The National Security Agency (NSA) recently released a guide on network infrastructure security. In the report, the NSA advises the implementation of a Network Access Control (NAC) solution to protect the network from unauthorized physical connections. While a necessary tool, NAC solutions are limited in their abilities due to visibility challenges, and this weakness gets exploited by covert spoofing devices.
NAC solutions lack visibility
NAC is a traffic-based solution that monitors Layer 2, relying on a MAC address or the 802.1x standard to authenticate devices. However, NAC controls get bypassed by MAC-less devices or devices with a spoofed MAC address. This is a significant risk as non 802.1x compliant devices, such as IoTs, get identified by their MAC address, thus creating a large hole in security defenses.
Malicious actors exploit the visibility gap with hardware attack tools that impersonate legitimate HIDs by spoofing their MAC address. Without the Layer 1 visibility necessary to detect the true identity of spoofing devices, the NAC solution authenticates them, granting access to the network. Once inside, these covert attack tools can carry out a variety of harmful attacks, ranging from espionage and data theft to ransomware and man-in-the-middle attacks.
NAC Solutions and HAC-1: a perfect match
Sepio’s solution for rogue device mitigation provides a panacea to the gap in device visibility by covering Layer 1. HAC-1 uses Layer 1 data to generate a digital fingerprint of all assets to provide complete physical layer security and asset visibility. The solution identifies all hardware devices for what they truly are – not just what they claim to be – and instantly detects spoofing devices. The enhanced visibility provided by HAC-1 supports NAC solutions in securing the network infrastructure by offering a more robust dataset. HAC-1 integrates with existing NAC implementations through the 3rd party REST API option without affecting the performance of the NAC solution.
NAC journey implementation
If you are early in your NAC journey or would like to complement your current coverage with an additional layer, there are a number of approaches you can take to either replacing the NAC which will leave you in a better global security posture without the headaches or replace portions of the NAC implementation. The various approaches will be discussed in a future article but include implementing Zero Trust Network Access, and utilizing what Gartner refers to as “lightweight NAC”.
In any of these approaches, complete visibility and asset identity truth again become critical to network infrastructure security controls. At the time of connection, devices need firstly to be discovered, correctly identified, assessed for potential risk and outcome to determine the suitability of access, and, if necessary, blocked.
If you need help along your journey of improving your NAC or moving beyond it, Sepio is here.
Sepio is purpose built to solve these issues plaguing security teams by allowing for a complete, trafficless global solution that gives you ultimate visibility, true asset identity, and risk mitigation.
