A default setting in Cisco NAC gear allowed a University of Portland student to dodge a security scan by Cisco’s NAC software agent and get on the school network.

The exploit was the work of a sophomore who was suspended for doing it, and further use of the weakness has been blocked by changing a setting on the Cisco Clean Access box involved, according to Cisco.

By default, the device allows access to endpoints for which a “null” entry is made when the endpoint is queried about its operating system at login. With software version 4.1.1 of the Clean Access platform, the default has been changed to deny access for endpoints with null entries for operating system.

The initial allow-access default was in place so users with devices such as handhelds that can’t be scanned by the agent could gain access to the network, Cisco says.

The student’s exploit fooled the Clean Access device into not requiring an endpoint scan.

That is different from and less complicated than sending false scan results to the device, a weakness exploited and demonstrated by security experts at the Black Hat Conference in Amsterdam earlier this year (watch the video).

Even when it works, endpoint scanning doesn’t guarantee that the devices scanned are healthy, experts say, so customers of this class of NAC device should be aware of exactly what they can do to protect networks, experts say.

“The number one thing you learn in security is that there’s no such thing as client-based security,” says Ofir Arkin, CTO of NAC vendor Insightix, who outlined the vulnerabilities of various NAC schemes at the Black Hat Conference in Las Vegas last year.

When software on a machine reports on the state of the machine, it is possible to write a separate agent that can spoof the responses of an actual agent, he says. Or a user could install the agent on a virtual machine that complies with the security posture set by the NAC policy, then switch to a separate non-compliant machine once admitted to the network, he says.

Steve Hanna, a distinguished engineer at Juniper and leader of IETF and Trusted Computing Group efforts to standardize NAC, says hardware-based checks of endpoints are best. He advocates the use of Trusted Platform Module chips in PCs that creates a mathematical hash of the machine’s configuration and can alert users to any deviation from known acceptable configurations.

Whitepapers

• The Trend from UNIX to Linux in SAP(r) Data Centers
• Getting in Compliance With Government Data Regulations By Leveraging Online Security Technology
• How to Offer the Strongest SSL Encryption
• Maximizing Site Visitor Trust Using Extended Validation SSL
• Seven Steps to Reducing your Security Risk
• The Latest Advancements in SSL Technology

View more SECURITY whitepapers

Webcasts

• The Secure Web Gateway. Mission Critical For Business - Webcast
• Mobile Data Security
• Best Practices for Deploying WAN Optimization for Disaster Recovery
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives
• High Availability for SQL Server 2005 Using Array-Based Replication and Host-Based Mirroring Technologies

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• The self-managed network

View more SECURITY special reports