
Re: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

2006-10-23 09:38:22
Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
> It seems impractical to specify system requirements or expect a
> suitable examination be done realtime prior to obtaining access.

  Maybe you're saying that a complete systems check would take too
long.  That is true, but that isn't how the NEA variants are being
designed or deployed.

> Bad actors will always be able to falsify this information, so the
> NEA does not offer protection.

  This issue has already been discussed.

> The NEA should be viewed as a process that eliminates many of the
> security related support calls.

  That is not a priority for any customers I talked to.  I've never
heard this as a justification for NEA from anyone.

> It seems impractical to expect NEA will prevent bad actors from
> producing the expected results.

  Which is why recent discussions on the NEA list made it clear that
no one was expecting that from NEA.

> There are anti-virus and OS updating services that could produce a
> certificate that includes: ...

  Which is a good idea, and substantially similar to validation and
remediation services currently offered.  That information still has to
be propagated to the device that controls network access.

> It seems unwise to expect an endpoint to open their robes to the
> access point.  However, the access point could offer certification
> services they require prior to granting access.  This service may be
> something as simple as agreeing to the AUP presented on a web-form,
> or agreeing to remedy the cause of abusive behavior.

  People are doing something similar to this today with quarantine
networks, and remediation sites.  But it's ad-hoc, and not automated.

> Rather than talking about the posture of the endpoint,
> consider the NEA to be little more than a repository for time-sensitive
> compliance certificates offering just the five points listed.

  Pretty much, yes.  With the addition of a protocol to carry that
information from the end point to elsewhere in the network.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
