
RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

2006-10-13 05:21:01


Greetings,

      Both of the existing flavors of NEA-type protocols (Cisco NAC and
TNC) provide some mechanisms for integrity checking after the admission
process has completed and removing an endpoint's privileged access if it
falls out of compliance. So IMHO, support for post-admission integrity
checking will be expected in NEA.

      Collector/Verifier pairs can use NEA for pre-admission integrity
checking and some other protocol for post-admission checking but if a
post-admission violation is found, there should be a mechanism to terminate
the user's current admission session and restart the admission process.

Regards,
Frank Yeh
Corporate Security Strategy Team
IBM
Tivoli Software



From: "Darryl (Dassa) Lynch" <dassa(_at_)dhs(_dot_)org>
To: <nea(_at_)ietf(_dot_)org>
cc: ietf(_at_)ietf(_dot_)org
Date: 10/12/2006 02:27 PM
Subject: RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)
Please respond to: dassa(_at_)dhs(_dot_)org

Douglas Otis wrote:

If an application happens to be malware, it seems it would
be unlikely to stop these applications.  How about:

vi)   Provide application level advisory information pertaining to
available services.

Points that seem to be missing are:

vii)  Notification of non-compliance. (Perhaps this could become a
restatement of i.)

viii) Time or sequence sensitive compliance certificates provided
      following a remediation process or service.


Often bad behavior is detected, such as scanning or sending
spam which may violate AUPs.  These violations may trigger a
requirement for the endpoint to use a service that offers
remedies the endpoint might use.
There could then be a time-sensitive certificate of
compliance offered following completion of a check-list and
an agreement to comply with the recommendations.

Those that remain infected after remediation, or that ignore
the AUPs and are again detected, may find this process a
reason to correct the situation or their behavior, or the
provider may wish to permanently disable the account.

Am I mistaken or is NEA intended to be a compliance check before a node is
allowed onto the network?  As such, observed behaviour and application abuse
would seem to be issues that would be dealt with by other tools.  NEA may be
used to ensure certain applications are installed and some other
characteristics of the node but actual behaviour may not be evident until
such time as the node has joined the network and would be beyond the scope
of detection by NEA IMHO.  NEA may be used to assist in limiting the risk of
such behaviour but that is about the extent of it that I see.

My reading of the charter gives me the impression NEA is only intended for a
specific task and some of what we have been discussing seems to extend well
beyond the limited scope proposed.

Darryl (Dassa) Lynch


_______________________________________________
Nea mailing list
Nea(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/nea

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf