Narayanan, Vidya wrote:
From: Susmit Panjwani [mailto:susmit(_at_)gmail(_dot_)com]
Sent: Saturday, October 07, 2006 5:04 PM
To: Harald Alvestrand
Cc: Narayanan, Vidya; nea(_at_)ietf(_dot_)org; iesg(_at_)ietf(_dot_)org;
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Third, I simply can't see what the organization's interests would be in
protecting a device that doesn't even belong to it.
An organization might not be interested in protecting a device that
does not belong to it but would definitely be interested in
preventing the attacks originating from such device (if
compromised) when it joins the organization network.
It appears that the NEA charter is completely misleading to
some people from what is stated in this email. As the NEA
charter alludes to, NEA does nothing to protect against
compromised devices. Also, as has been agreed, NEA is not a
protection mechanism for the network - it is meant to be a
protection mechanism for compliant, truthful and as yet
uncompromised end hosts against known vulnerabilities.
True, NEA doesn't "do" anything to protect against compromised devices,
but it does assist in limiting the known compromises on endpoint devices by
being a mechanism for checking and reporting on compliance with whatever
network policy is in place, including virus and patch levels. As a network
administrator I already deploy mechanisms for doing just this, but at a
higher level than the NEA charter indicates. To me the difference is
between being reactive or proactive. The compliance testing I already run
occurs after an end node has joined the network; with NEA the possibility is
for compliance checking before being allowed onto the network, so isolation
and immediate remediation are possible.
Any network, in its own best interests, must assume that it
has lying and compromised endpoints connecting to it and
that there are unknown vulnerabilities on any NEA-compliant
devices connecting to it. Any kind of protection that
addresses these general threats that the network may be
exposed to at any time will simply obviate the need for NEA from the
Reliance on one protection or reporting mechanism is not enough. We need a
lot of varied tools to cover all the bases and minimise risk.
A network operator that thinks the network is getting any
protection by employing NEA is clearly ignoring the obvious
real threats that the network is exposed to at any time.
No, NEA would just be one more tool used to improve overall security and
minimise risk. It would be at a different level to the tools some of
This is what I meant when I said that the charter is unclear
and it must explicitly state that NEA is not meant as a
protection mechanism of any sort for the network.
I don't believe the Charter needs to delve into this at all. If some people
see it as part of their protection mechanisms, so be it.
Darryl (Dassa) Lynch
Ietf mailing list