Re: [Nea] UPDATED: WG Review: Network Endpoint Assessment (nea)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hallam-Baker, Phillip wrote:

The best way to stop such nonsense is to recognize what every mainstream security specialist working in the field recognized long ago - there is a difference between the network and the inter-network and connection to either is a privilege that should only be granted on the basis of need.

Your political strategy is naïve and fragile. You mistake a tactic for a strategy. Insisting that every component that connects to any network be absolutely unrestricted in its capabilities is unworkable, unsustainable and violates the security principle of least privilege. It is a tactic that is doomed to failure.
I think the problem that Keith is talking about is the problem of "unreasonable" policies, which will instantly create a "criminal" subculture in any networks that have such "unreasonable" policies. For example, if the only ISPs that are available to me insist that the machine I connect to their precious network run Windows XP SP > foo, but I'm actually a Linux user, then techniques will emerge that allow me to fool the ISP into thinking that I'm a Windows XP SP > foo 
 machine.
Trying to enforce that a Turing-complete machine have capabilities "no greater than X" might seem to an IT senior manager to be a really good idea, but in practical terms, it can't be done. And if you try to do this in any but the most tightly-purposed 
 networks, rebellion will be the inevitable result.
Some companies have an emerging draconian policy about users running only "authorized" software on their machines, with a cumbersome "approvals" process for any new software that someone might want to run on their machine. Which includes software written by the user themselves. That type of policy might be "reasonable" in a call-center, or some other tightly-purposed network, but it fails in the general case, and true enforcement is impossible. This emerging draconian policy is subtly re-defining that which constitutes "useful work" in many places such that the only authorized things you can do with your machine are to shuffle Word, PowerPoint, and Excel documents around, surf the Web, and e-mail your co-workers. If you want to do "real work", you necessarily have to violate policy, or do your 
 "real work" on a machine not subject to the policy.



_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]