticate users and authorize their access to the requested system or service.
Login Authentication
Mode {localonly, radius_local, radius_then_local}
Sets the method used to authenticate a user's login.
localonly - Authenticates against the local user database only.
radius_local - Authenticates against the RADIUS server first. Only if the RADIUS server is unreachable does the system fall back to the local user database; a rejection by the RADIUS server is final.
radius_then_local - Authenticates against the RADIUS server first. If that fails for any reason, including a rejection by the server, the system then tries the local user database. In this mode an account disabled on the RADIUS server can still log in with a local account, so local credentials must be managed as carefully as the central ones.

User Accounts
Default accounts shipped on the switch:

  User name   Default password   Privilege
  guest       guest              view only
  operator    operator           view, reset alarms, statistics, logs
  admin       admin              full access

Each default password is identical to the user name. All three must be changed during commissioning; the brute-force protection described next slows down password guessing but offers no protection against a known default credential.

Brute Force Attack
RUGGEDCOM ROX II features a Brute Force Attack (BFA) protection mechanism against password guessing via the CLI, Web interface and NETCONF. The mechanism analyzes the behavior of external hosts trying to access the SSH port, specifically the number of failed logins. After 15 failed login attempts, the IP address of the host is blocked for 720 seconds (12 minutes). The threshold of 15 leaves room for the various legitimate ways of accessing the device, notably when the same or different ports are used across a series of failed logins.
Default: Enabled

Note: Failed logins must happen within 10 minutes of each other to be considered malicious behavior; failures spaced more widely apart do not accumulate towards the threshold.
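The lockout logic described above, as an added example that is not Siemens or ROX II code: a per-source-IP guard that blocks after 15 failures which each follow the previous one within 10 minutes, for 720 seconds, replayed over constructed sshd-style log lines. The log format, the class name BruteForceGuard and the decision that a successful login neither counts nor resets the run are this example's assumptions; the three thresholds are the ones quoted on the slide.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 15                        # failed logins before the source IP is blocked
FAILURE_WINDOW = timedelta(minutes=10)   # consecutive failures farther apart than this do not chain
BLOCK_DURATION = timedelta(seconds=720)  # 12 minutes


class BruteForceGuard:
    """Per-source-IP lockout. Time comes from the events, so a replay is deterministic."""

    def __init__(self):
        self.chain = defaultdict(list)   # ip -> timestamps of the current run of failures
        self.blocked_until = {}          # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]   # block has expired; counting starts afresh
            return False
        return True

    def record(self, ip, success, now):
        """Feed one login event; returns 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip, now):
            return "blocked"             # attempts during the block are dropped, not counted
        if success:
            return "ok"                  # assumption: a success neither counts nor clears the run
        run = self.chain[ip]
        if run and now - run[-1] > FAILURE_WINDOW:
            run.clear()                  # gap too large: this failure starts a new run
        run.append(now)
        if len(run) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_DURATION
            run.clear()
            return "blocked"
        return "failed"


# Constructed sshd-style lines (not real ROX II log output); the format is this example's own.
LOG_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for \S+ from (\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2) == "Accepted", m.group(3)


def replay(lines):
    """Run the guard over log lines in time order; returns [(timestamp, ip, verdict), ...]."""
    guard, verdicts = BruteForceGuard(), []
    for line in sorted(lines):           # ISO-8601 timestamps sort correctly as text
        parsed = parse_line(line)
        if parsed is not None:
            ts, ok, ip = parsed
            verdicts.append((ts.isoformat(), ip, guard.record(ip, ok, ts)))
    return verdicts


T0 = datetime(2016, 3, 1, 10, 0, 0)


def _line(dt, verdict, ip):
    return f"{dt.isoformat()} sshd: {verdict} password for admin from {ip} port 50000"


SAMPLE_LOG = (
    # 10.0.0.5: 15 failures one second apart -> blocked on the 15th (until T0 + 14 s + 720 s)
    [_line(T0 + timedelta(seconds=i), "Failed", "10.0.0.5") for i in range(15)]
    + [_line(T0 + timedelta(minutes=5), "Failed", "10.0.0.5")]    # still inside the block
    + [_line(T0 + timedelta(minutes=13), "Failed", "10.0.0.5")]   # block expired: counted afresh
    # 10.0.0.6: 20 failures spaced 11 minutes apart never chain, so it is never blocked
    + [_line(T0 + timedelta(minutes=11 * i), "Failed", "10.0.0.6") for i in range(20)]
)

if __name__ == "__main__":
    for ts, ip, verdict in replay(SAMPLE_LOG):
        print(ts, ip, verdict)
```

The second host shows the limit of the mechanism: an attacker who paces attempts slower than one per 10 minutes is never blocked, which is why strong, non-default passwords (or RADIUS with its own lockout policy) remain necessary.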

Securing the network
• Starts with physical security
• Includes management login (device access)
• Includes authenticating LAN users (network access)
• May include encryption, although this is resource intensive and only necessary for ultra-high security environments
• This is as much a business policy decision as it is an IT decision
• May have legal and regulatory implications (SOX, the Sarbanes-Oxley Act; NERC CIP; etc.)

802.1X Port-based authentication
IEEE 802.1X is port-based, layer 2 (MAC layer) authentication on IEEE 802 networks. It uses EAP (Extensible Authentication Protocol) as the authentication framework and carries it over the LAN as EAPoL.
Overview:
• Originally standardized for wired Ethernet ports (802.1X-2001); its best-known use is securing WLANs via IEEE 802.11i
• Port-based network access control protocol
• Authenticates and controls device access to the LAN
• A user-side device is granted LAN access only after it passes authentication
• Authentication failure leaves the port in the Unauthorized state, in which only EAPoL frames are accepted
• Client/Server model with three entities: Supplicant, Authenticator and Authentication Server

1) The supplicant system is an entity residing at one end of the LAN segment and is authenticated by the authenticator system connected to the other end of the LAN segment. The supplicant system is usually a user terminal device.
802.1X authentication is initiated when the 802.1X client program (the supplicant software) starts on the supplicant system. Note that the client program must support EAPoL (EAP over LANs).
2) The authenticator system authenticates the supplicant system. The authenticator system is usually an 802.1X capable network device such as this switch. It provides the port through which the supplicant system accesses the LAN.
3) The authentication server system is an entity that provides the authentication service to the authenticator system. Normally a RADIUS server, the authentication server system performs AAA (authentication, authorization, and accounting).

EAP over LAN (EAPoL)
EAPoL is the encapsulation that carries EAP packets between the supplicant and the authenticator directly over the LAN MAC service (Ethertype 0x888E), without IP.
Authentication Process and Message Exchange
When the link comes up, if the Supplicant does not receive an EAP-Request/Identity message from the Authenticator, the Supplicant initiates authentication by sending an EAPOL-Start frame, which prompts the switch to request the Supplicant's identity. If the Authenticator port connected to the Supplicant is not configured for 802.1X (Security Mode dot1X on ROX II; dot1x port-control auto in Cisco IOS terminology), the Authenticator does not process EAPOL frames on that port and the port remains in the Unauthorized state.

The Authenticator sends an EAP-Request/Identity message to the Supplicant. The Supplicant replies with an EAP-Response/Identity message carrying its identity, indicating to the Authenticator that it should proceed with authentication.
The Authenticator acts as a pass-through: it encapsulates the EAP-Response in one or more EAP-Message attributes inside a RADIUS Access-Request sent to the Authentication Server (RADIUS server). RFC 3579 requires every such request to carry a Message-Authenticator attribute (an HMAC-MD5 over the packet, keyed with the shared secret) so that the server can detect spoofed or tampered requests.

On receiving the Access-Request, the RADIUS server responds with an Access-Challenge containing an EAP-Message attribute (and usually a State attribute that the Authenticator must echo unchanged in its next Access-Request). If the RADIUS server does not support EAP, it sends an Access-Reject. The Authenticator decapsulates the Access-Challenge and passes the EAP packet to the Supplicant as an EAP-Request for the selected EAP method. The Supplicant answers with an EAP-Response, which the Authenticator again wraps in an Access-Request carrying EAP-Message attributes. This Challenge/Request round trip repeats as many times as the EAP method needs. When the method completes successfully, the RADIUS server responds with an Access-Accept carrying EAP-Success, which the Authenticator decapsulates and forwards to the Supplicant; if the method fails, an Access-Reject carrying EAP-Failure is forwarded instead and the port stays Unauthorized.

After EAP-Success the authentication is complete and the port state changes to Authorized. The port state changes back to Unauthorized when the link state on the port changes from UP to DOWN, or when the Authenticator receives an EAPOL-Logoff message.
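The EAPOL framing and the authenticator-side port state transitions described above, as an added example that is not part of the Siemens material or the ROX II firmware. Frame layouts follow the IEEE 802.1X EAPOL header and the RFC 3748 EAP header; the RADIUS pass-through is reduced to a single server_result() call, the MAC-Authentication Bypass fallback to eap_timeout(), and the class and method names are this example's own.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"   # destination MAC of EAPOL frames on wired LANs
EAPOL_VERSION = 2                          # 802.1X-2004; the 2001 edition used 1

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3   # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4       # EAP codes
EAP_TYPE_IDENTITY = 1


def eapol(ptype, body=b""):
    """EAPOL PDU: version(1) type(1) length(2) body. The Ethernet header is not shown."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap(code, ident, etype=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) type-data]. Success/Failure carry no type."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")   # never trust the length field blindly
    return version, ptype, body


def parse_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    if code in (EAP_REQUEST, EAP_RESPONSE) and length > 4:
        return code, ident, pkt[4], pkt[5:length]
    return code, ident, None, b""


class AuthenticatorPort:
    """One 802.1X-controlled switch port; state is 'Unauthorized' or 'Authorized'."""

    def __init__(self, dot1x_enabled=True, mac_auth_bypass=False):
        self.enabled = dot1x_enabled
        self.mac_auth_bypass = mac_auth_bypass
        self.state = "Unauthorized"
        self.identity = None
        self.next_id = 1

    def receive(self, frame):
        """Process one EAPOL frame from the supplicant; return the reply frame or None."""
        if not self.enabled:
            return None   # port not in 802.1X mode: EAPOL is ignored, port stays Unauthorized
        _version, ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            return self.request_identity()
        if ptype == EAPOL_LOGOFF:
            self.state, self.identity = "Unauthorized", None
        elif ptype == EAPOL_EAP_PACKET:
            code, _ident, etype, data = parse_eap(body)
            if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY:
                # a real authenticator now wraps this packet in a RADIUS EAP-Message attribute
                self.identity = data.decode("utf-8", "replace")
        return None

    def request_identity(self):
        pkt = eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
        self.next_id = (self.next_id % 255) + 1
        return eapol(EAPOL_EAP_PACKET, pkt)

    def eap_timeout(self, src_mac):
        """No EAPOL reply: with MAC-Authentication Bypass the source MAC becomes the identity."""
        if self.mac_auth_bypass:
            self.identity = src_mac.lower()
            return self.identity
        return None   # plain dot1X: the port simply stays Unauthorized

    def server_result(self, accepted, ident):
        """Relay the RADIUS verdict: Access-Accept -> EAP-Success, Access-Reject -> EAP-Failure."""
        self.state = "Authorized" if accepted else "Unauthorized"
        return eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if accepted else EAP_FAILURE, ident))

    def link_down(self):
        self.state, self.identity = "Unauthorized", None


def run_exchange():
    """Start -> Request/Identity -> Response/Identity -> Accept -> Success -> Logoff."""
    port = AuthenticatorPort()
    trace = [port.state]
    _, _, body = parse_eapol(port.receive(eapol(EAPOL_START)))
    code, ident, etype, _ = parse_eap(body)
    if (code, etype) != (EAP_REQUEST, EAP_TYPE_IDENTITY):
        raise RuntimeError("expected EAP-Request/Identity")
    port.receive(eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, b"plc-01")))
    port.server_result(True, ident + 1)   # the method's Challenge/Request rounds are elided
    identity, trace = port.identity, trace + [port.state]
    port.receive(eapol(EAPOL_LOGOFF))
    return identity, trace + [port.state]
```

The parsers reject length fields that disagree with the frame, which is the check a real authenticator must make before handing supplicant-controlled bytes to a RADIUS client.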

Port Security
Security Mode
Synopsis: { Off, per_macaddress, dot1X, dot1x/MAC-Auth }
Default: Off
Enables or disables the port access control feature for the port. The following port access control types are available:
1) Static MAC address based (per_macaddress). With this method, the authorized MAC address(es) are configured in the static MAC address table. If some MAC addresses are not known in advance (or it is unknown behind which port they will reside), the switch can be configured to auto-learn a certain number of MAC addresses on the port.
2) IEEE 802.1X standard authentication (dot1X).
3) IEEE 802.1X with MAC Authentication (dot1x/MAC-Auth), also known as MAC-Authentication Bypass. With this method, the device can authenticate a client based on its MAC address if IEEE 802.1X authentication times out, i.e. the client never answers the EAP-Request/Identity.
Auto Learn
Default: 0
The maximum number of MAC addresses that can be dynamically learned on the port. If static addresses are configured on the port, the number of addresses that can actually be learned is this number minus the number of static MAC addresses.
Shutdown Time
How long to shut down the interface if a security violation (a frame from a MAC address that is neither static nor within the learn limit) occurs.
Shutdown Enable
Enables/disables administrative shutdown of the interface if a security violation occurs. With shutdown disabled, the offending frames are dropped but the port stays up for the authorized addresses.

Static MAC address-based authentication
With this method, the authorized MAC address(es) are configured in the Static MAC Address table. If some MAC addresses are not known in advance (or it is unknown behind which port they will reside), the switch can be configured to auto-learn a certain number of MAC addresses. Once learned, they do not age out; they can only be removed from the static MAC table by the user. Note that this binds access to a MAC address, which any host on the segment can spoof, so it is a weaker control than 802.1X and mainly protects against accidental or opportunistic connection of unknown equipment.
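The three port-security knobs above (static MAC table, Auto Learn reduced by the number of static entries, and administrative shutdown for Shutdown Time after a violation), as an added example that is not ROX II code. The class name SecurePort, the verdict strings and the constructed traffic in scenario() are this example's own; that a shut-down port drops even its static hosts follows from the interface being administratively down.

```python
class SecurePort:
    """Static-MAC port access control with Auto Learn and violation shutdown."""

    def __init__(self, static_macs, auto_learn=0, shutdown_enable=True, shutdown_time=300):
        self.static = {m.lower() for m in static_macs}   # entries from the static MAC table
        self.learned = set()                             # auto-learned entries never age out
        # Auto Learn is the total allowed on the port, so learning room shrinks by the static count
        self.learn_room = max(0, auto_learn - len(self.static))
        self.shutdown_enable = shutdown_enable
        self.shutdown_time = shutdown_time               # seconds
        self.shutdown_until = None
        self.violations = []                             # (time, mac) of every violation seen

    def forward(self, src_mac, now):
        """Verdict for one ingress frame with source MAC src_mac at time now (seconds)."""
        src_mac = src_mac.lower()
        if self.shutdown_until is not None:
            if now < self.shutdown_until:
                return "dropped:port-shutdown"           # admin-down: nothing passes, not even static hosts
            self.shutdown_until = None                   # Shutdown Time elapsed, port re-enabled
        if src_mac in self.static or src_mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.learn_room:
            self.learned.add(src_mac)
            return "forwarded:learned"
        self.violations.append((now, src_mac))
        if self.shutdown_enable:
            self.shutdown_until = now + self.shutdown_time
            return "dropped:violation-shutdown"
        return "dropped:violation"                       # frame dropped, port stays up

    def remove_learned(self, mac):
        """Learned entries leave the table only through an operator action."""
        self.learned.discard(mac.lower())


def scenario():
    """Constructed traffic: one static host, Auto Learn 2 (room for one learned address)."""
    port = SecurePort(static_macs=["00:0A:DC:00:00:01"], auto_learn=2, shutdown_time=300)
    events = [
        (0, "00:0a:dc:00:00:01"),    # static entry
        (1, "00:0a:dc:00:00:02"),    # unknown, within learn room -> learned, never ages out
        (2, "00:0a:dc:00:00:03"),    # second unknown -> violation, port shut down until t=302
        (3, "00:0a:dc:00:00:01"),    # even the static host is cut off during the shutdown
        (302, "00:0a:dc:00:00:01"),  # Shutdown Time elapsed
        (303, "00:0a:dc:00:00:02"),  # the learned entry survived the shutdown
    ]
    return [port.forward(mac, t) for t, mac in events], port


if __name__ == "__main__":
    verdicts, port = scenario()
    print(verdicts)
    print("violations:", port.violations)
```

The scenario shows the trade-off behind Shutdown Enable: with it on, a single stray (or spoofed) frame takes the whole port, including the legitimate static host, offline for Shutdown Time, which on a control network can be a denial-of-service lever as well as a protection.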

IEEE 802.1X Authentication
IEEE 802.1X (dot1X) is the standard authentication mechanism for port-based network access control and provides a means of authenticating and authorizing devices attached to LAN ports.

Assigning VLANs with Tunnel Attributes

RUGGEDCOM ROX II supports assigning a VLAN to the authorized port using the tunnel attributes defined in RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID) returned in the Access-Accept, when the Port Security mode is set to 802.1x or 802.1x/MAC-Auth. This lets the RADIUS server place each authenticated device in its VLAN centrally instead of configuring it per port.

IEEE 802.1X with MAC-Authentication, also known as MAC-Authentication Bypass
With this option, the device can authenticate a client based on its MAC address if IEEE 802.1X authentication times out, i.e. the attached device has no supplicant (typical for printers, sensors and legacy PLCs). The switch then presents the MAC address to the RADIUS server as the identity, so the server needs an entry per such device. Since a MAC address can be spoofed by any host with physical access to the segment, MAC-Auth should be limited to devices that cannot run a supplicant. VLAN assignment via the RFC 3580 tunnel attributes works in this mode exactly as for plain 802.1X.

RADIUS
A RADIUS server minimizes the effort involved in administering users and specifying user rights, because every switch queries the same centralized RADIUS database.
Adding a user to the network does not require adding it to every network element; it is enough to add it to the centralized database.
Changing the admin password is no longer a challenge, as you do not have to log in to each device and change it: a single entry on the RADIUS server is changed, since all network elements refer to the same database for authentication. The local accounts remain as fallback (see Login Authentication) and must still be maintained.
Configuration
• IP address of the primary/secondary RADIUS server
• UDP port number used to communicate with the RADIUS server for authentication (1812 by convention)
• Authentication key: the shared secret between the switch and the RADIUS server. It keys the Message-Authenticator and Response Authenticator that protect the exchange against spoofed servers and tampered packets, and it obfuscates user passwords, so use a long random secret, ideally one per switch, and keep RADIUS traffic on the isolated management network since the protocol itself is not encrypted
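The RADIUS side of the exchange, as an added example that is not Siemens or ROX II code: an Access-Request carrying an EAP-Response/Identity in an EAP-Message attribute with the mandatory Message-Authenticator (RFC 3579), an Access-Accept with EAP-Success and the RFC 3580 tunnel attributes that assign a VLAN, and the switch-side validation of the Response Authenticator and Message-Authenticator under the shared secret configured above. The shared secret, Request Authenticator and identity "plc-01" are constructed values, and the function names are this example's own; a real switch draws the Request Authenticator from a cryptographic random source.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE = 1, 64, 65, 79
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6      # RFC 3580 values


def attr(atype, value):
    """RADIUS attribute TLV: type(1) length(1) value; a value holds at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def _finish(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator: HMAC-MD5 keyed with the shared secret over the packet with
    the Request Authenticator in the authenticator field and the HMAC's own value zeroed."""
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
    return head, attrs[:-16] + mac


def build_access_request(ident, request_auth, secret, username, eap_packet):
    """Switch -> server. EAP is split over EAP-Message attributes of at most 253 bytes."""
    attrs = attr(USER_NAME, username)
    for i in range(0, len(eap_packet), 253):
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    head, attrs = _finish(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return head + request_auth + attrs


def build_access_accept(ident, request_auth, secret, vlan_id, eap_success):
    """Server -> switch: EAP-Success plus RFC 3580 tunnel attributes (tag 1) assigning a VLAN."""
    attrs = (attr(EAP_MESSAGE, eap_success)
             + attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan_id).encode()))
    head, attrs = _finish(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def parse_attrs(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pos, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def verify_message_authenticator(pkt, request_auth, secret):
    """Recompute the HMAC with its value zeroed; for a reply, request_auth is the request's."""
    for atype, pos, value in parse_attrs(pkt)[3]:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:4] + request_auth + pkt[20:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False    # an EAP Access-Request without Message-Authenticator must be discarded


def validate_access_accept(pkt, request_auth, secret):
    """Switch side: check both authenticators, then read the VLAN from the tunnel attributes."""
    code, _ident, resp_auth, attrs = parse_attrs(pkt)
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if not verify_message_authenticator(pkt, request_auth, secret):
        raise ValueError("Message-Authenticator missing or wrong")
    if code != ACCESS_ACCEPT:
        return None
    groups = {}                        # tag -> {attribute type: value without tag}
    for atype, _pos, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)  # RFC 2868 tag rule
            groups.setdefault(tag, {})[atype] = body
    for g in groups.values():
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return int(g[TUNNEL_PRIVATE_GROUP_ID])
    return None


def demo(secret=b"constructed-shared-secret"):
    """Identity round trip with constructed values; returns (request verified, assigned VLAN)."""
    request_auth = bytes(range(16))                        # real switches use os.urandom(16)
    eap_identity = b"\x02\x01\x00\x0b\x01plc-01"           # EAP-Response/Identity "plc-01"
    req = build_access_request(7, request_auth, secret, b"plc-01", eap_identity)
    request_ok = verify_message_authenticator(req, request_auth, secret)   # server-side check
    acc = build_access_accept(7, request_auth, secret, 20, b"\x03\x01\x00\x04")  # EAP-Success
    return request_ok, validate_access_accept(acc, request_auth, secret)
```

Both checks in validate_access_accept depend only on the shared secret, which is why a weak or reused secret lets anyone on the management network forge an Access-Accept that authorizes a port and places it in a VLAN of their choosing.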
