Wednesday, December 20, 2006

IETF Network Endpoint Assessment Working Group

Dark Reading posted an article on the new Network Endpoint Assessment (nea) IETF working group. The working group's description says, in part:

Network Endpoint Assessment (NEA) architectures have been implemented in the industry to assess the "posture" of endpoint devices for the purposes of monitoring compliance to an organization's posture policy and optionally restricting access until the endpoint has been updated to satisfy the posture requirements. An endpoint that does not comply with posture policy may be vulnerable to a number of known threats that may exist on the network. The intent of NEA is to facilitate corrective actions to address these known vulnerabilities before a host is exposed to potential attack. Note that an endpoint that is deemed compliant may still be vulnerable to threats that may exist on the network. The network may thus continue to be exposed to such threats as well as the range of other threats not addressed by maintaining endpoint compliance.
I have a feeling these Cisco Network Admission Control (NAC) / Microsoft Network Access Protection (NAP) / Trusted Network Connect (TNC) plans are all fighting the last war. Others have criticized NEA, and I tend to agree with their conclusions. I have a feeling that "business realities" are going to prevent security people from restricting access to NEA-noncompliant devices. At some point NEA will be another part of configuration management anyway.

1 comment:

Brian said...

I usually read your posts and quietly say to myself "Rich got that right." Unfortunately this post is the very rare exception to that.

The Dark Reading article you cited really isn't very good. For starters the author totally overlooks the unusually lengthy process that many in the NEA community were involved in to actually get the working group chartered. Dozens of people participated in the discussions over email representing the user and the vendor communities. This working group was far from "quietly formed" and included many more than just "major security players".

Further, the Dark Reading piece goes into the Cisco, Juniper (TCG), Microsoft competition without recognizing at least a dozen other vendors marketing their own NEA solutions and the dozens of vendors of complementary security, configuration management, and network/security management solutions whose products either work with NEA today or plan to within the next 18 months.

In citing the Information Week article that discusses Ofir Arkin's work and his presentation at Black Hat 2006, you've also picked a weak reference. Arkin's presentation was the first I'd ever heard that points out how incomplete many NAC solutions are today. Arkin said that if you aren't providing a NAC solution for wired, wireless and remote access today, you're not really doing NAC. The article dings Cisco for only supporting Cisco, but as Arkin pointed out at the time the presentation was given, Juniper only supports Juniper and Microsoft only supports Microsoft.

You pointed out that you felt that these solutions were "fighting the last war," but you didn't say why.

You wrote that in your opinion "business realities" would prevent security people from restricting access from non-NEA-compliant devices. I just hope that the company that manages my health care records, my bank, and the brokerage firm that handles my IRA don't agree with you there.

Happy Holidays!

Liberty for All,