What lessons should we learn from the latest Cisco NAC Framework Vulnerabilities?
At the recent BlackHat Europe 2007 two researchers, Dror-John Roecher and Michael Thumann, presented on attacking Cisco NAC framework.
They discussed two main issues with the Cisco NAC framework.
The first relates to the fact that a NAC solution cannot trust the information coming back from an element. It is since this information is provided by the element, the same one the NAC solution does not trust in the first place.
This point is valid for all NAC solutions and was raised by me in my Bypassing NAC presentation at BlackHat 2006 in the summer (my recent version of the presentation can be downloaded from here).
The second issue is that for two variants of Cisco NAC framework (NAC-L3-IP, and NAC-L2-IP) there is no form of user authentication mechanism other then verifying the posture of the client machine (i.e. A/V, FW, patches, SP, etc.).
The German researchers managed to spoof the posture validation between a Cisco Trust Agent to the Cisco ACS (Access Control Server), and to gain access to the network even if the element is not compliant with the posture validation checks. Their attack would work when either using NAC-L3-IP and NAC-L2-IP. If NAC-L2-802.1x will be used, then user authentication will be mandatory (actually this is the response Cisco had issued to this manner).
The conclusion here is simple, posture validation cannot replace user authentication. It should be part of the overall NAC process, but only after the element and the user are authenticated.