wrt "Network Endpoint Assessment" (was: Re: Free Rootkit with Every New Intel Machine)

Jeff.Hodges at KingsMountain.com Jeff.Hodges at KingsMountain.com
Wed Jun 20 19:59:19 EDT 2007

of potential related interest is..

Network Endpoint Assessment (NEA): Overview and Requirements         

note term "remediate/remediation".

relevant snippage below. see also..




1. Introduction 
    Today, most network providers can leverage existing standards-
    based technologies to restrict access to their network based 
    upon criteria such as the requesting system's user or host-based 
    identity, source IP address or physical access point.  However 
    these approaches still leave the network resident systems 
    vulnerable to malware-based attack, when an authorized but 
    infected system is admitted and the malware is able to spread 
    throughout the internal network. 
    As a result, network operators need a proactive mechanism to 
    assess the state of systems joining or present on the network to 
    determine their status relative to network compliance policies.  
    For example, if a system is determined to be out of compliance 
    because it is lacking proper defensive mechanisms such as 
    firewalls, anti-virus software or the absence of critical 
    security patches, there needs to be a way to safely repair 
    (remediate) the system so that it can be subsequently trusted to 
    join and operate on the network.  The NEA technology strives to 
    provide a mechanism to report the configuration of an endpoint 
    for evaluation against network compliance policy.  Such a 
    mechanism could offer a useful tool for the network operators'
    arsenal but should be recognized as not being a complete 
    endpoint compliance solution in and of itself.  
    NEA typically involves the use of special client software 
    running on the requesting system that observes and reports on 
    the configuration of the system to the network infrastructure.  
    The infrastructure has corresponding validation software that is 
    capable of comparing the system configuration information with 
    network compliance policy and providing the result to 
    appropriate authorization entities that make decisions about 
    network and application access.  Some systems may be incapable 
    of running the NEA client software (e.g. printer) or be 
    unwilling to share information about its configuration.  In 
    these cases the network infrastructure might decide to disallow 
    or limit access to the network. 
    In many cases, the admission decision is provisioned to the 
    enforcement mechanisms on the network and/or system requesting 
    access.  The decision might allow for no access, limited or 
    quarantined access (possibly to allow for remediation), or full 
    access to the network.  While the NEA Working Group recognizes 
    there is a link between an assessment and the enforcement of the 
    assessment decision, the mechanisms and protocols for 
    enforcement are not in scope for this specification. 
    Architectures, similar to NEA, have existed in the industry for 
    some time and are present in shipping products, but do not offer 
    interoperability.  Some examples of such architectures include: 
    Trusted Computing Group's Trusted Network Connect [TNC], 
    Microsoft's Network Access Protection [NAP], Cisco's Network 
    Admission Control [CNAC]).  These technologies assess the 
    software or hardware configuration of endpoint devices for the 
    purposes of monitoring or enforcing compliance to an 
    organization's policy.  These architectures are not 
    interoperable because they are implemented using primarily non-
    standards based technologies. 
    The NEA working group is working on defining standard protocols 
    so as to enable interoperability between devices from different 
    vendors allowing network owners to deploy truly heterogeneous 
    solutions. This document describes the requirements for NEA 
    candidate technologies and protocols.  

 4. Problem Statement 
    NEA technology may be used for several purposes.  One use is to 
    facilitate endpoint compliance checking against an 
    organization's security policy when an endpoint connects to the 
    network.  Organizations often require endpoints to run an IT-
    specified OS configuration and have certain security 
    applications enabled, e.g. anti-virus software, host intrusion 
    detection/prevention systems, personal firewalls, and patch 
    management software.  An endpoint that is not compliant with IT 
    policy may be vulnerable to a number of known threats that might 
    exist on the network. 
    Without NEA technology, ensuring compliance of endpoints to 
    corporate policy is a time-consuming and difficult task.  Not 
    all endpoints are managed by a corporation's IT organization, 
    e.g. lab assets and guest machines.  Even for assets that are 
    managed, they may not receive updates in a timely fashion 
    because they are not permanently attached to the corporate 
    network, e.g. laptops.  With NEA technology, the network is able 
    to assess an endpoint as soon as it requests access to the 
    network or at any time after joining the network.  This provides 
    the corporation an opportunity to check compliance of all NEA-
    capable endpoints in a timely fashion and facilitate endpoint 
    remediation potentially while quarantined where needed.  
    Endpoint that are not NEA-capable or choose not to share 
    sufficient posture to evaluate compliance may be subject to 
    different access policies. 
    The decision of how to handle non-compliant or non-participating 
    endpoints can be made by the network administrator possibly 
    based on information from other security mechanisms on the 
    network (e.g. authentication).  For example, remediation 
    instructions or warnings may be sent to the non-compliant 
    endpoint with a properly authorized user while allowing limited 
    access to the network.  Also, network access technologies can 
    use the NEA results to restrict or deny access to an endpoint, 
    while allowing vulnerabilities to be addressed before an 
    endpoint is exposed to attack.  The communication and 
    representation of NEA assessment results to network access 
    technologies on the network is out-of-scope for this document.  
    Re-assessment is an important part of NEA technology as it 
    allows for additional assessments of previously considered 
    compliant endpoints to be performed.  This might become 
    necessary because network compliance policies and/or endpoint 
    posture can change over time.  A system initially assessed as 
    being compliant when it joined the network may no longer be in 
    compliance after changes occur.  For example, re-assessment 
    might be necessary if a user disables a security protection 
    (e.g. host firewall) required by policy or when the firewall 
    becomes non-compliant after a firewall patch is issued and 
    network policy is changed to require the patch.  
    Another use of NEA technology may be to verify or supplement 
    organization asset information stored in inventory databases.   
    NEA technology can be used to provide posture assessment for a 
    range of ways of connecting to the network including (but not 
    limited to) wired and wireless LAN access, remote access via 
    IPsec[IPSEC] or SSL[TLS] VPN, or gateway access.   NEA 
    technology can also be used to check and report compliance for 
    endpoints when they try to access certain mission critical 
    applications within an enterprise by employing service 
    (application) triggered assessment.  




The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list