Don’t rely upon 802.1X to secure your wired networks!

Steve Riley gave a fasinating session @ IT Forum where he commented that 802.1X for wired networks would not solve as many security problems as people perceive.

802.1X does NOT authenticate each packet (unlike IPSEC ESP-null) and hence WITH PHYSICAL ACCESS to the wires it’s possible for a hacker to place a hub between the 802.1X authenticating switch and a legitimate user.

The legitimate user’s system will be forced to reauthenticate to the switch once the cables are reconnected (with the HUB inline) at which point the malicious user could connect through the switch with ICMP & UDP traffic though not with TCP. Of course once able to use ICMP & UDP then they could escalate their access with a wide range of traditional hacking methods.

That’s not to say that 802.1X authn is a bad thing – it’s effective for wireless networks as dynamic encryption keys are used for each node. 802.1X is still a useful technology for wired networks as it does make it harder for the attacker. The point to this article is that like all other security technologies this is NOT a silver bullet – many people seem to expect it to be so.

Comments (4)

  1. Sertan Kolat says:

    since it is possible to limit the number of MAC addresses per port, it seems that this hub method may not work at those situations. am I missing something?

  2. Steve Riley says:

    For the attack to succeed, the attack computer plugged into the hub must be spoofing the MAC and IP addresses of the victim computer. This, of course, is trivial to do.

  3. Mark G1 says:

    lol… Seriously think about this attack. First it requires physical access to the cables. I’m pretty sure I’d notice a hacker under my desk with a hub and a laptop. If the hacker is in my data closet, I have a lot more to worry about. Second, I (the authorized users) lose my connection while the hub is put in place and am forced to reauth. At this point, the hackers uses my MAC addy to do his evil. This effectivly provides DoS against me. I’m pretty sure I’d also notice not being able to access any network recources.

    The theoretical attack is there, but real world it is tough.

    This article seems to have an axe to grind against 802.1x or maybe against someone who is claiming 802.1x is "the silver bullet". I am in 100% agreeance that it is not the silver bullet. There isn’t and never willbe silver bullet, depth in defence is the key. 802.1x is a great technology all in all.



  4. Steve Lamb says:

    Mark> I agree that physical access is required though in many large corporates it’s pretty easy to get access to the cables without being obvious to the user. Yes – this is a problem in it’s own right. & Yes it’s hardly a stealthy attack given that a DoS attack must be mounted against the legitimate user.

    I don’t have an axe to grind against 802.1x – it’s a great technology when used as a component in a defence in depth security architecture.