It’s time for NAC to take a NAP

Disclaimer: This article is an editorial opinion and is not exhaustive of all technologies and techniques in the market. It is intended to prompt the reader to better explore the need, and not to take decisions based solely on its content.

NAC (Network Access Control) / NAP (Network Access Protection) technologies, in various different methods of operation, have existed for quite a long time.

Their basis is to identify a new networking device based on an event, such as:

  • DHCP (New IP request)
  • DNS (Query)
  • MAC (various types of broadcasts such as ARP and other methods)
  • Gateway (new traffic traversing a gateway)

But guess what all these have in common… they can all be circumvented quite easily! That’s annoying, as the price (CAPEX and OPEX) of operating a NAC is high (at least when rolling it out); I believe the ROI for NAC is very low. Here are some examples of how various NACs can be bypassed:

  • Configure a cheap network router:
    • NAT (with PAT) enabled
    • Route all WAN traffic to port I
    • Connect valid computer to port I
    • After computer I has network access, connect anything to the other ports (and enjoy!)
    • If you want it to be harder to identify the router – spoof the MAC by cloning the WAN MAC to the MAC of the computer connected to port I before connecting the router to the network (via the WAN port)
  • Use a network hub and disable ARP requests on your NIC (Network Interface Card) and OS (Operating System)
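
A defender-side heuristic for spotting the two bypasses above, as an added example that is not part of the original article: a host plugged straight into an access port sends packets with an untouched initial TTL, while traffic that has crossed a NAT router arrives with the TTL already decremented, and a hub shows several MACs on one port. The record format, port names and MAC addresses are constructed for illustration, and the result is an indicator to investigate, not proof.

```python
from collections import defaultdict

# Initial TTLs commonly used by operating systems and network gear.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: (switch_port, source_mac, ttl) for unicast IPv4 packets
# captured at the access switch, before any legitimate router has touched them.
SAMPLE = [
    ("Gi1/0/1", "00:11:22:33:44:01", 128),
    ("Gi1/0/1", "00:11:22:33:44:01", 128),
    ("Gi1/0/2", "00:11:22:33:44:02", 127),
    ("Gi1/0/2", "00:11:22:33:44:02", 63),
    ("Gi1/0/2", "00:11:22:33:44:02", 127),
    ("Gi1/0/3", "00:11:22:33:44:03", 64),
    ("Gi1/0/4", "00:11:22:33:44:04", 64),
    ("Gi1/0/4", "00:11:22:33:44:05", 128),
]

def ttl_origin(ttl):
    """Return (assumed initial TTL, hops already crossed) for an observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"invalid IPv4 TTL: {ttl}")

def suspicious_ports(records, min_packets=2):
    """Map each access port to the reasons it looks like it hides extra devices."""
    per_port = defaultdict(list)
    for port, mac, ttl in records:
        per_port[port].append((mac, *ttl_origin(ttl)))
    findings = {}
    for port, seen in per_port.items():
        reasons = []
        # A directly attached host sends with an untouched initial TTL (0 hops).
        if sum(1 for _, _, hops in seen if hops > 0) >= min_packets:
            reasons.append("ttl-decremented")
        # One MAC emitting several initial-TTL families suggests several hosts behind NAT.
        families = defaultdict(set)
        for mac, initial, _ in seen:
            families[mac].add(initial)
        if any(len(f) > 1 for f in families.values()):
            reasons.append("mixed-ttl-families")
        # Several MACs on one access port suggests a hub or unmanaged switch.
        if len(families) > 1:
            reasons.append("multiple-macs")
        if reasons:
            findings[port] = reasons
    return findings
```

On the constructed sample this flags Gi1/0/2 (decremented TTLs from two TTL families behind one MAC) and Gi1/0/4 (two MACs on one port); legitimate setups such as a PC daisy-chained through an IP phone will also trip the last rule.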

But hey.. there are “better” solutions:

  • 802.1x – You still need to whitelist some devices, which allows the previous attacks to work; EAP packets can be forwarded (in the first attack above), thus bypassing 802.1x
  • Signing traffic – an excellent solution but may require network equipment change and still requires whitelisting…

“But my NAC performs device fingerprinting!” – And what fingerprinting does it do? Check which ports are open? Check the header / echo response? Crawl the SNMB? These are all very easy to bypass and again the first attack above still bypasses it as the NAC will examine the actual corporate computer!

“So what are you saying?” – NAC is effective against casual connections to the network; it will not prevent an attacker. Now decide how much you want to invest and your planned ROI.
