Don't rely upon 802.1X to secure your wired networks!

Steve Riley gave a fasinating session @ IT Forum where he commented that 802.1X for wired networks would not solve as many security problems as people perceive.

802.1X does NOT authenticate each packet (unlike IPSEC ESP-null) and hence WITH PHYSICAL ACCESS to the wires it's possible for a hacker to place a hub between the 802.1X authenticating switch and a legitimate user.

The legitimate user's system will be forced to reauthenticate to the switch once the cables are reconnected (with the HUB inline) at which point the malicious user could connect through the switch with ICMP & UDP traffic though not with TCP. Of course once able to use ICMP & UDP then they could escalate their access with a wide range of traditional hacking methods.

That's not to say that 802.1X authn is a bad thing - it's effective for wireless networks as dynamic encryption keys are used for each node. 802.1X is still a useful technology for wired networks as it does make it harder for the attacker. The point to this article is that like all other security technologies this is NOT a silver bullet - many people seem to expect it to be so.