Black Hat: Fooling Cisco's NAC Network Access Control
Via heise Security News.
Security experts at the Black Hat conference in Amsterdam have demonstrated how Cisco's NAC network access control can be fooled. In a live demonstration using a modified Trust Agent, Michael Thumann and Dror-John Röcher from ERNW were able to gain full access to an NAC-protected network from a computer that did not comply with network policies.
According to Thumann and Röcher, Cisco has already fixed the problem and will be releasing its own advisory on the issue shortly. Network administrators can use systems such as Cisco's NAC to define access policies, for example requiring that computers attempting to access the intranet have up-to-date anti-virus software and operating system patches installed. In NAC, conformity with these policies is checked by a 'Trust Agent' or 'Security Agent', which is installed on the clients and reports its results to the NAC router.
The attack demonstrated makes use of a fundamental weakness in common access control systems for networks: if the client-side control software is running on a system under an attacker's control, the attacker can determine its behaviour and pass the system off as conforming to policies at will.