The feedback we most commonly hear from those who have attempted the mammoth task of deploying NAC is ‘nightmare’ or ‘given up’. Why should controlling your own network and its connected assets be so difficult? A few reasons spring to mind: BYOD (or, writ large, the Internet of Things), the traditionally intrusive nature of the NAC beast, and the inability of many network-connected devices to run agents, which makes them difficult to verify.
Take a printer, for example. How do you know a printer is a printer? We can see it is a printer and it does what we expect it to do, so it must be a printer. Now let's jump onto the control panel, take its MAC and IP address and configure a laptop to ‘pretend’ it is now the printer. As far as the network knows, there is still a printer connected. So how can we catch this change and take steps to stop our new ‘printer’ from gaining unauthorised access to the network?
We can use the network to provide the clues that reveal the true identity of the end device: information that is readily available and surprisingly simple to use. TCP fingerprinting, the services the end device exposes and the device's ‘willingness to talk’ can all be used to start understanding the true identity of your printer.
Finally, whether by means fair or foul, the device will eventually talk on the network. Capturing these conversations in real time helps you see whether a printer really is a printer, or whether it has become a data exfiltration staging server.
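As an added illustration of the checks described above (TCP fingerprint, exposed services and ‘willingness to talk’), not code from the original post, the following passive check compares what a sniffer reports for the printer's MAC against a stored profile. The profile values, the MAC address and the sample segments are all constructed; the TTL-rounding rule is a common heuristic, not a guarantee.

```python
from dataclasses import dataclass

# Constructed baseline for the printer's MAC: an embedded-Linux device whose
# packets start at TTL 64, that advertises small TCP windows, answers only on
# IPP (631) and JetDirect (9100) and never opens connections itself.
PRINTER_PROFILE = {
    "mac": "00:11:22:33:44:55",   # example address, not a real asset
    "initial_ttl": 64,
    "max_window": 32768,
    "listening_ports": {631, 9100},
    "initiates_connections": False,
}

@dataclass
class Observation:
    """One TCP segment from the device, as a passive sniffer would record it."""
    mac: str
    ttl: int        # TTL as received, i.e. after per-hop decrement
    window: int     # advertised TCP window
    port: int       # local port for a SYN-ACK, remote port for an outbound SYN
    outbound: bool  # True when the device sent the SYN itself

def initial_ttl(observed: int) -> int:
    """Round a received TTL up to the OS default it most likely started from."""
    return next((c for c in (32, 64, 128, 255) if observed <= c), 255)

def check_identity(profile: dict, observations: list) -> list:
    """List every way the traffic for this MAC contradicts its stored profile."""
    findings = set()
    for o in observations:
        if o.mac != profile["mac"]:
            continue
        if initial_ttl(o.ttl) != profile["initial_ttl"]:
            findings.add(f"initial TTL {initial_ttl(o.ttl)} != profile {profile['initial_ttl']}")
        if o.window > profile["max_window"]:
            findings.add(f"window {o.window} exceeds anything seen from the printer")
        if o.outbound and not profile["initiates_connections"]:
            findings.add(f"device opened a connection to remote port {o.port}")
        elif not o.outbound and o.port not in profile["listening_ports"]:
            findings.add(f"device answered on unexpected port {o.port}")
    return sorted(findings)

# Constructed traffic: the first segment is the real printer answering a print
# job; the others are what a laptop carrying the printer's MAC and IP looks like.
SAMPLE = [
    Observation(PRINTER_PROFILE["mac"], 63, 14600, 9100, False),
    Observation(PRINTER_PROFILE["mac"], 127, 65535, 445, False),
    Observation(PRINTER_PROFILE["mac"], 127, 65535, 443, True),
]
```

Running `check_identity(PRINTER_PROFILE, SAMPLE)` reports the Windows-style TTL and window, the unexpected SMB listener and the outbound connection, while the genuine print-job segment produces no findings.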