Expert: NAC not a network security cure-all

According to an expert at Black Hat DC, NAC success demands careful planning and a good understanding of the company network; otherwise, implementations can quickly go awry.

ARLINGTON, Va. -- According to a network access control expert, NAC implementations are often more difficult than they need to be because companies don't have a good understanding of their networks, in turn opening the door for opportunistic attackers.

Most NAC solutions on the market today can be bypassed.
Ofir Arkin,
chief technology officerInsightix
Flaws exist in almost every part of a NAC implementation, allowing a digital miscreant the ability to bypass most access control walls, said Ofir Arkin, chief technology officer of Framingham, Mass.-based Insightix, a NAC vendor. Arkin told security pros at the Black Hat DC conference that careful planning is essential before implementing any part of NAC.

"Before deploying anything, a perfect understanding on what the network looks like is essential," Arkin said. "Most NAC solutions on the market today can be bypassed."

An area ripe for attack, Arkin said, is with element detection and the quarantine server used by Dynamic Host Configuration Protocol (DHCP) server. The DHCP server scans and checks machines and devices attempting to log on to a network; it either assigns them a unique IP address or places them in quarantine if the device fails to meet certain security protocols.

"The problem is that the quarantine holds soft targets," Arkin said. "I can infect [elements] or penetrate them while they're in quarantine."

NAC security:
NAC gains traction

Vendors acknowledge NAC-NAP roadmap limits

Hackers have knack for beating NAC systems

NAC boosts security for Sun Microsystems

Integrating security into the network quiz

Agent-based NAC, which uses software on endpoint devices, is also an area with problems, Arkin said. It often takes too long to implement, he said, and results in client issues.

"It's a good solution but it must be implemented properly," Arkin said.

Arkin's message was similar to the one he offered attendees at Black Hat USA 2006, when he said that NAC should not be viewed as anything other than an additional layer of defense.

He said zero-day flaws pose the single biggest threat to corporate IT networks, and while many companies work diligently on their patch management processes to keep all the holes plugged, it's always difficult to keep everything patched.

"It's not about being bulletproof for everything," he said. "At the end of the day, we're all about risk mitigation."

NAC tools are used to scan an entire corporate network to connect and identify devices and enforce security policies. Smaller devices, such as smartphones, are adding to the complexity of most corporate networks, and NAC is designed to help reduce some of that complexity.

Security pros agree that NAC technology is still in its infancy, and companies should be cautious when examining NAC products. Quite often, convincing marketing campaigns by vendors saying that NAC products are an easy way to control the network often causes many flaws to go unnoticed, said Marcus Badley, a senior security engineer with Union City, Calif.-based DeVine Consulting.

"The marketing message is what blinds them," Badley said. "There's never been a magic bullet solution. In many cases companies are implementing poorly because they don't have the knowledge-base and experienced staff to handle network problems." Badley was one of dozens of security pros who watched Arkin demonstrate that both Cisco Systems Inc.'s Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP) technologies are often poorly implemented. Cisco and Microsoft are building interoperability between their approaches. "Right now we've got a confused marketplace, but I expect the situation to improve," Badley said. "Companies are moving forward with projects. It's about whether they're implementing them right."

Read more on IT risk management