Access Layer Security (Part 3) – 802.1AE

In previous entries we’ve looked at how easy it is to attack networks secured with Profiling, MAC Address authentication and/or 802.1X, especially if you have access to a device that is known to work.

So how then, if you can get around even EAP-TLS security on a LAN, do you really secure an Access Layer network?

802.1AE MACsec

In short, 802.1AE is to wired networks what WPA2 is to wireless networks.

All of the methods of securing a network that we’ve looked at so far provide (varying levels of) authenticated network access, but do nothing to protect the traffic after authentication. Because MAC addresses are so easily spoofed, that potentially leaves big holes in your network’s security.

On MACsec-enabled networks and clients, once the device has been authenticated through an EAP method (such as PEAP or EAP-TLS), traffic is encrypted between the client’s NIC and the switch port, typically using GCM-AES-128 or GCM-AES-256. Because the key negotiation is itself secure, even an attacker who spoofs a MAC address and sniffs all of the traffic between a known-good device and the network will not be able to recover the encryption keys, and so will not be able to gain access to the network. This is, to my knowledge, the only way to guarantee (as far as anybody in IT can guarantee anything) that only valid devices can access the network.
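To make concrete why a spoofed MAC address buys an eavesdropper nothing once MACsec is up, here is an added example in Go (not code from the original post) that builds and checks an 802.1AE frame with GCM-AES-128: both MAC addresses and the SecTAG are authenticated as GCM additional data, the IV is SCI||PN, and the ICV is GCM’s tag. The SAK, MAC addresses and SCI are constructed sample values; key agreement (MKA) and replay-window checks are outside the scope of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const macsecEtherType = 0x88E5 // EtherType that opens the 802.1AE SecTAG
// newGCM wraps a Secure Association Key: a 16-byte SAK gives GCM-AES-128, a 32-byte SAK GCM-AES-256.
func newGCM(sak []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sak)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// protect emits DA|SA|SecTAG|encrypted user data|ICV with an explicit-SCI SecTAG (TCI bits SC, E and C
// set, AN in the low two bits). AAD is DA|SA|SecTAG and the IV is SCI||PN, so addresses and PN are authenticated.
func protect(gcm cipher.AEAD, dst, src [6]byte, sci [8]byte, an byte, pn uint32, user []byte) []byte {
	hdr := append(append(dst[:], src[:]...), byte(macsecEtherType>>8), byte(macsecEtherType&0xFF), 0x2C|an&0x03, 0)
	if len(user) < 48 { // SL field is only non-zero for short user data
		hdr[15] = byte(len(user))
	}
	hdr = append(append(hdr, byte(pn>>24), byte(pn>>16), byte(pn>>8), byte(pn)), sci[:]...) // PN (big endian), SCI
	iv := append(append([]byte{}, sci[:]...), hdr[16:20]...)
	return append(hdr, gcm.Seal(nil, iv, user, hdr)...)
}

// validate recomputes the ICV over DA|SA|SecTAG|ciphertext; any altered byte, a spoofed source MAC
// included, fails authentication and no plaintext is released.
func validate(gcm cipher.AEAD, frame []byte) ([]byte, error) {
	if len(frame) < 44 || binary.BigEndian.Uint16(frame[12:]) != macsecEtherType {
		return nil, errors.New("not a MACsec frame with explicit SCI")
	}
	iv := append(append([]byte{}, frame[20:28]...), frame[16:20]...) // SCI || PN
	return gcm.Open(nil, iv, frame[28:], frame[:28])
}

func main() {
	gcm, _ := newGCM([]byte("0123456789abcdef")) // constructed 128-bit SAK; on a real link MKA distributes it
	src, dst := [6]byte{0, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE}, [6]byte{0, 0x11, 0x22, 0x33, 0x44, 0x55}
	sci := [8]byte{0, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0, 1} // SCI = source MAC || port identifier 1
	frame := protect(gcm, dst, src, sci, 0, 1, []byte("client traffic after EAP"))
	frame[6] ^= 0x01 // source MAC rewritten on the wire: the AAD no longer matches the ICV
	_, err := validate(gcm, frame)
	fmt.Println("spoofed frame accepted:", err == nil) // false
}
```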

Unfortunately, despite having been available for quite some time, support for MACsec is somewhat limited. There is currently no native support for MACsec in Windows, so Windows users need a third-party supplicant such as the Cisco AnyConnect agent. MACsec is supported in Linux, though, from kernel 4.6 onwards (I think!). 802.1AE also requires a suitable client NIC and drivers, and a LAN switch and RADIUS server that support 802.1AE.

