Comments on TaoSecurity Blog: Review Posted Plus NAC
Blog author: Richard Bejtlich (comment feed last updated 2023-10-16)

Comments in chronological order:

Dan Weber (2007-07-19 08:33):
I think the best argument I came up with in favor of NAC is that it helps uncompromised computers stay that way.

Imagine if your ISP refused to let your IIS server receive packets until it had asserted that it was secure against Code Red.

If it doesn't do that, it's probably vulnerable, and the patching process can commence.

If it is already compromised, well, it doesn't matter.

So the point of NAC isn't to (directly) protect other assets -- it's to protect the asset connecting with NAC.

I know biology metaphors are overused, but a school requiring polio vaccinations isn't just keeping out polio (although that's definitely a benefit) -- it's also making sure that any breakout doesn't hit everybody.

I'm still scared of how NAC will deal with Unix-like laptops, though.

Unknown (2007-07-19 13:52):
I would assume that NAC vendors would agree between the lines that NAC doesn't validate the integrity of the system connecting, but rather that the password/connection policy of whatever remote access technology you have would do that. If someone in Romania has valid credentials, you have something else terribly wrong, and I would hope the other nets and mitigations in place would control the damage and/or eventually ferret out that imposter (easily said, I know!).

NAC is a cool thing, but for every success story there are probably 10 other failures and backed-out stories.

NAC is to compliance/configuration control as IPS is to IDS. It's not for everyone. I think a lot of NAC purveyors are really looking for security and the ability to shunt rogue devices off into never-never-land or out of the trusted network. That's solving a small problem with a very complex solution, in my mind.

Kinda makes you wonder why it is called NAC/P (Network Access Control/Protection) when that's only a fallible side effect of the real activity...

Unknown (2007-07-19 13:57):
By the by, I use VNC to admin my Linux boxes at home. (Ok, ok, I also use SSH...) :)

Anonymous (2007-07-20 15:33):
I agree 100%. NAC is really NACC: Network Admission Configuration Control. It currently will only really validate that the host is running AV, is patched, and those types of things. It won't really know that the box is rootkitted with a backdoor prior to admitting. But either way, we're still better off with NAC than without. It's a good step in the right direction.

Anonymous (2007-07-26 06:59):
Harping on about rootkitted machines on random OSes demonstrates that you have missed the point of what NAC is trying to provide. I don't think any NAC vendor suggests that they have detection mechanisms for every rootkit. I don't think any NAC vendor suggests that they have a solution for emulated 'policy compliant' clients.
However, considering the current threat landscape is typically generic infected machines with spray-and-pray worm infection vectors, how can you believe that a correctly implemented client-based NAC solution does not significantly raise the bar for malware?

Richard Bejtlich (2007-07-26 08:04):
Anonymous, you said "considering the current threat landscape is typically generic infected machines with spray and pray worm infection vectors." It's not 2003 anymore. Read NAC Is Fighting the Last War: http://taosecurity.blogspot.com/2006/12/nac-is-fighting-last-war.html

Anonymous (2007-07-26 17:12):
It is 2007, and according to Symantec today the top 5 pieces of malware are:

W32.Imautorun is a worm that copies itself to all drives and downloads potentially malicious files onto the compromised computer.
W32.Bratsters is a worm that copies itself to all drives and downloads potentially malicious files onto the compromised computer.
W32.Phoney.A is a worm that spreads through mapped drives. It also lowers security settings on the compromised computer.
W32.Himu.A@mm is a mass-mailing worm that also spreads through network drives and shared folders. The worm also attempts to disable security-related applications and block access to certain Web sites.

[For the sake of argument I've taken out 2 trojans from this top 5 list; also, McAfee shows a similar list to this.]

So, you've correctly implemented a client-based NAC solution. None of these have NAC-evading capabilities. You have successfully prevented a machine without current AV defs (and installed AV software) from connecting to your network. Thus, you have prevented a machine infected by any one of these from spraying itself all over your file servers.

Of course it is an arms race. Of course this depends on other security layers, like AV. However, saying NAC is pointless because there is a possibility of a workaround is the same as saying wall safes are useless because some thieves can break into them.

Now if you want to argue NAC cost analysis and the reality of deploying full-blown NAC solutions to a non-greenfields corporate environment you might have more success. Arguing technically just shows a lack of understanding of the problem NAC solutions are trying to solve.

Richard Bejtlich (2007-07-26 18:11):
Anonymous,

Before I address your point, why don't you name yourself and the NAC vendor who employs you?

Anonymous (2007-07-26 18:57):
None. I'm an independent security consultant. To be honest, I don't really like NAC, but not for the (flawed) reasons you list.

Two later comments (Ayisha, 2007-08-16 01:56; Anonymous, 2009-06-16 06:39) were removed by a blog administrator.
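The thread above argues over what a client-based NAC posture check does and does not establish: it can keep a host without antivirus, with stale definitions or with missing patches off the network, but it takes the agent's word for that state and cannot see a rootkit on a host that still reports itself compliant. The following is an added example, not code from the blog, its commenters or any NAC vendor, that implements a toy posture policy of that kind and runs it over constructed sample reports. The policy fields, the host names, the dates and the `actually_compromised` flag are all assumptions made for the illustration; the flag stands in for ground truth the NAC server never receives.

```python
# Added example, not from the TaoSecurity post or its commenters. A toy
# client-based NAC posture policy: admit a host only if its self-report says
# antivirus is installed, definitions are no older than N days, and no
# patches are missing. All reports below are constructed sample data.
# "actually_compromised" is a hypothetical ground truth a real NAC server
# never sees; it is here only to show why a self-reported check cannot
# detect a rootkitted host whose agent still reports itself compliant.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

TODAY = date(2007, 7, 26)  # assumed evaluation date for the sample reports


@dataclass
class PostureReport:
    host: str
    av_installed: bool
    av_defs_date: Optional[date]        # None when the agent reports no date
    missing_patches: int
    actually_compromised: bool = False  # hypothetical; invisible to NAC


@dataclass
class Policy:
    max_defs_age_days: int = 3
    max_missing_patches: int = 0


def evaluate(report: PostureReport, policy: Optional[Policy] = None,
             today: date = TODAY) -> Tuple[str, List[str]]:
    """Apply the policy to one self-reported posture.
    Returns ("admit", []) or ("quarantine", [reasons])."""
    policy = policy or Policy()
    reasons: List[str] = []
    if not report.av_installed:
        reasons.append("antivirus not installed")
    elif report.av_defs_date is None:
        reasons.append("antivirus definition date not reported")
    else:
        age = (today - report.av_defs_date).days
        if age > policy.max_defs_age_days:
            reasons.append(f"antivirus definitions {age} days old "
                           f"(limit {policy.max_defs_age_days})")
    if report.missing_patches > policy.max_missing_patches:
        reasons.append(f"{report.missing_patches} missing patches "
                       f"(limit {policy.max_missing_patches})")
    return ("admit" if not reasons else "quarantine", reasons)


# Constructed sample reports (not real hosts).
SAMPLE_REPORTS: List[PostureReport] = [
    PostureReport("clean-laptop", True, date(2007, 7, 25), 0),
    PostureReport("stale-defs", True, date(2007, 7, 16), 0),
    PostureReport("no-av", False, None, 2),
    # Reports exactly what the policy wants, but the report comes from a
    # rootkitted agent: nothing in the report reveals the compromise.
    PostureReport("rootkitted", True, date(2007, 7, 26), 0,
                  actually_compromised=True),
]


def decisions(reports: Optional[List[PostureReport]] = None,
              policy: Optional[Policy] = None,
              today: date = TODAY) -> Dict[str, str]:
    """Verdict per host."""
    reports = SAMPLE_REPORTS if reports is None else reports
    return {r.host: evaluate(r, policy, today)[0] for r in reports}


def quarantine_reasons(reports: Optional[List[PostureReport]] = None,
                       policy: Optional[Policy] = None,
                       today: date = TODAY) -> Dict[str, List[str]]:
    """Reasons for every host that was quarantined."""
    reports = SAMPLE_REPORTS if reports is None else reports
    out: Dict[str, List[str]] = {}
    for r in reports:
        verdict, reasons = evaluate(r, policy, today)
        if verdict == "quarantine":
            out[r.host] = reasons
    return out


def admitted_but_compromised(reports: Optional[List[PostureReport]] = None,
                             policy: Optional[Policy] = None,
                             today: date = TODAY) -> List[str]:
    """The gap the thread argues about: hosts admitted on their own say-so
    that are (hypothetically) compromised. A real NAC server cannot compute
    this list, because the flag is not part of the agent's report."""
    reports = SAMPLE_REPORTS if reports is None else reports
    return [r.host for r in reports
            if evaluate(r, policy, today)[0] == "admit"
            and r.actually_compromised]


if __name__ == "__main__":
    for host, verdict in decisions().items():
        print(f"{host:14} {verdict}")
    for host, reasons in quarantine_reasons().items():
        print(f"{host:14} reasons: {'; '.join(reasons)}")
    print("admitted despite compromise:", admitted_but_compromised())
```

Running it admits `clean-laptop` and `rootkitted`, quarantines `stale-defs` (definitions 10 days old) and `no-av` (two reasons), and lists `rootkitted` as admitted despite compromise. That last line is the point both sides of the thread concede in different words: the check raises the bar for a host that honestly lacks AV or patches, and does nothing against an agent that reports what the policy wants to hear.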