Todays NAC Remains Vulnerable to Attack

Experts say currently available Network Admission Control systems do not provide adequate security.

According to the latest figures from Forrester Research, some 40 percent of all enterprises in North America will have some form of Network Admission Control in place by the end of 2006, as businesses seek more effective ways to identify devices connecting to their networks and to enforce IT security policies.

The systems are available today from a wide range of technology vendors including Cisco Systems, Insightix, Nortel Networks and StillSecure, with Microsoft planning to launch its NAP (Network Access Protection) products in 2007.

Despite the benefits offered by the systems, however, industry experts say that the tools are far from complete and, by themselves, do not yet provide an adequate level of security for companies to depend on.

The most outspoken critic of NAC security has been Ofir Arkin, chief technology officer of Insightix, based in Raanana, Israel. Arkin presented his methods for bypassing the technologies in early August at the annual Black Hat hacker convention in Las Vegas.

Arkin maintains that, despite his public warnings and other software vendors concessions that NAC is not yet foolproof, many companies are adopting the technologies without understanding the risks involved.

/zimages/4/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

"I believe that many companies may be entertaining a false sense of security because they dont understand all the implications and potential weak points," said Arkin. "And its not that NAC is immature, its just that people need to understand what it gives you and what it doesnt; some technologies out there promise full protection based on their NAC capabilities, and, in most cases, that isnt really accurate."

Arkin has outlined a series of weaknesses that he believes exist in current NAC installations. Among those vulnerabilities is the ability for outsiders to dupe NAC systems so-called IP sniffers, which are used to scan data packets passing through the products monitoring tools to validate information about devices connecting to a network.

Common loopholes that let devices communicate inside their network segment without sending IP traffic through a monitoring point could allow for virus infections or for a device to gain access to unauthorized areas of a companys network, Arkin contends.

Other NAC vulnerabilities cited by Arkin include the ability for devices to circumvent the systems DHCP (Dynamic Host Configuration Protocol) proxies, broadcast listeners, SNMP traps and various forms of client-based applications, all of which are used to determine whether a device should be granted access to a network or denied.

Other vendors agree that NAC systems still are vulnerable to attacks against those components. Companies should be using NAC to help improve their ability to keep unwanted parties off their networks, but they shouldnt believe that the technologies can stand alone in completing the task, said Alan Shimel, chief strategy officer for StillSecure, in Superior, Colo.

/zimages/4/28571.gifNAC systems are all the rage at Interop. Click here to read more.

"The way companies should look at it is that NAC is going to vastly improve their ability to control network access, but that its no panacea," said Shimel. "Compared to the systems companies have been using for the same purposes up until now, it is far superior, but we wouldnt subscribe to the notion that NAC is a silver bullet; theres still a lot of work that needs to be done."

Experts maintain that industry standards such as IEEE 802.1x are key to developing NAC into systems that can provide the sort of comprehensive network protection that is already associated with the technologies. The advancement of the standard for port-based NAC technologies—used to authenticate devices attached to wired or wireless networks—will allow for higher levels of interoperability among NAC products and increase companies ability to garner consistent security reports from the systems, industry analysts say.

"The industry consensus is that 802.1x is the most solid security standard for authentication and access control. It works at a Layer 2 level, and all the authentication mechanisms go to work before any type of network access is granted," said Andrew Braunberg, an analyst with Current Analysis, in Sterling, Va. "Thats the most bulletproof NAC security method in use today, but there are still big headaches in getting everything compliant with 802.1x."

Part of the problem is that companies are approaching the technology as a security project, when in essence the products available today are still more oriented toward network management, Braunberg contends.

"People are forgetting that NAC isnt really designed as a security solution; its a systems management solution that was created to allow endpoints to leverage network security tools," he said. "NAC really operates in a configuration and management function. In a lot of ways, it should be thought of as adding a management and control overlay that aids security, but not as a security solution."

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.