Re: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

Douglas Otis <dotis@xxxxxxxxxxxxxx> wrote:
> It seems impractical to specify system requirements or expect a
> suitable examination be done in real time prior to obtaining access.

  Maybe you're saying that a complete systems check would take too
long.  That is true, but that isn't how the NEA variants are being
designed or deployed.

>  Bad actors will always be able to falsify this information, so the
> NEA does not offer protection.

  This issue has already been discussed.

> The NEA should be viewed as a process that eliminates many of the
> security related support calls.

  That is not a priority for any customers I talked to.  I've never
heard this as a justification for NEA from anyone.

> It seems impractical to expect NEA will prevent bad actors from
> producing the expected results.

  Which is why recent discussions on the NEA list made it clear that
no one was expecting that from NEA.

> There are anti-virus and OS updating services that could produce a
> certificate that includes: ...

  Which is a good idea, and substantially similar to validation and
remediation services currently offered.  That information still has to
be propagated to the device that controls network access.

> It seems unwise to expect an endpoint to open their robes to the
> access point.  However, the access point could offer certification
> services they require prior to granting access.  This service may be
> something as simple as agreeing to the AUP presented on a web-form,
> or agreeing to remedy the cause of abusive behavior.

  People are doing something similar to this today with quarantine
networks, and remediation sites.  But it's ad-hoc, and not automated.

> Rather than talking about the posture of the endpoint,
> consider the NEA to be little more than a repository for
> time-sensitive compliance certificates offering just the five points listed.

  Pretty much, yes.  With the addition of a protocol to carry that
information from the end point to elsewhere in the network.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
