Hi Steve,
Let me start with a couple of fundamental points that have already been
stated before.
A. Any network is exposed to threats from lying endpoints, compromised
endpoints and unknown vulnerabilities even on NEA-compliant endpoints.
B. A network needs to be protected against such generic threats (as
listed in A).
I am rather confused by this attempt to make NEA fit into some kind of a
network protection mechanism. I keep hearing that NEA is *one* of a
suite of protocols that may be used for protecting networks. Let's dig a
bit deeper into what a network may employ as protection mechanisms in
order to protect against all kinds of general threats.
i) Access control mechanisms such as authentication and authorization
(to ensure only valid endpoints are allowed on the network)
ii) Ingress address filtering to prevent packets with topologically
incorrect IP addresses from being injected into the network
iii) VPNs to provide remote access to clients
iv) Firewalls to provide advanced filtering mechanisms
v) IDS/IPS to detect and prevent intrusions
vi) Application level filtering where applicable (e.g., detecting and
discarding email spam)
A combination of the above (or the like) needs to be used to address the
general threats mentioned above (in B, for example). Given that, what does
NEA bring to the network that isn't already provided by such mechanisms
that need to be employed anyway? It is not like we can stop using some
of these mechanisms if NEA is present, since the threats that NEA may
protect against (from the network perspective) are a small subset of the
general threats that a network operator must consider. And, when the
general threats are addressed, any subset of those threats is also
addressed.
The effectiveness of NEA is tied to the type of endpoint (i.e.,
truthful, compliant endpoints with known vulnerabilities). A network,
OTOH, needs mechanisms that protect against all kinds of endpoints. I
fail to understand why a particular category of endpoints that NEA
addresses is not viewed as a subset of the general category of "all
endpoints".
Some further comments inline.
-----Original Message-----
From: Stephen Hanna [mailto:shanna(_at_)juniper(_dot_)net]
Sent: Tuesday, October 10, 2006 1:30 PM
To: ietf(_at_)ietf(_dot_)org; nea(_at_)ietf(_dot_)org;
iesg(_at_)ietf(_dot_)org
Subject: [Nea] Re: WG Review: Network Endpoint Assessment (nea)
I have seen a lot of discussion about whether NEA provides
"network protection". In fact, it has been suggested that the
charter be revised to say "NEA must not be considered a
protection mechanism for networks." I don't agree.
Let's start by examining this concept of "network protection".
It's an awfully broad concept. No single security technology
can provide total protection for a network against all attacks.
Instead, a careful threat analysis must be done and layered
countermeasures put in place: firewalls, malware scanning,
intrusion detection and prevention, strong authentication and
authorization, strong encryption for data at rest and in
transit, user education, etc.
In the context of an overall security program and when
combined with other security technologies, NEA can help
protect networks.
Let me list the ways.
First, NEA can help improve the security of cooperating,
truthful endpoints.

How is this network protection? As you state above, it is about
improving the security of co-operating, truthful *endpoints*.

When a cooperating, truthful endpoint
connects to the network, its health can be checked and any
problems fixed before it can come under attack. This helps
protect networks by keeping endpoints healthy so that fewer
endpoints become infected and potentially impact the network
through port scanning and other misbehavior.
The protection provided by NEA alone is not absolute. Healthy
endpoints can be vulnerable to a zero day attack. And NEA on
its own provides no protection against lying endpoints and no
protection against hosts that don't participate in NEA
protocols. But it's a lot better than today's situation where
some endpoints are completely unprotected with patches or
anti-virus software.
Second, NEA can be used with technology for detecting lying
endpoints. This prevents compromised systems from lying to
gain access to the network, thus providing a huge improvement
in network security.

Once again, given that a network operator must really protect against
many generic threats, what kind of improvement is NEA bringing to the
security of the network?

I recognize that technology for detecting lying endpoints is
out of scope for the NEA effort but we shouldn't pretend that
it doesn't exist. Without NEA or similar protocols, it will
be hard to integrate lying endpoint detection systems into
network access control. That's why the NEA BOF in Montreal
agreed to include language in the charter saying that "the
protocols developed by the NEA WG must be designed to
accommodate emerging technologies for identifying and dealing
with lying endpoints."
Third, endpoints that don't initially participate in NEA
protocols can be quarantined for further examination with an
external vulnerability scanner or a dynamically downloaded
NEA client. Again, this is not part of the proposed NEA WG
charter but it is another example of ways that NEA can be
used with other security technologies to improve network security.

I'm confused by the above - what is the role of NEA here?

To summarize, the NEA protocols will increase network
security on their own. When combined with other technologies,
the increase in network security is much greater. But either
way it is not accurate to say that NEA is not a protection
mechanism for networks.

I continue to remain puzzled on the above points!

Vidya
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf