Network Endpoint Assessment (NEA): Overview and Requirements
- Internet draft November 2007
- P. Sangster (Symantec)
- H. Khosravi (Intel)
- M. Mani (Avaya)
- K. Narayan (Cisco)
- J. Tardo (Nevis Networks)
Abstract
This document defines the problem statement, scope and protocol requirements between the components of the NEA (Network Endpoint Assessment) reference model. NEA provides owners of networks (e.g. an enterprise offering remote access) a mechanism to evaluate the posture of a system. This may take place during the request for network access and/or subsequently at any time while connected to the network. The learned posture information can then be applied to a variety of compliance oriented decisions. The posture information is frequently useful for detecting systems that are lacking or have out of date security protective mechanisms such as: anti-virus and host-based firewall software. In order to provide context for the requirements, a reference model and terminology are introduced.
Annotations
- Intent of NEA
- assess endpoints to determine their compliance with security policies, so that corrective measures can be applied before a non-compliant endpoint is exposed to the threats those policies guard against.
- Purpose
- develop standard protocols for communicating compliance information between a NEA Client and a NEA Server. When standard PA and PB protocols are carried over a standard PT protocol, a NEA Client from one vendor can interoperate with a NEA Server from another.
- client/server architecture
- NEA typically involves the use of special client software running on the requesting endpoint that observes and reports on the configuration of the system to the network infrastructure.
- The infrastructure has corresponding validation software that is capable of comparing the endpoint’s configuration information with network compliance policy and providing the result to appropriate authorization entities that make decisions about network and application access.
Posture Collectors:
- collecting standard and/or vendor-specific posture attributes (OS version, patch levels, anti-virus software, security mechanisms on the endpoint such as host-based IDS or firewall)
Posture Broker Client
- de-multiplexing the PB message received from the NEA Server and distributing each encapsulated PA message to the corresponding Posture Collector.
- multiplex the response from the Posture Collectors to the NEA Server.
- handle global assessment decisions from the Posture Broker Server.
Posture Transport Client
- carries PB messages between the endpoint and the NEA Server over a Layer 2 transport (e.g. EAP inside 802.1X) or a Layer 3 transport (e.g. TLS); the transport is what provides integrity and confidentiality for the exchange.
The server side mirrors the client: Posture Validators evaluate the attributes each Posture Collector reports, the Posture Broker Server multiplexes/de-multiplexes PA messages and produces the global assessment decision, and the Posture Transport Server terminates the PT protocol.
PA Protocol
- attributes sent by client (Posture Attr, Assertion Attr)
- attributes sent by server (Request Attr, Result Attr, Remediation Attr, Assertion Attr)
PB Protocol
- carries a batch of PA messages between Posture Broker Client and Posture Broker Server, each tagged so the broker can route it to the right Posture Collector or Posture Validator, plus the global assessment decision sent by the server.
PT Protocol
- carries PB messages between Posture Transport Client and Posture Transport Server; the PA and PB protocols are transport-agnostic and rely on PT for delivery and protection.
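The routing described under Posture Broker Client and the PA attribute categories above are easiest to see in one round trip. The following is an added example, not code from the draft or from any NEA implementation: it models a single assessment with two Posture Collector/Validator pairs. The component names and attribute categories (Request, Posture, Result, Remediation) follow the NEA overview; the message layout, the collector IDs "antivirus" and "firewall", the field names and the policy thresholds are this example's own assumptions, not a standardized encoding. The endpoint states at the bottom are constructed inputs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example. Component names follow the NEA overview; the message
# layout, collector IDs, attribute names and policy values are assumptions made
# for this illustration and are not any standardized NEA encoding.


@dataclass
class PAMessage:
    """One PA message, addressed to a Posture Collector / Validator pair."""
    collector_id: str                      # e.g. "antivirus"; brokers route on this
    kind: str                              # "request", "posture", "result", "remediation"
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class PBMessage:
    """One PB message: a batch of PA messages plus (server to client) a decision."""
    pa_messages: List[PAMessage]
    decision: Optional[str] = None         # global assessment decision, server only


# --- NEA Client side -------------------------------------------------------
# A Posture Collector answers a Request attribute with Posture attributes.
# `state` stands in for whatever the collector observes on the endpoint; the
# server has no independent way to check it (the "lying endpoint" problem).
def av_collector(state: Dict[str, str], req: PAMessage) -> PAMessage:
    return PAMessage("antivirus", "posture",
                     {"installed": state.get("av_installed", "no"),
                      "signature_age_days": state.get("av_sig_age", "unknown")})


def fw_collector(state: Dict[str, str], req: PAMessage) -> PAMessage:
    return PAMessage("firewall", "posture", {"enabled": state.get("fw_enabled", "no")})


COLLECTORS = {"antivirus": av_collector, "firewall": fw_collector}


def posture_broker_client(state: Dict[str, str], pb_in: PBMessage) -> PBMessage:
    """De-multiplex PA requests to collectors, multiplex their replies into one PB."""
    replies = []
    for pa in pb_in.pa_messages:
        if pa.kind == "request" and pa.collector_id in COLLECTORS:
            replies.append(COLLECTORS[pa.collector_id](state, pa))
    return PBMessage(replies)


# --- NEA Server side -------------------------------------------------------
def av_validator(pa: PAMessage) -> Tuple[bool, List[PAMessage]]:
    """Policy (assumed): AV installed and signatures no older than 7 days."""
    age = pa.attrs.get("signature_age_days", "")
    ok = pa.attrs.get("installed") == "yes" and age.isdigit() and int(age) <= 7
    out = [PAMessage("antivirus", "result", {"compliant": str(ok).lower()})]
    if not ok:
        out.append(PAMessage("antivirus", "remediation",
                             {"action": "install/update anti-virus; signatures <= 7 days old"}))
    return ok, out


def fw_validator(pa: PAMessage) -> Tuple[bool, List[PAMessage]]:
    ok = pa.attrs.get("enabled") == "yes"
    out = [PAMessage("firewall", "result", {"compliant": str(ok).lower()})]
    if not ok:
        out.append(PAMessage("firewall", "remediation", {"action": "enable host firewall"}))
    return ok, out


VALIDATORS = {"antivirus": av_validator, "firewall": fw_validator}


def posture_broker_server_request() -> PBMessage:
    """Initial PB message: one Request attribute per Posture Validator."""
    return PBMessage([PAMessage(cid, "request", {"want": "posture"}) for cid in VALIDATORS])


def posture_broker_server_decide(pb_in: PBMessage) -> PBMessage:
    """Route posture PA messages to validators; combine into a global decision."""
    all_ok, out, answered = True, [], set()
    for pa in pb_in.pa_messages:
        validator = VALIDATORS.get(pa.collector_id)
        if validator is None or pa.kind != "posture":
            continue                        # unknown or unexpected message: ignore it
        answered.add(pa.collector_id)
        ok, msgs = validator(pa)
        all_ok &= ok
        out.extend(msgs)
    if answered != set(VALIDATORS):         # a collector that stays silent is not a bypass
        all_ok = False
    return PBMessage(out, decision="allow" if all_ok else "isolate")


def assess(reported_state: Dict[str, str]) -> PBMessage:
    """One full round: server request -> client posture -> server results and decision."""
    request = posture_broker_server_request()
    posture = posture_broker_client(reported_state, request)
    return posture_broker_server_decide(posture)


# Constructed endpoint reports.
COMPLIANT = {"av_installed": "yes", "av_sig_age": "2", "fw_enabled": "yes"}
STALE = {"av_installed": "yes", "av_sig_age": "30", "fw_enabled": "no"}
# A hostile endpoint can report whatever it likes; the server only ever sees
# the attributes, so this report is indistinguishable from COMPLIANT.
LYING_REPORT = {"av_installed": "yes", "av_sig_age": "0", "fw_enabled": "yes"}

if __name__ == "__main__":
    for name, st in [("compliant", COMPLIANT), ("stale", STALE), ("lying", LYING_REPORT)]:
        result = assess(st)
        print(name, result.decision, [(m.collector_id, m.kind) for m in result.pa_messages])
```

Two design points worth noting. First, the broker treats a missing Posture Collector answer as non-compliance; if it defaulted to "allow", an endpoint could pass simply by not loading the collector for the control it fails. Second, the lying report shows the architectural limit listed under problems below: nothing in PA/PB lets the validator tell a truthful collector from one under the endpoint owner's control, so the decision is only as trustworthy as the endpoint's reporting path.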
Problems with this architecture?
- Lying endpoint: the owner of a machine controls the NEA Client and can send arbitrary posture attributes to the server, which has no independent way to verify them.
- The NEA Client is not required to report NAT devices or virtual machines behind it, so hosts hidden behind a compliant endpoint are never assessed.
- Message interception/modification of PA/PB messages in transit (PT must provide integrity and confidentiality).
- Replay and attribute theft: a captured compliant posture could be replayed from a non-compliant host.
- DoS against the NEA Server, e.g. by flooding it with assessment requests.
Topic revision: r1 - 07 Nov 2007 - 16:55:59 - QiLiao