
Re: WG Review: Network Endpoint Assessment (nea)

2006-10-10 13:33:38
I have seen a lot of discussion about whether NEA provides
"network protection". In fact, it has been suggested that
the charter be revised to say "NEA must not be considered
a protection mechanism for networks." I don't agree.

Let's start by examining this concept of "network protection".
It's an awfully broad concept. No single security technology
can provide total protection for a network against all attacks.
Instead, a careful threat analysis must be done and layered
countermeasures put in place: firewalls, malware scanning,
intrusion detection and prevention, strong authentication and
authorization, strong encryption for data at rest and in transit,
user education, etc.

In the context of an overall security program and when combined
with other security technologies, NEA can help protect networks.
Let me list the ways.

First, NEA can help improve the security of cooperating, truthful
endpoints. When a cooperating, truthful endpoint connects to the
network, its health can be checked and any problems fixed before
it can come under attack. This helps protect networks by keeping
endpoints healthy so that fewer endpoints become infected and
potentially impact the network through port scanning and other
misbehavior.

The protection provided by NEA alone is not absolute. Healthy
endpoints can be vulnerable to a zero day attack. And NEA on its own
provides no protection against lying endpoints and no protection
against hosts that don't participate in NEA protocols. But it's
a lot better than today's situation where some endpoints are
completely unprotected with patches or anti-virus software.

Second, NEA can be used with technology for detecting lying
endpoints. This prevents compromised systems from lying to
gain access to the network, thus providing a huge improvement
in network security.

I recognize that technology for detecting lying endpoints is
out of scope for the NEA effort but we shouldn't pretend that
it doesn't exist. Without NEA or similar protocols, it will be
hard to integrate lying endpoint detection systems into network
access control. That's why the NEA BOF in Montreal agreed to
include language in the charter saying that "the protocols developed
by the NEA WG must be designed to accommodate emerging technologies
for identifying and dealing with lying endpoints."

Third, endpoints that don't initially participate in NEA protocols
can be quarantined for further examination with an external vulnerability
scanner or a dynamically downloaded NEA client. Again, this is not part
of the proposed NEA WG charter but it is another example of ways that NEA
can be used with other security technologies to improve network
security.

To summarize, the NEA protocols will increase network security
on their own. When combined with other technologies, the increase
in network security is much greater. But either way it is not
accurate to say that NEA is not a protection mechanism for networks.

Thanks,

Steve

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
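The three cases argued in the message above (a truthful endpoint whose posture is checked and fixed, a lying endpoint caught by an external check, and a non-participating endpoint sent to quarantine) can be made concrete as a small policy decision point. The following is an added example written for this page; it is not code from the e-mail, from the NEA working group, or from any NEA implementation. The posture attribute names (`patch_level`, `av_signatures_age_days`, `firewall`), the thresholds in `POLICY`, and the `external_measurement` dictionary standing in for an out-of-band lying-endpoint detector are all assumptions chosen for illustration, as are the sample reports.

```python
"""Toy NEA-style policy decision point (added illustration, not an NEA protocol
implementation). Given an endpoint's self-reported posture, optionally an
independent measurement of the same attributes, decide whether to admit,
remediate, or quarantine the endpoint."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"            # posture meets policy: full network access
    REMEDIATE = "remediate"    # truthful but unhealthy: restricted access, fix first
    QUARANTINE = "quarantine"  # untrusted report or no report: isolate and scan


# Hypothetical policy thresholds (assumed values for the example).
POLICY = {
    "patch_level": 42,             # minimum acceptable patch level
    "av_signatures_age_days": 3,   # maximum acceptable AV signature age
    "firewall": True,              # host firewall must be enabled
}


@dataclass
class PostureReport:
    endpoint: str
    claims: Dict[str, object]  # attribute -> value the endpoint asserts about itself


def evaluate_claims(claims: Dict[str, object]) -> List[str]:
    """Compare claimed posture against POLICY; return the list of problems found.
    A missing attribute counts as a failure rather than silently passing."""
    problems: List[str] = []
    patch = claims.get("patch_level")
    if not isinstance(patch, int) or patch < POLICY["patch_level"]:
        problems.append(f"patch level {patch!r} below required {POLICY['patch_level']}")
    age = claims.get("av_signatures_age_days")
    if not isinstance(age, int) or age > POLICY["av_signatures_age_days"]:
        problems.append(f"AV signatures {age!r} days old, limit {POLICY['av_signatures_age_days']}")
    if claims.get("firewall") is not True:
        problems.append("host firewall not enabled")
    return problems


def decide(report: Optional[PostureReport],
           external_measurement: Optional[Dict[str, object]] = None
           ) -> Tuple[Decision, List[str]]:
    """Access decision for one endpoint.

    report               -- the NEA-style posture report, or None if the host
                            did not participate in the assessment at all.
    external_measurement -- attributes observed independently of the endpoint
                            (e.g. by an external scanner or integrity check);
                            stands in for the lying-endpoint detection the
                            message treats as out of scope but worth accommodating.
    """
    # Case 3: non-participating host. Isolate it; the reasons tell the operator
    # what to do next (scan it from outside or push a client to it).
    if report is None:
        return Decision.QUARANTINE, ["no posture report: run external scan or deploy NEA client"]

    # Case 2: the report contradicts what we measured independently. A client
    # that claims to be healthier than it is gets no benefit of the doubt.
    if external_measurement is not None:
        mismatches = [
            f"claimed {k}={report.claims.get(k)!r} but measured {v!r}"
            for k, v in external_measurement.items()
            if report.claims.get(k) != v
        ]
        if mismatches:
            return Decision.QUARANTINE, mismatches

    # Case 1: truthful endpoint. Admit if healthy, otherwise restrict it to a
    # remediation network and tell it exactly what to fix.
    problems = evaluate_claims(report.claims)
    if problems:
        return Decision.REMEDIATE, problems
    return Decision.ALLOW, []


# Constructed sample reports (not real data).
HEALTHY = PostureReport("laptop-1", {"patch_level": 42, "av_signatures_age_days": 1, "firewall": True})
STALE = PostureReport("laptop-2", {"patch_level": 40, "av_signatures_age_days": 10, "firewall": False})
LIAR = PostureReport("laptop-3", {"patch_level": 42, "av_signatures_age_days": 1, "firewall": True})
LIAR_MEASURED = {"patch_level": 40}  # what an external scanner actually saw on laptop-3


if __name__ == "__main__":
    for label, rep, meas in [("healthy", HEALTHY, None), ("stale", STALE, None),
                             ("liar", LIAR, LIAR_MEASURED), ("absent", None, None)]:
        decision, reasons = decide(rep, meas)
        print(f"{label:8} -> {decision.value}: {reasons}")
```

The point the example makes is structural: the posture protocol alone yields only the ALLOW/REMEDIATE split for truthful clients, and the QUARANTINE outcomes come from combining it with something outside the protocol (an independent measurement or the absence of a report), which is exactly the layering the message describes.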