Tim Greene has an article over at Network World on how a student at the University of Portland bypassed a Cisco Clean Access (CCA) NAC check to get on the network and got suspended as a result. Simple device software checks, such as those done by CCA, were never meant to provide 100% security. Of course, no security measure provides that level of protection. Device software checks were designed to prevent the inadvertent user with an out-of-date system from getting on the network. A user bent on introducing malicious code into your network isn’t going to be stopped easily. As I’ve written about endlessly, security is a system, not one product. One tenet of good security analysis is to assume that one layer of protection within your environment completely fails. How the rest of your security system picks up the slack is a very telling metric regarding the overall security of your network.
As NAC becomes more pervasive, so will the techniques to bypass its checks. The hope is that those individuals with the technical competence to bypass the checks are also competent enough not to have their machines compromised. How true this is remains to be seen.