Harald,
This seems to be missing the point. I think there is a general sense
that NEA could be helpful for some level of protection to complying
endpoints in an enterprise scenario, which is exactly what you have
described below. The disagreement seems to be on the topics of what NEA
does for the network and whether it makes any sense in the provider
model where the network and end device owners are different.
On the network protection issue, I still have not seen anything that NEA
provides that is not provided (in a better manner) by protection
mechanisms that the network must use to protect itself against any
unknown vulnerabilities and compromised endpoints. Everything that has
been said still seems to be a subset of that larger threat which must be
protected against anyway. Having said that, the use of NEA for the
provider model doesn't make sense, since providers are interested in
protecting their networks more than protecting the devices they don't
own. Not to mention that they cannot really hope to get compliance from
devices they don't own.
Vidya
-----Original Message-----
From: Harald Alvestrand [mailto:harald(_at_)alvestrand(_dot_)no]
Sent: Friday, October 13, 2006 6:24 AM
To: Alan DeKok
Cc: nea(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
Subject: Re: [Nea] Re: WG Review: Network Endpoint Assessment (nea)
A typical NEA case (taken out of what Cisco's NAC is supposed to be good for):
- Worker goes on holiday, takes laptop
- New attack is discovered that exploits a newly discovered
Windows vulnerability
- Patch is created, distributed and installed
- NEA posture requirement is increased to "must have patch"
- Worker comes back, plugs in laptop
Without NEA-like functionality:
- Worker is admitted
- Worker gets attacked & compromised
- IDS & other alarms go off
- Remediation efforts do what they usually do
With NEA:
- Worker gets sandboxed
- Worker gets upgraded
- Worker gets admitted
- No compromise, so no remediation
No ill intent on the part of any participant (except the attacker). Just a TCO issue.
The fact that some fruit is low-hanging doesn't mean it's not worth picking.
Harald
Alan DeKok wrote:
Brian E Carpenter <brc(_at_)zurich(_dot_)ibm(_dot_)com> wrote:
What if your contractor has carefully configured the laptop to give all the right answers? What if it has already been infected with a virus that causes it to give all the right answers?
Yes, that's a problem with NEA. No, it's not a problem for many (if not most) people using NEA.
The people I talk with plan on using NEA to catch the 99% case of a misconfigured/unknown system that is used by a well-meaning but perhaps less clueful employee or contractor. The purpose of NEA is to enhance network security by allowing fewer insecure end hosts in the network.
No one can prevent a determined attacker from getting in. But by providing fewer hosts for him to attack, the attacks become less feasible, and more visible.
Alan DeKok.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
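The "sandboxed, upgraded, admitted" sequence in Harald's scenario, written out as a small posture-policy evaluator. This is an added example, not code from the thread, from Cisco NAC or from any NEA implementation; the Policy/Posture structures, the patch identifiers and the AV signature numbers are constructed for illustration. The posture record is self-reported, which is exactly the gap Brian Carpenter raises: the evaluator admits a fabricated report just as readily as an honest one.

```python
"""Toy NEA-style admission check (added example, not from the thread).

Flow modelled: policy is raised to "must have patch" -> returning laptop
reports its posture -> non-compliant host is quarantined -> remediation
installs what is missing -> host is re-assessed and admitted.
All identifiers and version numbers below are constructed."""

from dataclasses import dataclass

ADMIT = "admit"
QUARANTINE = "quarantine"


@dataclass(frozen=True)
class Policy:
    """Posture requirement enforced at admission time (hypothetical)."""
    required_patches: frozenset   # constructed patch identifiers
    min_av_signature: int         # assumed monotonically increasing version


@dataclass
class Posture:
    """What the endpoint says about itself. This is self-reported: the
    server cannot tell an honest record from one rigged to pass."""
    host: str
    installed_patches: set
    av_signature: int


def evaluate(policy, posture):
    """Compare a posture report with the policy.

    Returns (decision, missing_patch_ids, av_ok) so the caller can tell the
    endpoint what to fix rather than just "denied"."""
    missing = sorted(policy.required_patches - posture.installed_patches)
    av_ok = posture.av_signature >= policy.min_av_signature
    decision = ADMIT if not missing and av_ok else QUARANTINE
    return decision, missing, av_ok


def remediate(posture, policy):
    """Simulate the sandbox update step: install the missing patches and
    refresh the AV signature to the policy minimum. Mutates and returns
    the posture record."""
    posture.installed_patches |= set(policy.required_patches)
    posture.av_signature = max(posture.av_signature, policy.min_av_signature)
    return posture


def admission_flow(policy, posture, max_rounds=2):
    """Assess -> quarantine -> remediate -> re-assess, i.e. the 'With NEA'
    branch of the scenario. Returns the ordered list of decisions the
    endpoint received; the last entry is the final state."""
    decisions = []
    for _ in range(max_rounds):
        decision, _missing, _av_ok = evaluate(policy, posture)
        decisions.append(decision)
        if decision == ADMIT:
            break
        # Host sits in the sandbox; only remediation traffic is allowed.
        remediate(posture, policy)
    return decisions


if __name__ == "__main__":
    # Policy before the holiday, and after the new patch became mandatory.
    before = Policy(frozenset({"PATCH-2006-01"}), min_av_signature=100)
    after = Policy(frozenset({"PATCH-2006-01", "PATCH-2006-02"}), 105)

    laptop = Posture("holiday-laptop", {"PATCH-2006-01"}, av_signature=100)
    print("old policy:", evaluate(before, laptop))
    print("new policy, before remediation:", evaluate(after, laptop))
    print("admission flow:", admission_flow(after, laptop))

    # A host that simply claims compliance is indistinguishable to the server.
    liar = Posture("rigged-laptop", set(after.required_patches), 105)
    print("rigged report:", evaluate(after, liar))
```

Run as a script to see the two decisions for the returning laptop (quarantine, then admit) and the rigged report being admitted on the first try. The point of the last line is not a flaw in this toy: any posture protocol that relies on the endpoint's own word has the same property, which is why the thread distinguishes the "well-meaning but unpatched" case from the "determined attacker" case.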