Extreme Networks wants to put the lid back on the security issues that were blown off the Dynamic Host Configuration Protocol (DHCP).
Last summer at the Black Hat Conference, Insightix CTO Ofir Arkin explained how DHCP-based approaches provide incomplete detection of elements operating on a network. The DHCP NAC implementation approach can also be bypassed by assigning a static IP address, he added.
Now, Extreme Networks wants to help with the release of ExtremeXOS 11.6, the proprietary embedded networking operating system that runs on Extreme Networks’ switches and other networking equipment.
With ExtremeXOS 11.6, the company is claiming that DHCP-based methods
of enforcement can be done securely, offering users another alternative to
the port-based 802.1x protocol, which is sometimes difficult to implement and typically more costly.
“We absolutely are proponents of 802.1x, but we also realize it’s maybe not
for everybody,” Tim Bardzil, product manager at Extreme Networks, told
internetnews.com. “What we’re saying now is that we can provide
equivalent switch level enforcement for port level enforcement regardless of
whether the customer chooses DHCP or 802.1x.”
Bardzil explained that switches are already aware of DHCP traffic, but all
they normally do is let it pass through. With ExtremeXOS 11.6, rather
than just forwarding it along, the switch peeks inside the packet and sees
the IP address that is being assigned to a particular end point.
Then, what ExtremeXOS will do on the port is create a dynamic ACL (Access Control
List). That means the system is saying, for example, that if you see traffic coming from this particular end point and it does not have the proper address from the DHCP server, then drop that traffic.
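A minimal model of the enforcement described above, as an added example that is not Extreme Networks' code: the switch reads the assigned address out of a DHCP ACK, binds it to the client's port, and drops traffic whose source does not match. The trusted-port concept, the one-binding-per-port rule and all class and function names are assumptions for illustration; the sample packet is constructed.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
DHCPACK = 5                   # value of option 53 (message type) for an ACK

def parse_dhcp(payload):
    """Return (msg_type, client_mac, assigned_ip) from a raw DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    yiaddr = socket.inet_ntoa(payload[16:20])       # "your" address being assigned
    mac = payload[28:34].hex(":")                   # chaddr, first 6 bytes for Ethernet
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]
        i += 2 + length
    return msg_type, mac, yiaddr

class SnoopingSwitch:
    """Hypothetical model: one (MAC, IP) binding per access port, learned from DHCP ACKs."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # assumption: ports facing the legitimate DHCP server
        self.bindings = {}                  # client port -> (mac, ip): the "dynamic ACL"

    def snoop(self, ingress_port, egress_port, payload):
        parsed = parse_dhcp(payload)
        # Only server replies arriving on a trusted port may create a binding.
        if parsed and parsed[0] == DHCPACK and ingress_port in self.trusted:
            self.bindings[egress_port] = (parsed[1], parsed[2])

    def permit(self, port, src_mac, src_ip):
        if port in self.trusted:
            return True
        return self.bindings.get(port) == (src_mac, src_ip)   # no lease or static IP: drop

def build_ack(mac, ip):
    """Constructed sample: minimal DHCPACK payload for the demo."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)          # op=BOOTREPLY
    hdr += bytes(4) + socket.inet_aton(ip) + bytes(8)                # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10) + bytes(192)  # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, DHCPACK, 255])
```

An endpoint that assigns itself a static address never triggers a binding, so `permit` returns `False` for it on any untrusted port.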
Even without Arkin’s direct comments on the Extreme Networks solution (he was not available for comment on this product release), his
Black Hat presentation did serve as somewhat of an impetus for the creation
of the solution in the first place, Extreme Networks’ Bardzil said. “The news [by then] made its way out to end customers and we have run into customers that have asked or their
requirements state that they need port level security.”
Bardzil admitted, however, that not all the issues with DHCP have been plugged
but he argued that ExtremeXOS 11.6 does plug the major issues. Extreme
Networks also has an OEM relationship with NAC vendor StillSecure
and rebrands its Safe Access NAC product as Extreme Networks
Within the Sentriant AG product, additional checks are provided for
DHCP security, including making sure that an endpoint isn’t using internet
connection sharing or using any sort of bridge that could allow it to bypass
Beyond improvements to DHCP-based NAC deployments, ExtremeXOS 11.6 also
improves on its Microsoft NAP (Network Access Protection) capabilities. NAP
is Microsoft’s brand of NAC, and though it is not yet publicly available, it
has 100 industry partners. One of those partners is Extreme Networks.