                   IETF NEA WG
(NEA = Network Endpoint Assessment)



           nea[-request]@ietf.org
Chairs: Steve Hanna, Juniper shanna@juniper.net
        Susan Thomson, Cisco sethomso@cisco.com

 IETF 67, Tuesday, November 7, 2006, 3:20 PM – 5:20 PM
                   Agenda Review
3:20      Blue Sheets, Jabber & Minutes Scribes
3:25      Agenda Bashing
3:30      NEA Milestones
3:40      Discussion of Requirements I-D
5:10      Next Steps
5:20      Adjourn


November 7, 2006       IETF NEA WG            2
                   NEA Milestones
• First Milestones
     – Prepare NEA Requirements I-D (Nov-Jan)
     – WGLC on NEA Requirements I-D (Feb ‘07)
     – IETF LC on NEA Requirements I-D (Apr ‘07)


• Then we’ll add milestones for PA, PB, etc.
     – Subject to AD approval


    NEA Roles and Responsibilities
•   NEA Requirements Design Team and Editors
     – Volunteers solicited on list and at IETF 67
     – Selected by NEA WG chairs

     – Develop initial Requirements I-D
     – Revise I-D in response to WG rough consensus

•   NEA WG Participants
     – Review draft documents
     – Discuss on email list and at IETF meetings
     – Reach rough consensus on email list

•   NEA WG Chairs
     – Select Design Teams and Editors
     – Moderate WG discussions
     – Judge rough consensus
     – Manage WG process


                   Goals for Today
• Discuss Requirements I-D
     – Get feedback on current ideas


• Recruit volunteers for NEA Requirements Design Team




         Requirements I-D Outline
• Abstract, Boilerplate
• Introduction
• Terminology
• Applicability
• Problem Statement
• Reference Model
• Use Cases
• Requirements
     – Common
     – Protocol-specific (PA, PB, PT)
• Security Analysis/Considerations
• References, Editors’ Addresses, Acknowledgements

                      Terminology
• Endpoint
     – A host that can be connected to a network
          • Laptop, desktop, server, printer, cell phone,
            any device with an IP address


• Posture
     – Endpoint security-relevant configuration
          • OS and application version and patch level,
            security software configuration and status, etc.

                   Problem Statement
• Assess endpoint posture

• Various actions may follow
     – In-scope
          • Deliver assessment result to endpoint
          • Deliver remediation instructions to endpoint
     – Out-of-scope but must be accommodated
          • Evaluate posture policy compliance
          • Monitor compliance
          • Binding to network access control protocols
          • Remediate
          • Identify lying endpoints

                   NEA Reference Model
       NEA Client                                              NEA Server

  Posture Collectors        <-- Posture Attribute (PA) protocol -->   Posture Validators
  Posture Broker Client     <-- Posture Broker (PB) protocol -->      Posture Broker Server
  Network Access Requestor  <-- Posture Transport (PT) protocols -->  Network Access Authority
                            (via Network Enforcement Device)

                   NEA Reference Model
       NEA Client                                              NEA Server

  Posture Collectors        <-- Posture Attribute (PA) protocol -->   Posture Validators
  Posture Broker Client     <-- Posture Broker (PB) protocol -->      Posture Broker Server
  Posture Transport Client  <-- Posture Transport (PT) protocols -->  Posture Transport Server

                   Use Cases
• Goals
     – Span the problem space
     – Drive requirements


• Non-Goals
     – List all use cases
     – Describe details of PT protocols


                   Types of Flows
• Initial assessment of endpoint
     – Triggered by Network Connection
     – Triggered by Service Request


• Re-assessment of endpoint
     – Triggered by NEA Server (timer, event, etc.)
     – Triggered by NEA Client (timer, event, etc.)


                   Types of Attributes
• Endpoint Data (client to server)
     – By value
     – By reference

• Compliance Policy (server to client)

• Compliance Policy Evaluation Results (client to server)

• Cryptographic Protocols (multiple round trips)
     – Proof of possession
     – Replay protection mechanisms

• Compliance Result (server to client)

• Remediation Instructions (server to client)



                    Employee John Smith
          0. Endpoint Assessment Triggered By Network Connection
          • Software Inventory Reported and Logged

       NEA Client                                              NEA Server

  Inventory Collector       <-- Posture Attribute (PA) protocol -->   Inventory Validator --> Log
  Posture Broker Client     <-- Posture Broker (PB) protocol -->      Posture Broker Server
  Posture Transport Client  <-- Posture Transport (PT) protocols -->  Posture Transport Server

                          Professor Jane Doe
          0. Endpoint Assessment Triggered By Service Request
          • Patch Management Collector Reports Patch Levels
          • Patch Management Validator sends Upgrade Advisory

       NEA Client                                              NEA Server

  Patch Mgmt Collector      <-- Posture Attribute (PA) protocol -->   Patch Mgmt Validator
  Posture Broker Client     <-- Posture Broker (PB) protocol -->      Posture Broker Server
  Posture Transport Client  <-- Posture Transport (PT) protocols -->  Posture Transport Server

                           Colonel Mustard
       0. Constant Monitoring in Place
       1. Security Collector Detects Posture Change
       2. Security Collector Triggers Reassessment
       3. Access Limited
       4. Automated Remediation
       5. Reassessment
       6. Access Restored

       NEA Client                                              NEA Server

  Security Collector        <-- Posture Attribute (PA) protocol -->   Security Validator
  Posture Broker Client     <-- Posture Broker (PB) protocol -->      Posture Broker Server
  Posture Transport Client  <-- Posture Transport (PT) protocols -->  Posture Transport Server
                            (Enforcement on the transport path)

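As an added example that is not part of the slides, the following Python models the NEA Reference Model layering (Posture Collectors and Validators exchanging attributes over PA, Posture Broker Client and Server routing them over PB) and drives it through the Colonel Mustard re-assessment use case above; the attribute layout, the compliance policy and the posture values are constructed assumptions, not anything the WG has specified.

```python
# Added example, not from the slides: an in-memory model of the NEA reference
# model driven through the "Colonel Mustard" re-assessment flow. Component names
# follow the slides; attribute layout, policy and posture values are constructed.
from dataclasses import dataclass

@dataclass
class Attribute:            # one Posture Attribute (PA) protocol message
    kind: str               # selects the Posture Validator that understands it
    value: dict

class SecurityCollector:    # NEA Client side: reads endpoint security posture
    def __init__(self, endpoint):
        self.endpoint = endpoint
    def collect(self):
        return [Attribute("security", dict(self.endpoint))]

class SecurityValidator:    # NEA Server side: evaluates one attribute kind
    def __init__(self, required_patch):
        self.required_patch = required_patch
    def validate(self, attr):
        v = attr.value
        ok = bool(v.get("av_enabled")) and v.get("patch_level", 0) >= self.required_patch
        fix = None if ok else {"av_enabled": True, "patch_level": self.required_patch}
        return ok, fix      # compliance result plus remediation instructions

class PostureBrokerServer:  # PB protocol endpoint: routes attributes to validators
    def __init__(self, validators):
        self.validators = validators            # kind -> validator
    def assess(self, attrs):
        results = [self.validators[a.kind].validate(a)
                   for a in attrs if a.kind in self.validators]
        return all(ok for ok, _ in results), [fix for _, fix in results if fix]

def mustard_flow(endpoint, server):
    """Steps 0-6 of the Colonel Mustard slide; returns (step, compliant, access)."""
    collector, trace, access = SecurityCollector(endpoint), [], "granted"
    ok, _ = server.assess(collector.collect())       # 0. monitoring in place
    trace.append(("initial", ok, access))
    endpoint["av_enabled"] = False                   # 1. collector sees posture change
    ok, fixes = server.assess(collector.collect())   # 2. collector triggers reassessment
    access = "granted" if ok else "limited"          # 3. access limited by enforcement
    trace.append(("reassess", ok, access))
    for fix in fixes:                                # 4. automated remediation
        endpoint.update(fix)
    ok, _ = server.assess(collector.collect())       # 5. reassessment
    access = "granted" if ok else "limited"          # 6. access restored
    trace.append(("reassess", ok, access))
    return trace
```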
                   Other Use Cases?
• Other use cases that:
     – Must be addressed by NEA
     – Drive new PA, PB, or PT requirements




                   Next Steps
• Solicit Design Team Contributors
     – Through November 16


• Start Design Team Weekly Concalls
     – Week of November 27


• First Requirements I-D Posted
