Learn to Defend Your System Where Firewalls Can’t—Inside Your Network

Is your organization protecting itself in the new digital age? Unauthorized devices joining the network through an open port or a wireless network are a real threat. With an ever-increasing number of mobile devices—laptop computers, notebooks, smartphones, PDAs, even video game systems—network managers are finding that portable devices create a real security risk. Controlling access is what Network Access Control (NAC) is all about.

NAC has a special place in a network security plan because, unlike a firewall, which offers perimeter protection, it monitors the inside of your network. A firewall stops the hacker in Poland from getting to your network through the Internet. NAC stops the hacker inside your building or in the parking lot from getting to your network through an Ethernet port or a wireless access point.

Learn how your organization can protect itself. Attend our next webinar and learn to:
• Prevent network breaches from unauthorized network connections and out-of-compliance devices.
• Stop rogue laptop connections and unauthorized wireless access devices from accessing your network.

Go to http://www.blackbox.com/Store/LP/veri-nacwebinar.aspx to view the webinar schedule and choose the time that’s best for you. In addition, be sure to visit our Veri-NAC resources page.


2 Responses

  1. NAC is definitely a good security measure!

    Page 7 of the NAC competitor comparison overview (http://www.blackbox.com/resource/genPDF/Veri-NAC_Network-Access-Control.pdf) is very impressive. I’m really curious as to how the system provides IP and MAC spoof protection without a client. Can you provide some details?


    • Here is an excerpt from our FAQ for the Veri-NAC that answers your questions concerning MAC and IP spoofing. More information can be found at http://www.blackbox.com/go/Veri-NAC.

      QUESTION: When the Veri-NAC box is introduced into the network, will all assets detected be put on the untrusted list by default, during Asset Discovery?

      ANSWER: No — they are all automatically trusted, unless you start the Dynamic Detection and blocking system with NO assets in the trusted asset list. We recommend turning off the Dynamic Detection System first (default setting) and doing an asset discovery (Network Access Control > Asset Discovery), then reviewing the trust list at Network Access Control > Manage IPs.

      QUESTION: Can I set a policy to define that any “untrusted” asset can only see a few IP addresses, such as an Internet proxy IP address? In other words, I want asset exclusion to be based on IP addresses, not MAC addresses.

      ANSWER: Yes, you can—easily. When an untrusted asset is being blocked, it can’t see IPs that are in the defined protect range. However, it can see IPs that are not in the protect range.
      For example: Let’s say you want to block a contractor’s laptop from access to critical servers, but this person can have access to the Internet, printers, and anything else. Assume the internal network is class C range from 254. The gateway IP address for access to the Internet is, the Veri-NAC IP is The critical servers cluster resides from 192.168.100-110. Here is how you would set up this policy on the Veri-NAC: From Network Access Control > Dynamic Detection System, click the check-box for “Enable PeerBlock blocking”.
      Enter “” in the Block Range, “192.168.100-110” in the Protect Range. Now, click “Save” at the bottom of the page.
      Result: When an outside contractor plugs in her laptop, she wouldn’t be able to see any of the critical servers. However, she can have access to the Internet and other non-critical servers without knowing that critical servers exist. When you are in admin view on the Veri-NAC Web interface, you will see that her laptop is being blocked (red highlight on the Manage IPs page).

      QUESTION: What is the IP/MAC Mismatch list for?

      ANSWER: Let’s look at a sample scenario:
      A network asset, PC1, has the IP address and PC2 has the IP address Both PCs are on the trusted list. PC1 goes offline. PC2 either statically reassigns its own IP to or PC2 requests a new IP, and the DHCP server leases to PC2. Veri-NAC will move PC1 to the mismatch list and give the reason “IP address unknown.” The PC2 info will overwrite the PC1 data on the Manage IPs page. PC2 can access the network normally. Later, when both PCs revert to their original IP addresses, PC1 will be removed from the IP Mismatch list. You can also choose to remove IPs in the Mismatch list manually.

      QUESTION: Does Veri-NAC authenticate MAC addresses and block MAC spoofing?

      ANSWER: Veri-NAC does provide MAC spoofing detection and blocking. If two or more devices are on-line at the same time, you will receive an e-mail, and you can have them blocked on detection.

      QUESTION: How do I remove a client that is listed under “MAC IP Mismatch”?

      ANSWER: Go to Network Access Control > Manage IPs and, from the drop-down Manage… menu at the top left of the screen, select MAC IP Mismatch List. This will show all clients in the MAC IP Mismatch list. Select the one you want to delete.

      QUESTION: What technique is used to block unknown computers and other devices? Does it affect performance in a “busy” end user network?

      ANSWER: The appliance uses a patented methodology to block untrusted devices from getting on the network. Generally speaking, it confuses the untrusted asset by feeding it wrong information and creating a low-bandwidth denial of service using PeerBlock, or through rule changes on smart switches (Black Box part number LGB1002A-R2, LGB1003A-R2, or LGB1005A-R2) and firewalls. PeerBlock uses 7 kbps of bandwidth to block, network activity whatsoever. “Normal conditions” means only a few untrusted assets at a time, not an abnormal situation such as 100 untrusted assets simultaneously attempting to access a small network. The stream of only 7 kbps to block unwanted users is very little bandwidth usage. That’s the most bandwidth usage per IP blocking event the appliance will use. Network traffic generated while Veri-NAC is auditing for vulnerabilities ranges from 40 to 120 kbps, and therefore is almost invisible to users even while it discovers their common vulnerabilities and exposures. However, there are some dos and don’ts we recommend to make traffic smooth and invisible. These are covered in the README FIRST! document you received with Veri-NAC and include not auditing a critical overloaded server during busy work hours and dealing with alerts from intrusion detection systems (IDS).

      QUESTION: Is MAC addressing the criteria for blocking unknown devices and if so, what if I move the Ethernet NIC to another computer?

      ANSWER: Yes, that is the criterion. So if you move the NIC to another computer, you will be triggering the MAC spoof detection mechanism. Run Asset Discovery to update the Veri-NAC database.

      Thanks for your question.
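The IP/MAC mismatch and duplicate-MAC behaviour the FAQ above describes (PC2 taking PC1's IP, both reverting, a never-discovered MAC, one MAC online at two IPs), modelled as an added Python example. This is not Veri-NAC code; the trust list, MAC addresses and online snapshots are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Seen:
    """One device observed online: the IP it answers on and its MAC."""
    ip: str
    mac: str

MISMATCH_REASON = "IP address unknown"

# Constructed trust list (what Manage IPs would show after Asset Discovery).
PC1_MAC, PC2_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
TRUSTED = {"192.168.1.10": PC1_MAC, "192.168.1.11": PC2_MAC}

# Constructed snapshots of what is online at three different moments.
SNAPSHOT_PC2_TOOK_PC1_IP = [Seen("192.168.1.10", PC2_MAC)]  # PC1 is offline
SNAPSHOT_REVERTED = [Seen("192.168.1.10", PC1_MAC), Seen("192.168.1.11", PC2_MAC)]
SNAPSHOT_ROGUE = SNAPSHOT_REVERTED + [
    Seen("192.168.1.12", PC2_MAC),              # second device claiming PC2's MAC
    Seen("192.168.1.50", "de:ad:be:ef:00:01"),  # MAC never seen by Asset Discovery
]

def audit_snapshot(trusted, seen):
    """Classify one snapshot the way the FAQ describes. Returns the updated
    Manage IPs view, the IP/MAC mismatch list, untrusted devices (block
    candidates) and MACs that are online at more than one IP at once."""
    trusted_macs = set(trusted.values())
    manage_ips = dict(trusted)      # IP -> MAC currently shown for each IP
    mismatch = {}                   # displaced MAC -> (its trusted IP, reason)
    untrusted = []                  # devices whose MAC is not on the trust list
    ips_per_mac = defaultdict(set)
    for dev in seen:
        ips_per_mac[dev.mac].add(dev.ip)
        if dev.mac not in trusted_macs:
            untrusted.append(dev)   # candidate for PeerBlock blocking
            continue
        owner = trusted.get(dev.ip)
        if owner is not None and owner != dev.mac:
            # A trusted IP is now answered by another trusted device: the
            # original owner goes to the mismatch list and the newcomer's
            # info overwrites the Manage IPs entry, as in the PC1/PC2 story.
            mismatch[owner] = (dev.ip, MISMATCH_REASON)
            manage_ips[dev.ip] = dev.mac
    # The same MAC online at two IPs simultaneously raises a MAC spoof alert.
    spoof_alerts = {m: sorted(ips) for m, ips in ips_per_mac.items() if len(ips) > 1}
    return {"manage_ips": manage_ips, "mismatch": mismatch,
            "untrusted": untrusted, "spoof_alerts": spoof_alerts}
```

Because each snapshot is audited on its own, re-running after both PCs revert empties the mismatch list, matching the FAQ's description.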
