ARLINGTON, Va. -- According to a network access control expert, NAC
implementations are often more difficult than they need to be
because companies don't have a good understanding of their
networks, in turn opening the door for opportunistic attackers.
Flaws exist in almost every part of a NAC implementation, allowing
a digital miscreant the ability to bypass most access control
walls, said Ofir Arkin, chief technology officer of Framingham,
Mass.-based Insightix, a NAC vendor. Arkin told security pros at
the Black Hat DC conference that careful planning is essential
before implementing any part of NAC.
"Before deploying anything, a perfect understanding on what the
network looks like is essential," Arkin said. "Most NAC solutions
on the market today can be bypassed."
An area ripe for attack, Arkin said, is element detection and the
quarantine function of the Dynamic Host Configuration Protocol
(DHCP) server. In a DHCP-based NAC deployment, the DHCP server checks
machines and devices attempting to join the network; it either
assigns them a unique IP address or places them in quarantine if the
device fails to meet certain security policies.
"The problem is that the quarantine holds soft targets," Arkin
said. "I can infect [elements] or penetrate them while they're in
quarantine."
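The weakness Arkin describes is that a quarantine scope is only as safe as its isolation: if quarantined hosts can reach each other, or reach production, the "soft targets" are exposed. The following audit, an added example that is not from the article or from Insightix, checks exported flow records against a quarantine-isolation policy; the address ranges, the remediation server 10.99.0.5 and the sample flows are all constructed assumptions.

```python
import ipaddress

# Assumed layout: quarantine scope, production scope, and the one host
# a quarantined device is allowed to talk to (remediation/patch server).
QUARANTINE_NET = ipaddress.ip_network("10.99.0.0/24")
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/16")
REMEDIATION_SERVERS = {ipaddress.ip_address("10.99.0.5")}

# Constructed sample flows (src_ip, dst_ip, dst_port) as a switch or
# firewall might export them: one legitimate remediation fetch, one
# quarantined host probing a neighbour in quarantine, one quarantined
# host reaching a production file server, and one normal production flow.
SAMPLE_FLOWS = [
    ("10.99.0.23", "10.99.0.5", 443),
    ("10.99.0.23", "10.99.0.41", 445),
    ("10.99.0.41", "10.10.4.7", 445),
    ("10.10.4.7", "10.10.4.8", 445),
]


def classify(src, dst, port):
    """Return a verdict string for one flow under the isolation policy."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s not in QUARANTINE_NET:
        return "ok"                  # production traffic is out of scope here
    if d in REMEDIATION_SERVERS:
        return "ok"                  # the only destination quarantine should need
    if d in QUARANTINE_NET:
        return "quarantine-lateral"  # a soft target reachable from quarantine
    if d in PRODUCTION_NET:
        return "quarantine-escape"   # the quarantine scope is not actually isolated
    return "quarantine-unknown-dst"  # anything else deserves a look


def audit(flows):
    """Return only the flows that violate isolation, with their verdicts."""
    findings = []
    for src, dst, port in flows:
        verdict = classify(src, dst, port)
        if verdict != "ok":
            findings.append((src, dst, port, verdict))
    return findings


if __name__ == "__main__":
    for src, dst, port, verdict in audit(SAMPLE_FLOWS):
        print("%s -> %s:%d  %s" % (src, dst, port, verdict))
```

Any "quarantine-lateral" or "quarantine-escape" finding means the DHCP scope alone is doing the enforcement and the switch or firewall is not backing it up with real segmentation.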
Agent-based NAC, which uses software on endpoint devices, is
also an area with problems, Arkin said. It often takes too long to
implement, he said, and results in client issues.
"It's a good solution but it must be implemented properly,"
Arkin said.
Arkin's message was similar to the one he offered attendees at
Black Hat USA 2006, when he said that NAC should not be viewed as
anything other than an
additional layer of defense.
He said zero-day flaws pose the single biggest threat to
corporate IT networks, and while many companies work diligently on
their patch management processes to keep all the holes plugged,
it's always difficult to keep everything patched.
"It's not about being bulletproof for everything," he said. "At
the end of the day, we're all about risk mitigation."
NAC tools scan an entire corporate network to identify connecting
devices and enforce security policies. Smaller devices, such as
smartphones, are adding to the complexity of most corporate
networks, and NAC is designed to help reduce some of that
complexity.
Security pros agree that NAC technology is still in its infancy,
and companies should be cautious when examining NAC products. Quite
often, convincing marketing campaigns by vendors that present NAC
products as an easy way to control the network cause many flaws to
go unnoticed, said Marcus Badley, a senior security engineer with
Union City, Calif.-based DeVine Consulting.
"The marketing message is what blinds them," Badley said.
"There's never been a magic bullet solution. In many cases
companies are implementing poorly because they don't have the
knowledge-base and experienced staff to handle network problems."
Badley was one of dozens of security pros who watched Arkin
demonstrate that both Cisco Systems Inc.'s Network Admission
Control (NAC) and Microsoft's Network Access Protection (NAP)
technologies are often poorly implemented. Cisco and Microsoft are
building interoperability between their approaches. "Right now
we've got a confused marketplace, but I expect the situation to
improve," Badley said. "Companies are moving forward with projects.
It's about whether they're implementing them right."