
Open-Source NAC

PacketFence initiative offers public-domain alternative for network access control

Back in 2003, before network access control (NAC) became one of security's hot buttons, a few engineers at Harvard University developed a way to detect end points, discover their configurations, and isolate those that might present a security risk to the network.

In essence, these guys were doing NAC before NAC was cool.

The engineers, Kevin Amorin and David LaPorte, began working on the idea -- called PacketFence -- in their spare time, on their own computers, with the idea of creating a commercial product. But before they knew it, there were dozens of vendors swarming in the NAC space, and all of them had deeper pockets than the two university employees.

Today, the two men's dreams of making millions have largely fallen by the wayside, but the technology they developed still has legs. In fact, the engineers have turned PacketFence into an open source project which has captured the attention of some universities and small businesses.

"We've rebranded ourselves as an open-source NAC technology," says Amorin. "And we've seen some interest out there."

PacketFence, which is used in many parts of the Harvard network as well as in several other academic environments, offers some of the same features as Cisco's Network Access Control and Microsoft's Network Access Protection, but in a very different form factor.

"For them, it's all about attributes," says LaPorte, who notes that most NAC vendors put an agent on a known machine to collect data about configuration and risky behavior by end users. PacketFence, on the other hand, is designed to manage access by devices that aren't controlled by the NAC administrator and can't be automatically changed or remediated.

"In the academic environment, for example, you don't always control the student's computer," he says. "This is a way that organizations can help register and detect problems in those systems, without controlling them or putting an agent on them."

PacketFence started out as a series of "traps" designed to detect and isolate end users whose machines were worm-infected or unsafely configured, the engineers explain. They developed a method of mapping the MAC address of the machine to the end user's identity, and then helping the users with risky configurations to remediate their machines before being allowed to log onto the network.

Today, PacketFence contains a broad suite of scripts and applications, built on open source technologies and standard protocols such as DHCP fingerprinting, Address Resolution Protocol (ARP), and the Snort IDS/IPS. The whole thing can be staged on a Linux server running Apache and Perl scripts.

"You can use it just for registration [of end points] or just for detection of potential issues, but most of our users do both," Amorin says. When an end user tries to log into a network protected by PacketFence, the system finds out what the client is running and isolates any devices that might be dangerous. The system then instructs the client on how to fix itself so it can be allowed onto the network.

At this point, PacketFence is no threat to large-scale commercial systems such as Cisco NAC or Microsoft NAP, because it doesn't collect attribute information and it doesn't stop all dangerous traffic. "What we do with ARP, for example, is best-effort," says LaPorte. "It's possible for a bad packet to slip through, which might not be good enough for a corporate user."
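The agentless flow described above (identify the client from its DHCP request, map its MAC address to a registered user, then register, isolate, or allow) can be sketched as follows. This is an added example, not PacketFence code or part of the original article; the fingerprint table, the registration table, the flagged-OS policy, and all function names are constructed assumptions.

```python
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
# Constructed option-55 fingerprints; a real deployment uses a maintained database.
FINGERPRINTS = {(1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43): "legacy-windows",
                (1, 3, 6, 15, 119, 252): "macos"}
REGISTERED = {"00:11:22:33:44:55": "student-a"}   # constructed MAC -> identity map
FLAGGED_OS = {"legacy-windows"}                    # hypothetical site policy

def parse_dhcp(payload):
    """Return (client MAC, option-55 parameter request list) from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    if payload[1] != 1 or payload[2] != 6:          # htype Ethernet, hlen 6
        raise ValueError("not an Ethernet client address")
    mac = ":".join(f"{b:02x}" for b in payload[28:34])   # chaddr field
    prl, i = (), 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        if code == 55:                               # parameter request list
            prl = tuple(payload[i + 2:i + 2 + length])
        i += 2 + length
    return mac, prl

def decide(payload):
    """Map one DHCP message to (mac, user, os_guess, action)."""
    mac, prl = parse_dhcp(payload)
    user = REGISTERED.get(mac)
    os_guess = FINGERPRINTS.get(prl, "unknown")
    if user is None:
        action = "register"    # unknown MAC: send to the registration step
    elif os_guess in FLAGGED_OS:
        action = "isolate"     # known user, flagged platform: remediate first
    else:
        action = "allow"
    return mac, user, os_guess, action

def sample_discover(mac, prl):
    """Build a constructed DHCPDISCOVER payload for the demo."""
    header = bytes([1, 1, 6, 0]) + bytes(24) + bytes.fromhex(mac.replace(":", "")) + bytes(202)
    return header + MAGIC + bytes([53, 1, 1, 55, len(prl), *prl, 255])

if __name__ == "__main__":
    for mac, prl in [("00:11:22:33:44:55", (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43)),
                     ("66:77:88:99:aa:bb", (1, 3, 6, 15, 119, 252))]:
        print(decide(sample_discover(mac, prl)))
```

Both the MAC address and the option list are supplied by the client, so the result is a policy hint rather than proof of identity, in keeping with the "best-effort" caveat above.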

But the engineers have gotten some interest from small businesses that want the functionality of NAC but don't have the budget, Amorin says. "The GUI is unusually good for an open source product, and the functionality is good enough for a lot of academic and small business environments."

The engineers are watching the NAC standards battles with interest, and they may adopt some of the winning technologies for collecting and storing attribute information. They are also working on a method of mapping SIP phone numbers to MAC addresses. "We're still developing [PacketFence]," Amorin says. "We think it's got some potential."

— Tim Wilson, Site Editor, Dark Reading

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Microsoft Corp. (Nasdaq: MSFT)

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
