Re: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Greetings,

"todd glassey" <tglassey@xxxxxxxxxxxxx> wrote on 10/13/2006 05:56:42 AM:

> So then this is an attempt by Cisco and IBM and several others to
> qualify a "SOX reporting and compliance tool" - get real.

>  
> Todd Glassey

I'm not sure I follow how you can infer that post-admission status checks are Cisco and IBM's attempt to qualify a "SOX reporting and compliance tool". That's one of the wildest leaps of (il)logic I have seen.

While my comments here do not represent IBM in any official capacity I can say that IMHO, a Sox compliance and reporting tool based solely on NEA (or Cisco NAC or TNC) would be woefully inadequate. Could the data collected for an NEA posture check be stored as part of an audit trail and would this data be useful? Absolutely! Does that make this a Sox compliance and reporting tool? No way! It would just become another trail of interesting information that would be aggregated in a REAL compliance and reporting tool.

One might also consider that the original post concerned post-admission integrity checking as opposed to checking at admission only. The data collected during the admission process would be just as suitable for compliance and reporting as post-admission data. So why does the addition of post-admission checking suddenly make this a compliance and reporting tool?

While logic can sometimes be dangerous ("my logic is undeniable"), I tend to rely on it in the absence of anything better. I don't understand the logic behind your statement.

Regards,
Frank Yeh


> ----- Original Message -----
> From: Frank Yeh Jr
> To: dassa@xxxxxxx
> Cc: nea@xxxxxxxx ; ietf@xxxxxxxx
> Sent: Thursday, October 12, 2006 3:32 PM
> Subject: RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)
>
> Greetings,
>
> Both of the existing flavors of NEA-type protocols (Cisco NAC and
> TNC) provide some mechanisms for integrity checking after the
> admission process has completed and removing an endpoint's
> privileged access if it falls out of compliance. So IMHO, support
> for post-admission integrity checking willbe expected in NEA.
>
> Collector/Verifier pairs can use NEA for pre-admission integrity
> checking and some other protocol for post-admission checking but if
> a post-admission violation is found, there should be a mechanism to
> terminate the user's current admission session and restart the
> admission process.
>
> Regards,
> Frank Yeh
> Corporate Security Strategy Team
> IBM
> Tivoli Software
>
> [image removed] "Darryl \(Dassa\) Lynch" <dassa@xxxxxxx>
>

>
> "Darryl \(Dassa\) Lynch" <dassa@xxxxxxx>

> 10/12/2006 02:27 PM
>
> Please respond to
> dassa@xxxxxxx

>
> [image removed]

> To
>
> [image removed]
> <nea@xxxxxxxx>

>
> [image removed]

> cc
>
> [image removed]
> ietf@xxxxxxxx

>
> [image removed]

> Subject
>
> [image removed]
> RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

>
> [image removed]

>
> [image removed]

>
>
> Douglas Otis wrote:
> >>
> >> If an application happens to be malware, it seems it would
> >> be unlikely stop these applications.  How about:
> >>
> >> vi)   Provide application level advisory information pertaining to  
> >> available services.
> >>
> >> Points that seem to be missing are:
> >>
> >> vii)  Notification of non-compliance. (Perhaps this could become a  
> >> restatement of i.)
> >>
> >> viii) Time or sequence sensitive compliance certificates provided
> >>       following a remediation process or service.
> >>
> >>
> >> Often bad behavior is detected, such as scanning or sending
> >> spam which may violate AUPs.  These violations may trigger a
> >> requirement for the endpoint to use a service that offers
> >> remedies the endpoint might use.
> >> There could then be a time-sensitive certificate of
> >> compliance offered following completion of a check-list and
> >> an agreement to comply with the recommendations.
> >>
> >> Those that remain infected after remediation, or that ignore
> >> the AUPs and are again detected, may find this process a
> >> reason to correct the situation or their behavior, or the
> >> provider may wish to permanently disable the account.
>
> Am I mistaken or is NEA intended to be a compliance check before a node is
> allowed onto the network?  As such, observed behaviour and application abuse
> would seem to be issues that would be dealt with by other tools.  NEA may be
> used to ensure certain applications are installed and some other
> characteristics of the node but actual behaviour may not be evident until
> such time as the node has joined the network and would be beyond the scope
> of detection by NEA IMHO.  NEA may be used to assist in limiting the risk of
> such behaviour but that is about the extent of it that I see.
>
> My reading of the charter gives me the impression NEA is only intended for a
> specific task and some of what we have been discussing seems to extend well
> beyond the limited scope proposed.
>
> Darryl (Dassa) Lynch
>
>
> _______________________________________________
> Nea mailing list
> Nea@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/nea

>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/ietf

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]