A typical NEA case (taken out of what Cisco's NAC is supposed to be good
for):
- Worker goes on holiday, takes laptop
- New attack is discovered that exploits a newly discovered Windows
vulnerability
- Patch is created, distributed and installed
- NEA posture requirement is increased to "must have patch"
- Worker comes back, plugs in laptop
Without NEA-like functionality:
- Worker is admitted
- Worker gets attacked & compromised
- IDS & other alarms go off
- Remediation efforts do what they usually do
With NEA:
- Worker gets sandboxed
- Worker gets upgraded
- Worker gets admitted
- No compromise, so no remediation
No ill intent on the part of any participant (except the attacker). Just
a TCO issue.
The fact that some fruit is low-hanging doesn't mean it's not worth picking.
Harald
Alan DeKok wrote:
Brian E Carpenter <brc@xxxxxxxxxxxxxx> wrote:
What if your contractor has carefully configured the laptop to
give all the right answers? What if it has already been infected with
a virus that causes it to give all the right answers?
Yes, that's a problem with NEA. No, it's not a problem for many (if
not most) people using NEA.
The people I talk with plan on using NEA to catch the 99% case of a
misconfigured/unknown system that is used by a well-meaning but
perhaps less clueful employee or contractor. The purpose of NEA is to
enhance network security by allowing fewer insecure end hosts in the
network.
No one can prevent a determined attacker from getting in. But by
providing fewer hosts for him to attack, the attacks become less
feasibly, and more visible.
Alan DeKok.
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf