On Tue, 2006-10-10 at 20:01 -0700, Narayanan, Vidya wrote:
> I am rather confused by this attempt to make NEA fit into some kind of
> a network protection mechanism. I keep hearing that NEA is *one* of a
> suite of protocols that may be used for protecting networks. Let's dig
> a bit deeper into what a network may employ as protection mechanisms
> in order to protect against all kinds of general threats.
>
> i) Access control mechanisms such as authentication and
> authorization (to ensure only valid endpoints are allowed on the
> network)
>
> ii) Ingress address filtering to prevent packets with topologically
> incorrect IP addresses from being injected into the network
>
> iii) VPNs to provide remote access to clients
>
> iv) Firewalls to provide advanced filtering mechanisms
>
> v) IDS/IPS to detect and prevent intrusions
>
> vi) Application level filtering where applicable (e.g., detecting and
> discarding email spam)
If an application happens to be malware, it seems it would be unlikely
stop these applications. How about:
vi) Provide application level advisory information pertaining to
available services.
Points that seem to be missing are:
vii) Notification of non-compliance. (Perhaps this could become a
restatement of i.)
viii) Time or sequence sensitive compliance certificates provided
following a remediation process or service.
Often bad behavior is detected, such as scanning or sending spam which
may violate AUPs. These violations may trigger a requirement for the
endpoint to use a service that offers remedies the endpoint might use.
There could then be a time-sensitive certificate of compliance offered
following completion of a check-list and an agreement to comply with the
recommendations.
Those that remain infected after remediation, or that ignore the AUPs
and are again detected, may find this process a reason to correct the
situation or their behavior, or the provider may wish to permanently
disable the account.
-Doug
_______________________________________________
Ietf mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/ietf
