Extreme closes NAC loophole

Network specialist Extreme announces upgrades to switch firmware

Network vendor Extreme has upgraded its switch firmware, ExtremeXOS (XOS), to plug a security flaw that could be used to bypass network access control (NAC) systems using Dynamic Host Configuration Protocol (DHCP) for policy control.

The upgrade will also allow better NAC rollouts that use either the IEEE 802.1x standard for policy control or Microsoft's Network Access Protection (NAP) NAC system, which is due to be rolled out with Longhorn server later this year.

Extreme’s UK technical manager, Paul O’Kelly, said, "DHCP can be compromised by a hacker or user reconfiguring their PC with a static IP address, so we've introduced a feature embedded in XOS called Trusted DHCP Server. Network admins would use the command line interface (CLI) to configure ports, which then will forward traffic from endpoints communicating by DHCP only."

Extreme is also improving NAC through enhancements to 802.1x. A new Universal Port Framework feature automatically provisions network resources when new users and devices connect. When combined with 802.1x, Universal Port gives much finer control than simple VLAN assignment and would make it simple to set up VoIP and network user policies for users in hotdesking environments.

Finally, Extreme is also furthering its support for Microsoft's NAP initiative by including the ability for the switch to quarantine endpoints automatically, while still allowing access to valid remediation servers based on information provided by the NAP policy server, which would run on Longhorn Server.

O'Kelly said that these enhancements could be used with Extreme's own NAC system, Sentriant Access Guard and that the upgrade from XOS 11.5 to 11.6 costs nothing if firms have a current valid support contract with Extreme.