/>
X
Home & Office
Home Home & Office Networking

Don't bother with NAC

At BlackHat this week Ofir Arkin, CTO of a network scanner and asset management vendor Insightix points out a few technical issues with the way NAC, as envisioned by Cisco, is currently designed. Among them: DHCP.
Written by Richard Stiennon, Contributor on

At BlackHat this week Ofir Arkin, CTO of a network scanner and asset management vendor Insightix points out a few technical issues with the way NAC, as envisioned by Cisco, is currently designed. Among them:

 

  • DHCP.  Static IP addresses can bypass DHCP which is a primary means of enforcement for some NAC solutions.
  • 802.1x  Spoofing exempt devices and using Network Address Translation can bypass NAC.
  • Endpoint assessment.  Patching delays mean your endpoint is vulnerable anyway.

All good points but I believe technical arguments against NAC, Network Admission Control, are out-weighed by more fundamental problems with trusting endpoints to report their health. See my column on NAC vs Secure Network Fabric published last week.


The confusing thing about this debate is that those companies that do Network Access Control use the NAC acronym as well.  To keep it simple just remember: Access Control, good. Admission Control, bad.


 

 

Editorial standards
Show Comments

Related

chat bot

What is ChatGPT and why does it matter? Here's what you need to know

A robot texting on a smartphone in space

How to use ChatGPT: What you need to know

screenshot-2023-03-29-at-3-24-48-pm.png

How to use ChatGPT to summarize a book, article, or research paper