NAC Under Attack At Black Hat (Again)

Network Access Control (NAC) continues to be one of the most hyped and talked about networking security technology approaches. NAC offers the promise of secure pre- and post-admission control, ensuring that only the good guys are on your network.

At Black Hat 2006, Insightix CTO Ofir Arkin debunked the myth that NAC is a silver bullet for network security.

This year, he’s back, along with at least one other security research group claiming that NAC is still insecure and can be exploited when perpetrators know what to look for.

“I took all the material of last year and looked for new innovations from last year to this date,” Arkin said. “Not a lot has changed in the last year — just the awareness.”
Moreover, some of the same basic approaches to bypassing NAC that Arkin revealed in 2006 are still very much valid in 2007.

To date perhaps the biggest change in the NAC landscape in 2007 has been the announcement that Microsoft’s NAP will interoperate with the Trusted Computing Group’s Trusted Network Connect (TNC).

Arkin noted that the new interoperability doesn’t open up additional risks. However, Arkin said he does see a potential issue with TNC in that there are a lot of moving parts and multiple vendors, which could pose some risks from a complexity and implementation point of view.

Arkin isn’t particular about picking on NAC vendors big or small. From his point of view, there are multiple vendors with multiple risks that he intends to discuss.

However, Dror-John Roecher, a senior security consultant for ERNW GmbH, plans to single out Cisco’s NAC architecture in his Black Hat presentation titled, “NACAttack.”

At Black Hat 2005, Cisco officials made a controversial move to stop a Black Hat presentation about an exploit of its technology.

Cisco spokesperson Kevin R. Petschow said that Cisco will not attempt to stop Roecher’s NACAttack presentation. Petschow could not confirm or deny that the talk would even be factually correct.

“We’ve not seen or had access to the presentation that is to be given,” Petschow said. “Hence we cannot speak to its accuracy, yet.”

As it turns out, Arkin is familiar with the NACAttack presentation. According to him, Roecher already delivered a talk in Amsterdam that is based on exploit information that Arkin himself first introduced.

“I outlined this attack vector last year,” Arkin said. “Dror has an interesting attack but it works only when you don’t have authentication enabled with Cisco NAC and he circumvents posture validation checks.”

Rather than being concerned that another researcher is basing new attacks on his research, Arkin sees the NACAttack presentation as proof that the attack vectors he outlined last year are still valid and that we might hear about more attack vectors like it in the future.

There are ways to do NAC securely, but vendors aren’t focusing on the right stuff in Arkin’s view.

“It’s a shame that most vendors think that people are only interested in posture validation checks against Windows devices that are part of their domain,” Arkin said. “The elements that we know about are not the ones we have problems with, it’s the ones we don’t know about.”

In his view, it’s essential for network administrators to have a complete understanding in real time of what they have on their network. Arkin argued that without understanding what is on a network there is no ability to secure it.

“The market is much more educated, the market is much more knowledgeable now,” Arkin said. “People know what they want to have and there are solutions that can provide really secure NAC.”
