
April 3rd, 2007

Spoofing NAC

Posted by Richard Stiennon @ 3:26 am

Categories: Secure Network Fabric, Security, Security blog

Remember Stiennon's first law of network security?  It is:

 

Thou shalt not trust an end point to report its own state.

 

This means that you cannot trust the IP address, MAC address, location, AV signature file version, or configuration information reported by a device. Any of it can be spoofed. Unfortunately, trusting that self-reported state is the basis of CNAC, Cisco's Network Access Control proposal. I have written about this fundamental flaw many times. Last summer I wrote about it here, igniting a conflagration in the blogosphere.

Now it is reported at Black Hat that researchers have successfully circumvented CNAC by spoofing end point configurations. This is trivial and any motivated hacker can pull it off. Now there is even a toolkit. But why bother since there are few CNAC implementations?  The real lesson learned is that if you are deploying this type of NAC you are not doing it to improve your security. 

Researchers in Germany today demonstrated a tool that allows an unauthorized PC to disguise itself as a legitimate client in a Cisco Network Admission Control (NAC) environment, effectively circumventing the networking giant's end-point security strategy.

 

And for my fellow bloggers whom I rarely call out using my own blog: are you ready to retract your "founded on quicksand" statements and admit that you were wrong and Stiennon was right once again?  :-)

 

Full disclosure: Since last summer's debate I have taken a position with a direct competitor to Cisco. 

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 3 Talkback(s)
What if a Firewall is hijacked by a Hacker, can you trust it?

The research you're citing says that a client that's been hijacked by a hacker can compromise its NAC reporting. What if a firewall (say a Fortinet) gets hijacked by a hacker, can we trust that firewall?...
Posted by: georgeou Posted on: 04/29/07
Endpoint NAC  adhils | 04/04/07
Misunderstanding the goal of NAC  Stian Øvrevåge | 04/13/07
What if a Firewall is hijacked by a Hacker, can you trust it?  georgeou | 04/29/07
