Hackers have knack for beating NAC systems

Black Hat: Network access control systems are widely used by enterprises to remediate client access to internal networks, but experts say many NAC systems can be easily bypassed.

LAS VEGAS -- Network access control (NAC) frameworks have been the darlings of the security industry for some time, but speakers, attendees and researchers at the Black Hat USA 2006 conference say many of these systems can be easily bypassed and should not be viewed as anything other than one more layer of defense.

NAC systems are designed to enforce security policy at the outer edge of an enterprise network and prevent client computers that fail to comply with corporate policies from gaining access to network resources. Most such offerings rely on Dynamic Host Configuration Protocol (DHCP) servers to control which machines are assigned IP addresses and which are alternatively shunted off to a quarantine server for remediation or repair. Unfortunately, experts say, DHCP is perhaps NAC's weakest link.

"Anyone familiar with a network can assign his own static IP address and bypass the quarantine system," Ofir Arkin, CTO of Insightix Ltd., a security vendor based in Framingham, Mass., said during a session on vulnerabilities in NAC systems. "Once you have an IP address, you can attack other devices."

Despite the common use of DHCP among vendors to assess the status and identity of an endpoint device, Arkin pointed out that an attacker who knows a bit about the network's architecture could use trial and error to guess an unassigned IP address and assign it to his or her own machine, thus tricking the system into allowing it to connect to the network.

The use of DHCP servers as security devices has other inherent problems. For example, not all client devices use DHCP, Arkin said, and the DHCP server would therefore never see those machines when they attempt to connect to the network. He added that devices moved onto a separate quarantine VLAN or subnet can then attack the other devices on the same subnet.
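
An added example, not taken from Arkin's talk or from any vendor's product: because a DHCP-based NAC never sees a host that assigns its own address, a defender can compare the address-to-MAC pairs seen on the network against the DHCP lease table and flag every pair that has no matching active lease. The lease records, sightings, allowlist and function names below are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease records: (ip, mac, lease start, lease length in seconds)
LEASES = [
    ("10.0.5.21", "00:11:22:33:44:01", "2006-08-02T09:00:00", 3600),
    ("10.0.5.22", "00:11:22:33:44:02", "2006-08-02T07:00:00", 3600),
    ("10.0.5.23", "00:11:22:33:44:03", "2006-08-02T09:10:00", 3600),
]
# Constructed (time, ip, mac) sightings, e.g. exported from switch ARP tables
OBSERVED = [
    ("2006-08-02T09:30:00", "10.0.5.21", "00:11:22:33:44:01"),  # valid lease
    ("2006-08-02T09:30:00", "10.0.5.22", "00:11:22:33:44:02"),  # lease ran out
    ("2006-08-02T09:30:00", "10.0.5.23", "00:11:22:33:44:99"),  # leased to another MAC
    ("2006-08-02T09:30:00", "10.0.5.77", "00:11:22:33:44:77"),  # address never leased
    ("2006-08-02T09:30:00", "10.0.5.10", "00:11:22:33:44:10"),  # approved static device
]
# Assumed allowlist of approved static devices (hosts that never use DHCP)
STATIC_ALLOWLIST = {("10.0.5.10", "00:11:22:33:44:10")}

def build_lease_index(leases):
    """Map each IP to the (mac, start, end) leases the DHCP server issued for it."""
    index = {}
    for ip, mac, start, seconds in leases:
        begin = datetime.fromisoformat(start)
        end = begin + timedelta(seconds=seconds)
        index.setdefault(ip, []).append((mac.lower(), begin, end))
    return index

def classify(seen_at, ip, mac, index, allowlist):
    """Return a verdict for one sighting, judged against the lease history."""
    if (ip, mac) in allowlist:
        return "static-allowlisted"
    when = datetime.fromisoformat(seen_at)
    records = index.get(ip, [])
    if not records:
        return "no-lease"            # address was never handed out by DHCP
    active = [r for r in records if r[1] <= when < r[2]]
    if any(r[0] == mac for r in active):
        return "ok"
    return "mac-mismatch" if active else "lease-expired"

def find_unleased_hosts(observed, leases, allowlist):
    """List (ip, mac, verdict) for sightings not backed by an active lease."""
    index = build_lease_index(leases)
    findings = []
    for seen_at, ip, mac in observed:
        verdict = classify(seen_at, ip, mac.lower(), index, allowlist)
        if verdict not in ("ok", "static-allowlisted"):
            findings.append((ip, mac.lower(), verdict))
    return findings
```

The allowlist covers the case Arkin raises of legitimate devices that do not use DHCP; anything else reported here holds an address the DHCP server did not give it at that time.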

"The easy way to deploy a NAC system is with a DHCP proxy in front, but that's not necessarily the most secure way," Arkin said. Insightix sells a NAC system that enforces security policies at Layer 2 instead of Layer 3, which is where most other products do their work.

The proprietary nature of many NAC offerings can also cause problems, Arkin said, as different vendors often implement protocols and technologies in different ways. Arkin pointed specifically to 802.1x, the strong authentication standard, which Cisco has implemented in much of its gear as part of its NAC solution. The standard can only be used to authenticate machines that support 802.1x, and by default it only authenticates each machine at the beginning of a session.

Major vendors, such as Microsoft, Juniper Networks Inc., McAfee Inc. and Cisco Systems Inc., along with a host of smaller companies, including Senforce Technologies Inc., Elemental Security Inc., and Lockdown Networks Inc., are selling NAC systems in various configurations and levels of maturity. Microsoft will deliver most of its offering when Vista debuts later this year, and the rest will be part of Longhorn, the next version of Windows Server, due in the second half of 2007. Cisco, meanwhile, has rolled out much of its NAC solution, which relies exclusively on Cisco routers, switches and other gear.

Some researchers say that while the idea behind NAC is a good one, it never will be the panacea that many vendors and experts have played it up to be.

"There are so many ways to get around those systems, it's not even really challenging," said Marc Maiffret, chief hacking officer at eEye Digital Security Inc. in Aliso Viejo, Calif. "Microsoft, Cisco, everyone is telling you this stuff is the answer. But the reality is that if you don't buy all of their gear, it doesn't work. And if you know anything about the way networks work, you can get around them anyway."
