"Before deploying anything, a perfect understanding on what the network looks like is essential," Arkin said. "Most NAC solutions on the market today can be bypassed."
An area ripe for attack, Arkin said, is element detection and the quarantine server used by a Dynamic Host Configuration Protocol (DHCP) server. The DHCP server scans and checks machines and devices attempting to join the network; it either assigns them a unique IP address or places them in quarantine if the device fails to meet certain security requirements.
"The problem is that the quarantine holds soft targets," Arkin said. "I can infect [elements] or penetrate them while they're in quarantine."
Agent-based NAC, which uses software on endpoint devices, is also an area with problems, Arkin said. It often takes too long to implement, he said, and results in client issues.
"It's a good solution but it must be implemented properly," Arkin said.
Arkin's message was similar to the one he offered attendees at Black Hat USA 2006, when he said that NAC should not be viewed as anything other than an additional layer of defense.
He said zero-day flaws pose the single biggest threat to corporate IT networks, and while many companies work diligently on their patch management processes to keep all the holes plugged, it's always difficult to keep everything patched.
"It's not about being bulletproof for everything," he said. "At the end of the day, we're all about risk mitigation."
NAC tools are used to scan an entire corporate network to connect and identify devices and enforce security policies. Smaller devices, such as smartphones, are adding to the complexity of most corporate networks, and NAC is designed to help reduce some of that complexity.
Security pros agree that NAC technology is still in its infancy, and companies should be cautious when examining NAC products. Quite often, convincing marketing campaigns by vendors claiming that NAC products are an easy way to control the network cause many flaws to go unnoticed, said Marcus Badley, a senior security engineer with Union City, Calif.-based DeVine Consulting.
"The marketing message is what blinds them," Badley said. "There's never been a magic bullet solution. In many cases companies are implementing poorly because they don't have the knowledge base and experienced staff to handle network problems."

Badley was one of dozens of security pros who watched Arkin demonstrate that both Cisco Systems Inc.'s Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP) technologies are often poorly implemented. Cisco and Microsoft are building interoperability between their approaches.

"Right now we've got a confused marketplace, but I expect the situation to improve," Badley said. "Companies are moving forward with projects. It's about whether they're implementing them right."