Weak networks need NAC bypass

Confusion reigns due to lack of clear definitions

The majority of current network access control (NAC) solutions fail to address basic security problems, and the proprietary approach adopted by Cisco, Microsoft and the Trusted Computing Group is blocking the development of a certified, interoperable NAC standard.

Ofir Arkin, chief technology officer (CTO) at network security specialist Insightix, says that the lack of a clear definition of what NAC is and does is confusing potential customers, and allowing vendors to tag the NAC label onto a broad range of products that do not merit the description.

Host admission control schemes are designed to protect enterprise networks by allowing or denying network access to PCs, laptops and other devices based on the health and security status of those machines.

The best-known examples are Cisco’s Network Access Control (NAC), Microsoft’s Network Access Protection (NAP), and the TCG’s Trusted Network Connect (TNC), but a host of other software vendors are jumping on the NAC bandwagon, including Symantec and Sygate.

‘Each of the Cisco, Microsoft and TCG initiatives is trying to put more and more companies onto its approach, rather than thinking about how to work out a mutual standard or work together,’ said Arkin.

‘Cisco concluded in 2003 how NAC should work, but you can call anything a NAC solution – the problem is what it is doing and whether it has the type of components that a NAC solution should have.’

Arkin says most NAC solutions fall at the first hurdle through their inability to keep real-time contextual information about the network, which means that any element on the network is allowed to operate without intervention.

Another problem is that 802.1X security measures only enforce usernames and passwords for computers, and not for printers, IP telephone handsets, cameras or wireless access points, leaving those devices' MAC addresses open to discovery and reuse by hackers.

‘Many companies are looking for a silver bullet that does everything in terms of network security and management, but this does not exist. NAC is one important piece of an internal network security infrastructure, but you need to understand its capabilities and its limits, and what it actually provides,’ added Arkin.