7

The DEFCON talk "A Bridge Too Far" details a means to bypass wired 802.1x network access controls by setting up a transparent bridge between a genuine machine and the network. Once authentication is performed, the transparent bridge is free to tamper with and inject traffic.

Are there controls that can be put in place to mitigate this risk?

Cybergibbons
  • Besides the answers below, see [this question](https://networkengineering.stackexchange.com/q/22247/8499) and answers. – Ron Maupin Sep 30 '18 at 15:15
  • Note, this is exactly what Uverse (fiber) users do to bypass the AT&T required router: clone the MAC, and proxy all the EAP stuff. – Ricky Sep 30 '18 at 18:56
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could post and accept your own answer. – Ron Maupin Jan 03 '21 at 21:50

2 Answers

9

Frankly, no.

802.1X authenticates the port and as long as it is authenticated it participates in the network. Inserted or even modified frames by an otherwise transparent network device cannot be detected.

802.1X has had some serious attack vectors from the start and can only be regarded as a "better than nothing" approach. If you want serious port security you'll need 802.1AE aka MACsec.

Another approach (thx Ricky) is to forgo port-level security completely and instead rely on VPN connections you build on top of your physical network, basically moving the security up the stack. While this can be made very secure and backward compatible with just about any infrastructure, it may introduce bottlenecks at the VPN router(s) and their links.

Zac67
  • Exactly why MACsec was created. If you can't do MACsec, roll your own with per-host VPN, and ACLs to prevent comms with anything else. – Ricky Sep 30 '18 at 18:51

5

Welcome to Network Engineering! You might want to ask this on Information Security SE, but here are a few thoughts:

  1. If one has physical access to the network, an attacker can do lots of things. Attacking 802.1x is just one.
  2. The presentation lists some mitigation techniques, but they all rely on careful monitoring of network traffic -- something rarely done except on the most secure networks.
  3. Since it's really a physical attack, the best defense is physical security.
  4. If 802.1x is used correctly, this attack has minimal effect. Yes, you can hide your attack box behind the printer and gain access, but the printer VLAN should have limited access anyway (no initiating connections). Any attempts to start probing should generate alerts.
  5. 802.1ae might be another way to stop it, but it's not common.
  6. Finally, I think the risk is overstated. Physical attacks are hard, expensive, and very risky. That's why they're very rare.
Ron Trunk
  • For number 6, I actually saw a kit a couple of years ago with a Raspberry Pi, or look-alike, that had the code already loaded to perform the exact attack detailed in the article, allowing someone to install it inline behind a host, and it would allow someone to use Wi-Fi to get on the network. I pointed this out to our Security folks, and they kind of freaked out, but decided it was too hard for a casual hacker, even though it was merely plugging a device inline. – Ron Maupin Sep 30 '18 at 15:14
  • We see physical attacks against networks carried out often enough to worry about them (under specific conditions): https://arstechnica.com/tech-policy/2014/04/bank-robbers-use-kvm-switch-and-3g-router-to-steal-money/ – Cybergibbons Sep 30 '18 at 15:49
  • Yes, I've also seen devices like rPIs or others. Attacks do happen, but I stand by my opinion they're rare compared to remote attacks. And as the article linked by @Cybergibbons shows, attackers are more likely to get caught. – Ron Trunk Sep 30 '18 at 15:59
  • 802.1X was intended to protect against physical attacks - it fails to do so at a pretty low level. – Zac67 Oct 01 '18 at 05:05
  • At some conference I saw a talk about a device that takes this a step further: you seamlessly cut into an existing Ethernet cable. Add to that the carelessness of routing lumps of Ethernet cables through public restrooms in some government agencies and you have a real security problem for those who are determined to get you. – PlasmaHH Oct 01 '18 at 08:03
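Ron Trunk's point 4 (a printer VLAN should not initiate connections, and any probing should alert) as an added example, not code from any of the posts: a small Python check over constructed flow records that flags printer-VLAN hosts initiating connections outside an allow list and raises a scan alert when one such host touches many distinct destinations. The printer subnet, the allow list, the flow-record format and the threshold are all assumptions made up for illustration.

```python
"""Flag connections initiated from a restricted (printer) VLAN.

Added example. Flow records use a simplified 5-tuple text format;
subnet, allow list and threshold are constructed, not real policy.
"""
from collections import defaultdict
import ipaddress

PRINTER_VLAN = ipaddress.ip_network("10.20.0.0/24")   # assumed printer subnet
# Destinations a printer may legitimately reach on its own (assumed policy).
ALLOWED = {("10.0.0.53", 53, "udp"), ("10.0.0.123", 123, "udp")}
SCAN_THRESHOLD = 5   # distinct (dst, port) pairs from one printer -> probing

# Constructed flow records: time src dst dst_port proto role
# role "init" means src opened the connection, "resp" means it answered one.
FLOWS = """\
09:00:01 10.20.0.17 10.0.0.53 53 udp init
09:00:02 10.50.0.9 10.20.0.17 9100 tcp init
09:00:05 10.20.0.17 10.0.0.123 123 udp init
09:01:10 10.20.0.17 10.0.5.2 445 tcp init
09:01:11 10.20.0.17 10.0.5.2 22 tcp init
09:01:12 10.20.0.17 10.0.5.3 445 tcp init
09:01:13 10.20.0.17 10.0.5.4 3389 tcp init
09:01:14 10.20.0.17 10.0.5.5 80 tcp init
""".splitlines()

def parse_flow(line):
    ts, src, dst, port, proto, role = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "initiated": role == "init"}

def analyse(lines):
    """Return (policy_violations, scanning_sources) for the given flows."""
    violations, targets = [], defaultdict(set)
    for rec in map(parse_flow, lines):
        # Only flows the printer itself initiates matter; inbound print jobs are normal.
        if not rec["initiated"] or ipaddress.ip_address(rec["src"]) not in PRINTER_VLAN:
            continue
        if (rec["dst"], rec["port"], rec["proto"]) in ALLOWED:
            continue
        violations.append(rec)
        targets[rec["src"]].add((rec["dst"], rec["port"]))
    # A single printer reaching many distinct (host, port) pairs looks like probing.
    scanners = sorted(src for src, t in targets.items() if len(t) >= SCAN_THRESHOLD)
    return violations, scanners

if __name__ == "__main__":
    bad, scanning = analyse(FLOWS)
    print(f"{len(bad)} policy violations; probing hosts: {scanning}")
```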