Network access control (NAC) technology is spoken of as being the ultimate shield against malicious attacks. While all IT managers agree that NAC is the best security available, they are unable to define exactly what NAC is and how different interpretations by vendors can work under one roof.
At the Black Hat USA 2006 conference, it was proposed that this confusion must be cleared before network-access control technologies are widely acceptable. The principle behind NAC is simple enough. IT managers will devise systems that will not let anyone in until they comply with the said company's security guidelines. Ofir Arkin, chief technology officer and co-founder of Insightix Ltd said that the technology was very viable. "It's a valid technology and something you need to consider as part of your network security," he said.
Speaking at length about NAC technology Arkin made it clear that under existing rules, it was easy for a really determined person to bypass NAC controls. Without naming vendors, Arkin made it clear that the NAC solutions offered by Cisco, Microsoft, and Symantec were riddled with unworkable theories. Basically this confusion made it easy for hackers to bypass controls and enter the systems.
He slammed several solutions, mainly ones that use DHCP (Dynamic Host Configuration Protocol) proxy servers to enforce security policy. He said that the controls could be circumvented by simply using static IP addresses. "802.1x is the best technology that is out there," Arkin said, adding that currently Cisco's 802.1x NAC solution was "the best that is out there." However Cisco's solution is able to work only on its own equipment. "Not all equipment may have that (802.1x)," Arkin said. "Not all networking elements can support 802.1x."
Reacting to Arkin's presentation, Cisco Chief Security Officer John Stewart said NAC technology still had a long way to go. "The technology's immature. But [NAC] will increase my capability to keep my network in good condition," he said. "Can it be maneuvered to have false data? Yes. Would it be completely the case that every device on my network will provide false data? Unlikely." He added that there would be weak links, "But I think that's the wrong thing to focus on. We want to address the weaknesses but focus on the benefits."
