Nothing's perfect, NAC enforcement included.
There are a variety of methods to choose from, with the choice dependent on how much effort, cost and disruption are acceptable and whether the method is deemed secure enough.
NAC policies can be enforced at the edge of networks by access switches, firewalls and VPN gateways and inside the network also by using firewalls as well as in-line appliances between access and distribution switches. They can also be enforced by manipulating DHCP IP address assignments and by resetting a device's ARP tables to block network access.
A critique of enforcement methods presented at a Black Hat conference by the CTO of Innsightix helped put the security of these methods in perspective.
For instance, in the case of DHCP, proxying DHCP servers to enforce security policy cannot address devices that somehow obtain static IP addresses and therefore don't need to deal with the DHCP server. That can makes significant portions of some networks free of NAC enforcement, Arkin said.
In another example, enforcing NAC policies via switches relying on 802.1X can provide tight policy controls but only for devices that support 802.1x via client software. Devices that don't - such as printers an phones - could be spoofed, circumventing NAC altogether and giving access to an unauthorized machine that can then do damage.
The critique was meant as a heads-up to potential NAC users so they are aware of possible vulnerabilities and can take steps to fill whatever gaps exist, he says. "As long as users understand these solutions are not perfect and take other measures, then I've done my job right," Arkin says.
Users should balance the security of the enforcement method of NAC products with the amount of money and time they will take to implement. For instance, if the best method for a customer is 802.1X authentication, that requires an 802.1X client on every device that will be screened. Users have to ask whether distributing the clients and upgrading the switches that will enforce the policies are worth it.