RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)


Greetings,

Both of the existing flavors of NEA-type protocols (Cisco NAC and TNC) provide some mechanisms for integrity checking after the admission process has completed and removing an endpoint's privileged access if it falls out of compliance. So IMHO, support for post-admission integrity checking will be expected in NEA.

Collector/Verifier pairs can use NEA for pre-admission integrity checking and some other protocol for post-admission checking but if a post-admission violation is found, there should be a mechanism to terminate the user's current admission session and restart the admission process.

Regards,
Frank Yeh
Corporate Security Strategy Team
IBM
Tivoli Software
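The flow described above (NEA-style pre-admission posture verification, a separate post-admission monitor, and termination of the admission session on a violation so the endpoint must be re-admitted) as an added example. This is not code from the thread, from Cisco NAC, TNC or any NEA implementation; the `Policy`, `Posture`, `AdmissionController` names, the required-agent set, the signature-age limit and the alert text are all constructed for illustration.

```python
"""Toy admission-session controller (constructed example, not an NEA
implementation): pre-admission posture check plus post-admission
re-checking that tears the session down and forces re-admission."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    UNADMITTED = "unadmitted"      # no session; must run admission
    ADMITTED = "admitted"          # full access granted
    QUARANTINED = "quarantined"    # admission denied; remediation-only access


@dataclass(frozen=True)
class Policy:
    """What the Verifier requires (hypothetical attributes)."""
    required_agents: frozenset          # e.g. {"av", "fw"}
    max_signature_age_days: int


@dataclass(frozen=True)
class Posture:
    """What a Collector reports about the endpoint (hypothetical attributes)."""
    agents: frozenset
    signature_age_days: int


def verify_posture(policy: Policy, posture: Posture) -> list:
    """Verifier logic: return the list of violations; empty means compliant."""
    problems = []
    missing = policy.required_agents - posture.agents
    if missing:
        problems.append(f"missing agents: {sorted(missing)}")
    if posture.signature_age_days > policy.max_signature_age_days:
        problems.append(
            f"signatures {posture.signature_age_days}d old "
            f"(limit {policy.max_signature_age_days}d)")
    return problems


@dataclass
class Session:
    endpoint: str
    state: State = State.UNADMITTED
    history: list = field(default_factory=list)   # (event, details) pairs


class AdmissionController:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions = {}

    def admit(self, endpoint: str, posture: Posture) -> State:
        """Pre-admission check: the only path to the ADMITTED state."""
        s = self.sessions.setdefault(endpoint, Session(endpoint))
        problems = verify_posture(self.policy, posture)
        if problems:
            s.state = State.QUARANTINED
            s.history.append(("admission-denied", problems))
        else:
            s.state = State.ADMITTED
            s.history.append(("admitted", []))
        return s.state

    def post_admission_event(self, endpoint: str, posture: Posture = None,
                             alert: str = None) -> State:
        """Event from a post-admission monitor: a fresh posture report,
        a behavioural alert from another tool, or both. Any violation
        terminates the session, so the endpoint has to call admit() again."""
        s = self.sessions[endpoint]
        if s.state is not State.ADMITTED:
            return s.state                      # nothing to revoke
        problems = verify_posture(self.policy, posture) if posture else []
        if alert:
            problems.append(f"behavioural alert: {alert}")
        if problems:
            s.state = State.UNADMITTED          # session torn down
            s.history.append(("session-terminated", problems))
        return s.state


def demo() -> list:
    """Walk one endpoint through admit -> drift -> re-admit -> alert."""
    ctl = AdmissionController(Policy(frozenset({"av", "fw"}), 7))
    ctl.admit("host-1", Posture(frozenset({"av", "fw"}), 2))
    ctl.post_admission_event("host-1", posture=Posture(frozenset({"fw"}), 2))
    ctl.admit("host-1", Posture(frozenset({"av", "fw"}), 30))   # denied
    ctl.admit("host-1", Posture(frozenset({"av", "fw"}), 1))    # remediated
    ctl.post_admission_event("host-1", alert="outbound SMTP flood")
    return [event for event, _ in ctl.sessions["host-1"].history]


if __name__ == "__main__":
    print(demo())
```

The design point is that `post_admission_event` never grants access; it can only revoke it, and the sole way back to `ADMITTED` is another run of `admit`, which is the "terminate and restart the admission process" behaviour argued for above.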

From: "Darryl (Dassa) Lynch" <dassa@xxxxxxx>
Date: 10/12/2006 02:27 PM
Please respond to: dassa@xxxxxxx
To: <nea@xxxxxxxx>
cc: ietf@xxxxxxxx
Subject: RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

Douglas Otis wrote:
>>
>> If an application happens to be malware, it seems it would
>> be unlikely to stop these applications.  How about:
>>
>> vi)   Provide application level advisory information pertaining to  
>> available services.
>>
>> Points that seem to be missing are:
>>
>> vii)  Notification of non-compliance. (Perhaps this could become a  
>> restatement of i.)
>>
>> viii) Time or sequence sensitive compliance certificates provided
>>       following a remediation process or service.
>>
>>
>> Often bad behavior is detected, such as scanning or sending
>> spam which may violate AUPs.  These violations may trigger a
>> requirement for the endpoint to use a service that offers
>> remedies the endpoint might use.
>> There could then be a time-sensitive certificate of
>> compliance offered following completion of a check-list and
>> an agreement to comply with the recommendations.
>>
>> Those that remain infected after remediation, or that ignore
>> the AUPs and are again detected, may find this process a
>> reason to correct the situation or their behavior, or the
>> provider may wish to permanently disable the account.

Am I mistaken or is NEA intended to be a compliance check before a node is
allowed onto the network?  As such, observed behaviour and application abuse
would seem to be issues that would be dealt with by other tools.  NEA may be
used to ensure certain applications are installed and some other
characteristics of the node but actual behaviour may not be evident until
such time as the node has joined the network and would be beyond the scope
of detection by NEA IMHO.  NEA may be used to assist in limiting the risk of
such behaviour but that is about the extent of it that I see.

My reading of the charter gives me the impression NEA is only intended for a
specific task and some of what we have been discussing seems to extend well
beyond the limited scope proposed.

Darryl (Dassa) Lynch


_______________________________________________
Nea mailing list
Nea@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/nea
