Student evades Cisco NAC; gets suspended
Cisco adjusts its default settings following student hack
By
Tim Greene
,
NetworkWorld.com
, 04/26/2007
- Share/Email
- Tweet This
- Print
A default setting in Cisco NAC gear allowed a University of Portland student to dodge a security scan by Cisco’s NAC software agent and get on the school
network.
The exploit was the work of a sophomore who was suspended for doing it, and further use of the weakness has been blocked by
changing a setting on the Cisco Clean Access box involved, according to Cisco.
By default, the device allows access to endpoints for which a “null” entry is made when the endpoint is queried about its
operating system at login. With software version 4.1.1 of the Clean Access platform, the default has been changed to deny
access for endpoints with null entries for operating system.
The initial allow-access default was in place so users with devices such as handhelds that can’t be scanned by the agent could
gain access to the network, Cisco says.
The student’s exploit fooled the Clean Access device into not requiring an endpoint scan.
That is different from and less complicated than sending false scan results to the device, a weakness exploited and demonstrated by security experts at the Black Hat Conference in Amsterdam earlier this year (watch the video).
Even when it works, endpoint scanning doesn’t guarantee that the devices scanned are healthy, experts say, so customers of
this class of NAC device should be aware of exactly what they can do to protect networks, experts say.
“The number one thing you learn in security is that there’s no such thing as client-based security,” says Ofir Arkin, CTO
of NAC vendor Insightix, who outlined the vulnerabilities of various NAC schemes at the Black Hat Conference in Las Vegas last year.
When software on a machine reports on the state of the machine, it is possible to write a separate agent that can spoof the
responses of an actual agent, he says. Or a user could install the agent on a virtual machine that complies with the security
posture set by the NAC policy, then switch to a separate non-compliant machine once admitted to the network, he says.
Steve Hanna, a distinguished engineer at Juniper and leader of IETF and Trusted Computing Group efforts to standardize NAC, says hardware-based
checks of endpoints are best. He advocates the use of Trusted Platform Module chips in PCs that creates a mathematical hash
of the machine’s configuration and can alert users to any deviation from known acceptable configurations.
Another viable alternative is to monitor the behavior of devices once they have gained network access to make sure they behave
in accordance with acceptable-use policies, Hanna says.
In the University of Portland case, the student responsible was suspended for the remainder of the current semester and the next semester.
Comments (8)
Re: Student evades Cisco NAC; gets suspendedBy Anonymous on April 27, 2007, 5:12 amoh dear, another case of "you've embarrassed us, you must pay!" Re: Student evades Cisco NAC; gets suspended
Reply | Read entire comment
Student evades Cisco NAC; gets suspended...By Shane Bren on April 27, 2007, 8:58 amAs long as he did not do anything malicious they should have congratulated him instead of suspending him! It is guys like this that Cisco should be hiring so these...
Reply | Read entire comment
what about other OSs?By Alan Shimel on April 27, 2007, 9:58 amtim, my biggest question around this is what about other OS's that cannot be tested by Clean Access. Are they all denied access now with the change of the default...
Reply | Read entire comment
Easier methodBy JoeF on April 27, 2007, 2:01 pmThere is a way easier method to fool Cisco NAC: Make it think it is talking to a non-Windows machine. See http://www.securityfocus.com/archive/1/444424/30/0/threaded (Disclosure:...
Reply | Read entire comment
Student evades Cisco NACBy Tom Jones on May 2, 2007, 4:14 pmAll the student needs to do is set their browser agent to LINUX and they will bypass all scanning. Very easy to do.
Reply | Read entire comment
Student should be suspendedBy Anonymous on May 2, 2007, 5:03 pmIf the student would have disclosed the vulnerability to cisco and the university authorities when he discovered it, rather than abusing the flaw for 7 months, then...
Reply | Read entire comment
View all comments