NAC solutions are thought by some to be a magic bullet; however, this is not the case.
This article contains sensitive information that is well known in the information security industry (at least among experts) but is not well known to the IT industry.
This article is not a hacking guide. It merely shows how simple configurations prevent a NAC from protecting your network. This article does not discuss methods of bypassing 802.1X.
NAC solutions verify computers and devices in various ways, including but not limited to:
- MAC address
- WMI queries
- Installed applications and configurations (includes domain membership)
Most NAC solutions can be bypassed in several ways.
The first way: a hub (not a switch!)
- Connect a valid computer/device to the hub
- Connect the hub to the network
- Once verified (or after a couple of minutes) proceed to the next step
- Modify your network adapter's MAC address and IP address to match the valid computer
- Enjoy!
However, this method produces TCP resets, so it is easy to locate and generates noise on the network. With the hub method the invalid computer sends out TCP SYN requests, and the replies are delivered to both the valid and the invalid computer (a hub repeats every frame to every port). The valid computer then sends a reset packet, because it is not expecting that connection, and a race condition begins in which one computer tries to reset the connection while the other tries to continue it. This makes forensics easier for the defender and makes the connection less reliable for the attacker.
The second way: a router
- Configure the router (with NAT and PAT enabled) to forward all incoming ports to a specific LAN port (e.g. port 1) or to a specific IP address (e.g. 10.0.0.2).
- Connect the valid computer/device to the router (port 1).
- If forwarding by IP address, the IP address configured in step one should be the first one the router's DHCP server issues; verify that the valid computer/device received it
- Connect the WAN port to the network
- Once verified (or after a couple of minutes) proceed to the next step
- Connect your computer to an unused port on the router
- Enjoy!
Finding a circumvention performed in this fashion is not possible unless the MAC address of the router's WAN port has not been changed: the vendor prefix (OUI) of that MAC is then the only thing that stands out (for example, if your company uses ABC network cards and you see one from DEF Network Card, Inc., that should raise a flag).
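As an added example (not part of the original article), here is the kind of check a defender could run over DHCP lease records to raise exactly the flag described above. The lease format, the hostnames and the approved OUI values are constructed placeholders; in practice the approved set comes from the IEEE OUI registry entries for the NIC models your organisation actually buys.

```python
import re

# Constructed placeholder OUIs (first three bytes of the MAC) for the NIC
# vendors the organisation uses. These are NOT real vendor assignments.
APPROVED_OUIS = {"AA:BB:01", "AA:BB:02", "AA:BB:03"}

# Constructed sample DHCP lease records in "ip mac hostname" form, mixing the
# colon, dash and Cisco dotted MAC notations seen in different exports.
SAMPLE_LEASES = """\
10.0.0.2 aa:bb:01:12:34:56 finance-pc-07
10.0.0.3 AA-BB-02-AA-BB-CC hr-laptop-12
10.0.0.4 aabb.0355.6677 build-server
10.0.0.5 de:ad:be:ef:00:01 visitor-box
"""

_NON_HEX = re.compile(r"[^0-9A-F]")


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or dotted notation; return AA:BB:CC:DD:EE:FF."""
    digits = _NON_HEX.sub("", mac.upper())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """Vendor prefix: the first three bytes of a normalised MAC."""
    return normalize_mac(mac)[:8]


def parse_leases(text: str):
    """Yield (ip, normalised mac, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or truncated lines rather than guessing
        ip, mac, host = parts[0], parts[1], parts[2]
        yield ip, normalize_mac(mac), host


def flag_unexpected_vendors(text: str, approved=APPROVED_OUIS):
    """Return the leases whose MAC vendor prefix is not an approved NIC vendor."""
    return [(ip, mac, host) for ip, mac, host in parse_leases(text)
            if oui(mac) not in approved]


if __name__ == "__main__":
    for ip, mac, host in flag_unexpected_vendors(SAMPLE_LEASES):
        print(f"unexpected NIC vendor {oui(mac)} at {ip} ({mac}, {host})")
```

The cloned MAC of the hub method is not caught by this check, since it copies a valid address; only the router's own WAN interface, if left with its factory MAC, shows an unfamiliar vendor.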
There are expensive solutions such as MACsec that can close this gap, but that is not really NAC and is usually not feasible.