
RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

2006-10-11 10:34:17

Hi Darryl,
Your email indicates that you would: 

a) somehow require that a visitor's laptop run an NEA client, 
b) expect the device to support PAs that the server requires to be
checked, and 
c) trust data coming out of it,

rather than treat that endpoint as an unknown endpoint and do IDS/IPS in
the network. 

Other than finding this a rather bizarre trust model, I have to say
that there will be a very small set of such endpoints where the owner of
that endpoint is going to be thrilled to allow you to place such clients
on his/her device and perform updates on it. 

In short, this is exactly the type of endpoint I wouldn't imagine NEA
being useful for! 

Vidya 

-----Original Message-----
From: Darryl (Dassa) Lynch [mailto:dassa(_at_)dhs(_dot_)org] 
Sent: Wednesday, October 11, 2006 2:56 AM
To: Narayanan, Vidya; ietf(_at_)ietf(_dot_)org; nea(_at_)ietf(_dot_)org
Subject: RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

Narayanan, Vidya wrote:
<SNIP>
I continue to remain puzzled on the above points!

Hello Vidya

Perhaps if I put forward an example of how NEA may benefit me 
it would go some way to clear the puzzle.

I run a very closed network, ports are closed and not opened 
unless there is a validated request, external drives are 
disabled etc etc.  A contractor comes in with a notebook and 
needs to work on some files located on our internal secure 
network.  A trusted staff member rings in with the request to 
open a specified port.  The port is opened and the contractor 
hooks up the laptop to it.  NEA does its thing and if the 
laptop doesn't match the requirements of the internal network 
policy it is directed to a sandbox network for remediation.  
If the laptop does meet the policy then it is allowed onto the 
internal network.  I have not had to physically interface 
with the laptop or needed to allow it onto the internal 
network before some basic checks have been carried out.  If 
the laptop met the policy requirements it was quickly allowed 
into the internal network and the contractor hasn't had to 
prove to me their device could be trusted except through 
automated means using NEA.  If I wish, I can run some more 
checks as the laptop joins the internal network including 
additional authentication and other hoops to ensure the 
system hasn't lied through NEA.

Really I see NEA as providing additional information to a 
network administrator so they can automate more decisions on the 
network.  In the above situation, if I felt NEA provided all 
the information I needed I'd leave ports open and be 
reasonably confident there was little risk in doing so, as 
unknown systems would be directed to the sandbox network if 
necessary, and if a lying system was able to make it to the 
internal network my normal protection/security measures would 
catch it out or warn me of the possibility within a reasonable time.

Just another tool to give network administrators information 
and systems they can use to ensure the majority of users get 
their requirements met in a reasonable and timely manner.

Darryl (Dassa) Lynch 
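The admission flow Darryl describes (laptop reports posture, policy is evaluated, endpoint is sent to the internal network or to a remediation sandbox, and an endpoint that answers nothing is treated as unknown) can be sketched as a small policy engine. The following is an added illustration, not code from the NEA working group, from either poster, or from any NEA implementation; the policy attributes, their limits and the network names are constructed for the example. Note that the decision is made purely from the contents of the report: whether that report is truthful is exactly Vidya's point (c), and is what Darryl's "additional checks as the laptop joins" are meant to cover.

```python
"""Toy NEA-style admission decision (constructed example).

An endpoint submits a posture report, a dictionary of posture attributes
(hypothetical names).  The report is evaluated against a policy and the
endpoint is routed to one of three networks.  Nothing here verifies that
the report is honest; it only checks what the report claims.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INTERNAL = "internal"        # met policy: admitted to the internal network
SANDBOX = "sandbox"          # failed a check: remediation network
UNASSESSED = "unassessed"    # no usable report: treat as an unknown endpoint

# Hypothetical policy: attribute name -> (operator, limit).
POLICY = {
    "av_signature_age_days": ("max", 3),     # signatures at most 3 days old
    "os_patch_level": ("min", 42),           # constructed patch-level counter
    "host_firewall_enabled": ("eq", True),
}


@dataclass
class Decision:
    network: str
    failed: List[str] = field(default_factory=list)
    reason: str = ""


def check_attribute(value, rule) -> bool:
    """Apply one (operator, limit) rule to a reported value."""
    op, limit = rule
    if op == "max":
        return value <= limit
    if op == "min":
        return value >= limit
    if op == "eq":
        return value == limit
    raise ValueError(f"unknown operator {op!r}")


def assess(report: Optional[Dict[str, object]], policy=POLICY) -> Decision:
    """Decide which network an endpoint is placed on from its posture report."""
    # No client answered, or an empty report: an unknown endpoint.  It is
    # neither admitted nor sandboxed here; the operator decides what to do
    # with endpoints that cannot be assessed (e.g. IDS/IPS in the network).
    if not report:
        return Decision(UNASSESSED, reason="no posture report")

    failed = []
    for attribute, rule in policy.items():
        if attribute not in report:
            # A missing attribute is a failure: absence is not compliance.
            failed.append(attribute)
        elif not check_attribute(report[attribute], rule):
            failed.append(attribute)

    if failed:
        return Decision(SANDBOX, failed, "policy violations")
    return Decision(INTERNAL, reason="all checks passed")


if __name__ == "__main__":
    # Constructed sample reports.
    good = {"av_signature_age_days": 1, "os_patch_level": 50,
            "host_firewall_enabled": True}
    stale = {"av_signature_age_days": 10, "os_patch_level": 50}
    for name, rpt in (("good", good), ("stale", stale), ("silent", None)):
        d = assess(rpt)
        print(f"{name}: -> {d.network} ({d.reason}) failed={d.failed}")
```

A report that omits a required attribute is treated the same as one that fails it, so a client cannot pass simply by leaving out the checks it would not satisfy; an endpoint with no report at all is kept distinct from a failing one, since the two call for different handling.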



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf