RealTime IT News

An Extreme Solution for NAC

Extreme Networks wants to put the lid back on the security issues that were blown off the Dynamic Host Configuration Protocol (DHCP), a security approach to assigning dynamic IP addresses to devices on a network.

Last summer at the Black Hat Conference, Insightix CTO Ofir Arkin explained how DHCP-based approaches provide incomplete detection of elements operating on a network. The DHCP NAC implementation approach can also be bypassed by assigning a static IP address, he added.

Now, Extreme Networks wants to help with the release of ExtremeXOS 11.6, a new version of the proprietary embedded networking operating system that runs on Extreme Networks' switches and other networking equipment.

With ExtremeXOS 11.6, the company is claiming that DHCP-based methods of enforcement can be done securely, offering users an alternative to the port-based 802.1x protocol, which is sometimes difficult to implement and typically more costly.

"We absolutely are proponents of 802.1x, but we also realize it's maybe not for everybody," Tim Bardzil, product manager at Extreme Networks, told internetnews.com. "What we're saying now is that we can provide equivalent switch level enforcement for port level enforcement regardless of whether the customer chooses DHCP or 802.1x."

Bardzil explained that switches are already aware of DHCP traffic, but normally they just let it pass through. With ExtremeXOS 11.6, rather than just forwarding the traffic along, the switch peeks inside the packet and sees the IP address that is being assigned to a particular end point.

Then, what ExtremeXOS will do on the port is create a dynamic ACL (Access Control List). That means the system is saying, for example, that if you see traffic coming from this particular end point and it does not have the proper address from the DHCP server, then drop that traffic.
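A minimal model of the switch behaviour described above, as an added example (not Extreme Networks' code or ExtremeXOS configuration): it reads the assigned address out of a DHCPACK and keeps a default-drop allow list per port. The names `parse_dhcp_ack`, `PortFilter` and `build_msg`, the port numbers and the sample addresses are constructed for illustration; lease expiry and release handling are left out.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
DHCPACK = 5                        # DHCP message type (option 53) for an ACK

def parse_dhcp_ack(payload):
    """Return (client_mac, assigned_ip) if payload is a DHCPACK, else None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, hlen = payload[0], payload[2]
    if op != 2 or hlen != 6:       # 2 = BOOTREPLY; only Ethernet MACs handled
        return None
    yiaddr = ipaddress.IPv4Address(payload[16:20])   # address being assigned
    mac = payload[28:34].hex(":")                    # chaddr field
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                    # truncated option
            return None
        code, length = payload[i], payload[i + 1]
        if code == 53 and payload[i + 2:i + 2 + length] == bytes([DHCPACK]):
            return mac, yiaddr
        i += 2 + length
    return None

class PortFilter:
    """Per-port allow list built from snooped DHCPACKs; anything else drops."""
    def __init__(self):
        self.bindings = {}         # port -> {assigned_ip: client_mac}

    def snoop(self, port, dhcp_payload):
        # port = client-facing port the ACK is forwarded out of (assumption)
        binding = parse_dhcp_ack(dhcp_payload)
        if binding:
            self.bindings.setdefault(port, {})[binding[1]] = binding[0]

    def permits(self, port, src_ip):
        return ipaddress.IPv4Address(src_ip) in self.bindings.get(port, {})

def build_msg(mac, ip, msg_type=DHCPACK):
    """Constructed sample DHCP reply (BOOTP header + options) for the demo."""
    header = bytes([2, 1, 6, 0]) + bytes(12) + ipaddress.IPv4Address(ip).packed
    header += bytes(8) + bytes.fromhex(mac.replace(":", "")) + bytes(10)
    header += bytes(192)           # sname + file fields, unused here
    return header + DHCP_MAGIC + bytes([53, 1, msg_type, 255])
```

A host that sets a static address never triggers a DHCPACK on its port, so `permits` returns `False` for it, which is the bypass Arkin described being closed at the port.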

Even without Arkin's direct comments on the Extreme Networks solution (he was not available for comment on this product release), his Black Hat presentation did serve as somewhat of an impetus for the creation of the solution in the first place, Extreme Networks' Bardzil said. "The news [by then] made its way out to end customers and we have run into customers that have asked or their requirements state that they need port level security."

Bardzil admitted, however, that not all the issues with DHCP have been plugged, but he argued that ExtremeXOS 11.6 does plug the major ones. Extreme Networks also has an OEM relationship with NAC vendor StillSecure and rebrands its Safe Access NAC product as Extreme Networks CentrantAG.

Within the CentrantAG product, additional checks are provided for DHCP security, including making sure that an endpoint isn't using internet connection sharing or using any sort of bridge that could allow it to bypass DHCP enforcement.

Beyond improvements to DHCP-based NAC deployments, ExtremeXOS 11.6 also improves on its Microsoft NAP (Network Access Protection) capabilities. NAP is Microsoft's brand of NAC, and though it is not yet publicly available, it already has 100 industry partners. One of those partners is Extreme Networks.