Extreme switch upgrade foils NAC-workaround exploit, company says

Extreme Networks says it has switch software that stops a simple, yet dangerous hack used to surmount many common network access technologies used on LANs.

The vendor’s updated switch operating system — ExtremeXOS —includes a feature that stops malicious users from configuring a PC or laptop with a static IP address in order to circumvent network access control technology installed to protect an enterprise network, Extreme says.

Many NAC technology products operate this way: users gain access to the LAN by authenticating to the network at Layer 2, using the 802.1X protocol. If authentication fails, the users connection are routed to a secure virtual LAN segment, which offers limited network access. (Users may also get an opportunity to upgrade antivirus or PC operating system patches, if a user’s access was denied because these files were out of date.)

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Extreme Networks says it has switch software that stops a simple, yet dangerous hack used to surmount many common network access technologies used on LANs.

The vendor’s updated switch operating system — ExtremeXOS —includes a feature that stops malicious users from configuring a PC or laptop with a static IP address in order to circumvent network access control technology installed to protect an enterprise network, Extreme says.

Many NAC technology products operate this way: users gain access to the LAN by authenticating to the network at Layer 2, using the 802.1X protocol. If authentication fails, the users connection are routed to a secure virtual LAN segment, which offers limited network access. (Users may also get an opportunity to upgrade antivirus or PC operating system patches, if a user’s access was denied because these files were out of date.)

Users could get around this by configuring their machines with a static IP addresses in the IP address range used by the company. Extreme says its ExtremeXOS software is able to identify IP addresses on the network that were not dispensed by a legitimate enterprise DHCP server and shut down those connections.

ExtremeXOS operating system works on Extreme’s BlackDiamond 12K core switches, and its Summit X450 LAN edge/aggregation layer switches. ExtremeXOS 11.6 is free to Extreme switch customers with updated support contracts, the vendor says.

Read more about lans & wans in Network World's LANs & WANs section.