
Task 1: Do the following review questions:

5.1 Provide a brief definition of network access control.


 Network access control (NAC) solutions provide network visibility and access management by
enforcing policy on the devices and users that connect to a corporate network.

5.2 What is an EAP?


 The Extensible Authentication Protocol (EAP) carries authentication information between the
supplicant (for example, a Wi-Fi workstation) and the authentication server (Microsoft IAS or another
server). The specific EAP type (method) defines and carries out the actual authentication. The access
point, acting as the authenticator, is only a pass-through (proxy) that allows the supplicant and the
authentication server to communicate.

5.3 List and briefly define four EAP authentication methods.

 EAP-MD5 (Message Digest 5) Challenge is an EAP authentication type that provides base-level
EAP support. EAP-MD5 is typically not recommended for Wi-Fi LAN implementations because it
may allow the user's password to be derived. It provides only one-way authentication: there is no
mutual authentication of the Wi-Fi client and the network. Very importantly, it provides no means
to derive dynamic, per-session Wired Equivalent Privacy (WEP) keys.
 EAP-TLS (Transport Layer Security) provides certificate-based, mutual authentication of the
client and the network. It relies on client-side and server-side certificates to perform
authentication and can be used to dynamically generate user-based and session-based WEP keys
to secure subsequent communications between the WLAN client and the access point. One
drawback of EAP-TLS is that certificates must be managed on both the client and the server side;
for a large WLAN installation, this can be a very cumbersome task.
 EAP-TTLS (Tunneled Transport Layer Security) was developed by Funk Software and Certicom
as an extension of EAP-TLS. This method provides certificate-based, mutual authentication of the
client and the network through an encrypted channel (tunnel), as well as a means to derive
dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side
certificates.
 EAP-FAST (Flexible Authentication via Secure Tunneling) was developed by Cisco. Instead of
using a certificate to achieve mutual authentication, EAP-FAST authenticates by means of a
PAC (Protected Access Credential), which can be managed dynamically by the authentication
server. The PAC can be provisioned (distributed once) to the client either manually or
automatically. Manual provisioning is delivery to the client via disk or a secured network
distribution method; automatic provisioning is an in-band, over-the-air distribution.

5.4 What is EAPOL?


 EAPOL (EAP over LAN), like EAP, is a simple encapsulation that can run over any LAN. The same
three main components (supplicant, authenticator, and authentication server) are defined in EAP
and EAPOL to carry out the authentication conversation. The figure shows how these LAN
components are connected in a wired environment.

5.5 What is the function of IEEE 802.1X?

 The IEEE 802.1X standard defines how to provide authentication for devices trying to connect
with other devices on LANs or wireless LANs.

5.6 Define cloud computing.


 Cloud computing is the delivery of computing services over the Internet. These resources include
tools and applications such as data storage, servers, databases, networking, and software. Rather
than keeping files on a proprietary hard drive or local storage device, cloud-based storage makes it
possible to save them to a remote database. As long as an electronic device has access to the
web, it has access to the data and to the software programs needed to run it.

5.7 List and briefly define three cloud service models.


i. Software as a Service (SaaS): The capability provided to the consumer is to use the provider's
applications running on a cloud infrastructure. The applications are accessible from various
client devices through either a thin client interface, such as a web browser (e.g., web-based
email), or a program interface. The consumer does not manage or control the underlying cloud
infrastructure, including network, servers, operating systems, storage, or even individual
application capabilities, with the possible exception of limited user-specific application
configuration settings.
ii. Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the
cloud infrastructure consumer-created or acquired applications created using programming
languages, libraries, services, and tools supported by the provider. The consumer does not
manage or control the underlying cloud infrastructure, including network, servers, operating
systems, or storage, but has control over the deployed applications and possibly configuration
settings for the application-hosting environment.
iii. Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision
processing, storage, networks, and other fundamental computing resources on which the
consumer is able to deploy and run arbitrary software, which can include operating systems
and applications. The consumer does not manage or control the underlying cloud
infrastructure but has control over operating systems, storage, and deployed applications, and
possibly limited control of select networking components (e.g., host firewalls).

5.8 What is the cloud computing reference architecture?


 A cloud computing reference architecture addresses the concerns of the key stakeholders by
defining the architectural capabilities and a roadmap aligned with the business goals and the
overall architecture vision.
5.9 Describe some of the main cloud-specific security threats.

a. Data breaches
b. Weak identity, credential and access management
c. Insecure interfaces and APIs
d. System and application vulnerability
e. Account hijacking
f. Malicious insiders
g. Advanced persistent threats
h. Data loss
i. Insufficient due diligence

Task 2 (Discussion board): In no less than 250 words, explain why a network engineer
would enable IEEE 802.1X on a Cisco switch port. Give a scenario where this would be
relevant. Also write down the IOS configuration to enable it on a switchport.

802.1X offers exceptional visibility and secure, identity-based access control at the network edge.
With the appropriate design and well-chosen components, you can meet the requirements of your
security policy while minimizing the impact on your infrastructure and end users.

The need for secure network access has never been greater. Consultants, contractors, and guests
now expect access to network resources over the same LAN connections as regular employees, who
may themselves bring unmanaged devices into the workplace. As data networks become increasingly
indispensable in day-to-day business operations, the likelihood that unauthorized people or devices
will gain access to controlled or confidential information also increases. The best and most secure
answer to this vulnerability at the access edge is to use the intelligence of the network itself.

802.1X is an IEEE standard for media-level (Layer 2) access control, offering the ability to permit or
deny network connectivity based on the identity of the end user or device.

802.1X offers the following benefits on wired networks:

• Visibility: 802.1X provides greater visibility into the network because the authentication process
gives a way to link a username with an IP address, MAC address, switch, and port. This visibility is
useful for security audits, network forensics, network usage statistics, and troubleshooting.

• Security: 802.1X is the strongest method of authentication and should be used for managed
assets that support an 802.1X supplicant. 802.1X acts at Layer 2 in the network, allowing you to
control network access at the access edge.

• Identity-based services: 802.1X enables you to use an authenticated identity to dynamically
deliver customized services. For example, a user might be authorized into a particular VLAN or
assigned a unique access list that grants appropriate access for that user.

• Transparency: In many cases, 802.1X can be deployed in a way that is transparent to the end user.

• User and device authentication: 802.1X can be used to authenticate both devices and users.
Switch(config)# interface gig0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 00d0.ba11.2131
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
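The commands above enable port security, which admits one fixed MAC address on the port; they do not enable IEEE 802.1X, which is what the task asks for. The following is a minimal IOS configuration that turns on 802.1X authentication for the same interface, added here as an example and not taken from the original answer. It assumes a RADIUS server reachable at 192.0.2.10 (a documentation address), a placeholder shared secret, and an IOS release that supports the `authentication port-control` syntax; gig0/2 is the interface used above.

```cisco
! Added example: minimal IOS 802.1X (dot1x) authenticator configuration.
! Assumptions: RADIUS server at 192.0.2.10 (documentation address),
! placeholder shared secret, same interface gig0/2 as the port-security example.
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
! Authorization lets the RADIUS server push a VLAN or ACL for the identity
Switch(config)# aaa authorization network default group radius
Switch(config)# radius server RADIUS-1
Switch(config-radius-server)# address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key <SHARED-SECRET-PLACEHOLDER>
Switch(config-radius-server)# exit
! Globally enable 802.1X on the switch
Switch(config)# dot1x system-auth-control
Switch(config)# interface gig0/2
Switch(config-if)# switchport mode access
! auto: port stays unauthorized (only EAPOL passes) until the supplicant authenticates
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# end
! Verify: shows the authenticated user, MAC address and port binding
Switch# show authentication sessions interface gig0/2
```

`show authentication sessions` is the check that shows the visibility benefit described above: the username returned by RADIUS tied to the MAC address, switch and port. While the port is in the `auto` state, a device that has no 802.1X supplicant (a printer, for example) gets no access at all, so such ports need a fallback such as MAC Authentication Bypass (`mab`) or a different policy. On older IOS releases the interface command is `dot1x port-control auto` instead of `authentication port-control auto`.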
