
Don't bother with NAC

Written by Richard Stiennon on

At Black Hat this week, Ofir Arkin, CTO of network scanner and asset management vendor Insightix, points out a few technical issues with the way NAC, as envisioned by Cisco, is currently designed. Among them:

 

  • DHCP. Static IP addresses can bypass DHCP, which is a primary means of enforcement for some NAC solutions.
  • 802.1x. Spoofing exempt devices and using Network Address Translation can bypass NAC.
  • Endpoint assessment. Patching delays mean your endpoint is vulnerable anyway.
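
A check a defender can run against the DHCP point above, as an added example that is not from the article or from Arkin's talk: it flags hosts seen on the segment that hold no matching DHCP lease. The lease and ARP records, the scope and the allowlist are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the article): active DHCP leases as
# (ip, mac) pairs, and neighbours actually observed on the segment, e.g.
# exported from a switch or router ARP table.
LEASES = [
    ("10.0.5.21", "00:11:22:33:44:55"),
    ("10.0.5.22", "00:11:22:33:44:66"),
]
OBSERVED = [
    ("10.0.5.21", "00:11:22:33:44:55"),   # matches its lease
    ("10.0.5.22", "00:11:22:33:44:77"),   # leased IP, different MAC
    ("10.0.5.200", "00:11:22:33:44:88"),  # in scope, never leased
    ("10.0.9.1", "00:11:22:33:44:99"),    # outside the DHCP scope
]
DHCP_SCOPE = ipaddress.ip_network("10.0.5.0/24")
# Addresses deliberately configured statically (gateway, printers, ...).
STATIC_ALLOWLIST = {"10.0.5.1"}


def norm_mac(mac):
    """Normalise MAC notation so 00-11-.. and 00:11:.. compare equal."""
    return mac.lower().replace("-", ":")


def unleased_hosts(leases, observed, scope, allowlist=frozenset()):
    """Return observed hosts inside the DHCP scope with no matching lease.

    Each finding is (ip, mac, reason). These are the hosts that a NAC
    design enforcing only at the DHCP server never evaluated.
    """
    lease_by_ip = {ip: norm_mac(mac) for ip, mac in leases}
    findings = []
    for ip, mac in observed:
        if ipaddress.ip_address(ip) not in scope or ip in allowlist:
            continue
        mac = norm_mac(mac)
        if ip not in lease_by_ip:
            findings.append((ip, mac, "no lease for address"))
        elif lease_by_ip[ip] != mac:
            findings.append((ip, mac, "lease held by another MAC"))
    return findings


if __name__ == "__main__":
    for finding in unleased_hosts(LEASES, OBSERVED, DHCP_SCOPE, STATIC_ALLOWLIST):
        print(*finding)
```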

All good points, but I believe the technical arguments against NAC (Network Admission Control) are outweighed by more fundamental problems with trusting endpoints to report their health. See my column on NAC vs Secure Network Fabric published last week.


The confusing thing about this debate is that the companies that do Network Access Control use the NAC acronym as well. To keep it simple, just remember: Access Control, good. Admission Control, bad.


 

 
