1.7: Deploy Port Level Access Control
Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Devices |
Protect |
2, 3 |
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Sub-control 1.5: Maintain Asset Inventory Information
Assumptions
Use of an 802.1x network design to control network access
The 802.1x system can query the endpoint inventory system
The CMDB is a separate entity from the authentication server.
Inputs
List of 802.1x authenticators
List of 802.1x authentication servers (i.e. RADIUS/Diameter servers)
List of CMDB servers
Operations
For each 802.1x authenticator, ensure proper configuration
For each 802.1x authentication server, ensure proper configuration, including connection to at least one CMDB server
Measures
M1 = Boolean: 802.1x authenticators are in use
M2 = Boolean: 802.1x authentication servers are in use
M3 = List of inappropriately configured 802.1x authenticators
M4 = Count of M3
M5 = List of appropriately configured 802.1x authenticators
M6 = Count of M5
M7 = List of inappropriately configured 802.1x authentication servers
M8 = Count of M7
M9 = List of appropriately configured 802.1x authentication servers
M10 = Count of M9
M11 = Count of 802.1x authentication servers (from Input 2)
M12 = Count of 802.1x authenticators (from Input 1)
Metrics
802.1x Deployment
Metric |
Is 802.1x deployed?
|
Calculation |
|
Authenticator Coverage
Metric |
Ratio of improperly configured 802.1x authenticators to total number of 802.1x
authenticators
|
Calculation |
|
Authentication Server Coverage
Metric |
Ratio of improperly configured 802.1x authentication servers to total number of
802.1x authentication servers
|
Calculation |
|