Hi Darryl,
Your email indicates that you would:
a) somehow require that a visitor's laptop run an NEA client,
b) expect the device to support PAs that the server requires to be
checked, and
c) trust data coming out of it,
rather than treat that endpoint as an unknown endpoint and do IDS/IPS in
the network.
Other than finding this a rather bizarre trust model, I have to say
that there will be a very small set of such endpoints where the owner of
that endpoint is going to be thrilled to allow you to place such clients
on his/her device and perform updates on it.
In short, this is exactly the type of endpoint I wouldn't imagine NEA
being useful for!
Vidya
-----Original Message-----
From: Darryl (Dassa) Lynch [mailto:dassa(_at_)dhs(_dot_)org]
Sent: Wednesday, October 11, 2006 2:56 AM
To: Narayanan, Vidya; ietf(_at_)ietf(_dot_)org; nea(_at_)ietf(_dot_)org
Subject: RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)
Narayanan, Vidya wrote:
<SNIP>
I continue to remain puzzled on the above points!
Hello Vidya
Perhaps if I put forward an example of how NEA may benefit me
it would go some way to clear the puzzle.
I run a very closed network, ports are closed and not opened
unless there is a validated request, external drives are
disabled etc etc. A contractor comes in with a notebook and
needs to work on some files located on our internal secure
network. A trusted staff member rings in with the request to
open a specified port. The port is opened and the contractor
hooks up the laptop to it. NEA does its thing and if the
laptop doesn't match the requirements of the internal network
policy it is directed to a sandbox network for remediation.
If the laptop does meet the policy then it is allowed onto the
internal network. I have not had to physically interface
with the laptop or needed to allow it onto the internal
network before some basic checks have been carried out. If
the laptop met the policy requirements it was quickly allowed
into the internal network and the contractor hasn't had to
prove to me their device could be trusted except through
automated means using NEA. If I wish, I can run some more
checks as the laptop joins the internal network including
additional authentication and other hoops to ensure the
system hasn't lied through NEA.
Really I see NEA as providing additional information to a
network administrator so they automate more decisions on the
network. In the above situation, if I felt NEA provided all
the information I needed I'd leave ports open and be
reasonably confident there was little risk in doing so as
unknown systems would be directed to the sandbox network if
necessary and if a lying system was able to make it to the
internal network my normal protection/security measures would
catch it out or warn me of the possibility within a reasonable time.
Just another tool to give network administrators information
and systems they can use to ensure the majority of users get
their requirements met in a reasonable and timely manner.
Darryl (Dassa) Lynch
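The admission flow Darryl describes (posture check, then either the internal network or a sandbox network for remediation) and the two objections Vidya raises (the visitor's client may not support the posture attributes the policy wants, and the data is self-reported) can be shown as a small policy engine. The following Python is an added example written for this page, not code from the thread, the NEA working group or any NEA implementation; the attribute names, the thresholds and the posture reports are constructed for illustration. A posture attribute the endpoint does not report is treated the same as a failed one, so an endpoint that cannot answer the policy's checks is routed to remediation as an unknown endpoint rather than admitted.

```python
"""Toy NEA-style posture evaluation (added example, not from the thread).

The report is whatever the endpoint's client says about itself; this code only
decides network placement from those claims. Secondary checks on the network
side (the additional authentication and the IDS/IPS the thread mentions) are
outside this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable, Dict, List


class Decision(Enum):
    INTERNAL = "internal"        # posture satisfies policy: admit to internal network
    REMEDIATION = "remediation"  # posture fails or cannot be checked: sandbox network


@dataclass(frozen=True)
class Requirement:
    """One policy rule over a posture attribute (PA) the endpoint reports."""
    attribute: str                  # PA name (constructed for this example)
    check: Callable[[Any], bool]    # predicate over the reported value
    description: str                # shown to the user on the remediation network


# Constructed policy; attribute names and thresholds are illustrative only.
POLICY: List[Requirement] = [
    Requirement("av_enabled", lambda v: v is True, "anti-virus running"),
    Requirement("av_signature_age_days", lambda v: isinstance(v, int) and v <= 7,
                "AV signatures at most 7 days old"),
    Requirement("firewall_enabled", lambda v: v is True, "host firewall enabled"),
    Requirement("patch_level", lambda v: isinstance(v, int) and v >= 45,
                "OS patch level at least 45"),
]


@dataclass
class Assessment:
    decision: Decision
    failed: List[str] = field(default_factory=list)   # PAs reported but out of policy
    missing: List[str] = field(default_factory=list)  # PAs the endpoint did not report


def assess(report: Dict[str, Any], policy: List[Requirement] = POLICY) -> Assessment:
    """Evaluate a self-reported posture report against the policy.

    A PA the endpoint does not report counts against it exactly like a failed
    check: an endpoint whose client cannot answer the questions the policy asks
    is an unknown endpoint and goes to remediation instead of being admitted.
    """
    result = Assessment(Decision.INTERNAL)
    for req in policy:
        if req.attribute not in report:
            result.missing.append(req.attribute)
        elif not req.check(report[req.attribute]):
            result.failed.append(req.attribute)
    if result.failed or result.missing:
        result.decision = Decision.REMEDIATION
    return result


def remediation_notes(assessment: Assessment,
                      policy: List[Requirement] = POLICY) -> List[str]:
    """What the endpoint must fix before being re-assessed, in policy order."""
    by_name = {r.attribute: r.description for r in policy}
    return [by_name[a] for a in assessment.failed + assessment.missing]


# Constructed posture reports (not captured from any real client).
CONTRACTOR_OK = {"av_enabled": True, "av_signature_age_days": 2,
                 "firewall_enabled": True, "patch_level": 47}
CONTRACTOR_STALE = {"av_enabled": True, "av_signature_age_days": 30,
                    "firewall_enabled": False, "patch_level": 47}
CONTRACTOR_PARTIAL_CLIENT = {"av_enabled": True}   # client supports only one PA


if __name__ == "__main__":
    for name, rep in [("ok", CONTRACTOR_OK), ("stale", CONTRACTOR_STALE),
                      ("partial", CONTRACTOR_PARTIAL_CLIENT)]:
        a = assess(rep)
        print(f"{name:8s} -> {a.decision.value:12s} {remediation_notes(a)}")
```

Running the module routes the compliant report to the internal network and the other two to remediation; the partial report lands there because of missing attributes, not failed ones, which is the distinction `Assessment` keeps so the sandbox can tell the visitor what their client could not report.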
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf