Re: [Nea] WG Review: Network Endpoint Assessment (nea)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Russ - I agree that something like a global NEA is necessary - just not that
a new protocol is necessary to implement it. So let me ask...

So then why not pass a new configuration mode model with SNMP - the point is
that while the idea of some agent that could actually collect these separate
logs and service records from the various 'aspects of compliance' built into
the operating models of the system in question, is no new one.

Tripwire's does this already. COPS and FREMONT can be made to with CRON and
their configuration files. SNORT, AIDE, Heck they can even use SysLogNG as
the transport for their log data which might also make sense as an
addition...  Or SCP/SFTP if they wanted to.

The point is that while NEA is a good collective idea at the altitude the
idea was hatched at, there are already things that do the NEA component
functions today, and that can be aggregated together into a homogeneous
utility environment without redesigning the wheel again.

I don't dispute that the end goal of what the Creator's of the NEA idea
wanted to accomplish is not good. It is clearly. But the issue is whether
its necessary to have in the form they have proposed so far when other very
similar and more widely deployed transports exist for the Inter-Nodal
Communications Model that NEA purports to want to create.

Again - SNMP and Syslog/SysLogNG can do allot of this already. Why not just
add an Node-Integrity Reporting Process to either of  them. From an Audit
Perspective this would be a powerful addition to the SysLog protocols since
it would better anchor them

Just my 35c.

Todd Glassey

----- Original Message ----- 
From: "Russ Housley" <housley@xxxxxxxxxxxx>
To: "Narayanan, Vidya" <vidyan@xxxxxxxxxxxx>
Cc: <nea@xxxxxxxx>; <iesg@xxxxxxxx>; <ietf@xxxxxxxx>
Sent: Wednesday, October 11, 2006 7:18 AM
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)


> Vidya:
>
> >I'm not sure that the charter actually needs to get into the modes at
> >all - I'm guessing what happens after NEA (i.e., what is done with the
> >results from NEA) has zero impact on any work being done in NEA itself.
> >So, why not simply state something like "Once NEA is conducted on an
> >endpoint, the results may be used by an organization in accordance with
> >any policies of the organization itself."?
>
> Discussions with the IAB and IESG prior to external review lead to
> the addition of the modes discussion.  The point is that some
> networks will demand compliance to grant full access, and other
> networks will simply notify that host that they are not in
> compliance.  A host my not want to change the configuration to gain
> compliance.  That is acceptable in the second case, but not the first.
>
> Russ
>
>
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/ietf


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]