RE: [Nea] RE: Detecting Compromised Endpoints

To: "Thomas Hardjono" <thardjono at signacert.com>, "Marcus Leech" <mleech at nortel.com>
Subject: RE: [Nea] RE: Detecting Compromised Endpoints
From: "Narayanan, Vidya" <vidyan at qualcomm.com>
Date: Thu, 1 Jun 2006 18:11:18 -0700
Cc: nea at ietf.org
List-archive: <http://www1.ietf.org/pipermail/nea>
List-help: <mailto:nea-request@ietf.org?subject=help>
List-id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-post: <mailto:nea@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
Thread-index: AcaAuttAP5wZlUxmRe+uhfGbd2LhxQAEJSUgAUUE5GA=
Thread-topic: [Nea] RE: Detecting Compromised Endpoints

Catching up late on this one as well... 

One fundamental problem I have with the comparisons here is that
protocols like IPsec were not set out to ensure the "health" of
endpoints. The goal of IPsec is to securely verify credentials and
provide a secure authenticated channel for communication between two
endpoints. 

OTOH, the goal of NEA is to verify the "posture" and "health" of
endpoints. IPsec verifies that a given user/device possesses the right
(not necessarily uncompromised) credentials  to access the network,
while NEA is meant to ensure that the device accessing the network has
valid software, for instance. 

These goals seem vastly different and to say that device compromise and
malware affect both protocols in a similar manner is not intuitive to
me. 

Regards,
Vidya
 

> -----Original Message-----
> From: Thomas Hardjono [mailto:thardjono at signacert.com] 
> Sent: Friday, May 26, 2006 6:56 AM
> To: Marcus Leech
> Cc: nea at ietf.org
> Subject: RE: [Nea] RE: Detecting Compromised Endpoints
> 
> 
> Marcus,
> 
> The problem is that all devices out there that run software 
> are targets to malware.  This includes VPN Gateways, routers, 
> firewalls, etc. etc.
> 
> Just because we have not seen malware attacking these 
> devices, it does not mean it will not happen. Perhaps its 
> just a matter of time.
> 
> Anyways, we should focus on NEA (which should be focusing on 
> *protocols* for interoperability :)
> 
> Cheers,
> 
> /thomas/
> 
> -----Original Message-----
> From: Marcus Leech [mailto:mleech at nortel.com]
> Sent: Friday, May 26, 2006 4:52 AM
> To: Thomas Hardjono
> Cc: nea at ietf.org; Frank Yeh Jr
> Subject: Re: [Nea] RE: Detecting Compromised Endpoints
> 
> Thomas Hardjono wrote:
> > Thanks Frank - yes, you are spot on.
> >  
> > My understanding as to how the discussion drifted to 
> trusted hardware 
> > arose from some questions in the IETF.
> >  
> > Basically, some folks at the IETF were suggesting that we 
> don't bother
> 
> > with NEA because (a) any posture agent on the client can be 
> modified 
> > by malware (to then forge posture reports); and (b) They 
> don't believe
> 
> > in trusted hardware or even the possibility of secure systems.
> >  
> > The funny thing is that virtually all protocols invented in 
> the IETF 
> > is subject to changes by malware in (a).  This includes IPsec VPN 
> > clients, routing code, NAT boxes, and even the entire IP stack.
> >
> I was going to simply let my contributions to this thread 
> die, having said what I wanted to say.
> 
> But this just has to be answered.  There's a fundamental 
> difference between compromise of something like an IPSEC
>   client, and compromise of an agent.  If I compromise an 
> IPSec client in some way, it doesn't affect the security
>   state of the VPN gateway, only that of the client.
> 
> In the TCG scenario, security decisions made by the network 
> as a whole rely entirely on the agent behaving
>   correctly, including not having been compromised.  You're 
> making security decisions based on information
>   that can't be independently verified.  When I assert that 
> I'm mleech at nortel.com to some gateway or NAS
>   or whatever, my credentials (password, certificates, etc) 
> act as a method of "indepenent verification" of my
>   mleech at nortel.com assertion.    Just because a remote, 
> turing-complete, machine *asserts* that it is sane, and
>   has notarization to "prove" it, doesn't necessarily make it 
> so, and there's no way for the network infrastructure
>   to verify those assertions with the same kind of solidity 
> as verifying my mleech at nortel.com assertion by way
>   of credentials.  No amount of cryptographic mumbo-jumbo can 
> get around that very fundamental problem,
>   IMHO.
> 
> Anyway, I'm done.  Everyone knows what my opinion is on the 
> fundamentals here, but to the extent that we
>   all have drunk the kool-aid at some level, there needs to 
> be protocol standards, and *that's* what NEA
>   is all about.
> 
> > Perhaps we should just give-up on the Internet :)
> Well, that's a whole other topic :-)
> 
> 
> _______________________________________________
> Nea mailing list
> Nea at ietf.org
> https://www1.ietf.org/mailman/listinfo/nea
> 

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea

Prev by Date: RE: [Nea] RE: Detecting Compromised Endpoints
Next by Date: RE: [Nea] Charter language on compromised endpoints
Previous by thread: RE: [Nea] RE: Detecting Compromised Endpoints
Next by thread: [Nea] Charter language on compromised endpoints
Index(es):
- Date
- Thread

RE: [Nea] RE: Detecting Compromised Endpoints

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.