802.1x & NAC Observation

Thu, Oct 19, 2006

NAC

Alan from StillSecure slaps Ofir Arkin and Insightix pretty hard on their use of ARP spoofing and SNMP for NAC. Alan does a good job of pointing out that these methods have flaws. He doesn't come out and say it, but the implication is that 802.1x is the more secure choice. The methods mentioned do have their shortcomings. However, based on my experience, so does 802.1x. It's called adoption rate.

It seems hard enough to get companies to stop using flat networks and segment them with VLANs. Now go tell Mr. Network Admin he has to enable 802.1x on his switches (if they even support it), on top of the VLANs, and give the switches a RADIUS server to authenticate against. Been there, and it's not as easy as it may sound. Alan even mentions this in a different post here. That's why you see people accepting technologies like Microsoft's NAP in its DHCP enforcement mode, arguably the most insecure and easiest to bypass: it only controls what the DHCP server hands out, so a host that ignores DHCP and configures a static address never goes through the check at all. It's relatively cheap and requires minimal (if any) network configuration compared to an 802.1x solution from StillSecure, Vernier, Lockdown, etc.
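To make "enable 802.1x on his switches" concrete, here is roughly what it looks like on a Cisco IOS access switch. This is an added illustration, not configuration from the original post or from any of the vendors mentioned; the RADIUS address, shared secret, VLAN numbers and interface names are assumptions. The first port is the plain VLAN access port most networks already have; the second is the same port with 802.1x enforced.

```cisco
! Global: point the switch at a RADIUS server and turn on 802.1x.
! (192.0.2.10 and the shared secret are placeholder values.)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
! Before: a typical segmented access port. With no dot1x port-control line
! the port stays at the IOS default of force-authorized, so whatever is
! plugged in lands in VLAN 20 without authenticating. The VLAN is
! segmentation, not admission control.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
!
! After: the same port with 802.1x enforced. Until the supplicant
! authenticates, the switch forwards only EAPOL on this port; RADIUS can
! then place the host in its VLAN. A host that never answers EAP
! (printer, unmanaged device) falls into the restricted guest VLAN 99.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 99
```

Every access port needs the per-interface lines, every switch needs the global lines and reachability to RADIUS, and every endpoint needs a working supplicant. That per-port, per-switch, per-host cost is the adoption problem the post is describing, and it is exactly what a DHCP-based approach lets the admin skip.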

Don't get me wrong. I think that an 802.1x-based NAC solution is the most secure solution, without question. I'm just pointing out why I think there is a market for products that use what may be less secure methods of implementing NAC.

–Chris

This post was written by Chris Harrington, who has written 159 posts on InfoSecPodcast.com.

2 Comments For This Post

  1. Alan Shimel Says:

    Chris – I half agree with you and half disagree. The biggest thing though is you are coming in half way through this. I did not go up in front of the world at Black Hat and present how all the other NAC solutions could be bypassed and then come out with one that is at best no better. I am going to more fully respond to this on my blog at http://www.stillsecureafteralltheseyears.com

  2. Chris Harrington Says:

    Alan – Thanks for the note. I am definitely not defending their behaviour. You can't criticize one method and then hype a solution that is marginally better, especially using that venue. The point I was making is that I understand why people develop and market solutions using lesser technologies. I think there may be times when, for whatever reason (simplicity, cost, etc.), a non-802.1x solution may be a valid option.

    Thanks for the clarification on MS NAP using IPSec. I was not aware of it.

    –Chris

1 Trackback For This Post

  1. StillSecure, After All These Years Says:

    There is more than one way to skin a NAC…
