Hurricane Labs: Network Access Control (from the hacker, not the vendor)
Last week was the Information Security Summit at Tri-C Corporate College East. It was my first time at the Summit, so I went in looking to learn something new. Looking over the 'pre-con' training that they had to offer, I noticed an inexpensive course on NAC (Network Access Control). This was of interest to me because not long ago one of my tasks as a penetration tester was to break into a NAC "secured" network. What my fellow tester and I found was a misconfigured, hard-to-understand and easy-to-subvert device that wouldn't have caught us if we had walked in with our laptops spamming viruses to the network. So, I took this course in hopes of understanding how they worked and where the fail was in the setup we tested.
The day of the course came around and I showed up to what was to be an 8-hour course. The instructor was excellent and kept interest very well. He was as dynamic as he could be when talking about something as technical as NAC. He explained the ups and downs of the various (vendor-neutral) devices and how to set them up properly and get them to work in various environments. He definitely knew what he was talking about and made most parts of NAC relatively easy to understand. So no complaints there.
A few things, however, did not sit right with me. The first thing that bothered me was the fact that during the first hour of the course, the instructor completely disregarded Linux machines as being something that can be used. He basically called Linux users 'elite' and made it sound unimportant. What I gathered from the tone in which he said that is that Linux machines and NAC devices/systems do not like to play nice together. I also inferred that he did not wish there to be any questions regarding Linux machines and NAC. At this point I was starting to get a little turned off by the course, and since it was in the first hour, that was a disappointment.
The second and more important thing that left me feeling empty about the whole course was when he talked about subverting or hacking a NAC-protected network. He basically stated that a simple MAC spoof and 'acting' like the spoofed device (i.e., answering on the correct ports and fingerprinting properly) will let you on the network with little to no hassle. This even applies to NAC setups that require a client agent to connect. The proper spoofing technique would let you have way more access than you should have. From a penetration tester/hacker standpoint, this was music to my ears and was basically the same process we used at the NAC-protected client.
Overall, however, ISS and the course were both interesting and fun, despite those few things that happened to turn me off to the class.
Lesson learned: I don't really care for NAC.

