NAC

Phil Mayers p.mayers at imperial.ac.uk
Fri Jul 13 11:55:24 CEST 2007


> BTW, this is one of the MAJOR concerns I have with the NEA working group: they 
> explicitly declared the integrity of the client-side piece of software "out 
> of scope" for their working group. This is somewhat fatal, and undermines 
> most of the efforts.
> 
> At least, Cisco's solution delivers a piece of software from the server side, 
> so that the network admin has control over the assessment software and can be 
> reasonably sure it's trusted. Of course, that shifts the problems to the 
> client (end user), who is supposed to trust that piece of software.

With the proliferation of virtual machine technologies and CPU support
for such, I do not think it would be difficult for someone to spoof the
software downloaded.

The "Windows Genuine Advantage" client runs on WINE.

The only way to ensure client-side trustedness is a TPM or similar, and
that has a whole raft of other problems, both technical and political. I
think it's pretty reasonable to say:

"""The working group declares the problem of any turing machine being
able to simulate any other turing machine as out-of-scope."""

I haven't been following the NEA so their work might be rubbish, but the
untrusted client-side nature of the software does not make it
intrinsically worthless - the reason being that for someone to trick out
the software, they have to EXPLICITLY install and configure some other
software, which is a clear AUP violation and when detected (a system
that asserts it is patched gets hacked) can be dealt with at the appropriate
level of severity by the organisation's administrative (not technical)
group.

More information about the Freeradius-Users mailing list