Hi Steve,

Let me start with a couple of fundamental points that have already been stated before.

A. Any network is exposed to threats from lying endpoints, compromised endpoints and unknown vulnerabilities even on NEA-compliant endpoints.

B. A network needs to be protected against such generic threats (as listed in A).

I am rather confused by this attempt to make NEA fit into some kind of a network protection mechanism. I keep hearing that NEA is *one* of a suite of protocols that may be used for protecting networks. Let's dig a bit deeper into what a network may employ as protection mechanisms in order to protect against all kinds of general threats.

i) Access control mechanisms such as authentication and authorization (to ensure only valid endpoints are allowed on the network)

ii) Ingress address filtering to prevent packets with topologically incorrect IP addresses from being injected into the network

iii) VPNs to provide remote access to clients

iv) Firewalls to provide advanced filtering mechanisms

v) IDS/IPS to detect and prevent intrusions

vi) Application level filtering where applicable (e.g., detecting and discarding email spam)

A combination of the above (or the like) needs to be used to address the general threats mentioned above (in B, e.g.). Given that, what does NEA bring to the network that isn't already provided by such mechanisms that need to be employed anyway? It is not like we can stop using some of these mechanisms if NEA is present, since the threats that NEA may protect against (from the network perspective) are a small subset of the general threats that a network operator must consider. And, when the general threats are addressed, any subset of those threats is also addressed.

The effectiveness of NEA is tied to the type of endpoint (i.e., truthful, compliant endpoints with known vulnerabilities). A network, OTOH, needs mechanisms that protect against all kinds of endpoints.
I fail to understand why a particular category of endpoints that NEA addresses is not viewed as a subset of the general category of "all endpoints".

Some further comments inline.

> -----Original Message-----
> From: Stephen Hanna [mailto:shanna@xxxxxxxxxxx]
> Sent: Tuesday, October 10, 2006 1:30 PM
> To: ietf@xxxxxxxx; nea@xxxxxxxx; iesg@xxxxxxxx
> Subject: [Nea] Re: WG Review: Network Endpoint Assessment (nea)
>
> I have seen a lot of discussion about whether NEA provides
> "network protection". In fact, it has been suggested that the
> charter be revised to say "NEA must not be considered a
> protection mechanism for networks." I don't agree.
>
> Let's start by examining this concept of "network protection".
> It's an awfully broad concept. No single security technology
> can provide total protection for a network against all attacks.
> Instead, a careful threat analysis must be done and layered
> countermeasures put in place: firewalls, malware scanning,
> intrusion detection and prevention, strong authentication and
> authorization, strong encryption for data at rest and in
> transit, user education, etc.
>
> In the context of an overall security program and when
> combined with other security technologies, NEA can help
> protect networks.
> Let me list the ways.
>
> First, NEA can help improve the security of cooperating,
> truthful endpoints.

How is this network protection? As you state above, it is about improving the security of co-operating, truthful *endpoints*.

> When a cooperating, truthful endpoint
> connects to the network, its health can be checked and any
> problems fixed before it can come under attack. This helps
> protect networks by keeping endpoints healthy so that fewer
> endpoints become infected and potentially impact the network
> through port scanning and other misbehavior.
>
> The protection provided by NEA alone is not absolute. Healthy
> endpoints can be vulnerable to a zero day attack.
> And NEA on
> its own provides no protection against lying endpoints and no
> protection against hosts that don't participate in NEA
> protocols. But it's a lot better than today's situation where
> some endpoints are completely unprotected with patches or
> anti-virus software.
>
> Second, NEA can be used with technology for detecting lying
> endpoints. This prevents compromised systems from lying to
> gain access to the network, thus providing a huge improvement
> in network security.

Once again, given that a network operator must really protect against many generic threats, what kind of improvement is NEA bringing to the security of the network?

> I recognize that technology for detecting lying endpoints is
> out of scope for the NEA effort but we shouldn't pretend that
> it doesn't exist. Without NEA or similar protocols, it will
> be hard to integrate lying endpoint detection systems into
> network access control. That's why the NEA BOF in Montreal
> agreed to include language in the charter saying that "the
> protocols developed by the NEA WG must be designed to
> accommodate emerging technologies for identifying and dealing
> with lying endpoints."
>
> Third, endpoints that don't initially participate in NEA
> protocols can be quarantined for further examination with an
> external vulnerability scanner or a dynamically downloaded
> NEA client. Again, this is not part of the proposed NEA WG
> charter but it is another example of ways that NEA can be
> used with other security technologies to improve network security.

I'm confused by the above - what is the role of NEA here?

> To summarize, the NEA protocols will increase network
> security on their own. When combined with other technologies,
> the increase in network security is much greater. But either
> way it is not accurate to say that NEA is not a protection
> mechanism for networks.

I continue to remain puzzled on the above points!
Vidya

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf