NAC
Stefan Winter
stefan.winter at restena.lu
Fri Jul 13 09:58:27 CEST 2007
Hi,
> Regarding some comments made earlier on the NEA list, wouldn't
> an approach similar to Microsoft's ("statements of health" or SoH)
> be a better solution?
>
> In this case, the client would just send its status (SoH) and get an
> answer from the server (+ network access granted/isolated/denied).
>
> Granted, it is really a "Microsoft-standard" (no implementation, but
> there are already backward compatibility requirements with previous
> version) - but the idea in general?

Umm. Something like the following conversation on the wire?

Net: How are you?
comp: I'm fine, feeling good today.
Net: Okay, welcome.

The inherent problem is that
a) the comp's perception on whether it feels good or not doesn't necessarily
match the requirements the network would like to enforce
b) it's way too easy to just send "I'm fine". I'm sure you could quickly find
a download of a nifty little utility from a gray-area website that simply always
says that you're fine.

The basic problem beneath this is that the network has to ask the *suspect
himself* how it would judge itself.

BTW, this is one of the MAJOR concerns I have with the NEA working group: they
explicitly declared the integrity of the client-side piece of software "out
of scope" for their working group. This is somewhat fatal, and undermines
most of the efforts.

At least, Cisco's solution delivers a piece of software from the server side,
so that the network admin has control over the assessment software and can be
reasonably sure it's trusted. Of course, that shifts the problems to the
client (end user), who is supposed to trust that piece of software.

Greetings,
Stefan
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
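
Points (a) and (b) from the message above, as an added example that is not part of the original post and is not code from any NAC product. The statement format, field names, policy values and agent functions are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Network-side requirements (constructed values for this illustration).
POLICY = {"max_av_age_days": 7, "firewall_required": True, "min_patch_level": 42}

@dataclass(frozen=True)
class Statement:
    """Health statement as seen on the wire; every field is client-supplied."""
    verdict: str          # the client's own opinion of itself
    av_age_days: int
    firewall_on: bool
    patch_level: int

def honest_agent(machine):
    """Agent that reports the machine's real state plus its own local opinion."""
    ok = machine["firewall_on"]   # the client's idea of "fine": firewall only
    return Statement("healthy" if ok else "unhealthy", machine["av_age_days"],
                     machine["firewall_on"], machine["patch_level"])

def unverified_agent(machine):
    """Agent whose integrity nobody checked: its report ignores the machine."""
    return Statement("healthy", 0, True, POLICY["min_patch_level"])

def decide_on_verdict(stmt):
    """Point (a): the server accepts the client's own judgement."""
    return "granted" if stmt.verdict == "healthy" else "isolated"

def decide_on_attributes(stmt, policy=POLICY):
    """The server applies its own policy to the reported attributes instead."""
    failures = []
    if stmt.av_age_days > policy["max_av_age_days"]:
        failures.append("av_signatures_too_old")
    if policy["firewall_required"] and not stmt.firewall_on:
        failures.append("firewall_off")
    if stmt.patch_level < policy["min_patch_level"]:
        failures.append("patch_level_too_low")
    return ("isolated" if failures else "granted"), failures

# Constructed machines: one compliant, one far out of date.
COMPLIANT = {"av_age_days": 1, "firewall_on": True, "patch_level": 45}
STALE = {"av_age_days": 90, "firewall_on": True, "patch_level": 30}

if __name__ == "__main__":
    report = honest_agent(STALE)
    print("verdict-based:  ", decide_on_verdict(report))
    print("attribute-based:", decide_on_attributes(report))
    # Point (b): same stale machine, but the report passes every check.
    print("unverified agent:", decide_on_attributes(unverified_agent(STALE)))
```

Evaluating reported attributes against server-side policy handles (a), but the decision is still computed only from fields the client supplied, which is point (b).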
More information about the Freeradius-Users
mailing list