OK, maybe not a genius, but not a bad guy
Last week I wrote about going to Black Hat and, among other presentations, I wanted to see Ofir Arkin of Insightix present. This was the one that was going to show how every NAC solution can be bypassed by a determined hacker. I was pretty hard on Ofir in this post and an earlier post. I have always tried to call them as I see them and, if I am wrong, be big enough to say so. In this case I am not saying I was particularly wrong, but I think Ofir and I have more in common about our views on NAC than we disagree on. It also appears that Ofir may have been misquoted or taken out of context in some of the articles I read about him.
Yes, the gist of bypassing the DHCP-based solutions was the static IP or spoofed IP or MAC address. He also showed how ARP twiddling is easily evaded. However, I think the gist of Ofir's presentation was pointed at the Cisco NAC methodology. Their L2 and L3 quarantine and testing is just not a very secure way of implementing NAC, with lots of weaknesses, according to Ofir. I do not disagree with Ofir on these points. Ofir and I also agree that a well-implemented 802.1x NAC offering is probably one of the best ways to implement NAC. The problem is finding enough customers with 802.1x-capable networks. So Ofir, though stating some obvious drawbacks to some methods of NAC, was right on in other points. Another point of his presentation was that there is no common criteria of what NAC is and how it does it. All in all, it was a good presentation. An important point is that NAC is not really geared towards stopping the determined hacker, but rather the inadvertent polluter.
I had a chance to speak to Ofir afterwards. Though he had read my blog and was upset that I did not reach out to him first (note to self, next time, reach out and give them a chance to explain), after our talk I think we had a good meeting of the minds. I have invited him to be a guest on my podcast one week and we can talk about NAC further. Looking forward to it.


