We've heard that 802.1x is vulnerable to an attacker inserting a hub between an authorized computer and the edge switch. Is that true?
Yes, but it's more complicated than simply inserting a hub. Here's the attack sequence.

The attacker gains physical access to the network receptacle where the trusted computer connects to the network, and inserts a hub. (A hub is used rather than a switch because hubs are invisible to switches.) Once the trusted computer is reconnected, the edge switch challenges the trusted computer, which re-authenticates itself. Then the switch opens the port to the rest of the network.

Next, the attacker uses a network sniffer to capture some packets sent across the hub to and from the trusted computer, and from those packets learns the MAC address of the trusted computer. Then the attacker configures a rogue computer to assume that MAC address and is now able to communicate through the switch port without the switch realizing what's happening.

However, as long as the trusted computer remains connected, the attacker might have a problem because the trusted computer kills TCP connections initiated by the rogue computer. (TCP automatically resets connections it doesn't recognize.) The attacker can disconnect the trusted computer from the hub to solve the problem, but that might eventually lead to discovery because the trusted computer would no longer be communicating.
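The side effect the answer mentions, the trusted computer resetting connections it did not open, is also the defender's best passive signal that two devices are sharing one authenticated port. The following is an added example, not code from the original Q&A: a small detector that runs over constructed TCP packet metadata (as a sensor on a SPAN or mirror of the switch uplink would see it; the addresses, ports and timestamps are made up) and flags any client address that repeatedly answers a server's SYN-ACK with a RST, especially when the same address also sent an ACK for that handshake, which means two TCP stacks responded to one SYN-ACK.

```python
"""Flag client addresses that reset TCP handshakes they appear to have opened.

Added example; the packet records below are constructed, not a real capture.
Model: when a second device shares a trusted computer's addresses, the trusted
computer's TCP stack receives SYN-ACKs for connections it never opened and
answers them with RST. A passive sensor then sees, from one client address,
SYN -> (server) SYN-ACK -> RST, often next to the other stack's ACK. One such
flow is noise; several in a short window from one address is worth an alert.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    ts: float          # seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str         # subset of "SAR": SYN, ACK, RST (constructed metadata)


@dataclass
class Flow:
    client: str
    synack_seen: bool = False
    client_ack: bool = False                # client answered SYN-ACK with ACK
    client_rst_ts: Optional[float] = None   # client answered SYN-ACK with RST


def sample_packets() -> List[Packet]:
    """Constructed traffic: 10.0.0.20 is a normal host; 10.0.0.10 behaves like a
    trusted computer whose addresses a second device is also using."""
    P = Packet
    return [
        # 10.0.0.10 opens a normal connection and completes the handshake
        P(1.00, "10.0.0.10", 50001, "10.0.0.50", 443, "S"),
        P(1.01, "10.0.0.50", 443, "10.0.0.10", 50001, "SA"),
        P(1.02, "10.0.0.10", 50001, "10.0.0.50", 443, "A"),
        # 10.0.0.20: ordinary, unremarkable handshake
        P(5.00, "10.0.0.20", 51000, "10.0.0.50", 443, "S"),
        P(5.01, "10.0.0.50", 443, "10.0.0.20", 51000, "SA"),
        P(5.02, "10.0.0.20", 51000, "10.0.0.50", 443, "A"),
        # From here on, two stacks answer for 10.0.0.10: ACK and RST to one SYN-ACK
        P(10.00, "10.0.0.10", 40002, "10.0.0.60", 22, "S"),
        P(10.01, "10.0.0.60", 22, "10.0.0.10", 40002, "SA"),
        P(10.02, "10.0.0.10", 40002, "10.0.0.60", 22, "A"),
        P(10.03, "10.0.0.10", 40002, "10.0.0.60", 22, "R"),
        # RST straight after the SYN-ACK, no ACK at all
        P(11.00, "10.0.0.10", 40003, "10.0.0.60", 445, "S"),
        P(11.01, "10.0.0.60", 445, "10.0.0.10", 40003, "SA"),
        P(11.02, "10.0.0.10", 40003, "10.0.0.60", 445, "R"),
        # ACK and RST again
        P(12.00, "10.0.0.10", 40004, "10.0.0.70", 80, "S"),
        P(12.01, "10.0.0.70", 80, "10.0.0.10", 40004, "SA"),
        P(12.02, "10.0.0.10", 40004, "10.0.0.70", 80, "A"),
        P(12.03, "10.0.0.10", 40004, "10.0.0.70", 80, "R"),
    ]


def _max_in_window(times: List[float], window: float) -> int:
    """Largest number of events (sorted timestamps) inside any `window` seconds."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(packets: List[Packet], window: float = 60.0, threshold: int = 3) -> Dict[str, dict]:
    """Return {client_ip: stats} for clients whose aborted-handshake burst
    (client RST after a server SYN-ACK) reaches `threshold` within `window`."""
    flows: Dict[tuple, Flow] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)   # client -> server key
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)   # key if p is server -> client
        if "S" in p.flags and "A" not in p.flags:            # pure SYN opens a flow
            flows[fwd] = Flow(client=p.src_ip)
            continue
        if fwd in flows:                                     # client-side packet
            f = flows[fwd]
            if "R" in p.flags and f.synack_seen and f.client_rst_ts is None:
                f.client_rst_ts = p.ts
            elif "A" in p.flags:
                f.client_ack = True
        elif rev in flows and "S" in p.flags and "A" in p.flags:   # server SYN-ACK
            flows[rev].synack_seen = True

    events: Dict[str, List[tuple]] = defaultdict(list)
    for f in flows.values():
        if f.client_rst_ts is not None:
            events[f.client].append((f.client_rst_ts, f.client_ack))

    alerts: Dict[str, dict] = {}
    for client, ev in events.items():
        ev.sort()
        burst = _max_in_window([t for t, _ in ev], window)
        if burst >= threshold:
            alerts[client] = {
                "aborted_handshakes": len(ev),
                "burst": burst,
                # ACK and RST from the same address for one SYN-ACK: two stacks
                "contradictory": sum(1 for _, ack in ev if ack),
            }
    return alerts


if __name__ == "__main__":
    for client, stats in analyze(sample_packets()).items():
        print(f"ALERT {client}: {stats}")
```

Flows where the RST arrives with no ACK look like ordinary SYN-spoofing backscatter, so the `contradictory` count is the more specific field: a host cannot legitimately both accept and refuse the same SYN-ACK. In the scenario above the signal disappears once the attacker unplugs the trusted computer, so pair this with a per-port check that the authenticated supplicant's usual traffic is still present, and with 802.1X re-authentication and MAC-move alerting on the switch itself.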