NAC, VoIP security draw questions at Black Hat

Jericho Forum of enterprise customers to issue white paper on network access-control concerns.

LAS VEGAS - At the Black Hat conference this week, security researchers drew attention to shortcomings in network access control and VoIP products, voicing criticisms that rang true to some enterprise network customers.

The range of NAC products on the market today to enforce endpoint security policy have fundamental design weaknesses that would let attackers bypass them through spoofing, inserting rogue servers and other methods, said Ofir Arkin, CTO at Insightix, during his presentation at the conference.

A NAC product "must be able to detect a new element connecting to the network and have the ability to verify whether or not it complies with a defined security policy," said Arkin, who categorized the NAC products today as agent-based DHCP proxy, broadcast listeners that use remote scans to identify network devices and 802.1X-based clients.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

LAS VEGAS - At the Black Hat conference this week, security researchers drew attention to shortcomings in network access control and VoIP products, voicing criticisms that rang true to some enterprise network customers.

The range of NAC products on the market today to enforce endpoint security policy have fundamental design weaknesses that would let attackers bypass them through spoofing, inserting rogue servers and other methods, said Ofir Arkin, CTO at Insightix, during his presentation at the conference.

A NAC product "must be able to detect a new element connecting to the network and have the ability to verify whether or not it complies with a defined security policy," said Arkin, who categorized the NAC products today as agent-based DHCP proxy, broadcast listeners that use remote scans to identify network devices and 802.1X-based clients.

While mentioning only Cisco and Symantec NAC products by name, he detailed various attacks based on masquerading and spoofing that could foil detection across a wide range of products. He also noted that most products rely on agent software running on Windows or on proprietary switches and other equipment, which makes NAC hard to deploy in large organizations and incomplete in terms of monitored devices.