- What does Cisco have against Quebec?
- Attrition.org nails another nitwit
- Diary of a deliberately spammed housewife
- Seven cloud-computing security risks
- 20 great Windows open source projects
News | Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Network access control technology has been promoted as the savior of beleaguered enterprise networks, but enterprise IT managers who are hanging their hat on client health screening should think again, according to security expert Ofir Arkin of Insightix.
In a presentation at this year's Black Hat Briefings conference in Las Vegas, Arkin raised questions about the efficacy of NAC technologies from vendors such as Cisco, Microsoft, and Symantec, saying the current generation of NAC solutions are riddled with holes that make it easy for hackers to circumvent their protections.
A Cisco executive acknowledged that the technology has a ways to go before it provides comprehensive protection.
In a wide ranging presentation that mostly avoided dissections of specific products, Ofir said that across the board NAC solutions have holes or vulnerabilities in their protections that could be used by malicious hackers to gain entry to NAC protected networks.
For example, NAC solutions that use DHCP (Dynamic Host Configuration Protocol) proxy servers to enforce security policy do nothing to stop machines that obtain static IP addresses for their network connections, rather than using DHCP. That makes significant portions of enterprise networks invisible to the NAC access control products, Arkin said.
NAC solutions that enforce access through network switches, such as Cisco's Network Admission Control, also have weaknesses, Arkin said.
For example, Cisco's NAC technology is specific to their switches and routers, but enterprises often use a mixture of switching and routing gear. Hackers can find their way into an enterprise network simply by finding and connecting through an unmanaged switch, Arkin said.
Hackers can also spoof MAC and IP addresses for "known" systems that are allowed access, he said.
NAC solutions that rely on the 802.1x protocol to enforce access policies before systems are assigned an IP address provide tighter control, but don't cover devices that don't support the 802.1x protocol, such as legacy hardware, printers and other devices, he said.
Other security experts at Black Hat also expressed doubts about the NAC paradigm. Marc Maiffret of eEYE Digital Security, whose vulnerability scanning tools work with Cisco's NAC and other solutions, said that NAC systems that rely on antivirus software to report on the "health" of a system are suspect at a time when critical security holes are being reported in products from Symantec, McAfee and other vendors.
Rss FeedRss Feed
3com 5500g is really very fast! - Anonymous
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Comment