At BlackHat this week Ofir Arkin, CTO of network scanner and asset management vendor Insightix, points out a few technical issues with the way NAC, as envisioned by Cisco, is currently designed. Among them:
- DHCP. Static IP addresses can bypass DHCP which is a primary means of enforcement for some NAC solutions.
- 802.1x. Spoofing exempt devices and using Network Address Translation can bypass NAC.
- Endpoint assessment. Patching delays mean your endpoint is vulnerable anyway.
All good points, but I believe the technical arguments against NAC, Network Admission Control, are outweighed by a more fundamental problem: trusting endpoints to report their own health. See my column on NAC vs Secure Network Fabric published last week.
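On the DHCP point specifically, here is a defender-side check, added as an example and not code from the original post or from Insightix: reconcile the DHCP lease table against the IP/MAC pairs actually present on the segment, so hosts that never took a lease (statically addressed, and therefore invisible to DHCP-based admission control) are surfaced. The lease and neighbour lines are constructed samples in dnsmasq and `ip neigh` format; `exempt` is an assumed allow-list of legitimately static addresses.

```python
"""Flag hosts present on an access segment that hold no DHCP lease. A static
host never talks to the DHCP server, so DHCP-only NAC enforcement never sees
it; comparing leases with the ARP/neighbour table surfaces such hosts."""

# Constructed sample, dnsmasq lease format: expiry MAC IP hostname client-id
DHCP_LEASES = """\
1723456789 00:11:22:33:44:55 10.0.0.21 laptop-a 01:00:11:22:33:44:55
1723456800 00:11:22:33:44:66 10.0.0.22 laptop-b 01:00:11:22:33:44:66
"""

# Constructed sample, `ip neigh` output captured on the same segment
ARP_OBSERVATIONS = """\
10.0.0.21 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.22 dev eth0 lladdr 00:11:22:33:44:99 STALE
10.0.0.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.1 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
"""

def parse_leases(text):
    """Map leased IP -> MAC from dnsmasq-style lease lines."""
    leases = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3:
            leases[parts[2]] = parts[1].lower()
    return leases

def parse_neighbours(text):
    """Map observed IP -> MAC from `ip neigh` lines (entries without lladdr skipped)."""
    seen = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 5 and parts[3] == "lladdr":
            seen[parts[0]] = parts[4].lower()
    return seen

def find_unleased_hosts(leases, observed, exempt=frozenset()):
    """Return (ip, mac, reason) for observed hosts without a matching lease.
    `exempt` lists addresses that are legitimately static (gateway, printers).
    A lease held by a different MAC is flagged too: a host squatting on another
    client's leased address looks exactly like that."""
    findings = []
    for ip, mac in sorted(observed.items(), key=lambda kv: tuple(map(int, kv[0].split(".")))):
        if ip in exempt:
            continue
        lease_mac = leases.get(ip)
        if lease_mac is None:
            findings.append((ip, mac, "no DHCP lease; statically addressed?"))
        elif lease_mac != mac:
            findings.append((ip, mac, f"lease on this IP belongs to {lease_mac}"))
    return findings
```

Calling `find_unleased_hosts(parse_leases(DHCP_LEASES), parse_neighbours(ARP_OBSERVATIONS), {"10.0.0.1"})` on the sample returns two findings: 10.0.0.22 (MAC differs from the lease holder) and 10.0.0.77 (no lease at all).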
The confusing thing about this debate is that those companies that do Network Access Control use the NAC acronym as well. To keep it simple just remember: Access Control, good. Admission Control, bad.