Experts Point to Weaknesses in NAC Security

LAS VEGAS—While Network Admission Control technologies are being heralded as a major step forward in helping to secure corporate IT infrastructures, security researchers contend that the tools remain open to a range of threats.

At the Black Hat Briefings security conference being held here July 31 through Aug. 3, experts identified a slew of potential techniques that hackers can employ to circumvent existing NAC technologies, including those offered by major vendors such as Cisco Systems. Ofir Arkin, chief technology officer at network monitoring software maker Insightix, of Framingham, Mass., highlighted a litany of backdoors and vulnerabilities he claims are present in many NAC installations.

Among the most critical weaknesses applicable to NAC environments are those revolving around the use of DHCPs (Dynamic Host Configuration Protocols), which provide configuration guidelines for devices seeking to access a network. Since DHCP is one of the easiest methods for installing NAC infrastructures—a project that remains admittedly tough for even the most mature IT organizations—attacks against the technique, including the use of static IPs (Internet Protocols) by attackers to secretly gain access to a network, are a widespread issue, Arkin said.

“At the end of the day, when you’re looking at companies using DHCP, many also have other address bases for servers and different types of end users, and someone can easily bypass such a system by assigning a static IP address to their machine,” Arkin said. “And the detection element [of DHCP] only scans the network at Layer 3, with no knowledge of the network’s topology. That also leads to the existence of other uncovered venues that could be used to provide access to the network.”

Read the full story on eWEEK.com: Experts Point to Weaknesses in NAC Security

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.