NAC

Stefan Winter stefan.winter at restena.lu
Fri Jul 13 09:58:27 CEST 2007


Hi,

> Regarding some comments made earlier in the NEA list, wouldn't
> an approach similar to Microsoft's ("statements of health" or SoH)
> be a better solution?
>
> In this case, the client would just send its status (SoH) and get an
> answer from the server (+ network access granted/isolated/denied).
>
> Granted, it is really a "Microsoft standard" (no implementation, but
> there are already backward compatibility requirements with the previous
> version) - but the idea in general?

umm. Something like the following conversation on the wire?

Net: How are you?
comp: I'm fine, feeling good today.
Net: Okay, welcome.

The inherent problem is that
a) the comp's perception on whether it feels good or not doesn't necessarily
match the requirements the network would like to enforce
b) it's way too easy to just send "I'm fine". I'm sure you could quickly find
a download of a nifty little utility from a gray-area website that simply always
says that you're fine.

The basic problem beneath this is that the network has to ask the *suspect 
himself* how it would judge itself. 

BTW, this is one of the MAJOR concerns I have with the NEA working group: they
explicitly declared the integrity of the client-side piece of software "out
of scope" for their working group. This is somewhat fatal, and undermines
most of the efforts.

At least, Cisco's solution delivers a piece of software from the server side, 
so that the network admin has control over the assessment software and can be 
reasonably sure it's trusted. Of course, that shifts the problems to the 
client (end user), who is supposed to trust that piece of software.

Greetings,

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
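The following is an added illustration of point (a) in the message above; it is not code from the post, from FreeRADIUS, or from any NAC product. It sketches a network-side policy engine that evaluates a client's statement of health: instead of accepting the client's own verdict ("I'm fine"), the server requires concrete attributes and applies its own requirements to them, mapping the outcome onto the granted/isolated/denied decisions mentioned in the thread. The attribute names, thresholds and the three-way decision rule are hypothetical choices made for this example. Note that this addresses only the mismatch between the client's self-perception and the network's requirements; it does nothing about point (b), since a reporting agent that lies about every attribute still passes.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Network-side requirements (hypothetical values constructed for this example).
# Each entry maps a SoH attribute name to the predicate the network enforces.
POLICY: Dict[str, Callable[[Any], bool]] = {
    "firewall_enabled": lambda v: v is True,
    "av_signature_age_days": lambda v: isinstance(v, int) and 0 <= v <= 7,
    "os_patch_level": lambda v: isinstance(v, int) and v >= 42,  # hypothetical baseline
}


@dataclass
class Decision:
    access: str                      # "granted", "isolated" or "denied"
    reasons: List[str] = field(default_factory=list)


def evaluate_soh(soh: Dict[str, Any]) -> Decision:
    """Evaluate a client's statement of health against the network policy.

    The client's own summary (e.g. {"status": "fine"}) is never consulted:
    the server only looks at the attributes its policy names and judges
    them itself.  Decision rule (constructed for this example):
      - every required attribute present and passing  -> granted
      - some attribute present but failing the policy -> denied (known bad)
      - attributes only missing, none failing        -> isolated (unknown state,
                                                         send to remediation)
    """
    missing: List[str] = []
    failing: List[str] = []
    for attr, check in POLICY.items():
        if attr not in soh:
            missing.append(f"missing attribute {attr}")
        elif not check(soh[attr]):
            failing.append(f"{attr}={soh[attr]!r} does not meet policy")

    if failing:
        return Decision("denied", failing + missing)
    if missing:
        return Decision("isolated", missing)
    return Decision("granted")


# Constructed sample statements of health, as a client might send them.
SOH_SELF_JUDGED = {"status": "fine"}                       # the "I'm fine" case
SOH_HEALTHY = {"firewall_enabled": True,
               "av_signature_age_days": 2, "os_patch_level": 50}
SOH_FIREWALL_OFF = {"firewall_enabled": False,
                    "av_signature_age_days": 2, "os_patch_level": 50}
SOH_PARTIAL = {"firewall_enabled": True}                   # agent reported too little

if __name__ == "__main__":
    for name, soh in [("self-judged", SOH_SELF_JUDGED), ("healthy", SOH_HEALTHY),
                      ("firewall off", SOH_FIREWALL_OFF), ("partial", SOH_PARTIAL)]:
        d = evaluate_soh(soh)
        print(f"{name:13s} -> {d.access:9s} {'; '.join(d.reasons)}")
```

The "self-judged" client ends up isolated rather than granted: saying "I'm fine" carries no information the policy can act on, so the server treats it as an unknown state. The example is only as trustworthy as the agent supplying the attributes, which is exactly the client-integrity question the message says the NEA group left out of scope.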