Fooling Cisco's NAC network access control
Security experts at the Black Hat conference in Amsterdam have demonstrated how Cisco's NAC network access control can be fooled. In a live demonstration using a modified Trust Agent, Michael Thumann and Dror-John Röcher from ERNW were able to gain full access to an NAC protected network using a computer which did not comply with network policies.
According to Thumann and Röcher, Cisco has acknowledged the problem and will be releasing its own advisory on the issue shortly. Network administrators can use systems such as Cisco's NAC to define access policies. An example would be that up-to-date anti-virus software and operating system patches must be installed for computers attempting to access the intranet. In NAC, conformity with these policies is checked by a 'Trust Agent' or 'Security Agent', which is installed on the clients and reports its results to the NAC router.
The demonstrated attack exploits a fundamental weakness shared by common network access control systems: if the client-side control software runs on a system that is under the attacker's control, the attacker determines its behaviour and can have it report compliance with the policies at will.
According to the two security experts, Microsoft's equivalent NAP system also suffers from this problem, but because of its deeper integration within Windows' Active Directory, in practice it presents greater obstacles than the Cisco system. Exploitation of the problem can be made more difficult through the use of digital signatures, but significant improvements to the situation are only likely to be achieved with the advent of Trusted Computing hardware.
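The trust problem described in the two paragraphs above, as an added illustration that is not Cisco's, Microsoft's or ERNW's code: a self-reporting posture agent signs its report with a key that lives on the client, and the enforcement point can only verify who signed the report, never whether the claimed posture is true. The names (`PostureAgent`, `nac_decide`, `REQUIRED_POLICY`) and the shared key are constructed for the example.

```python
"""Toy model of a self-reporting posture check (constructed example)."""
import hashlib
import hmac
import json

# Constructed shared secret. In practice the agent must hold this key to sign
# its reports, so the owner of the host holds everything needed to sign too.
AGENT_KEY = b"constructed-demo-key"

# What the enforcement point requires before admitting a client.
REQUIRED_POLICY = {"av_signatures_current": True, "os_patched": True}


def sign_report(posture: dict, key: bytes = AGENT_KEY) -> dict:
    """Serialise the posture claims and attach an HMAC-SHA256 over them."""
    body = json.dumps(posture, sort_keys=True).encode()
    return {"body": posture, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


class PostureAgent:
    """Client-side agent. `honest` is True when the host owner leaves it alone."""

    def __init__(self, measured_state: dict, honest: bool = True):
        self.measured_state = measured_state
        self.honest = honest

    def report(self) -> dict:
        if self.honest:
            return sign_report(self.measured_state)
        # Host owner controls the software: it signs whatever the policy wants
        # to hear, with the very same key, so the signature still verifies.
        return sign_report(dict(REQUIRED_POLICY))


def nac_decide(signed: dict, key: bytes = AGENT_KEY) -> str:
    """Enforcement point: check the signature, then compare the *claimed* posture
    to policy. The signature binds the report to a key holder, not to the truth."""
    body = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        return "reject: bad signature"
    if all(signed["body"].get(k) == v for k, v in REQUIRED_POLICY.items()):
        return "admit"
    return "quarantine"


# Constructed host state that violates both policy items.
NONCOMPLIANT_HOST = {"av_signatures_current": False, "os_patched": False}
```

The signature does stop a third party from altering a report in transit, which is the bar the article says digital signatures raise; it does nothing when the signer itself is the host being assessed, which is why the text points to hardware the host owner cannot alter as the only substantial fix.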
- Black Hat: Cisco caught in crossfire, report on heise Security