Two flaws in Cisco’s Network Admission Control (NAC) architecture allow unauthorised PCs to be viewed as legitimate devices on a network, according to German security researchers.
A tool that takes advantage of the flaws was demonstrated at last month's Black Hat security conference in Amsterdam by Michael Thumann, chief security officer, and Dror-John Roecher, senior security consultant at German penetration-testing firm, ERNW.
The NAC technology lets IT managers set rules that prevent a client device from accessing a network unless the device complies with specific policies on antivirus software, firewalls, software patches and other issues, Cisco said.
The NAC architecture uses Cisco Trust Agent technology, which sits on each client, to determine whether a device complies with established policies. Based on the findings of the agent, a policy management server either lets the device log on to the network or puts it into a quarantine zone.
Roecher said that a "fundamental design" failure makes it possible to trick the policy server to allow any device to access a network. "Basically, it allows anyone to come along and say, 'Here are my credentials, this is my service pack level, this is the list of installed patches, my antivirus software is current,'" he said.
Roecher said the second flaw prevents the policy server from confirming whether the information it gets from the trust agent is accurate. Therefore, he said, spoofed information can easily be sent to the policy server.
"There's a way of persuading the installed Trust Agent to not report what's actually on the system but to report what we want it to. We can spoof the credentials and gain access to the network" with a system that is completely out of compliance, he said.
Cisco didn't respond to requests for comment. But in a note posted on its website, the company acknowledged that it's possible to spoof information pertaining to a device's status by simulating communication between Cisco Trust Agent and its interaction with network enforcement devices.
Alan Shimel, chief security officer at StillSecure, a firm whose products compete with NAC, said that the problems cited at the Black Hat conference may be caused by Cisco's proprietary authentication protocol. "They don't have a mechanism for accepting certificates" to authenticate devices, he said.
Shimel also noted that any agent software that lives on a machine, tests the machine and reports back to a server can be spoofed.
The NAC security problem also highlights the importance of using "postadmission" network controls along with "preadmission" checks such as NAC, said Jeff Prince, chief technology officer at ConSentry Networks, a security vendor in Milpitas, Calif.
"NAC is an important first line of defence, but it is not very useful" without ways of controlling a user's action after gaining access, he said.