Harald, This seems to be missing the point. I think there is a general sense that NEA could be helpful for some level of protection to complying endpoints in an enterprise scenario, which is exactly what you have described below. The disagreement seems to be on the topics of what NEA does for the network and whether it makes any sense in the provider model where the network and end device owners are different. On the network protection issue, I still have not seen anything that NEA provides that is not provided (in a better manner) by protection mechanisms that the network must use to protect itself against any unknown vulnerabilities and compromised endpoints. Everything that has been said still seems to be a subset of that larger threat which must be protected against anyway. Having said that, the use of NEA for the provider model doesn't make sense, since providers are interested in protecting their networks more than protecting the devices they don't own. Not to mention that they cannot really hope to get compliance from devices they don't own. 
Vidya

> -----Original Message-----
> From: Harald Alvestrand [mailto:harald@xxxxxxxxxxxxx]
> Sent: Friday, October 13, 2006 6:24 AM
> To: Alan DeKok
> Cc: nea@xxxxxxxx; ietf@xxxxxxxx
> Subject: Re: [Nea] Re: WG Review: Network Endpoint Assessment (nea)
>
> A typical NEA case (taken out of what Cisco's NAC is supposed to be good
> for):
>
> - Worker goes on holiday, takes laptop
> - New attack is discovered that exploits a newly discovered Windows vulnerability
> - Patch is created, distributed and installed
> - NEA posture requirement is increased to "must have patch"
> - Worker comes back, plugs in laptop
>
> Without NEA-like functionality:
> - Worker is admitted
> - Worker gets attacked & compromised
> - IDS & other alarms go off
> - Remediation efforts do what they usually do
>
> With NEA:
> - Worker gets sandboxed
> - Worker gets upgraded
> - Worker gets admitted
> - No compromise, so no remediation
>
> No ill intent on the part of any participant (except the attacker). Just a TCO issue.
>
> The fact that some fruit is low-hanging doesn't mean it's not worth picking.
>
> Harald
>
> Alan DeKok wrote:
> > Brian E Carpenter <brc@xxxxxxxxxxxxxx> wrote:
> >
> >> What if your contractor has carefully configured the laptop to give
> >> all the right answers? What if it has already been infected with a
> >> virus that causes it to give all the right answers?
> >>
> >
> > Yes, that's a problem with NEA. No, it's not a problem for many (if
> > not most) people using NEA.
> >
> > The people I talk with plan on using NEA to catch the 99% case of a
> > misconfigured/unknown system that is used by a well-meaning but
> > perhaps less clueful employee or contractor. The purpose of NEA is to
> > enhance network security by allowing fewer insecure end hosts in the
> > network.
> >
> > No one can prevent a determined attacker from getting in. But by
> > providing fewer hosts for him to attack, the attacks become less
> > feasible, and more visible.
> >
> > Alan DeKok.
> >
> > _______________________________________________
> > Ietf mailing list
> > Ietf@xxxxxxxx
> > https://www1.ietf.org/mailman/listinfo/ietf