Re: [Nea] UPDATED: WG Review: Network Endpoint Assessment (nea)
Keith Moore <moore at cs.utk.edu> wrote:
> I don't accept as an axiom that it's perfectly reasonable for an
> enterprise to control access to its network based on whether the hosts
> that attach to the network are willing to run spyware.
Giving it a negative label isn't the same as asserting it has
negative value. Companies already require certain virus scanners to
be installed, or VPN software, etc.
I'm not saying you're wrong, I'm playing a bit of Devil's advocate
based on conversations with people who plan on deploying it, for the
reasons I've been discussing.
> there's a broad consensus that access controls at their current level of
> precision are useful and generally beneficial. there's not (afaik) a
> broad consensus that access controls at the level of precision
> facilitated by NEA are a good thing.
Agreed. Many of the benefits of NEA can be achieved by simple MAC
address filtering, guest portals, 802.1x, VLAN assignment, etc.
That's NETWORK access control, as opposed to controlling network
access based on the contents of the host's hard drive.
> maybe NEA is going down a completely wrong path. a major premise behind
> NEA seems to be that networks can be made more secure if host operating
> systems and applications are kept at a current patch level.
I would phrase that as "kept at a KNOWN configuration". And that's
not altogether wrong, or unreasonable. I would be happy if I could get
notified when my core router's configuration changed unexpectedly...
> now you're proposing that other kinds of hosts be crippled
> and essentially taxed to make up for the market's lack of foresight and
> the gross negligence of that vendor.
That is one take on it. Another is that a legal issue is being
solved with a technical solution. i.e. prove the software you're
running in a publicly traded company is all legal. Solution?
Instrument every machine on the network to tell an inventory-control
system what it's running. That looks a whole lot like NEA, albeit
with a completely different justification. And it has nothing to do
with security, or OS, either. :)
> However, I also see numerous potential problems associated with a
> mechanism that tries to establish that trustworthiness by examining
> the configurations of those hosts.
Yup. The choices I've seen are to either have *zero* information
about what's on the network, or to implement a hokey mechanism to
maybe get some potentially untrustworthy information. That's a bad
set of alternatives...
> And there's a very real potential for NEA doing more harm than
> good unless those problems are understood and addressed.
I think we can characterize the problem a little more
quantitatively. Listing problems and solutions would be good, if I
can find the time...
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea