Hi Darrly, 

<snip>

> >>
> >> It appears that the NEA charter is completely misleading to some
> >> people from what is stated in this email. As the NEA charter alludes
> >> to, NEA does nothing to protect against compromised devices. Also, as
> >> has been agreed, NEA is not a protection mechanism for the network -
> >> it is meant to be a protection mechanism for compliant, truthful and
> >> as yet uncompromised end hosts against known vulnerabilities.
> 
> True, the NEA doesn't "do" anything to protect against
> compromised devices, but it does assist in limiting the known
> compromises on endpoint devices by being a mechanism for the
> checking and reporting on compliance to whatever network
> policy is in place, including virus and patch levels.

I'm not sure what you mean by "known compromises" - did you mean known
vulnerabilities? If so, yes - I was not questioning the role of NEA in
dealing with known vulnerabilities on truthful endpoints. 

The discussion was about using NEA as a protection mechanism for the
network and that doesn't make sense to me and as I understand from
Susan, that is not the intention of the charter either. 

> As a 
> network administrator I already deploy mechanisms for doing 
> just this, but at a higher level than the NEA charter 
> indicates.  To me the difference is between being reactive or 
> proactive.  Compliance testing I already run occurs after an 
> end node has joined the network, with NEA the possibility is 
> for compliance checking before being allowed onto the network 
> so isolation and immediate remediation is possible.
> 
> >> Any network, in its own best interests, must assume that it has lying
> >> and compromised endpoints connecting to it and that there are unknown
> >> vulnerabilities on any NEA-compliant devices connecting to it. Any
> >> kind of protection that addresses these general threats that the
> >> network may be exposed to at any time will simply obviate the need
> >> for NEA from the network perspective.
> 
> Reliance on one protection or reporting mechanism is not 
> enough.  We need a lot of varied tools to cover all the bases 
> and minimise risk.
> 

This is repetition at this point - but, when a network has mechanisms to
protect itself against lying endpoints and unknown vulnerabilities, that
should cover protection against truthful ones with known
vulnerabilities. Otherwise, the network is obviously not adequately
protected against the broader set of threats. So, one would employ NEA
in their networks to protect the end hosts attaching to the network, not
the network itself.

> >> A network operator that thinks the network is getting any protection
> >> by employing NEA is clearly ignoring the obvious real threats that
> >> the network is exposed to at any time.
> 
> No, NEA would just be one more tool used to improve overall
> security and minimise risk. It would be at a different level
> to the tools some of us already deploy.
> 
> >> This is what I meant when I said that the charter is unclear and it
> >> must explicitly state that NEA is not meant as a protection mechanism
> >> of any sort for the network.
> 
> I don't believe the Charter needs to delve into this at all.
> If some people see it as part of their protection mechanisms,
> so be it.
> 

That is a terrible approach to take, given how misleading the charter
obviously has been to many. The charter must be clear about what the WG
is doing and what is out of scope. 

Vidya

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf