The StillSecure Blog and Grill
Some NAC vendors use a vulnerability exploit known as ARP poisoning (also called ARP spoofing) to prevent endpoints from gaining network access. While this works in theory, it’s a bad idea for a number of reasons. To explain why, we’ll need to dive into what ARP is, and how ARP poisoning can be used to limit endpoint access to your network.
What’s ARP?
Address Resolution Protocol (ARP) is a network protocol designed to associate network layer 2 addresses (MAC addresses) with layer 3 addresses (IP addresses). When an endpoint needs to know where to physically send a packet on the local network, it makes an ARP broadcast request on the network to find out.
Because ARP is designed to facilitate communications between two devices on the same physical network, ARP packets cannot leave the local physical network (A.K.A. layer 2 subnet). That means they cannot cross a router to another network.
Endpoints broadcast, to all devices in the same layer 2 subnet, the question:
“Who has IP www.xxx.yyy.zzz?”
The device on that subnet that has that IP address is required to respond to the request, saying:
“MAC address AA:BB:CC:DD:EE:FF has IP www.xxx.yyy.zzz”
This allows the endpoint to populate outgoing IP packets (packets sent at layer 3 or higher) with a destination MAC address, and it allows hardware that doesn’t understand IP addresses, such as switches and hubs, to get the packet where it needs to go.
There you go, that’s ARP: simple. So the next time you hear someone talking about ARP’ing a host, you’ll know what they’re saying.
ARP is all well and good, but when you’re sending thousands or millions of packets on a network, you don’t want to have to ask that same question for every packet you create. It would really slow network communication if every host had to do that for every outbound packet. To solve this issue, endpoints keep what’s called an ARP table (ARP cache). It allows them to remember the answers to those requests, so they can be reused.
An ARP table simply looks like:
- (10.1.2.1) at 00:26:b9:87:43:aa (ether) on eth2
- (10.1.1.1) at 00:19:b9:ef:21:dc (ether) on eth2
It links an IP address (10.1.2.1) with a MAC address (00:26:b9:87:43:aa) on a physical network adapter (eth2). ARP tables can be very small on some networks, or they can be very large, in the thousands of entries. The next time the host needs to send a packet to IP 10.1.2.1, it looks up the MAC address in its ARP table, and uses that.
Why is ARP Poisoning Inherently Bad?
ARP poisoning is a network attack that exploits a vulnerability in the ARP protocol to redirect traffic from one location (say a network gateway) to an attacker’s host. Some NAC products use this type of vulnerability exploit to funnel traffic through them for purposes of access control.
At a very basic level, when an endpoint requests the MAC address of say, your network gateway, the NAC appliance responds with its own MAC address first. This causes (most) endpoints to send their traffic to the NAC appliance rather than to your gateway, which allows the NAC appliance to determine whether to give the endpoint access to other resources, or not.
While it can work, most security experts frown on the use of vulnerabilities to achieve functional goals. It’s little different than saying: I need to access your laptop, so I’m going to exploit a vulnerability to get to it, so I can provide you some level of value without you having to spend your time installing an agent, or giving me a login. You wouldn’t tolerate that behavior on your laptop, so why tolerate it on your network?
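The behavior described above, an endpoint learning IP-to-MAC bindings from ARP replies and a second device answering for the gateway’s IP with its own MAC, can be caught from the defender’s side by watching for bindings that change. The following is an added example, not StillSecure or Safe Access code: it parses ARP table lines in the format shown earlier and runs a small monitor over constructed sample replies, flagging any reply that contradicts a pinned or previously cached binding and any MAC that answers for more than one IP. All addresses are constructed sample values.

```python
"""Spot gateway ARP poisoning from a stream of ARP replies (added example)."""
import re
from dataclasses import dataclass, field

# One line of `arp -a` style output, as in the ARP table shown above.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\((?P<hw>\w+)\) on (?P<dev>\S+)",
    re.IGNORECASE,
)

# Constructed sample table (same shape as the one in the text).
SAMPLE_TABLE = """\
? (10.1.2.1) at 00:26:b9:87:43:aa (ether) on eth2
? (10.1.1.1) at 00:19:b9:ef:21:dc (ether) on eth2
"""

# Constructed sample ARP replies seen on the wire, in arrival order.
SAMPLE_REPLIES = [
    ("10.1.2.1", "00:26:b9:87:43:aa"),   # the real gateway answers
    ("10.1.2.50", "00:11:22:33:44:55"),  # an ordinary host answers for itself
    ("10.1.2.1", "DE:AD:BE:EF:00:01"),   # a different MAC also answers for the gateway IP
    ("10.1.2.60", "de:ad:be:ef:00:01"),  # ...and the same MAC answers for another IP
]


def parse_arp_table(text):
    """Parse arp -a style lines into {ip: (mac, device)}; MACs are lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = (m.group("mac").lower(), m.group("dev"))
    return table


@dataclass
class ArpMonitor:
    """Tracks IP->MAC bindings learnt from replies and records contradictions.

    `pinned` holds bindings the operator trusts (e.g. the gateway); a reply
    that disagrees with a pinned binding is alerted on and never cached.
    """
    pinned: dict = field(default_factory=dict)
    cache: dict = field(default_factory=dict)
    claims: dict = field(default_factory=dict)   # mac -> set of IPs it has answered for
    alerts: list = field(default_factory=list)

    def observe(self, ip, mac):
        """Record one ARP reply; return an alert string if it conflicts, else None."""
        mac = mac.lower()
        self.claims.setdefault(mac, set()).add(ip)
        expected = self.pinned.get(ip, self.cache.get(ip))
        alert = None
        if expected is not None and expected != mac:
            kind = "pinned" if ip in self.pinned else "cached"
            alert = f"{ip}: {kind} binding {expected} contradicted by {mac}"
            self.alerts.append(alert)
        # Pinned IPs only ever cache the trusted MAC; everything else learns normally.
        if ip not in self.pinned or mac == self.pinned[ip]:
            self.cache[ip] = mac
        return alert

    def multi_ip_macs(self):
        """MACs that have answered for more than one IP: {mac: [ips...]}."""
        return {m: sorted(ips) for m, ips in self.claims.items() if len(ips) > 1}


def run_demo():
    """Pin the gateway from the sample table, then replay the sample replies."""
    table = parse_arp_table(SAMPLE_TABLE)
    monitor = ArpMonitor(pinned={"10.1.2.1": table["10.1.2.1"][0]})
    for ip, mac in SAMPLE_REPLIES:
        monitor.observe(ip, mac)
    return monitor


if __name__ == "__main__":
    mon = run_demo()
    for a in mon.alerts:
        print("ALERT", a)
    print("MACs claiming several IPs:", mon.multi_ip_macs())
```

Pinning the gateway binding is what turns the endpoint-side cache into a detector: an unpinned cache simply accepts the last answer, which is exactly the behavior the poisoning technique depends on.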
The time has come! The final voting is now underway for the Windows IT Pro Community Choice Awards and StillSecure is currently nominated in two separate categories. As the CEO of StillSecure, I feel that these award nominations are a true testament to how well we have performed as a company, not only with our products and services, but with meeting the needs of our customers. StillSecure is uniquely positioned within the market to provide customers products and solutions that are, above all else, easy to install and operate with two key elements in mind – fast, deep endpoint assessment, and comprehensive endpoint control.
With the growing evolution of bring-your-own-device (BYOD), NAC solutions are becoming more important than ever for customers to deploy. The concerns related to BYOD and protecting every device on the network are not going away and have led to a resurgence in the NAC market, something we continue to hear from our customers despite what others have said about the market.
We are confident that our track record of providing best-in-class products and solutions speaks for itself, but we are aware that when it comes to network monitoring and protection, rest is never an option. The final voting for the Windows IT Pro Community Choice Awards is entirely based on community and customer votes and feedback. With that in mind, here are the categories that StillSecure is up for this year. Wish us luck and vote StillSecure 2013!
- Best Deployment/Configuration Product (Safe Access®)
- Best Network-Management Product (Safe Access)
Many NAC products offer a weak form of high-availability, and no load balancing. In some other NACs, HA is generally achieved by mirroring entire system disks over the network, and if one server goes offline, the hot backup server takes up the slack. Load balancing is left to you and third party vendors.
Others’ HA serves the purpose, but it means you’ve got one server doing all the work, while the other just sits there, taking up space, power, and generating heat; doing no one any good. Servers are expensive. Powering them and cooling them is expensive. That’s a big part of why virtualization and the cloud are taking over.
If your business is doing any work in the cloud for those reasons, why would you buy a NAC solution that means you’re going to be having servers just waiting for a rainy day? Might as well get some value out of them.
Help, I can’t load balance by myself!
The other downside of most NAC products is that they offer little or no load balancing functionality. Often, you’re required to segregate network traffic for them, and in some really nasty cases, you have to purchase very expensive TAP appliances to distribute traffic if there’s too much for a single appliance to handle.
The Elegant Solution
What if you never had to relegate a NAC server to sitting around waiting for something bad to happen? And what if you didn’t have to do anything special to have processing load spread across multiple servers? No new hardware to buy, no special network configurations, nothing wasted just so you can make your network work for NAC?
Safe Access uses a unique HA and load-balancing architecture: it uses the concept of a cluster that shares all state between servers. In a Safe Access cluster, you can have any number of servers configured to protect a particular part of your network. Servers in the cluster automatically spread the workload between them, and if one or more servers fail, the rest continue without missing a beat.
Safe Access also supports any number of clusters, so you can break your network down any way you like, and deploy with multiple enforcement modes, like 802.1X, DHCP, and inline, all centrally managed and reliable.
Voila! Problem solved: no wasted servers, and no extra effort to spread traffic across them. This is built into Safe Access’ web-based award-winning user interface, and it takes just a couple of clicks to add and remove cluster servers.
Next time you buy NAC, consider one that doesn’t waste your time or money.
NAC is made up of a variety of different components:
- Endpoint detection: watching the network for new endpoints connecting to it.
- Endpoint profiling: understanding information about endpoints, like their IP address, MAC address, physical location, operating system.
- Endpoint assessment: looking at the endpoint in depth, and understanding whether it meets your compliance policy.
- Policy matching: Taking into account all the information about the endpoint in order to determine what type of action to take regarding an endpoint: is it allowed on the production network? Is there a problem with the endpoint that should be repaired? Should the endpoint be isolated from the rest of the network? Should someone be alerted to a problem?
- Enforcing access controls: Limiting the endpoint’s access to resources on the network based on a matched policy.
- Remediation: Either directly repairing issues on an endpoint, or working with a patch manager to do so.
- Notification: Notifying administrators or the help desk when issues are detected that cannot be repaired remotely.
- Guest Access Control: Creating and managing temporary, limited access to a network, for temporary network users, such as contractors.
One thing that most NACs lack is comprehensive endpoint assessment. They leverage outdated technologies that give an incomplete view of the endpoint, or leave the technology to other vendors because creating and maintaining assessment content is hard. Because many NACs are very weak when it comes to endpoint assessment, some will make you jump through hoops and spend piles of money to adapt your network to serve their assessment engine.
To understand why, let’s dive into what we mean by endpoint assessment. Assessment feeds the decision as to whether an endpoint complies with your policy or not. It also helps you understand the overall compliance level of your network, and provides the data necessary for you to trend your remediation efforts organization-wide so you can demonstrate value to your management. It can include the following:
- Patch levels: Ensuring that all critical patches are applied to the operating system and applications on the operating system.
- Security software monitoring: Verification that security software like anti-malware, host-based intrusion detection and prevention, data-at-rest encryption, and others are working properly. Not only are they installed; they are functional, and fully up-to-date.
- Critical files intact: Ensuring that system and other critical files have not been tampered with, which can indicate the presence of a zero-day attack or advanced persistent threat (APT).
- Approved applications: Ensuring that only approved applications are running, or at least that no disapproved applications are running. DropBox® and Google Drive® are popular use cases here, to prevent corporate data from leaving the network.
- Application security: Ensuring that application security settings for browsers, office applications, and utilities are correct to help prevent phishing attacks and malware sites.
- Network configuration: Ensuring that network configurations require secure wireless and are not transmitting traffic off your network.
- Services and processes: Making sure that required services and processes are running, and unauthorized ones are not.
… and many others.
Many NAC products leverage 3rd party scanner or assessment tools, or IDPS, each of which has significant limitations:
- 3rd party scanner: Slow and heavy, requiring significant processing resources and time.
- 3rd party assessment tool: Limited scope, agent-only, and dependent on 3rd parties for content updates.
- IDPS: Looks only at behavior, not at the state of a system, and what could happen. Also requires that traffic from desktop switches be forwarded to a NAC appliance.
Safe Access leverages purpose-built assessment technology built from the ground up for speed, depth, and minimal resource consumption. This brings some unique capabilities to the table:
- Extremely lightweight agent: smallest, with only a 5MB footprint.
- Over 2000 cross-vendor checks: you’re covered from all angles.
- Hyper-fast assessment: agent testing completes in less than 2 seconds, and about 15 seconds for agentless.
- Functional parity between agent and agentless: Works the same with or without an agent, and even automatically and seamlessly falls back to agentless testing if the agent is missing.
- DoD IAVA support: For DoD customers, StillSecure’s total control of the rule set allows Safe Access to be the only NAC that has total IAVA integration built-in.
By James D. Brown, CEO, StillSecure
Black Hat is underway. And today (Wednesday) kicks off the much anticipated briefing sessions, a series of highly technical information security-focused sessions that bring together thought leaders from all facets of the infosec world. Below are my “can’t miss” sessions and Twitter handles of some speakers that I’m excited to hear from (and will be “following” during the event). If you’re planning to attend any of these, tweet at the @StillSecure handle and I will look for you! Here goes:
Wed, July 31
- OSFooler: Remote OS Fingerprinting is Over, Jaime Sanchez, (@segofensiva)
- Thundercell, Georgia Weidman, (@georgiaweidman)
- Registry Inspector Forensics (RIF), Lodovico Marziale, (@vicomarziale)
Thu, Aug 1
- Ice-Hole, Darren Manners, (@darrenmanners)
- Sphere of Influence 3.2, Darren Manners, (@darrenmanners)
- Dependency-Check, Jeremy Long
Is NAC back? We certainly think so. In fact, we never thought it was dead to begin with and have an award-winning NAC solution, Safe Access®, to prove it. I’ve outlined my top three misconceptions about NAC below with explanations on why these myths simply do not hold up.
1. Anti-malware on your endpoints prevents most threats to your network.
Why it's not true:
Unpatched browsers, running unapproved services or applications, leaving vulnerabilities unpatched, altered system libraries, and many other issues are all ways to make endpoints vulnerable to attack or for an insider to use them to attack your network. None of the above items are monitored by anti-malware, and each can allow a significant breach.
Why try to bypass anti-malware in such a target-rich environment?
Solid security policy, enforced by NAC, and augmented by an MDM is a way to close these holes.
2. Small businesses don't have to worry about security.
Why it's not true:
Many startups have only their IP as value in their company. Securing this IP to at least a reasonable degree is critical to the continued survival of the company. In some cases, startups need to ask customers to trust them with sensitive data in order to provide their product or service. These types of companies can suffer irreparable harm if they suffer a breach which exposes their customers legally, financially, or otherwise. Securing the infrastructure of a startup can also be a market differentiator when dealing with larger customers.
Multiple layers of security, commensurate with the needs of the business, are key.
3. NAC is difficult to deploy and expensive.
Why it’s not true:
Some NAC solutions are expensive and difficult to deploy, that’s true. However, that isn’t always the case. With Safe Access, there’s no hardware to buy, everything can be done virtually, and it can be deployed in an hour or so on many networks. If you have a Windows® DHCP server and managed switches on your network, you’ve got what you need to deploy Safe Access right out of the box.
There’s no reason not to install NAC today, to gain the ability to watch endpoints (including smartphones and tablets) connect and disconnect from your network, test them for compliance with your policy, isolate the ones that have serious issues, and repair the ones that can be automatically fixed. You also gain the ability to manage your guests, and make sure they can go only where you want them to on your network, or on the Internet.
By James D. Brown, CEO, StillSecure
You may have heard that our Director of Marketing, Camilla Mason-Jones was recently recognized by UBM Tech Channel’s CRN as one of the top Women of the Channel. This list recognizes female executives across vendor channel organizations, distributors and solution providers for their accomplishments over the past year, and the far-reaching impact they are having on the technology industry going forward.
As the CEO, I work very closely with Camilla to help drive and implement our marketing strategy. I could not be more proud of her for reaching this accomplishment. In the short time that she has been with StillSecure, she has revitalized our partner program which helped to better position the company as the outsourced marketing partner of choice. In fact, by joining forces with StillSecure’s partners to help them sell our solutions, she helped to position StillSecure’s managed security services arm for strategic sale, allowing us to focus solely on growing our network access control award-winning product Safe Access.
Aside from her accomplishments on the job, Camilla is also an extremely smart woman and all around just a fun person to be around. I know that Camilla will continue to drive StillSecure and our Safe Access product forward in the years to come. I would like to extend our deepest congratulations to Camilla from all of us at StillSecure! And please make sure to check out her official write up on CRN.
There are few things more upsetting than buyer’s remorse. It’s bad enough when it’s your own money, and we have all been there. You make a big purchase with your hard-earned money, and then learn that it doesn’t live up to expectations or that you could have bought it much cheaper someplace else. When it’s a purchase for your company, the pressure increases. Now you’ve spent money that you have to justify to your boss. If you decided to go with just the most visible vendor (as many people do), hoping that will help justify your decision, you may be kicking yourself later when you find a more cost-effective, easier-to-use solution that meets your needs just as well.
Before you invest in a Network Access Control (NAC) solution, first ask yourself a few key questions:
Do I have to upgrade my network?
Some NAC vendors require you to set up SPAN ports on your desktop switches to forward that traffic to your network core, where it can be analyzed by NAC servers, which leverage IDPS technology to provide endpoint assessment capabilities. In theory, there’s no problem here: your switches can all span ports, and you’ve got a network. What’s the big deal?
There are a few problems with this approach:
- You’re losing a major benefit of your network switch fabric: that traffic that’s localized doesn’t have to be sent through the rest of the network. Duplicating all your traffic and shipping it to your network core means reducing your overall network capacity.
- SPAN ports increase the load on your switch’s CPU. With enough traffic, you can slow your switch down, make it more difficult to manage, or overload it entirely, causing it to crash.
- Highly distributed networks suffer, because either you’ve got to put a NAC appliance at every location, or potentially more than double the traffic over slower remote links.
- Traffic can be lost when there’s a lot going on. You simply can’t take 48 1Gbps ports and send all their traffic over a 1Gbps or 10Gbps SPAN port. This means there will be traffic your NAC will never see, which provides a great way for an attacker to DoS your NAC, and slip by unnoticed.
- Encrypted traffic gets missed: in an era when more and more traffic is encrypted, that’s a glaring hole that can be easily exploited by using a VPN.
- On a very large network, you may have to purchase high-performance network TAP hardware costing tens or hundreds of thousands of dollars to aggregate and split traffic into chunks the NAC appliance can consume. That’s a big increase in costs, and it also means your shiny new 10 or 40Gbps network is probably being heavily loaded: just to support your NAC.
While these NACs can operate without this setup, you lose a big chunk of their functionality, and therefore a big chunk of value. And you sacrifice your network performance, and make life easier for attackers.
Am I going to be locked into a particular switch vendor?
Network Access Control vendors who use NAC as a way to sell more switches have a vested interest in locking you into their ecosystem. This is very smart on their part, and if you’re buying switches, you can often have their NAC for free as a result. We run into this all the time: the switch vendor throws in NAC for free. If you’re paying for these NACs, you’re paying too much.
Oh, and by the way, don’t go buying another vendor’s switches, because your NAC won’t support them. Not a very good deal if you ask me.
Am I wasting money on hardware?
One flaw that IDPS-based NACs suffer is their dependence on special purpose hardware (application-specific integrated circuits, or ASICs) to be able to process large amounts of data packets on your network. This gets worse the faster you go: the hardware to handle very large traffic loads gets to be more and more specialized, and cost goes up significantly.
This also significantly limits the capacity for virtualized solutions, so while these NAC vendors may have the ability to run in a virtual environment, they can’t scale VMs like their physical hardware counterparts. That’s not real virtualization: why would I want to virtualize your software if it gets crippled in the process?
StillSecure Safe Access suffers from none of these limitations, and imposes none of these restrictions. It can be deployed in as little as an hour on many networks, and those whose switch infrastructure is vintage 2004 or later don’t need to purchase any new components.
So, to avoid the pain and costs of buyer’s remorse, check us out. I think you’ll be pleasantly surprised. Call our expert sales team at 303-381-3802 to see how we can help make NAC a painless experience for you.
By James D. Brown, CEO, StillSecure
As of June 10, 2013, Safe Access®’s place on the U.S. Department of Defense (DoD) Defense Information Systems Agency (DISA) Unified Capabilities Approved Product List (UC APL) was renewed with Safe Access v6.1 (see APLITS TN 1228901). That’s a mouthful that means StillSecure Safe Access has renewed its presence as an approved product for all Department of Defense customers.
StillSecure is also the first NAC vendor to complete certification on the new, and very strict, 2013 APL requirements, and all 9 applicable Security Technical Implementation Guidance (STIG) requirements documents. The combination of the various requirements amounts to over 1,000 different security configurations, requirements, and features that must be met to be certified for inclusion on the UC APL. Safe Access is also the only NAC product on the list that is approved for virtualization.
This means that Safe Access can lay claim once more to the moniker, “Military-Grade NAC”, and it continues an 8-year commitment to comply with and meet the network access control needs of the DoD and its various branches. Since 2005, Safe Access has been on a DoD approved product list, first on the Army Information Assurance Approved Products List (IA APL), and last, in 2009, when we were approved for the DoD-level DISA UC APL.
Safe Access meets the specific needs of the DoD by being the only NAC that "speaks" IAVA natively. Compliance and vulnerability checks performed by Safe Access in a DoD environment are reported as IAVAs, policies are configured using IAVAs, and you can even access the CYBERCOM website directly from Safe Access to research IAVA details. Safe Access also has full OVAL® integration, which allows our Security Alert Team™ to include new OVAL checks as they are created. Further, Safe Access can verify the proper function of data-at-rest encryption, McAfee® HBSS® agents, and other information assurance agents on endpoints. With full CAC authentication built in, Safe Access fits right into any approved DoD installation. Finally, Safe Access can provide access control for mobile devices, nicely complementing a Mobile Device Manager or other mobile management technologies to provide full situational awareness of the mobile devices on your network, and allow you to control the access they receive on the network.
A significant investment of time and money for any organization, this certification demonstrates a solid commitment to helping meet the security and information assurance needs of our armed forces. Let me also take this opportunity to thank our many Army, Navy, Air Force, Marines, Reserves, and National Guard customers for their continued support, and for their business. They have helped us make Safe Access stronger, easier-to-deploy, less expensive to operate, and more scalable.
This certification lasts until June 2016, so we look forward to continuing our relationships within the DoD, demonstrating more and more value to those many customers, and earning the trust of many more.
You may have read our news regarding our re-position to focus exclusively on Network Access Control (NAC). If not, you can see it here. This is a very exciting time for NAC and its developments within the Federal and commercial sectors, and so we wanted to ensure that we remained fully focused on developing new features and product sets to support and secure our customers.
Why is it so exciting? In 2011, securing bring-your-own-device (BYOD) emerged as a real and serious need, and one that will only gain momentum. Because BYOD technologies are almost inherently mobile, and often involve unmanaged devices, it can be very difficult to enforce security policies involving them. Meeting this new challenge required new technologies and new innovations. Thus, the mobile device manager was born.
Mobile device managers (MDM) provide an agent for the mobile devices on your network, and allow you to push compliance policies to them. Most can also report back on compliance levels. What they often don’t do, however, is remediate non-compliant devices, or isolate devices based on dangerous configurations, such as being jailbroken, or not running anti-malware. MDMs are focused on mobile devices, not on network infrastructure, nor do they help with laptops and desktops brought in from home.
Remediation and endpoint isolation are a perfect fit for NAC, and thus are a key part of enforcing a BYOD policy. An MDM alone doesn’t give you enough control to really police the use of mobile devices on your network. This has driven a major resurgence in the NAC market, and in large part has driven StillSecure’s decision to divest its managed security services business and focus 100% on its Safe Access® NAC product.
Despite the fact that NAC has had a reputation for being difficult to deploy, Safe Access has always stood out as one of the easiest NACs to install, and in fact, we can show its full power in under an hour on your network. That means Safe Access can often be installed with no major configuration changes, nor any additional hardware purchases. Many of our competitors require orders of magnitude longer to demonstrate a fully functional deployment. Because of this, and our high speed testing engine that can bring to bear thousands of cross-vendor compliance tests, Safe Access is uniquely positioned to be a top BYOD player, and it’s what makes us so excited to focus entirely on NAC.