Researchers: NAC Experiencing Growing Pains
The vulnerabilities stem from the fact that many companies don't have enough information about what devices are connected to their networks, how they're running and operating, and what changes are occurring within them, said John Stewart, chief security officer at Cisco and head of the San Jose, Calif.-based vendor's security-related groups.
"The concept of having devices join a network in which they are posture-assessed and given access to the network in a granular way is still in its infancy," said Stewart.
NAC protects corporate networks by scanning PCs for malware, ensuring that patches and software are up to date before allowing users to access the network, and quarantining infected or noncompliant machines.
Ofir Arkin, CTO and co-founder of Insightix, an Israel-based NAC startup, gave a presentation at this week's Black Hat conference in Las Vegas outlining the various technologies behind today's NAC solutions and methods for circumventing their security measures. "The lack of common criteria for NAC has led to vendors adopting different approaches to the technology," said Arkin.
NAC solutions based on the Dynamic Host Configuration Protocol (DHCP) make it easy for companies to deploy the technology today, said Arkin. However, DHCP -- which assigns IP addresses as each individual user is authenticated -- can be bypassed by a user inside the network assigning themselves a static IP address, he added.
Another drawback of DHCP-based NAC solutions is that they require agent software that often exists only for Windows, said Arkin.
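The weakness Arkin describes is that a DHCP-based NAC only ever sees hosts that ask the DHCP server for an address; a host configured with a static IP is never posture-assessed. One compensating check is to compare the DHCP lease table against what the switches and routers actually observe on the segment (the ARP or neighbor table) and flag any host that is present without a lease, or whose observed MAC differs from the one the lease was issued to. The script below is an added example written for this article, not code from Insightix, Cisco or any NAC product; the one-line lease format, the ARP table layout, the addresses and the KNOWN_STATIC allow-list are all constructed for illustration.

```python
"""Flag hosts seen on a LAN segment that have no matching DHCP lease.

Added example (not from the article or any NAC vendor). A DHCP-based
NAC cannot assess a host that never requests an address, so the
switch/router ARP table is reconciled against the lease table to
surface such hosts. All sample data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lease records, one lease per line (simplified,
# hypothetical format; real dhcpd.leases files use multi-line blocks).
DHCP_LEASES = """\
lease 10.20.0.15 hardware ethernet 00:11:22:33:44:55
lease 10.20.0.16 hardware ethernet 00:11:22:33:44:66
lease 10.20.0.40 hardware ethernet aa:bb:cc:dd:ee:01
"""

# Constructed sample ARP table as exported from a router/switch:
# "<ip> <mac> <interface>" per line.
ARP_TABLE = """\
10.20.0.15   00:11:22:33:44:55   eth0
10.20.0.16   00:11:22:33:44:66   eth0
10.20.0.99   de:ad:be:ef:00:01   eth0
10.20.0.40   aa:bb:cc:dd:ee:02   eth0
10.20.0.1    00:00:5e:00:01:01   eth0
"""

# Addresses that are legitimately static (gateway, servers) and must not alert.
KNOWN_STATIC = {"10.20.0.1"}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_leases(text):
    """Return {ip: mac} from the simplified lease records."""
    leases = {}
    for line in text.splitlines():
        m = re.match(r"lease (\S+) hardware ethernet (\S+)", line)
        if m:
            leases[m.group(1)] = m.group(2).lower()
    return leases


def parse_arp(text):
    """Return [(ip, mac), ...] from the ARP table export."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1].lower()))
    return entries


def find_unleased_hosts(leases, arp, known_static, subnet):
    """Hosts in `subnet` that are visible in ARP but not explained by a lease."""
    net = ipaddress.ip_network(subnet)
    findings = []
    for ip, mac in arp:
        if ipaddress.ip_address(ip) not in net or ip in known_static:
            continue
        if ip not in leases:
            findings.append(Finding(ip, mac, "no DHCP lease (likely static IP)"))
        elif leases[ip] != mac:
            findings.append(Finding(ip, mac, f"lease MAC {leases[ip]} != observed MAC"))
    return findings


def audit(subnet="10.20.0.0/24"):
    """Run the reconciliation over the constructed sample data."""
    return find_unleased_hosts(parse_leases(DHCP_LEASES), parse_arp(ARP_TABLE),
                               KNOWN_STATIC, subnet)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.ip:<14} {f.mac}  {f.reason}")
```

On the sample data this reports 10.20.0.99 (present on the wire, never leased) and 10.20.0.40 (leased to one MAC, now answering from another). In practice the lease and ARP exports would be pulled periodically from the DHCP server and the access switches, and the allow-list kept in the same inventory that records which addresses are intentionally static.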
Chris Labatt-Simon, president and CEO of D&D Consulting, Albany, N.Y., recommends combining NAC with a one-time password, or biometric authentication, to provide more security than just a static password. "A strong authentication policy is necessary to ensure the validity and the identity of a user accessing a network," said Labatt-Simon.
Unlike Layer 3 DHCP-based solutions, Cisco's 802.1x-based NAC solution provides stronger security because it operates at Layer 2, Arkin said. When 802.1x authentication is implemented on switches or embedded in network infrastructure, it can prevent network devices from connecting even before they're assigned an IP address, said Arkin.
However, the drawback of Cisco's 802.1x-based NAC solution is that it only works on Cisco infrastructure, and solutions can be difficult to manage because all network devices must be configured to use 802.1x, Arkin added.
Companies should be aware that NAC is an emerging technology and take time to assess its impact on their networks, Stewart said. "I believe the benefits of NAC are going to outweigh the risks, because most companies are going to put solutions in learning mode as opposed to enforcement mode," said Stewart.