I expected better from Ofir
I read an article today in Network World by Tim Greene on the new NAC appliance by Insightix. The appliance, called Blazara (it is getting harder and harder to come up with good names), can quarantine using ARP spoofing or SNMP based upon device behavior. For those who don't remember, Insightix is the company where Ofir Arkin is the CTO. Ofir made quite a splash at Black Hat claiming that virtually every NAC solution could be fooled. I wrote about it a bunch back then, and you can read some of it here.
Ofir made a big deal of how static or spoofed IPs could get by DHCP-based NAC, how the Cisco NAC stuff could be bypassed, etc. He made it sound like his company had looked at all of these technologies, found them lacking, and was coming out with something foolproof. Though Ofir was at first a little upset with me for being a bit hard in my analysis, we did wind up agreeing on some things when I met him in person. I was looking forward to seeing what special magic Ofir and the Insightix team came up with. Shame on me for believing in magic; I never learn my lesson.
For all the blustering, what do Ofir and team have? ARP spoofing. Are you kidding me? You are going to get up there in front of the security world and tell us how all of these other technologies are vulnerable, and your answer is ARP spoofing? I expected more. But wait, Ofir delivers more: Insightix has a fallback from ARP spoofing. What, you ask? Why, none other than that bastion of security, SNMP, of course. Again, are you frigging kidding me?
For those who don't know, ARP spoofing is used by Mirage Networks as well. It involves fooling the device into thinking it is ineligible to send traffic. The soft white underbelly of this is that if a hacker wants to get around it, he just has to change the ARP table back again, so the device is no longer fooled by the spoof. It is at best slightly better than DHCP NAC. Then SNMP as a secure protocol? I have written (as have a bunch of other people) that SNMP does not stand for Secure Network Management Protocol, but instead Simple (as in simple) Network Management Protocol. It has more holes in it than Swiss cheese. On top of this, Insightix appears to be a behavior-based NAC that does not really test a device for compliance with any policies before it comes on the network. It merely tests whether the device is one that is allowed on or not, and then whether its behavior disqualifies it from access.
Ofir after your presentation at Black Hat, you are going to have to do better than this!