Does Your NAC Slack?

The National Security Agency (NSA) recently released a guide on network infrastructure security. In the report, the NSA advises the implementation of a Network Access Control (NAC) solution to protect the network from unauthorized physical connections. While a necessary tool, NAC solutions are limited in their abilities due to visibility challenges, and this weakness gets exploited by covert spoofing devices.

NAC lacks: visibility

NAC is a traffic-based solution that monitors Layer 2, relying on a MAC address or the 802.1x standard to authenticate devices. However, NAC controls get bypassed by MAC-less devices or devices with a spoofed MAC address. This is a significant risk as non 802.1x compliant devices, such as IoTs, get identified by their MAC address, thus creating a large hole in security defenses.

Malicious actors exploit the visibility gap with hardware attack tools that impersonate legitimate HIDs by spoofing their MAC address. Without the Layer 1 visibility necessary to detect the true identity of spoofing devices, the NAC solution authenticates them, granting access to the network. Once inside, these covert attack tools can carry out a variety of harmful attacks, ranging from espionage and data theft to ransomware and man-in-the-middle attacks.

NAC and HAC-1: a perfect match

Sepio’s HAC-1 solution provides a panacea to the gap in device visibility by covering Layer 1. HAC-1 uses Layer 1 data to generate a digital fingerprint of all assets to provide complete asset visibility. The solution identifies all hardware devices for what they truly are – not just what they claim to be – and instantly detects spoofing devices. The enhanced visibility provided by HAC-1 supports NAC solutions in securing the network infrastructure by offering a more robust dataset. HAC-1 integrates with existing NAC implementations through the 3^rd party REST API option without affecting the performance of the NAC solution.