Lakshminath Dondeti wrote:
At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
<snip>
Many universities require their students to buy their own laptops,
but prohibit certain types of activity from those laptops (like
spamming, DDOS-attacks and the like). They would love to have the
ability to run some kind of NEA procedure to ensure that laptops are
reasonably virus-free and free from known vulnerabilities, and are
important enough in their students' lives that they can probably
enforce it without a complaint about "violation of privacy".
Just pointing out that there's one use case with user-managed
endpoints where NEA is not obviously a bad idea.
My email ventures into a bit of non-IETF territory, but we are
discussing use cases, and so I guess it's on topic. Universities
should be the last places to try antics like NEA. Whereas an
operational network would be a priority to them, it is also important
that they allow students to experiment with new applications. If we
are believing that general purpose computing will be taken away from
college students, we are indeed talking about a different world.
In any event, the bottomline is NEA as a solution to "network
protection" is a leaky bucket at best.
NEA at best *may* raise the bar in attacking a "closed" network where
endpoints are owned and tightly controlled by the organization that
owns the network.
Posture checking is certainly a leaky bucket. It doesn't protect all
kinds of endpoint, it doesn't protect the endpoints against all kinds of
threats, and it doesn't protect much of anything against a smart,
resourceful attacker who is deeply familiar with the NEA system in use
and is interested in investing considerable resources in attacking or
circumventing it.
But (to recycle a very old simile) the fact that I can open the locks of
most doors with a crowbar doesn't mean that locks are not useful.
Organizations that have deployed products that do something like what
NEA is talking about have reported that their TCO is reduced.
Harald
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf