A typical NEA case (taken out of what Cisco's NAC is supposed to be good for):
- Worker goes on holiday, takes laptop
- New attack is discovered that exploits a newly discovered Windows vulnerability
- Patch is created, distributed and installed
- NEA posture requirement is increased to "must have patch"
- Worker comes back, plugs in laptop
Without NEA-like functionality:
- Worker is admitted
- Worker gets attacked & compromised
- IDS & other alarms go off
- Remediation efforts do what they usually do
With NEA:
- Worker gets sandboxed
- Worker gets upgraded
- Worker gets admitted
- No compromise, so no remediation
No ill intent on the part of any participant (except the attacker). Just a TCO issue.
The fact that some fruit is low-hanging doesn't mean it's not worth picking.
I don't agree that this is low-hanging fruit. The server component of this system seems like a wonderful new target for DDoS and masquerade attacks.
Harald
Andy
Alan DeKok wrote:
Brian E Carpenter <brc at zurich.ibm.com> wrote:
What if your contractor has carefully configured the laptop to
give all the right answers? What if it has already been infected with
a virus that causes it to give all the right answers?
Yes, that's a problem with NEA. No, it's not a problem for many (if not most) people using NEA.
The people I talk with plan on using NEA to catch the 99% case of a misconfigured/unknown system that is used by a well-meaning but perhaps less clueful employee or contractor. The purpose of NEA is to enhance network security by allowing fewer insecure end hosts in the network.
No one can prevent a determined attacker from getting in. But by providing fewer hosts for him to attack, the attacks become less feasible, and more visible.
Alan DeKok.
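The holiday scenario above and Alan's point about the "99% case" both come down to the same mechanism: a posture policy, an endpoint's self-reported attributes, and an admit-or-sandbox decision. The following added example (my own illustration, not code from the thread, the IETF NEA work, or Cisco NAC) models that loop in Python. The attribute schema (`installed_patches`, `av_signature_age_days`), the patch identifiers and the function names are assumptions made for the example; it also makes Brian's caveat explicit in code, in that the evaluator only sees what the agent claims.

```python
"""Toy NEA-style posture evaluation (added illustration; hypothetical schema).

Walks the thread's scenario: a posture policy is raised to "must have patch X",
and a returning laptop is either admitted or sandboxed (quarantined) for
remediation based on the attributes its posture agent reports.
"""
from dataclasses import dataclass, field

ADMIT = "admit"
QUARANTINE = "quarantine"   # the "sandbox" network where remediation happens


@dataclass
class PostureReport:
    """Attributes self-reported by the endpoint's posture agent (hypothetical)."""
    host: str
    os_family: str
    installed_patches: set = field(default_factory=set)
    av_signature_age_days: int = 0


@dataclass
class PosturePolicy:
    """Minimum posture the network requires before a host is admitted."""
    required_patches: dict = field(default_factory=dict)  # os_family -> set of patch ids
    max_av_signature_age_days: int = 7


def evaluate_posture(report, policy):
    """Return (decision, failed_checks).

    A host is admitted only when every check passes; otherwise it is sent to
    the quarantine/remediation network. This evaluates what the agent *claims*:
    a misconfigured or compromised agent that reports the right answers is not
    detected here, which is exactly the limitation raised in the thread.
    """
    failed = []
    required = policy.required_patches.get(report.os_family, set())
    missing = required - report.installed_patches
    if missing:
        failed.append("missing patches: " + ", ".join(sorted(missing)))
    if report.av_signature_age_days > policy.max_av_signature_age_days:
        failed.append(f"AV signatures {report.av_signature_age_days} days old "
                      f"(max {policy.max_av_signature_age_days})")
    return (ADMIT if not failed else QUARANTINE), failed


def remediate(report, policy):
    """Simulate the sandbox remediation step: bring the host up to policy."""
    report.installed_patches |= policy.required_patches.get(report.os_family, set())
    report.av_signature_age_days = 0
    return report


def holiday_scenario():
    """Replay the thread's scenario; returns the sequence of decisions."""
    # Constructed sample data: one laptop, one policy (patch ids are placeholders).
    laptop = PostureReport("worker-laptop", "windows", {"KB-OLD-1"}, av_signature_age_days=3)
    policy = PosturePolicy({"windows": {"KB-OLD-1"}})
    decisions = []
    decisions.append(evaluate_posture(laptop, policy)[0])  # before the holiday: admitted
    policy.required_patches["windows"].add("KB-NEW-PLACEHOLDER")  # requirement raised
    laptop.av_signature_age_days = 14                      # two weeks without updates
    decisions.append(evaluate_posture(laptop, policy)[0])  # on return: sandboxed
    remediate(laptop, policy)
    decisions.append(evaluate_posture(laptop, policy)[0])  # after remediation: admitted
    return decisions


if __name__ == "__main__":
    print(holiday_scenario())
```

The decision sequence for the scenario is admit, quarantine, admit, which is the "With NEA" branch of the thread. The point worth taking from the code is where the trust boundary sits: `evaluate_posture` never verifies the report, so the policy only raises the bar for hosts whose agents are honest, which is the "99% case" Alan describes and the gap Brian describes.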
_______________________________________________ Ietf mailing list Ietf at ietf.org https://www1.ietf.org/mailman/listinfo/ietf
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.