Mitigating 802.1x bypass by transparent bridging

The DEFCON talk "A Bridge Too Far" details a means to bypass wired 802.1x network access controls by setting up a transparent bridge between a genuine machine and the network. Once authentication is performed, the transparent bridge is free to tamper with and inject traffic.



Are there controls that can be put in place to mitigate this risk?
Tags: security ieee-802.1x
asked 1 hour ago by Cybergibbons
          2 Answers
          Frankly, no.



          802.1X authenticates the port and as long as it is authenticated it participates in the network. Inserted or even modified frames by an otherwise transparent network device cannot be detected.



          802.1X has had some serious attack vectors from the start and can only be regarded as a "better than nothing" approach. If you want serious port security you'll need 802.1AE aka MACsec.
answered 25 mins ago by Zac67
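The distinction the answer above draws (802.1X authorizes a port once, 802.1AE authenticates every frame) is what decides whether a transparent bridge can inject traffic. The model below is an added illustration, not code from the answer and not an implementation of either standard: real MACsec computes its integrity check value with GCM-AES over the MAC header, SecTAG and payload, and the SAK is delivered by MKA after EAP; here HMAC-SHA256 stands in for the ICV so the example needs only the standard library, and the SAK, MAC address and frames are constructed for the demonstration.

```python
"""Why a port-authenticated link (802.1X) forwards frames a transparent
bridge injects, while a frame-authenticated link (802.1AE/MACsec) rejects
them. Added illustration; HMAC-SHA256 stands in for MACsec's GCM-AES ICV,
and the key, MAC address and frames are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: bytes        # 6-byte source address
    packet_number: int    # MACsec PN: strictly increasing per secure association
    payload: bytes
    icv: bytes = b""      # integrity check value; absent on a plain 802.1X port

    def authenticated_data(self) -> bytes:
        return self.src_mac + struct.pack(">I", self.packet_number) + self.payload


def protect(sak: bytes, src_mac: bytes, pn: int, payload: bytes) -> Frame:
    """Done by the genuine supplicant, which holds the SAK from EAP/MKA."""
    plain = Frame(src_mac, pn, payload)
    icv = hmac.new(sak, plain.authenticated_data(), hashlib.sha256).digest()
    return Frame(src_mac, pn, payload, icv)


class PortAuthLink:
    """802.1X model: one EAP decision per port, then every frame is forwarded."""

    def __init__(self) -> None:
        self.authorized = False

    def authenticate(self, supplicant_ok: bool) -> None:
        self.authorized = supplicant_ok

    def accept(self, frame: Frame) -> bool:
        return self.authorized          # frame contents are never checked


class MacsecLink:
    """802.1AE model: the switch verifies each frame's ICV with the SAK and
    rejects packet numbers that do not move forward (replay protection)."""

    def __init__(self, sak: bytes) -> None:
        self.sak = sak
        self.highest_pn = 0

    def accept(self, frame: Frame) -> bool:
        expected = hmac.new(self.sak, frame.authenticated_data(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame.icv):
            return False                # injected or modified in transit
        if frame.packet_number <= self.highest_pn:
            return False                # replayed
        self.highest_pn = frame.packet_number
        return True


def demo() -> dict:
    """Runs the same four frames through both link models."""
    sak = hashlib.sha256(b"constructed demo SAK").digest()    # constructed key
    victim_mac = b"\x00\x11\x22\x33\x44\x55"                   # constructed
    genuine = protect(sak, victim_mac, 1, b"print job")
    # The bridge can copy the victim's MAC and pick any PN, but it never saw
    # the SAK, so it cannot produce a valid ICV for its own or altered frames.
    injected = Frame(victim_mac, 2, b"attacker traffic", icv=bytes(32))
    modified = Frame(genuine.src_mac, genuine.packet_number, b"altered job", genuine.icv)

    port = PortAuthLink()
    port.authenticate(True)             # the victim's EAP exchange succeeds
    macsec = MacsecLink(sak)
    cases = [("genuine", genuine), ("injected", injected),
             ("modified", modified), ("replayed", genuine)]
    return {
        "802.1X": {name: port.accept(f) for name, f in cases},
        "MACsec": {name: macsec.accept(f) for name, f in cases},
    }


if __name__ == "__main__":
    for link, verdicts in demo().items():
        print(link, verdicts)
```

The point the model makes is where the check lives: on a plain 802.1X port the switch asks "is this port authorized?" and never looks at individual frames, so anything the bridge sends after the victim's EAP exchange is forwarded; with MACsec the switch asks "does this frame carry a tag only the SAK holder could have produced, with a packet number I have not seen?", which the bridge cannot satisfy. In a real deployment this needs MACsec-capable switch ports and supplicant hardware, which is why the second answer calls it uncommon.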
Welcome to Network Engineering! You might want to ask this on Information Security SE, but here are a few thoughts:

1. If one has physical access to the network, an attacker can do lots of things. Attacking 802.1x is just one.

2. The presentation lists some mitigation techniques, but they all rely on careful monitoring of network traffic -- something rarely done except on the most secure networks.

3. Since it's really a physical attack, the best defense is physical security.

4. If 802.1x is used correctly, this attack has minimal effect. Yes, you can hide your attack box behind the printer and gain access, but the printer VLAN should have limited access anyway (no initiating connections). Any attempts to start probing should generate alerts.

5. 802.1ae might be another way to stop it, but it's not common.

6. Finally, I think the risk is overstated. Physical attacks are hard, expensive, and very risky. That's why they're very rare.
answered 13 mins ago by Ron Trunk
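Points 2 and 4 of the answer above are the ones a defender can act on without new hardware: a device on the printer VLAN should be a server, not a client, so a printer-VLAN address that starts initiating connections (or walks through ports and hosts) is the signal to alert on, whether the bridge spoofs the printer's own address or picks another one on that VLAN. The script below is an added example of that check, not code from the answer. The flow-record format, the addresses, the printer VLAN, the egress allowlist and the probing threshold are all constructed or assumed for the demonstration; a real deployment would feed it NetFlow/IPFIX or firewall logs and tune the allowlist to what the printers legitimately need (DNS, NTP, DHCP and similar).

```python
"""Alert when a host on a printer VLAN initiates connections or probes.

Added example, not code from the original thread. The flow format, the
printer VLAN, the egress allowlist and the threshold are assumptions made
for this demonstration; the flow records are constructed."""
import ipaddress
from collections import defaultdict

PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")   # assumed printer VLAN
# Outbound services a printer legitimately starts itself (assumed baseline):
# DNS, NTP and DHCP. Anything else a printer initiates is a policy violation.
PRINTER_EGRESS_ALLOW = {("udp", 53), ("udp", 123), ("udp", 67)}
# Distinct (responder, port) pairs one host may hit before we call it probing.
PROBE_THRESHOLD = 5

# Constructed flow records: "<timestamp> <initiator> <responder> <dport> <proto>".
# Print jobs come from servers to the printer (allowed); the printer doing a DNS
# lookup is allowed; the printer walking SMB/SSH/RDP on neighbouring hosts is not.
SAMPLE_FLOWS = """\
2018-08-12T10:00:01 10.0.5.20 10.20.30.15 9100 tcp
2018-08-12T10:00:05 10.20.30.15 10.0.1.2 53 udp
2018-08-12T10:00:07 10.0.5.21 10.20.30.15 631 tcp
2018-08-12T10:02:10 10.20.30.15 10.0.5.40 445 tcp
2018-08-12T10:02:11 10.20.30.15 10.0.5.40 139 tcp
2018-08-12T10:02:11 10.20.30.15 10.0.5.40 22 tcp
2018-08-12T10:02:12 10.20.30.15 10.0.5.40 3389 tcp
2018-08-12T10:02:12 10.20.30.15 10.0.5.41 445 tcp
2018-08-12T10:02:13 10.20.30.15 10.0.5.42 445 tcp
2018-08-12T10:05:00 10.20.30.16 10.0.1.2 123 udp
"""


def parse_flow(line: str) -> dict:
    """One record -> dict; the initiator is the side that opened the flow."""
    ts, src, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def analyze(flow_text: str) -> list:
    """Returns alerts for printer-initiated connections and for probing."""
    alerts = []
    targets = defaultdict(set)          # initiator -> {(responder, port)}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] not in PRINTER_VLAN:
            continue                    # only flows the printer VLAN *initiates* matter
        if (f["proto"], f["dport"]) in PRINTER_EGRESS_ALLOW:
            continue                    # baseline egress a printer is expected to do
        alerts.append({
            "type": "printer_initiated_connection",
            "ts": f["ts"],
            "src": str(f["src"]),
            "dst": f"{f['dst']}:{f['dport']}/{f['proto']}",
        })
        targets[str(f["src"])].add((str(f["dst"]), f["dport"]))
    for src, pairs in targets.items():
        if len(pairs) >= PROBE_THRESHOLD:
            alerts.append({"type": "probing", "src": src, "distinct_targets": len(pairs)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

Two design choices are worth noting. The check keys on VLAN membership of the initiator rather than on a known printer address, so a bridge that uses its own address on the printer segment is caught as readily as one spoofing the printer. And the egress allowlist is deliberately small: the tighter the baseline of what a printer is allowed to start, the earlier the first alert fires, which matters because, as the answer notes, the attacker already has whatever access the printer VLAN grants.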