Student evades Cisco NAC; gets suspended

A default setting in Cisco NAC gear allowed a University of Portland student to dodge a security scan by Cisco’s NAC software agent and get on the school network.

The exploit was the work of a sophomore who was suspended for doing it, and further use of the weakness has been blocked by changing a setting on the Cisco Clean Access box involved, according to Cisco.

By default, the device allows access to endpoints for which a “null” entry is made when the endpoint is queried about its operating system at login. With software version 4.1.1 of the Clean Access platform, the default has been changed to deny access for endpoints with null entries for operating system.

The initial allow-access default was in place so users with devices such as handhelds that can’t be scanned by the agent could gain access to the network, Cisco says.

The student’s exploit fooled the Clean Access device into not requiring an endpoint scan.

That is different from and less complicated than sending false scan results to the device, a weakness exploited and demonstrated by security experts at the Black Hat Conference in Amsterdam earlier this year (watch the video).

Even when it works, endpoint scanning doesn’t guarantee that the devices scanned are healthy, experts say, so customers of this class of NAC device should be aware of exactly what they can do to protect networks, experts say.

“The number one thing you learn in security is that there’s no such thing as client-based security,” says Ofir Arkin, CTO of NAC vendor Insightix, who outlined the vulnerabilities of various NAC schemes at the Black Hat Conference in Las Vegas last year.

When software on a machine reports on the state of the machine, it is possible to write a separate agent that can spoof the responses of an actual agent, he says. Or a user could install the agent on a virtual machine that complies with the security posture set by the NAC policy, then switch to a separate non-compliant machine once admitted to the network, he says.

Steve Hanna, a distinguished engineer at Juniper and leader of IETF and Trusted Computing Group efforts to standardize NAC, says hardware-based checks of endpoints are best. He advocates the use of Trusted Platform Module chips in PCs that creates a mathematical hash of the machine’s configuration and can alert users to any deviation from known acceptable configurations.

Another viable alternative is to monitor the behavior of devices once they have gained network access to make sure they behave in accordance with acceptable-use policies, Hanna says.

In the University of Portland case, the student responsible was suspended for the remainder of the current semester and the next semester.