Does this take a genius?
I was reading an article by Ellen Messmer and Tim Greene over in NetworkWorld today on Black Hat buzz. I am interested to see some of the security issues around Vista they talk about, especially the rootkit from COSEINC and Joanna Rutkowska. It is called Blue Pill and seems like a particularly nasty one: perhaps not something you would fix with a patch, since it goes to Vista's architecture. I think it is a very smart move by Microsoft to encourage this sort of thing by sponsoring and being visible at Black Hat. Let's find out about the holes before Vista is released, while we can still do something about them. This seems like a refreshingly different approach by the folks in Redmond, and I commend them.
Another presentation I am looking forward to, for a different reason, is the one by Ofir Arkin of Insightix. I wrote about this one back in early July. These are the guys who are going to show how it is possible to evade every NAC solution, except theirs of course. This is one where I think the folks at Black Hat were duped. Does Ofir think he has discovered something by showing how NAC solutions that rely on DHCP can be evaded by static IPs? Every customer we speak to about DHCP enforcement brings up this same issue. No rocket science here, folks. This is why we don't think DHCP is the optimum way to deploy a NAC solution. But in the absence of other enforcement technologies like 802.1x, it is the best of the rest. I still think it is more secure than the SNMP-based stuff.
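As an added example (not from the original post, Insightix, or any NAC vendor), here is the compensating check a network team can run against the DHCP-enforcement gap described above: correlate the DHCP server's lease log with what is actually present on the segment (an ARP table), so a host that configured itself statically and never passed through the DHCP checkpoint shows up for review. The log format, addresses and MACs are constructed for the example.

```python
import re

# Constructed sample data (not from the original post): ISC dhcpd-style syslog
# lines recording which MAC was granted which address by the DHCP server.
DHCP_LOG = """\
Aug  2 09:01:11 dhcpd: DHCPACK on 10.0.0.21 to 00:11:22:33:44:01 via eth0
Aug  2 09:02:40 dhcpd: DHCPACK on 10.0.0.22 to 00:11:22:33:44:02 via eth0
Aug  2 09:05:03 dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:03 via eth0
"""
# Constructed `arp -an` output from the same segment: every host actually
# talking on the wire, whether or not it ever asked the DHCP server.
ARP_TABLE = """\
? (10.0.0.1) at 00:11:22:33:44:ff on eth0 ifscope [ethernet]
? (10.0.0.21) at 00:11:22:33:44:01 on eth0 ifscope [ethernet]
? (10.0.0.22) at 00:11:22:33:44:02 on eth0 ifscope [ethernet]
? (10.0.0.23) at 00:11:22:33:44:99 on eth0 ifscope [ethernet]
? (10.0.0.77) at 00:11:22:33:44:77 on eth0 ifscope [ethernet]
"""
# Addresses the admin deliberately configured statically (gateway, servers).
KNOWN_STATIC = {"10.0.0.1"}

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.I)
ARP_RE = re.compile(r"\((\S+)\) at ([0-9a-f:]{17})", re.I)

def parse_leases(log: str) -> dict:
    """Map leased IP -> MAC it was handed to (the latest DHCPACK wins)."""
    return {ip: mac.lower() for ip, mac in DHCP_RE.findall(log)}

def parse_arp(table: str) -> dict:
    """Map observed IP -> MAC seen on the segment."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(table)}

def find_unenforced_hosts(log: str, table: str, known_static: set) -> list:
    """Return (ip, mac, reason) for hosts a DHCP-only NAC never evaluated.

    no_lease:     active IP the DHCP server never assigned, i.e. a host that
                  configured itself statically and skipped the checkpoint.
    mac_mismatch: IP was leased to one MAC but another MAC is now using it.
    """
    leases = parse_leases(log)
    findings = []
    for ip, mac in sorted(parse_arp(table).items()):
        if ip in known_static:
            continue
        if ip not in leases:
            findings.append((ip, mac, "no_lease"))
        elif leases[ip] != mac:
            findings.append((ip, mac, "mac_mismatch"))
    return findings
```

Run periodically against the real lease log and switch or router ARP tables; anything reported is a device that DHCP enforcement alone could not have evaluated and that a second layer (802.1x, port security, or a manual review) should pick up.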
Bigger picture, in security it is always about choices and risk. If you don't feel your risk is high enough to warrant upgrading your network to a more secure way of doing NAC, you make do with DHCP. I think for every security technology out there, there is a way for a determined hacker to evade it. That is exactly why defense in depth is the way to go: not that it is impossible to get through, but the time and effort involved in doing so will outweigh the gain. Specifically with NAC, I think most people want it to make sure they are enforcing access policies against managed and unmanaged devices, not necessarily to be the uber-hacker stopper. It is more the inadvertent polluter that NAC is going to stop.