Brian E Carpenter wrote:
>>> I run a very closed network, ports are closed and not opened unless
>>> there is a validated request, external drives are disabled etc etc.
>>> A contractor comes in with a notebook and needs to work on some
>>> files located on our internal secure network.  A trusted staff
>>> member rings in with the request to open a specified port.  The
>>> port is opened and the contractor hooks up the laptop to it.  NEA
>>> does its thing and if the laptop doesn't match the requirements of
>>> the internal network policy it is directed to a sandbox network for
>>> remediation.  If the laptop does meet the policy then it is allowed
>>> onto the internal network.
>> 
>> What if your contractor has carefully configured the laptop
>> to give all the right answers? What if it has already been
>> infected with a virus that causes it to give all the right answers?
>> 
>> The first case is certainly current practice, and the second
>> one could arrive any day.

Hello Brian

I would be monitoring for unusual behaviour on the network and would be
warned if the laptop started to behave in ways not expected.  NEA would only
save time in getting the system onto the network as instead of physically
inspecting it I'd be relying on automated means to judge compliance.  It
would be an acceptable risk.  The risk of someone wishing to hack in or
being infected with a virus as you describe is low.  I'd mainly be using NEA
to assist in those situations where the trust isn't total but there isn't
harmful intent.

If you know of a system that provides total protection, is easy for users to
perform their duties and doesn't have me or IT staff doing physical checks
I'd be more than willing to look at it.

Let's face it, there will always be a risk of someone getting around any
informational or protection mechanism put into play, we all have to judge
that risk and set up networks accordingly.  If we really want to be secure
we wouldn't allow any ad hoc connections at all.

Darryl (Dassa) Lynch 
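The arrangement the two messages above argue over, as an added example that is not code from the thread or from any NEA implementation: a posture check that admits an endpoint on what it reports about itself (so a laptop configured to give the right answers passes, as Brian points out), followed by the kind of behavioural monitoring Darryl relies on as the compensating control. The policy attributes, posture reports, addresses, approved destination and the distinct-destination threshold are all constructed for the illustration.

```python
"""Posture assessment plus behavioural monitoring for an ad hoc endpoint.

Added example, not code from the mailing-list thread.  Every value below
(policy, posture reports, flow records) is constructed for illustration.
"""

# Constructed policy: what the internal network expects an endpoint to report.
POLICY = {
    "av_enabled": True,
    "firewall_enabled": True,
    "min_patch_level": 42,
}


def assess_posture(report: dict) -> str:
    """Return 'internal' if the self-reported posture satisfies POLICY,
    otherwise 'remediation' (the sandbox network in the quoted message).

    The check only sees what the endpoint claims, so it cannot distinguish an
    honest compliant laptop from one that has been configured, or infected,
    to answer exactly what the policy wants to hear.
    """
    compliant = (
        report.get("av_enabled") is True
        and report.get("firewall_enabled") is True
        and int(report.get("patch_level", -1)) >= POLICY["min_patch_level"]
    )
    return "internal" if compliant else "remediation"


# Constructed posture reports.
HONEST_COMPLIANT = {"av_enabled": True, "firewall_enabled": True, "patch_level": 45}
OUT_OF_DATE = {"av_enabled": True, "firewall_enabled": False, "patch_level": 40}
# A laptop that simply reports compliance regardless of its real state:
# indistinguishable from HONEST_COMPLIANT as far as assess_posture can see.
TAMPERED_REPORT = {"av_enabled": True, "firewall_enabled": True, "patch_level": 45}

# The request that opened the port was for one file server; constructed value.
APPROVED = {("10.0.5.20", 445)}


def monitor_endpoint(flows, endpoint_ip, approved=APPROVED, distinct_dst_threshold=5):
    """Behavioural check on an endpoint that has already been admitted.

    flows is an iterable of (src, dst, dport) records, e.g. from a flow
    collector.  Returns (unapproved, scan_suspect):
      unapproved   - (dst, dport) pairs the endpoint reached that were not
                     part of the approved request
      scan_suspect - True once the endpoint has touched at least
                     distinct_dst_threshold different hosts
    """
    unapproved = []
    destinations = set()
    for src, dst, dport in flows:
        if src != endpoint_ip:
            continue
        destinations.add(dst)
        if (dst, dport) not in approved:
            unapproved.append((dst, dport))
    return unapproved, len(destinations) >= distinct_dst_threshold


# Constructed flow records: the contractor laptop is 10.0.5.77.
FLOWS = [
    ("10.0.5.77", "10.0.5.20", 445),  # the approved file server
    ("10.0.5.77", "10.0.5.20", 445),
    ("10.0.5.77", "10.0.5.21", 445),  # not covered by the request
    ("10.0.5.77", "10.0.5.22", 139),
    ("10.0.5.77", "10.0.5.23", 445),
    ("10.0.5.77", "10.0.5.24", 445),
    ("10.0.5.77", "10.0.5.25", 445),
    ("10.0.5.30", "10.0.5.20", 445),  # a different host, not monitored here
]

if __name__ == "__main__":
    for name, report in [("honest", HONEST_COMPLIANT),
                         ("out of date", OUT_OF_DATE),
                         ("tampered", TAMPERED_REPORT)]:
        print(f"{name:12s} -> {assess_posture(report)}")
    unapproved, scan = monitor_endpoint(FLOWS, "10.0.5.77")
    print(f"unapproved flows: {len(unapproved)}, scan suspect: {scan}")
```

The two functions are deliberately independent: the posture check decides where the endpoint lands, and the monitor runs afterwards on what the endpoint actually does, which is the only evidence the falsified report cannot control.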


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
