ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

2006-10-16 08:34:27
from [Frank Yeh Jr] [Permanent Link] 





Greetings,

"todd glassey" <tglassey(_at_)earthlink(_dot_)net> wrote on 10/13/2006 05:56:42 
AM:


So then this is an attempt by Cisco and IBM and several others to
qualify a "SOX reporting and compliance tool" - get real.

Todd Glassey


      I'm not sure I follow how you can infer that post-admission status
checks are Cisco and IBM's attempt to qualify a "SOX reporting and
compliance tool". That's one of the wildest leaps of (il)logic I have seen.

      While my comments here do not represent IBM in any official capacity
I can say that IMHO, a Sox compliance and reporting tool based solely on
NEA (or Cisco NAC or TNC) would be woefully inadequate. Could the data
collected for an NEA posture check be stored as part of an audit trail and
would this data be useful? Absolutely! Does that make this a Sox compliance
and reporting tool? No way! It would just become another trail of
interesting information that would be aggregated in a REAL compliance and
reporting tool.

      One might also consider that the original post concerned
post-admission integrity checking as opposed to checking at admission only.
The data collected during the admission process would be just as suitable
for compliance and reporting as post-admission data. So why does the
addition of post-admission checking suddenly make this a compliance and
reporting tool?

      While logic can sometimes be dangerous ("my logic is undeniable"), I
tend to rely on it in the absence of anything better. I don't understand
the logic behind your statement.

Regards,
Frank Yeh



----- Original Message -----
From: Frank Yeh Jr
To: dassa(_at_)dhs(_dot_)org
Cc: nea(_at_)ietf(_dot_)org ; ietf(_at_)ietf(_dot_)org
Sent: Thursday, October 12, 2006 3:32 PM
Subject: RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

Greetings,

Both of the existing flavors of NEA-type protocols (Cisco NAC and
TNC) provide some mechanisms for integrity checking after the
admission process has completed and removing an endpoint's
privileged access if it falls out of compliance. So IMHO, support
for post-admission integrity checking willbe expected in NEA.

Collector/Verifier pairs can use NEA for pre-admission integrity
checking and some other protocol for post-admission checking but if
a post-admission violation is found, there should be a mechanism to
terminate the user's current admission session and restart the
admission process.

Regards,
Frank Yeh
Corporate Security Strategy Team
IBM
Tivoli Software

[image removed] "Darryl \(Dassa\) Lynch" <dassa(_at_)dhs(_dot_)org>





"Darryl \(Dassa\) Lynch" <dassa(_at_)dhs(_dot_)org>
10/12/2006 02:27 PM

Please respond to
dassa(_at_)dhs(_dot_)org

[image removed]
To

[image removed]
<nea(_at_)ietf(_dot_)org>

[image removed]
cc

[image removed]
ietf(_at_)ietf(_dot_)org

[image removed]
Subject

[image removed]
RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

[image removed]

[image removed]


Douglas Otis wrote:


If an application happens to be malware, it seems it would
be unlikely stop these applications.  How about:

vi)   Provide application level advisory information pertaining to
available services.

Points that seem to be missing are:

vii)  Notification of non-compliance. (Perhaps this could become a
restatement of i.)

viii) Time or sequence sensitive compliance certificates provided
      following a remediation process or service.


Often bad behavior is detected, such as scanning or sending
spam which may violate AUPs.  These violations may trigger a
requirement for the endpoint to use a service that offers
remedies the endpoint might use.
There could then be a time-sensitive certificate of
compliance offered following completion of a check-list and
an agreement to comply with the recommendations.

Those that remain infected after remediation, or that ignore
the AUPs and are again detected, may find this process a
reason to correct the situation or their behavior, or the
provider may wish to permanently disable the account.


Am I mistaken or is NEA intended to be a compliance check before a node

is

allowed onto the network?  As such, observed behaviour and application

abuse

would seem to be issues that would be dealt with by other tools.  NEA may

be

used to ensure certain applications are installed and some other
characteristics of the node but actual behaviour may not be evident until
such time as the node has joined the network and would be beyond the

scope

of detection by NEA IMHO.  NEA may be used to assist in limiting the risk

of

such behaviour but that is about the extent of it that I see.

My reading of the charter gives me the impression NEA is only intended

for a

specific task and some of what we have been discussing seems to extend

well

beyond the limited scope proposed.

Darryl (Dassa) Lynch


_______________________________________________
Nea mailing list
Nea(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/nea




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: I understand that there is an ISO MOU with the IETF - I want to see it..., Aisenberg, Michael
Next by Date:  Re: draft-kolkman-appeal-support, John C Klensin
Previous by Thread:  RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea), Frank Yeh Jr
Next by Thread:  Re: [Nea] Re: WG Review: Network Endpoint Assessment (nea), Alan DeKok
Indexes:  [Date] [Thread] [Top] [All Lists]