RE: [Nea] WG Review: Network Endpoint Assessment (nea)

Hi Vidya

Narayanan, Vidya wrote:
>>> -----Original Message-----
>>> From: Susmit Panjwani [mailto:susmit@xxxxxxxxx]
>>> Sent: Saturday, October 07, 2006 5:04 PM
>>> To: Harald Alvestrand
>>> Cc: Narayanan, Vidya; nea@xxxxxxxx; iesg@xxxxxxxx; ietf@xxxxxxxx
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>> 
>>>>> Third, I simply can't see what the organization's interests would be
>>>>> in protecting a device that doesn't even belong to it.
>>> 
>>>> An organization might not be interested in protecting a device that
>>>> does not belong to it but would definitely be interested in
>>>> preventing the attacks originating from such device (if
>>>> compromised) when it joins the organization network.
>> 
>> It appears that the NEA charter is completely misleading to
>> some people from what is stated in this email. As the NEA
>> charter alludes to, NEA does nothing to protect against
>> compromised devices. Also, as has been agreed, NEA is not a
>> protection mechanism for the network - it is meant to be a
>> protection mechanism for compliant, truthful and as yet
>> uncompromised end hosts against known vulnerabilities.

True, the NEA doesn't "do" anything to protect against compromised devices,
but it does assist in limiting the known compromises on endpoint devices by
being a mechanism for checking and reporting on compliance to whatever
network policy is in place, including virus and patch levels.  As a network
administrator I already deploy mechanisms for doing just this, but at a
higher level than the NEA charter indicates.  To me the difference is
between being reactive or proactive.  Compliance testing I already run
occurs after an end node has joined the network; with NEA the possibility is
for compliance checking before being allowed onto the network, so isolation
and immediate remediation is possible.

>> Any network, in its own best interests, must assume that it
>> has lying and compromised endpoints connecting to it and
>> that there are unknown vulnerabilities on any NEA-compliant
>> devices connecting to it. Any kind of protection that
>> addresses these general threats that the network may be
>> exposed to at any time will simply obviate the need for NEA from the
>> network perspective. 

Reliance on one protection or reporting mechanism is not enough.  We need a
lot of varied tools to cover all the bases and minimise risk.

>> A network operator that thinks the network is getting any
>> protection by employing NEA is clearly ignoring the obvious
>> real threats that the network is exposed to at any time.

No, NEA would just be one more tool used to improve overall security and
minimise risk.  It would be at a different level to the tools some of us
already deploy.

>> This is what I meant when I said that the charter is unclear
>> and it must explicitly state that NEA is not meant as a
>> protection mechanism of any sort for the network.

I don't believe the Charter needs to delve into this at all.  If some people
see it as part of their protection mechanisms, so be it.

Darryl (Dassa) Lynch 


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
