Lakshminath Dondeti wrote:
At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
Many universities require their students to buy their own laptops,
but prohibit certain types of activity from those laptops (like
spamming, DDOS-attacks and the like). They would love to have the
ability to run some kind of NEA procedure to ensure that laptops are
reasonably virus-free and free from known vulnerabilities, and are
important enough in their students' lives that they can probably
enforce it without a complaint about "violation of privacy".
Just pointing out that there's one use case with user-managed
endpoints where NEA is not obviously a bad idea.
My email ventures into a bit of non-IETF territory, but we are
discussing use cases, and so I guess it's on topic. Universities
should be the last places to try antics like NEA. Whereas an
operational network would be a priority to them, it is also important
that they allow students to experiment with new applications. If we
believe that general purpose computing will be taken away from
college students, we are indeed talking about a different world.
In any event, the bottom line is NEA as a solution to "network
protection" is a leaky bucket at best.
NEA at best *may* raise the bar in attacking a "closed" network where
endpoints are owned and tightly controlled by the organization that
owns the network.
Let's not forget that when (not if) NEA/NAP/NAC is deployed the IDSen
people have deployed today to solve the lying-client-problem by
scanning for common/current vulnerabilities as part of the network
admission process will have to interface with PDPs part of a NEA
infrastructure.
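As an added illustration that is not part of this thread (none of the posters supplied code), the following toy policy decision point shows the interface the last message describes: a PDP that takes the endpoint's self-reported posture together with an independent network-side scan, and refuses to admit a client on its own say-so. Every name, attribute key, patch-level number and sample value below is constructed for the example and does not come from any real NEA, NAP or NAC product.

```python
"""Toy PDP combining self-reported posture with an independent scan.

Added example, not from the IETF thread. All attribute keys, required
patch levels and sample endpoints are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy: minimum patch level the network requires per component.
REQUIRED_PATCH_LEVEL = {"os": 5, "browser": 12}


@dataclass
class PostureReport:
    """What the endpoint claims about itself: self-reported, hence untrusted."""
    av_running: bool
    patch_level: Dict[str, int]


@dataclass
class ScanResult:
    """What the network-side scanner (the 'IDS' in the thread) observed."""
    open_vulns: List[str] = field(default_factory=list)  # constructed ids, e.g. "VULN-A"
    patch_level: Dict[str, int] = field(default_factory=dict)


@dataclass
class Decision:
    verdict: str          # "admit", "quarantine" or "deny"
    reasons: List[str]


def decide(report: PostureReport, scan: Optional[ScanResult]) -> Decision:
    """Admission decision: policy on the self-report, then cross-check with scan."""
    reasons: List[str] = []

    # 1. Policy checks on the self-report alone.
    if not report.av_running:
        reasons.append("client reports AV not running")
    for component, minimum in REQUIRED_PATCH_LEVEL.items():
        if report.patch_level.get(component, 0) < minimum:
            reasons.append(f"client reports {component} below required level")

    # 2. Without independent evidence the self-report is unverified:
    #    the lying-client problem means it cannot be trusted for admission.
    if scan is None:
        reasons.append("no independent scan available; self-report unverified")
        return Decision("quarantine", reasons)

    # 3. A claim contradicted by the scanner is treated as a lying client,
    #    which is handled more strictly than an honest policy failure.
    for component, observed in scan.patch_level.items():
        claimed = report.patch_level.get(component)
        if claimed is not None and claimed > observed:
            reasons.append(
                f"self-report overstates {component} patch level "
                f"(claimed {claimed}, observed {observed})"
            )
            return Decision("deny", reasons)

    # 4. Scanner findings override a clean self-report.
    if scan.open_vulns:
        reasons.append("scanner found known vulnerabilities: " + ", ".join(scan.open_vulns))
        return Decision("quarantine", reasons)

    if reasons:
        return Decision("quarantine", reasons)
    return Decision("admit", ["self-report consistent with scan and meets policy"])


def demo() -> Dict[str, str]:
    """Run four constructed endpoints through the PDP and return their verdicts."""
    compliant = PostureReport(True, {"os": 5, "browser": 12})
    outdated = PostureReport(True, {"os": 3, "browser": 12})
    liar = PostureReport(True, {"os": 5, "browser": 12})  # claims os 5, scanner sees 3
    clean_scan = ScanResult([], {"os": 5, "browser": 12})
    old_scan = ScanResult([], {"os": 3, "browser": 12})
    vuln_scan = ScanResult(["VULN-A"], {"os": 5, "browser": 12})
    return {
        "honest_compliant": decide(compliant, clean_scan).verdict,
        "honest_outdated": decide(outdated, old_scan).verdict,
        "lying_client": decide(liar, old_scan).verdict,
        "no_scan": decide(compliant, None).verdict,
        "scanner_finds_vuln": decide(compliant, vuln_scan).verdict,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The design point is the ordering: the scanner's observation is evaluated after the self-report so that a contradiction between the two becomes a distinct outcome ("deny") rather than being folded into an ordinary policy miss, which is the signal an operator would want logged when a client misrepresents its posture.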
Ietf mailing list