Dodging NAC’s Silver Bullet

As the Black Hat conference descends upon Las Vegas this week, presents a series of articles addressing security issues past and present.

LAS VEGAS — Some vendors see network access control (NAC) technologies as the magic elixir for guaranteeing and promoting a self-defending network.

Ofir Arkin, CTO of security research firm Insightix, thinks that he’s got the proverbial fly in the ointment. Before a capacity crowd presentation at the Black Hat security conference here, Arkin verbally and graphically described how to bypass NAC systems, leaving them useless for their express purpose of keeping bad stuff out of networks.

He kept his presentation non-specific, choosing to discuss approaches to NAC rather than naming specific vendor implementations and potential vulnerabilities.

NAC is a term for a network-based approach to authenticating and enabling access to users and services across a network. Cisco has offered NAC since 2003 as part of its overall self-defending network initiative.

Microsoft offers its own NAC-like features, called NAP (Network Access Protection), which are set to appear in Windows Vista.

Juniper Networks and its Trusted Network Computing (TNC) group offer an alternative approach, which they call Unified Access Control (UAC).

Typically, NAC requires some form of hardware to help implement it, though NAC vendor InfoExpress has a Dynamic NAC offering (DNAC) that takes a peer-to-peer approach.

Though solutions differ, NAC’s core functions include element detection and authentication, endpoint security assessment, remediation, enforcement, authorization and post-admission protection.

During his presentation, Arkin described various NAC approaches and implementations, which, in his view, have weak points that could be bypassed.

The architecture of a NAC solution, such as the actual placement of the different pieces of a solution, could become a weak spot. In certain deployment cases, gaps in the element detection and enforcement methods could allow for bypass. An attacker could also potentially directly attack the NAC components themselves, Arkin explained.

Arkin’s most vehement criticism of NAC vulnerabilities came in reference to DHCP-based approaches to identifying and admitting network elements.

In a DHCP proxy-based deployment approach, according to Arkin, detection of elements happens at Layer 3 only, which means that an element that already has access to the local subnet would not be restricted at all.

DHCP-based approaches also provide incomplete detection of the elements operating on a network. The DHCP NAC implementation approach can be bypassed simply by assigning a static IP address. It is also possible to spoof the MAC address and/or IP address of an exception in order to receive full access.
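The gaps Arkin describes here come from the NAC system only seeing what DHCP shows it. As an added example, not from the talk or the article, the following script demonstrates the defender-side cross-check that closes that view: Layer 2 sightings (from a switch's MAC/ARP tables) are compared against the DHCP lease table and the NAC exception list, flagging hosts that never took a lease (the static-IP bypass) and hosts using an IP that belongs to another MAC (address spoofing of a lease or an exception). The lease records, exception list and sightings are constructed sample data.

```python
from typing import Dict, List, Tuple

Sighting = Tuple[str, str]  # (mac, ip) as observed on the wire

# Constructed sample data, not from the article.
DHCP_LEASES: List[Sighting] = [
    ("aa:bb:cc:00:00:01", "10.0.1.10"),
    ("aa:bb:cc:00:00:02", "10.0.1.11"),
]
# Hosts the NAC policy exempts from DHCP-based admission (e.g. a printer), by IP.
STATIC_EXCEPTIONS: Dict[str, str] = {"10.0.1.5": "00:11:22:33:44:55"}
# Layer 2 sightings collected from the access switch's MAC/ARP tables.
L2_SIGHTINGS: List[Sighting] = [
    ("aa:bb:cc:00:00:01", "10.0.1.10"),   # matches its lease
    ("00:11:22:33:44:55", "10.0.1.5"),    # the real exempt printer
    ("de:ad:be:ef:00:01", "10.0.1.200"),  # static IP, never talked to DHCP
    ("de:ad:be:ef:00:02", "10.0.1.11"),   # leased IP in use by a foreign MAC
    ("de:ad:be:ef:00:03", "10.0.1.5"),    # impersonating the exempt printer
]


def audit_dhcp_nac(leases: List[Sighting], exceptions: Dict[str, str],
                   sightings: List[Sighting]) -> Dict[str, list]:
    """Compare what is really on the segment with what DHCP-based NAC knows.

    Returns:
      'no_lease'    - (mac, ip) seen at Layer 2 with no lease or exception
                      for that IP; typical of the static-IP bypass.
      'ip_conflict' - (mac, ip, owner_mac) where the IP is held by a lease
                      or exception for a different MAC; typical of spoofing.
    """
    # Build the NAC system's own view: which MAC is expected behind each IP.
    expected_mac: Dict[str, str] = {ip: mac for mac, ip in leases}
    expected_mac.update(exceptions)

    no_lease, ip_conflict = [], []
    for mac, ip in sightings:
        owner = expected_mac.get(ip)
        if owner is None:
            no_lease.append((mac, ip))
        elif owner != mac:
            ip_conflict.append((mac, ip, owner))
    return {"no_lease": no_lease, "ip_conflict": ip_conflict}


if __name__ == "__main__":
    for kind, hits in audit_dhcp_nac(DHCP_LEASES, STATIC_EXCEPTIONS,
                                     L2_SIGHTINGS).items():
        for hit in hits:
            print(kind, *hit)
```

Hosts that never broadcast at all still show up here, because the sightings come from the switch rather than from DHCP traffic; a host hidden behind NAT on an admitted machine does not, since only the NAT device's MAC reaches the switch.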

“It’s really kind of lame,” Arkin said about DHCP-based NAC deployment.

Broadcast listeners, a term for “listening” for packets on the network, such as DHCP requests, in order to detect network elements, are also replete with flaws, he continued.

Why? Because the broadcast approach is not able to detect masqueraded elements hiding behind NAT. In such a scenario, a user could connect with one element and then place another, unauthorized element behind it. Worse yet, not all elements generate broadcast traffic and as such may well be undetectable.

Arkin did find some bright spots about NAC technologies.

When it is deployed correctly, “802.1x is the best technology that is out there.” He even singled out Cisco’s 802.1x NAC solution as “the best that is out there.”

Arkin praised Cisco’s NAC L2 802.1x system for its ability to prevent elements from connecting to a network before they are assigned an IP address.

But there’s a catch, he added: Cisco’s solution only works on Cisco equipment.

“Not all equipment may have that (802.1x),” Arkin said. “Not all networking elements can support 802.1x.”
