Network Access Control (NAC) was one of the most talked about networking technologies of 2006.
Some have positioned it as a silver bullet with the ability to defend a
network against all comers. One man and one company in particular stood out
amid the torrent of NAC hype in 2006 and poked holes in a number of
different approaches to NAC.
Ofir Arkin, the CTO of Insightix, took the podium at the Black Hat conference
last summer and revealed ways that to bypass certain NAC approaches.
Beyond research, Insightix currently has two products, Discovery and
NAC. Discovery “discovers” what elements are on a network while NAC performs
Internetnews.com recently chatted with Arkin about what Insightix is
doing and why standards for NAC aren’t necessarily the key to better
Q: What are some of the things that you don’t like about other network
security products in the market that you’ve made sure to avoid or improve upon at Insightix?
Our first product was Insightix Discovery. When I
was consulting to organizations the biggest issue that I had was to
understand what do I have in order to build the right defenses. Working
without knowing what is on the network and how it looks and what the
infrastructure is doesn’t work. You can’t protect what you’re not aware of.
So our first goal was to provide a solution that gives real-time information
about the IT network. The biggest thing that I saw when I was working as a consultant is that many organizations work in the dark.
They know they need to buy security solutions, but they don’t have the
understanding of what they have. You’d think that it would be trivial to
answer, but we found out that these are non-trivial questions, and the problem
of discovery is something that still needs to be answered.
On NAC, we do believe that in order to provide proper network access control
you first need to understand what you have and be able to identify in real
time any element that tries to connect to the network.
There is a void between what people know and what they don’t know. And that
void is where vulnerabilities and the issues that at the end of the day we
lose sleep over . We need to know what we have in order to be able to have
control over our infrastructure.
Q: Insightix does discovery and NAC. Does that also include threat
management, either directly or via partnership?
We try to do everything home grown.
We do not provide threat management because we are not a threat-management
company. We do not provide vulnerability assessment because we are not a
First and foremost we’re the guys that provide you with the ability to know
your network in real time, and we’re the guys that, on top of that ability, can
keep your network safe in terms of who can access your network and who
can’t, while making sure that they’re compliant with policy. And it’s all
done in real time.
Q: The market is actually a little confused about what NAC is. A
compliance solution? A security solution?
I do think that for most, NAC is a security solution. It needs to make sure
that the elements that we don’t want to be on our network are not on our
networks in real time.
There are companies that cannot provide element detection in real time. But
they try to bend the definition of NAC towards the compliance angle. Because every company that may have some kind of a technology and want to join the NAC bandwagon, they bend the definition.
Q: Do NAC standards matter? Whether it’s TNC, IEEE or otherwise?
I don’t think a standard matters. I think what a solution actually provides
you and how complete it is actually determines if the solution is something
that you need.
With some of the vendors you need rip out your existing infrastructure and
replace it with new equipment if for example you want to support 802.1x.
Is there a real value with 802.1x? Don’t get me wrong 802.1x is a valid
technology and it’s important and I do like it, but it’s only valid if you buy
At the end of the day you have to ask yourself what you want to do. Why do
you need a NAC solution?
You want to know what’s on your network and you want to make sure that the
elements that are on your network are compliant with a policy. Sounds simple
right? But what’s the cost? Will it require me to replace my infrastructure?
How much time will it take to implement? Is the technology used to perform
quarantine powerful enough?
Standards may be
written in the future but how long will it take to become a standard and for
everyone to agree on? You need to see what solutions today can do for you and
how it actually performs and then you can decide if it’s the right solution
for you or not.
Q: At Black Hat you talked specifically about DHCP. is there something else at a top level that really isn’t secure?
DHCP was only the first part of my presentation. Many picked up on that but
I actually talked about 802.1x and basically all of the various approaches
to detect network elements and how they could be bypassed.
In my new version of the presentation I will add more solutions so you’ll be
able to see other solutions that I didn’t mention before.
Q: What is the biggest challenge you face as the CTO of Insightix?
You know sometimes you can’t sleep at night. I’m the co-founder of the
company and it’s important to move the company forward. I’ve got employees;
it’s a baby that grows. It’s actually a dream that takes shape and grows.
I think that the most important thing is to develop the types of things that
are expected from us from our customers’ perspectives. That’s why I go out
and ask customers what they feel they are missing or need more of from the
solutions we provide.
We make sure that the next version will include the type of things that are
still missing. I think that at the end of the day, when you have a listening
ear and you know how to identify what is important you can succeed because
you are fulfilling what your customers and what your channel [are] asking for.
Of course there are many other aspects of the technology that I’m in charge of
that needs to work and it works. I get to play with the technology and to
think about new exciting things, and that’s part of why I choose to take the
I still have time to sit in the lab to do things to innovate and that’s a
key aspect of my role that I most enjoy.