Risk

6/25/2008 07:30 PM
NAC Plus Smart Switches Equals Better Control

New capabilities make the technology better than ever for access control and compliance reporting.

COMPLETE PICTURE
The capabilities of the software used to verify system configuration vary widely and should be carefully considered. Through host assessment and reporting, a NAC deployment can independently prove that hosts are configured according to your standards and policies. In order to deliver on that promise, the host assessment component must identify the programs you wish to track as well as their status, such as installed, running, or not running. Unless the assessment component can identify everything you need, it has little value for compliance; half a report is not better than nothing.

In many cases, however, it's not practical to insist that every system gaining access to the network use your chosen assessment software. Some systems, such as printers and routers, can't run it, and those brought in by third parties such as contractors and customers usually won't run it. From a security standpoint, you may want to scan that computer before giving it access to the network, but from a business standpoint, stopping external users like consultants, system engineers, or contractors from working on their own computers may not be possible either.

Part of the provisioning process is handing out temporary guest access. Many NAC vendors like Cisco and Great Bay Software have guest-access features that force users to authenticate through 802.1X or through a Web portal similar to those used by hotels. By processing all authentication through a NAC product, you get the benefit of having the authentication information aggregated at a single place, relieving you of the job of aggregating authentication events from a variety of systems.

Provided you can restrict guests' access to sensitive resources by such means as putting them on restricted virtual LANs that only allow access to the Internet, having guest users electronically sign an end-user license agreement, or EULA, when they connect to the network may be sufficient to prove compliance where a full host assessment isn't possible. This data can then be used to document when and which users accessed the network.

Of course, having users sign an agreement, by itself, isn't sufficient to stop attackers. Users who wish to harm your organization can simply lie, but when used in the context of a larger security initiative where NAC controls entry to the network, guest access and forced signing of a EULA can go a long way toward proving your company is taking steps to comply with its policies, and provide ammunition should you need to prosecute attackers.

Switch-Based Security Features
Availability of features varies based on switch and firmware, and vendors offer similar features under different names. Each entry below lists the Cisco name, the HP name, the problem addressed, the benefit, and what to watch for.

DHCP Snooping (Cisco) / DHCP Snooping (HP)
Problem: DHCP, a critical network service, is inherently trusted and easily spoofed.
Benefit: Creates a database of DHCP exchanges, tracking IP, MAC, and port information. Detects rogue DHCP servers and denies access or sends an alert.
Watch for: Any new DHCP server, including yours, will be identified as a rogue. Configure switches to recognize new servers.

Dynamic ARP Inspection (Cisco) / Dynamic ARP Protection (HP)
Problem: ARP maps MAC addresses to IP addresses with no security checks. Attackers can easily spoof ARP, leading to man-in-the-middle and denial-of-service attacks.
Benefit: Detects spoofed MAC addresses and ARP flooding attacks. Also uses the DHCP database to dynamically identify MAC addresses early.
Watch for: A downstream access switch won't see DHCP exchanges on upstream switches, so the feature could disrupt communications.

IP Source Guard (Cisco) / Dynamic IP Lockdown (HP)
Problem: DHCP can be bypassed by statically assigning host IP addresses.
Benefit: Creates a database of successful DHCP exchanges, mapping IP leases to MAC addresses, ports, and VLANs.
Watch for: The DHCP database isn't centralized. Hosts with statically assigned IP addresses have to be entered manually.

Port Security (Cisco) / MAC Lockdown (HP)
Problem: Attackers can disconnect an existing device like a printer and plug in their own computer on a fully configured port.
Benefit: You can statically define which MAC addresses can appear on a port; all others can be denied.
Watch for: Not particularly effective, since MAC addresses can be learned and spoofed.

Protected Ports (Cisco) / Source Port Filtering (HP)
Problem: Computers on the same switch and VLAN can communicate directly, bypassing any network-based security features.
Benefit: Protected ports stop adjacent computers from communicating directly with each other, essentially segmenting them.
Watch for: Stops P2P tasks like file sharing, IM, and other host-to-host communications between computers in the same broadcast domain.
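The five switch features in the table share one piece of state: the binding table that DHCP snooping builds from observed leases, which Dynamic ARP Inspection and IP Source Guard then consult, plus the per-port MAC and isolation rules of Port Security and Protected Ports. The Python model below is an added illustration written for this article, not code from the article, Cisco, or HP; it does not implement either vendor's feature, only the decision logic each one makes. All port names, VLAN numbers, MAC and IP addresses are constructed sample values, and the two "watch for" caveats from the table (a legitimate new DHCP server flagged as rogue until its port is trusted, and a statically addressed host failing IP Source Guard until an admin adds a binding) are walked through explicitly.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding-table entry: a lease tied to MAC, VLAN and port."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    """Toy model of an access switch's snooping/inspection state (constructed, not vendor code)."""
    trusted_ports: set = field(default_factory=set)    # ports on which DHCP servers may answer
    protected_ports: set = field(default_factory=set)  # edge ports isolated from each other
    secure_macs: dict = field(default_factory=dict)    # port -> MACs allowed by port security
    bindings: dict = field(default_factory=dict)       # (vlan, ip) -> Binding
    log: list = field(default_factory=list)            # drop/alert events, one string each

    # DHCP Snooping: server replies are only accepted from trusted ports.
    def dhcp_lease(self, server_port, client_port, vlan, client_mac, leased_ip):
        """Observe a DHCP OFFER/ACK. An answer from an untrusted port is treated as a
        rogue server and creates no binding; this is also what happens to a legitimate
        new server until someone marks its port trusted (the table's first caveat)."""
        if server_port not in self.trusted_ports:
            self.log.append(f"DROP rogue DHCP server on {server_port} vlan {vlan}")
            return False
        self.bindings[(vlan, leased_ip)] = Binding(client_mac, leased_ip, vlan, client_port)
        return True

    def static_binding(self, port, vlan, mac, ip):
        """Manual entry for hosts that never use DHCP (printers, static servers)."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def _bound(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    # Dynamic ARP Inspection: sender MAC/IP must match a binding for this port and VLAN.
    def inspect_arp(self, port, vlan, sender_mac, sender_ip):
        if port in self.trusted_ports or self._bound(port, vlan, sender_mac, sender_ip):
            return True
        self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on {port}: no binding")
        return False

    # IP Source Guard: the same lookup applied to the source of ordinary IP traffic.
    def verify_source(self, port, vlan, src_mac, src_ip):
        if port in self.trusted_ports or self._bound(port, vlan, src_mac, src_ip):
            return True
        self.log.append(f"DROP IP from {src_ip}/{src_mac} on {port}: no binding")
        return False

    # Port Security: only statically allowed MACs may appear on a secured port.
    def learn_mac(self, port, mac):
        allowed = self.secure_macs.get(port)
        if allowed is None or mac in allowed:
            return True
        self.log.append(f"VIOLATION port security {port}: unexpected MAC {mac}")
        return False

    # Protected Ports: two protected edge ports may not exchange frames directly.
    def can_forward(self, src_port, dst_port):
        return not (src_port in self.protected_ports and dst_port in self.protected_ports)


def demo():
    """Walk a constructed switch through each feature; returns (results, event log)."""
    sw = Switch(trusted_ports={"Gi0/24"}, protected_ports={"Fa0/1", "Fa0/2"},
                secure_macs={"Fa0/3": {"00:11:22:33:44:55"}})
    r = {}
    # Lease handed out by the server behind the trusted uplink creates a binding.
    r["lease_ok"] = sw.dhcp_lease("Gi0/24", "Fa0/1", 10, "aa:bb:cc:00:00:01", "10.0.10.21")
    # A second, legitimate DHCP server is plugged into Gi0/23 before that port is trusted:
    # it is flagged as rogue and the lease is ignored, exactly as the table warns.
    r["new_server_untrusted"] = sw.dhcp_lease("Gi0/23", "Fa0/2", 10, "aa:bb:cc:00:00:02", "10.0.10.22")
    sw.trusted_ports.add("Gi0/23")   # the fix: configure the switch to recognize the new server
    r["new_server_trusted"] = sw.dhcp_lease("Gi0/23", "Fa0/2", 10, "aa:bb:cc:00:00:02", "10.0.10.22")
    # DAI: the leased host's own ARP passes; a claim for its IP from another MAC/port is dropped.
    r["arp_ok"] = sw.inspect_arp("Fa0/1", 10, "aa:bb:cc:00:00:01", "10.0.10.21")
    r["arp_spoof"] = sw.inspect_arp("Fa0/2", 10, "aa:bb:cc:00:00:02", "10.0.10.21")
    # IP Source Guard: a statically addressed printer fails until an admin adds its binding.
    r["static_before"] = sw.verify_source("Fa0/4", 10, "00:50:56:00:00:aa", "10.0.10.5")
    sw.static_binding("Fa0/4", 10, "00:50:56:00:00:aa", "10.0.10.5")
    r["static_after"] = sw.verify_source("Fa0/4", 10, "00:50:56:00:00:aa", "10.0.10.5")
    # Port Security: the printer's MAC is allowed on Fa0/3, an unknown MAC is not.
    r["portsec_printer"] = sw.learn_mac("Fa0/3", "00:11:22:33:44:55")
    r["portsec_unknown"] = sw.learn_mac("Fa0/3", "de:ad:be:ef:00:01")
    # Protected Ports: edge-to-edge traffic is blocked, edge-to-uplink still flows.
    r["edge_to_edge"] = sw.can_forward("Fa0/1", "Fa0/2")
    r["edge_to_uplink"] = sw.can_forward("Fa0/1", "Gi0/24")
    return r, sw.log


if __name__ == "__main__":
    results, events = demo()
    for name, ok in results.items():
        print(f"{name:22s} {'pass' if ok else 'DROP'}")
    print("\n".join(events))
```

The model keys bindings by (VLAN, IP) because that is what both DAI and IP Source Guard need to answer: "may this MAC on this port claim this address?" It also makes the table's second DAI caveat visible: a switch only has bindings for leases it saw itself, so a downstream access switch that never observed the DHCP exchange has nothing to match against and would drop legitimate traffic unless the relevant port is trusted or a static binding is added.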
