Archive for February, 2007

From BlackHat to BlackHat, any changes to bypass-able NAC solutions?

Saturday, February 24th, 2007

Last week I was asked by a reporter whether any of the NAC bypass issues I discussed in my BlackHat USA 2006 presentation (August, 2006) have been remedied in the six months since then.

My answer was no. In other words, those that could be bypassed then can still be bypassed today.

The question was in light of the upcoming BlackHat DC 2007 (February, 2007) conference where I will be giving an updated presentation about bypassing NAC. In fact, I will present more ways to bypass NAC and with more examples of NAC solutions that are vulnerable.

One trend I have identified in the last six months is the growing number of IT professionals who understand what NAC is, and what it should and should not provide. They are asking the right questions when examining NAC solutions (see: The Definition of NAC and Questions to ask in a NAC RFI/RFP).

A NAC solution that can be bypassed or does not identify elements operating on the network is not a solution someone should consider. It actually creates a false sense of security and cannot meet an organization’s compliance requirements.

Blackhat DC 2007 / EUSecWest 07

Friday, February 23rd, 2007

Next week I will be speaking at Blackhat DC 2007 and at EUSecWest. I have updated my Bypassing NAC presentation to include more material and product examples. Some surprises are planned, so for those who will not be attending either of the conferences, stay tuned for the posted presentation at the end of next week ☺.

VoIP and Home Security Systems – A match made in Hell

Thursday, February 15th, 2007

As if there weren’t enough integration and usage problems with VoIP, this post in the community blogs of Network World details the problems of using VoIP at home and the issues it may cause for home security systems.

The blog post lists several issues with the use of VoIP at home, which I have addressed in my previous VoIP presentations (dating back to 2001). The worst issue, in my opinion, is no power, no service (no phone, no alarm system, and no emergency services).

802.1x… So what?

Friday, February 9th, 2007

The feedback I have been getting recently regarding 802.1x is that large enterprises now recognize the high total cost of ownership and the burden associated with deploying 802.1x across an entire enterprise network.

The cost of upgrading the infrastructure (either completely replacing non-compliant networking gear, or just upgrading the software of existing gear), the need to install software agents (802.1x is merely a username and password protocol), the need to introduce new elements onto the network (i.e. authentication servers, etc.), the manpower needed to deploy the solution, and the fact that 802.1x-based solutions can be bypassed fairly easily (i.e. exception lists) bring enterprises to look elsewhere for a NAC solution technology.

802.1x has a high total cost of ownership, a long time-to-value, and the benefit of the technology is somewhat questionable.