Hackers Whack Cisco's NAC

Carl Weinschenk

The network access control (NAC) sector, which is creating a lot of buzz in security circles, is so unsettled that vendors don't even agree on what the acronym stands for. Most of the industry uses "network access control," while Cisco -- whose NAC just got whacked -- labels it "network admission control."


NAC -- no matter what the name stands for -- is an emerging means of ensuring that an endpoint requesting admission to a network is the device it claims to be and that its security is up to date. Further, NACs make sure that the device is given access only to the corporate assets to which it is entitled.


More important than quibbles over a name are two flaws in Cisco's NAC that were reported in Dark Reading. The piece says that one of the flaws, which were unveiled at the Black Hat Europe conference last week by researchers from ERNW GmbH, will be closed by the new 802.1X security protocol.


The other flaw, which was hinted at in this earlier eWEEK story, seems to be more dangerous. The researchers found a way for the remote device to lie to the admission control server (ACS) that is mediating its entry into the network. The story, which provides a lot of details on what the hackers have done, says it's theoretically possible that the exploit will work on any NAC. Others, however, have not yet been tested.


There are two approaches to NAC verification. In one approach, the client is trusted to report its own configuration to the ACS. In the other, verification is done by a third-party device. The latter category wouldn't be affected by the exploit, the piece says. The story doesn't say which approach predominates.
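The distinction between the two approaches is easiest to see in a small admission policy. The following is an added example written for this post, not code from Cisco, ERNW or Dark Reading; the device names, posture fields, thresholds, VLAN numbers and the "independent assessor" are all constructed assumptions. The first admission function trusts whatever the endpoint reports about itself, so an endpoint that reports a clean posture is admitted regardless of its real state; the second decides on what an independent observer saw, records any mismatch for the operations team, and fails closed for devices the assessor has not seen.

```python
"""Toy NAC admission policy contrasting self-reported and independently
verified posture checks. Constructed example; all names and values assumed."""
from dataclasses import dataclass

# Policy thresholds (assumed values for the example).
MIN_PATCH_LEVEL = 7
MAX_AV_SIGNATURE_AGE_DAYS = 3

PRODUCTION_VLAN = 100   # full access (assumed)
QUARANTINE_VLAN = 999   # remediation-only segment (assumed)


@dataclass(frozen=True)
class Posture:
    patch_level: int
    av_signature_age_days: int


def posture_is_compliant(p: Posture) -> bool:
    """Apply the posture policy to a set of facts about an endpoint."""
    return (p.patch_level >= MIN_PATCH_LEVEL
            and p.av_signature_age_days <= MAX_AV_SIGNATURE_AGE_DAYS)


# What each endpoint's agent *claims* about itself (constructed).
# 'laptop-b' reports a clean posture whether or not it is really up to date.
CLAIMED = {
    "laptop-a": Posture(patch_level=8, av_signature_age_days=1),
    "laptop-b": Posture(patch_level=8, av_signature_age_days=1),
}

# What an independent assessor (for instance an agentless scan performed from
# the network side) observes about the same endpoints (constructed).
OBSERVED = {
    "laptop-a": Posture(patch_level=8, av_signature_age_days=1),
    "laptop-b": Posture(patch_level=4, av_signature_age_days=30),
}

# Mismatches between claim and observation, kept for the operations team.
MISMATCH_LOG: list[str] = []


def log_mismatch(device: str, claim: Posture, observed: Posture) -> None:
    MISMATCH_LOG.append(f"{device}: claimed {claim} but observed {observed}")


def admit_self_reported(device: str) -> int:
    """Approach 1: the endpoint's own statement is the only evidence."""
    claim = CLAIMED.get(device)
    if claim is None:
        return QUARANTINE_VLAN
    return PRODUCTION_VLAN if posture_is_compliant(claim) else QUARANTINE_VLAN


def admit_independently_verified(device: str) -> int:
    """Approach 2: decide on the assessor's observation. The claim is still
    compared and any disagreement is logged, but it never overrides what
    was observed; unknown devices fail closed into quarantine."""
    observed = OBSERVED.get(device)
    if observed is None:
        return QUARANTINE_VLAN
    claim = CLAIMED.get(device)
    if claim is not None and claim != observed:
        log_mismatch(device, claim, observed)
    return PRODUCTION_VLAN if posture_is_compliant(observed) else QUARANTINE_VLAN


if __name__ == "__main__":
    for dev in ("laptop-a", "laptop-b", "unknown-host"):
        print(dev, "self-reported ->", admit_self_reported(dev),
             "verified ->", admit_independently_verified(dev))
    print("\n".join(MISMATCH_LOG))
```

Run as a script it prints the VLAN each device lands in under both approaches and the one mismatch record for laptop-b. The point of the second function is not the extra comparison but the source of truth: the admission decision is computed from facts the endpoint did not supply, which is why the article's third-party-verification category is not exposed to a client that misreports its configuration.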


There are key questions that planners must ask, after the flaw is verified as real: Can Cisco alleviate the problem, or is the approach so ingrained that Cisco's entire NAC line is endangered? Which other vendors' NACs are vulnerable? Are there other fundamental differences between various vendors' NACs?


Clearly, NAC shows a lot of promise. However, these are ambitious and immature devices that appear to differ from each other in significant ways. Planners should insist on exhaustive analysis -- even more exhaustive than usual -- before settling on a vendor's product.
