Red flag raised over NAC security

Network access control technology has been promoted as the savior of beleaguered enterprise networks, but enterprise IT managers who are hanging their hat on client health screening should think again, according to security expert Ofir Arkin of Insightix.

In a presentation at this year's Black Hat Briefings conference in Las Vegas, Arkin raised questions about the efficacy of NAC technologies from vendors such as Cisco, Microsoft, and Symantec, saying the current generation of NAC solutions are riddled with holes that make it easy for hackers to circumvent their protections.

A Cisco executive acknowledged that the technology has a way to go before it provides comprehensive protection.

In a wide ranging presentation that mostly avoided dissections of specific products, Arkin said that, across the board, NAC solutions have holes or vulnerabilities in their protections that could be used by malicious hackers to gain entry to NAC-protected networks.

For example, NAC solutions that use DHCP (Dynamic Host Configuration Protocol) proxy servers to enforce security policy do nothing to stop machines that obtain static IP addresses for their network connections, rather than using DHCP. That makes significant portions of enterprise networks invisible to the NAC access control products, Arkin said.

NAC solutions that enforce access through network switches, such as Cisco Systems' Network Admission Control, also have weaknesses, he said.

For example, Cisco's NAC technology is specific to their switches and routers, but enterprises often use a mixture of switching and routing gear. Hackers can find their way into an enterprise network simply by finding and connecting through an unmanaged switch, he said.

Hackers can also spoof MAC and IP addresses for "known" systems that are allowed access, he said.

NAC solutions that rely on the 802.1x protocol to enforce access policies before systems are assigned an IP address provide tighter control, but don't cover devices that don't support the 802.1x protocol, such as legacy hardware, printers and other devices, he said.

Other security experts at Black Hat also expressed doubts about the NAC paradigm. Marc Maiffret of eEYE Digital Security, whose vulnerability scanning tools work with Cisco's NAC and other solutions, said that NAC systems that rely on antivirus software to report on the "health" of a system are suspect at a time when critical security holes are being reported in products from Symantec, McAfee and other vendors.

Malicious hackers could use exploits of antivirus software, Web browsers or other desktop software to make infected clients appear to be adequately patched and have up to date antivirus definitions, he said.

Asked about Arkin's presentation, Cisco CSO John Stewart acknowledged that NAC technology is in its infancy and has a way to go before it will provide comprehensive security.

"The technology's immature. But [NAC] will increase my capability to keep my network in good condition. Can it be maneuvered to have false data? Yes. Would it be completely the case that every device on my network will provide false data? Unlikely."

"It's inherently going to be found that there are weaknesses. But I think that's the wrong thing to focus on. We want to address the weaknesses but focus on the benefits," Stewart said.