
NAC or Rootkit - How Would I know?

I show up for a meeting, flip open my netbook and start looking around for a wireless connection. The meeting host suggests an SSID. I attach to the network and get directed to a captive portal with an ‘I agree’ button. I press the magic button and get a security warning dialogue.

It looks like the network is NAC’d. You can’t tell that from the dialogue though. ‘Impulse Point LLC’ could be a NAC vendor or a malware vendor. How would I know? If I were running a rogue access point and wanted to install a root kit, what would it take to get people to run the installer? Probably not much. We encourage users to ignore security warnings.

Anyway – it was amusing. After I switched to my admin account and installed the ‘root kit’ service agent and switched back to my normal user, I got blocked anyway. I’m running Windows 7 RC without anti-virus. I guess NAC did what it was supposed to do. It kept my anti-virus free computer off the network.

I’d like someone to build a shim that fakes NAC into thinking I’ve got AV installed. That’d be useful.
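One thing a user (or a help desk) can actually do to answer the “how would I know?” question is to check the installer’s Authenticode signature before approving it, rather than trusting the publisher name the dialogue shows. This is an added example, not code from the post or from any NAC vendor; the installer path and the expected publisher subject are placeholders you would get from the network owner out of band.

```powershell
# Added example: verify who really signed a downloaded agent installer.
# Assumptions (placeholders, not from the original post):
#   $InstallerPath   - where the captive portal's download landed
#   $ExpectedSubject - the publisher name you expect in the signer's certificate
param(
    [string]$InstallerPath   = "$env:USERPROFILE\Downloads\nac-agent-setup.exe",
    [string]$ExpectedSubject = 'CN=Example NAC Vendor LLC'
)

function Test-InstallerSignature {
    param([string]$Path, [string]$ExpectedSubject)

    if (-not (Test-Path -LiteralPath $Path)) {
        return @{ Verdict = 'MISSING'; Detail = "no file at $Path" }
    }

    # Get-AuthenticodeSignature checks the signature and validates the signer's
    # certificate chain against the local trust stores; Status summarises the result.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (file altered after signing), NotTrusted or
        # UnknownError (chain does not end in a trusted root) all mean "do not run".
        return @{ Verdict = 'REJECT'; Detail = "signature status $($sig.Status): $($sig.StatusMessage)" }
    }

    # A valid signature only proves that *some* code-signing certificate holder
    # signed the file. Compare the signer's subject with the name you expect,
    # not with whatever the warning dialogue happens to display.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        return @{ Verdict = 'REJECT'; Detail = "validly signed, but by '$subject'" }
    }

    return @{
        Verdict = 'OK'
        Detail  = "signed by '$subject', thumbprint $($sig.SignerCertificate.Thumbprint), " +
                  "certificate valid until $($sig.SignerCertificate.NotAfter)"
    }
}

$result = Test-InstallerSignature -Path $InstallerPath -ExpectedSubject $ExpectedSubject
"{0}: {1}" -f $result.Verdict, $result.Detail
```

The thumbprint in the OK line is what you would compare against a value published by the vendor or the network owner; a matching publisher string alone is not proof of anything if you got that string from the same portal that served the installer.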


  1. >After I switched to my admin account and installed the ‘root kit'^H^H^H^H^H^H^H^Hservice agent...

    I LOL'd

  2. Matt -

    That's what I said to the host in the meeting - 'What's this rootkit thing you're trying to install?'

    We've worked together for a decade & are pretty informal, so it at least provided amusement for the meeting.

  3. I am glad to see our NAC system is working – I am always suspicious of System staff when they are on campus.


    Anyway, I’ll throw my two cents in about NAC systems since this post is here. It’s not a magic bullet that will solve any and all security problems, as NAC was often marketed. It helps protect our network from the unaware students who bring laptops to campus expecting access to services – without patching their systems or running any AV. We average 300 to 500 of these laptops a day over which we have no control.

    NAC is decent at policy enforcement, allowing me to try to get student machines to comply with system guidelines. It also can be a teaching tool for students who know nothing about keeping their systems even minimally secured.

    It will not stop attackers, which is a common misconception. Once logged in and the AV is running, anyone can attack away. Can a dedicated individual figure out how to bypass a NAC system – yes. That person probably is already smart enough to also patch their system. Stop by my office next time and I can show you how.


  4. @James -

    Thanks for the comment.

    I'm not really pro or anti NAC, but what struck me (and why I wrote this) was that the popup for a good thing (a NAC agent) is really indistinguishable from something bad (malware), and hence an ordinary user is as likely as not to click OK on both.

    That's not anything that a NAC vendor or implementer can fix. It's really a problem with the operating system.

    Take care.

  5. Thanks Mike.

    I understood the point you were getting at and didn’t necessarily take the post as anti NAC. I mostly used the post to put my opinion on NAC systems into the blogosphere (which in my humble opinion are uniquely suited to environments like higher ed).

    No worries. Back to lurking…

