| draft-ietf-sacm-arch-01.txt | draft-ietf-sacm-arch-02.txt | |||
|---|---|---|---|---|
| SACM Working Group A. Montville | SACM Working Group A. Montville | |||
| Internet-Draft B. Munyan | Internet-Draft B. Munyan | |||
| Intended status: Standards Track CIS | Intended status: Standards Track CIS | |||
| Expires: August 26, 2019 February 22, 2019 | Expires: January 27, 2020 July 26, 2019 | |||
| Security Automation and Continuous Monitoring (SACM) Architecture | Security Automation and Continuous Monitoring (SACM) Architecture | |||
| draft-ietf-sacm-arch-01 | draft-ietf-sacm-arch-02 | |||
| Abstract | Abstract | |||
| This memo defines a Security Automation and Continuous Monitoring | This memo defines a Security Automation and Continuous Monitoring | |||
| (SACM) architecture. This work is built upon | (SACM) architecture. This work is built upon [RFC8600], and is | |||
| [I-D.ietf-mile-xmpp-grid], and is predicated upon information gleaned | predicated upon information gleaned from SACM Use Cases and | |||
| from SACM Use Cases and Requirements ([RFC7632] and [RFC8248] | Requirements ([RFC7632] and [RFC8248] respectively), and terminology | |||
| respectively), and terminology as found in | as found in [I-D.ietf-sacm-terminology]. | |||
| [I-D.ietf-sacm-terminology]. | ||||
| WORKING GROUP: The source for this draft is maintained in GitHub. | WORKING GROUP: The source for this draft is maintained in GitHub. | |||
| Suggested changes should be submitted as pull requests at | Suggested changes should be submitted as pull requests at | |||
| https://github.com/sacmwg/ietf-mandm-sacm-arch/. Instructions are on | https://github.com/sacmwg/ietf-mandm-sacm-arch/. Instructions are on | |||
| that page as well. | that page as well. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 26, 2019. | This Internet-Draft will expire on January 27, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Open Questions . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Requirements notation . . . . . . . . . . . . . . . . . . 3 | 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 4 | 3. Architectural Overview . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Architectural Overview . . . . . . . . . . . . . . . . . . . 4 | 4. Relevant Workflows . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. SACM Roles . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. IT Asset Management . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. Exploring An XMPP-based Solution . . . . . . . . . . . . 5 | 4.2. Vulnerability Management . . . . . . . . . . . . . . . . 5 | |||
| 3.3. Example Architecture using XMPP-Grid and Endpoint Posture | 4.3. Configuration Management . . . . . . . . . . . . . . . . 6 | |||
| Collection Protocol . . . . . . . . . . . . . . . . . . . 8 | 5. Configuration Management Components, Interactions, and | |||
| 4. Components, Capabilities, Interfaces, and Workflows . . . . . 10 | Capabilities . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Components . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.1. Components . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. Capabilities . . . . . . . . . . . . . . . . . . . . . . 11 | 5.2. Interactions . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.3. Interfaces . . . . . . . . . . . . . . . . . . . . . . . 11 | 5.3. Capabilities . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.4. Workflows . . . . . . . . . . . . . . . . . . . . . . . . 12 | 6. Configuration Assessment Workflow . . . . . . . . . . . . . . 9 | |||
| 4.4.1. IT Asset Management . . . . . . . . . . . . . . . . . 12 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.4.2. Vulnerability Management . . . . . . . . . . . . . . 12 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.4.3. Configuration Management . . . . . . . . . . . . . . 14 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 15 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 15 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 10.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | Appendix A. Mapping to RFC8248 . . . . . . . . . . . . . . . . . 13 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 16 | Appendix B. Example Components . . . . . . . . . . . . . . . . . 16 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 16 | B.1. Policy Services . . . . . . . . . . . . . . . . . . . . . 16 | |||
| Appendix A. Mapping to RFC8248 . . . . . . . . . . . . . . . . . 18 | B.2. Software Inventory . . . . . . . . . . . . . . . . . . . 17 | |||
| Appendix B. Example Components . . . . . . . . . . . . . . . . . 21 | B.3. Datastream Collection . . . . . . . . . . . . . . . . . . 18 | |||
| B.1. Policy Services . . . . . . . . . . . . . . . . . . . . . 21 | B.4. Network Configuration Collection . . . . . . . . . . . . 18 | |||
| B.2. Software Inventory . . . . . . . . . . . . . . . . . . . 22 | Appendix C. Exploring An XMPP-based Solution . . . . . . . . . . 19 | |||
| B.3. Datastream Collection . . . . . . . . . . . . . . . . . . 23 | C.1. Example Architecture using XMPP-Grid and Endpoint Posture | |||
| B.4. Network Configuration Collection . . . . . . . . . . . . 23 | Collection Protocol . . . . . . . . . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 1. Introduction | 1. Introduction | |||
| The purpose of this draft is to define an architectural solution for | The purpose of this draft is to define an architectural approach for | |||
| a SACM Domain. This draft also defines an implementation of the | a SACM Domain, based on the spirit of use cases found in [RFC7632] | |||
| architecutre, built upon [I-D.ietf-mile-xmpp-grid] and | and requirements found in [RFC8248]. This approach gains the most | |||
| [I-D.ietf-sacm-ecp]. These approaches complement each other to more | advantage by supporting a variety of collection systems, and intends | |||
| completely meet the spirit of [RFC7632] and requirements found in | ||||
| [RFC8248]. | ||||
| This solution gains the most advantage by supporting a variety of | ||||
| collection mechanisms. In this sense, the solution ideally intends | ||||
| to enable a cooperative ecosystem of tools from disparate sources | to enable a cooperative ecosystem of tools from disparate sources | |||
| with minimal operator configuration. The solution described in this | with minimal operator configuration. | |||
| document seeks to accommodate these recognitions by first defining a | ||||
| generic abstract architecture, then making that solution somewhat | ||||
| more concrete. | ||||
| Keep in mind that, at this point, the draft is tracking ongoing work | ||||
| being performed primarily around and during IETF hackathons. The | ||||
| list of hackathon efforts follows: | ||||
| o [HACK99]: A partial implementation of a vulnerability assessment | ||||
| scenario involving an [I-D.ietf-sacm-ecp] implementation, a | ||||
| [RFC8322] implementation, and a proprietary evaluator to pull the | ||||
| pieces together. | ||||
| o [HACK100]: Work to combine the vulnerability assessment scenario | ||||
| from [HACK99] with an XMPP-based YANG push model. | ||||
| o [HACK101]: A fully automated configuration assessment | ||||
| implementation using XMPP as a communication mechanism. | ||||
| o [HACK102]: An exploration of how we might model assessment, | ||||
| collection, and evaluation abstractly, and then rely on YANG | ||||
| expressions for the attributes of traditional endpoints. | ||||
| 1.1. Open Questions | ||||
| [NOTE: This section will eventually be removed.] | ||||
| The following is a list of open questions we still have about the | ||||
| path forward with this exploration: | ||||
| o Should workflows be documented in this draft or separate drafts? | ||||
| o Should interfaces be documented in workflow drafts or separate | ||||
| drafts (or even this draft)? | ||||
| 1.2. Requirements notation | 1.1. Requirements notation | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in RFC | "OPTIONAL" in this document are to be interpreted as described in RFC | |||
| 2119, BCP 14 [RFC2119]. | 2119, BCP 14 [RFC2119]. | |||
| 2. Terms and Definitions | 2. Terms and Definitions | |||
| This draft defers to [I-D.ietf-sacm-terminology] for terms and | This draft defers to [I-D.ietf-sacm-terminology] for terms and | |||
| definitions. | definitions. | |||
| 3. Architectural Overview | 3. Architectural Overview | |||
| The generic approach proposed herein recognizes the need to obtain | The generic approach proposed herein recognizes the need to obtain | |||
| information from existing state collection mechanisms, and makes | information from existing and future state collection systems, and | |||
| every attempt to respect [RFC7632] and [RFC8248]. At the foundation | makes every attempt to respect [RFC7632] and [RFC8248]. At the | |||
| of any architecture are entities, or components, that need to | foundation of any architecture are entities, or components, that need | |||
| communicate. They communicate by sharing information, where, in a | to communicate. They communicate by sharing information, where, in a | |||
| given flow one or more components are consumers of information and | given flow, one or more components are consumers of information and | |||
| one or more components are providers of information. | one or more components are providers of information. | |||
| +--------------------+ | +--------------------+ | |||
| | Feeds/Repositories | | | Feeds/Repositories | | |||
| | of External Data | | | of External Data | | |||
| +--------------------+ | +--------------------+ | |||
| | | | | |||
| | | | | |||
| *****************************v**************** Enterprise Boundary ************ | *****************************v**************** Enterprise Boundary ************ | |||
| * | * | * | * | |||
| * +--------------+ | +--------------+ * | * +---------------+ | +--------------+ * | |||
| * | Orchestrator | | | Repositories | * | * | Orchestrators | | | Repositories | * | |||
| * +------^-------+ | +----^---------+ * | * +------^--------+ | +----^---------+ * | |||
| * | | | +----------------+ * | * | | | +----------------+ * | |||
| * A | B | C | | Downstream Uses| * | * | | | | Downstream Uses| * | |||
| * | | | | +-----------+ | * | * | | | | +-----------+ | * | |||
| * +------v------------------v----------v------+ | |Evaluations| | * | * +------v------------------v----------v------+ | |Evaluations| | * | |||
| * | Message Transfer System <-------> +-----------+ | * | * | Message Transfer System <-------> +-----------+ | * | |||
| * +----------------------^--------------------+ D | +-----------+ | * | * +----------------------^--------------------+ | +-----------+ | * | |||
| * E | | | Analytics | | * | * | | | Analytics | | * | |||
| * | | +-----------+ | * | * | | +-----------+ | * | |||
| * +-------------v---------+ | +-----------+ | * | * +-------------v------+ | +-----------+ | * | |||
| * | Collection Subsystems | | | Reporting | | * | * | Collection Systems | | | Reporting | | * | |||
| * +-----------------------+ | +-----------+ | * | * +--------------------+ | +-----------+ | * | |||
| * +----------------+ * | * +----------------+ * | |||
| ******************************************************************************* | ******************************************************************************* | |||
| Figure 1: Notional Architecture | Figure 1: Notional Architecture | |||
| As shown in Figure 1, the notional SACM architecture consists of some | As shown in Figure 1, the notional SACM architecture consists of some | |||
| basic SACM Components using a message transfer system to communicate. | basic SACM Components using a message transfer system to communicate. | |||
| While not depicted, the message transfer system is expected to | The message transfer system is expected to maximally align with the | |||
| maximally align with the requirements described in [RFC8248], which | requirements described in [RFC8248], which means that the message | |||
| means that the message transfer system will support brokered (i.e. | transfer system will support brokered (i.e. point-to-point) and | |||
| point-to-point) and proxied data exchange. | proxied data exchange. | |||
| Additionally, component-specific interfaces (i.e. such as A, B, C, D, | ||||
| and E in Figure 1) are expected to be specified logically then bound | ||||
| to one or more specific implementations. This SHOULD be done for | ||||
| each capability related to the given SACM Component. | ||||
| 3.1. SACM Roles | The enterprise boundary is not intended to imply a physical boundary. | |||
| Rather, the enterprise boundary is intended to be inclusive of | ||||
| various cloud environments and vendor-provided services in addition | ||||
| to any physical systems the enterprise operates. | ||||
| This document suggests a variety of players in a cooperative | This document suggests a variety of players in a cooperative | |||
| ecosystem - we call these players SACM Components. SACM Components | ecosystem - we call these players SACM Components. SACM Components | |||
| may be composed of other SACM Components, and each SACM Component | may be composed of other SACM Components, and each SACM Component | |||
| plays one, or more, of several roles relevant to the ecosystem. | plays one, or more, of several roles relevant to the ecosystem. | |||
| Generally each role is either a consumer of information or a provider | Generally each role is either a consumer of information or a provider | |||
| of information. The "Components, Capabilities, Interfaces, and | of information. | |||
| Workflows" section provides more details about SACM Components that | ||||
| play these types of roles. | ||||
| 3.2. Exploring An XMPP-based Solution | ||||
| Figure 2 depicts a slightly more detailed view of the architecture | ||||
| (within the enterprise boundary) - one that fosters the development | ||||
| of a pluggable ecosystem of cooperative tools. Existing collection | ||||
| mechanisms can be brought into this architecture by specifying the | ||||
| interface of the collector and creating the XMPP-Grid Connector | ||||
| binding for that interface. | ||||
| Additionally, while not directly depicted in Figure 2, this | ||||
| architecture does allow point-to-point interfaces. In fact, | ||||
| [I-D.ietf-mile-xmpp-grid] provides brokering capabilities to | ||||
| facilitate such point-to-point data transfers). Additionally, each | ||||
| of the SACM Components depicted in Figure 2 may be a provider, a | ||||
| consumer, or both, depending on the workflow in context. | ||||
| +--------------+ +--------------+ | ||||
| | Orchestrator | | Repositories | | ||||
| +------^-------+ +------^-------+ | ||||
| | | | ||||
| | | | ||||
| +-------v--------------------------v--------+ +-----------------+ | ||||
| | XMPP-Grid+ <-----> Downstream Uses | | ||||
| +------------------------^------------------+ +-----------------+ | ||||
| | | ||||
| | | ||||
| +-------v------+ | ||||
| | XMPP-Grid | | ||||
| | Connector(s) | | ||||
| +------^-------+ | ||||
| | | ||||
| +------v-------+ | ||||
| | Collector(s) | | ||||
| +--------------+ | ||||
| Figure 2: XMPP-based Architecture | ||||
| [I-D.ietf-mile-xmpp-grid] details a number of XMPP extensions (XEPs) | ||||
| that MUST be utilized to meet the needs of [RFC7632] and [RFC8248]: | ||||
| o Service Discovery (XEP-0030): Service Discovery allows XMPP | ||||
| entities to discover information about other XMPP entities. Two | ||||
| kinds of information can be discovered: the identity and | ||||
| capabilities of an entity, such as supported features, and items | ||||
| associated with an entity. | ||||
| o Publish-Subscribe (XEP-0060): The PubSub extension enables | ||||
| entities to create nodes (topics) at a PubSub service and publish | ||||
| information at those nodes. Once published, an event notification | ||||
| is broadcast to all entities that have subscribed to that node. | ||||
| At this point, [I-D.ietf-mile-xmpp-grid] specifies fewer features | ||||
| than SACM requires, and there are other XMPP extensions (XEPs) we | ||||
| need to consider to meet the needs of [RFC7632] and [RFC8248]. In | ||||
| Figure 2 we therefore use "XMPP-Grid+" to indicate something more | ||||
| than [I-D.ietf-mile-xmpp-grid] alone, even though we are not yet | ||||
| fully confident in the exact set of XMPP-related extensions we will | ||||
| require. The authors propose work to extend (or modify) | ||||
| [I-D.ietf-mile-xmpp-grid] to include additional XEPs - possibly the | ||||
| following: | ||||
| o Entity Capabilities (XEP-0115): This extension defines the methods | ||||
| for broadcasting and dynamically discovering an entities' | ||||
| capabilities. This information is transported via standard XMPP | ||||
| presence. Example capabilities that could be discovered could | ||||
| include support for posture attribute collection, support for | ||||
| specific types of posture attribute collection such as EPCP, | ||||
| SWIMA, OVAL, or YANG. Other capabilities are still to be | ||||
| determined. | ||||
| o Ad Hoc Commands (XEP-0050): This extension allows an XMPP entity | ||||
| to advertise and execute application-specific commands. Typically | ||||
| the commands contain data forms (XEP-0004) in order to structure | ||||
| the information exchange. This extension may be usable for simple | ||||
| orchestration (i.e. "do assessment"). | ||||
| o HTTP File Upload (XEP-0363): The HTTP File Upload extension allows | ||||
| for large data sets to be published to a specific path on an HTTP | ||||
| server, and receive a URL from which that file can later be | ||||
| downloaded again. XMPP messages and IQs are meant to be compact, | ||||
| and large data sets, such as collected posture attributes, may | ||||
| exceed a message size threshold. Usage of this XEP allows those | ||||
| larger data sets to be persisted, thus necessitating only the | ||||
| download URL to be passed via XMPP messages. | ||||
| o Personal Eventing Protocol (XEP-0163): The Personal Eventing | ||||
| Protocol can be thought of as a virtual PubSub service, allowing | ||||
| an XMPP account to publish events only to their roster instead of | ||||
| a generic PubSub topic. This XEP may be useful in the cases when | ||||
| collection requests or queries are only intended for a subset of | ||||
| endpoints and not an entire subscriber set. | ||||
| o File Repository and Sharing (XEP-0214): This extension defines a | ||||
| method for XMPP entities to designate a set of file available for | ||||
| retrieval by other users of their choosing, and is based on PubSub | ||||
| Collections. | ||||
| o Easy User Onboarding (XEP-401): The goal of this extension is | ||||
| simplified client registration, and may be useful when adding new | ||||
| endpoints or SACM components to the ecosystem. | ||||
| o Bidirectional-streams Over Synchronous HTTP (BOSH) (XEP-0124): | ||||
| BOSH emulates the semantics of a long-lived, bidirectional TCP | ||||
| connection between two entities (aka "long polling"). Consider a | ||||
| SACM component that is updated dynamically, i.e. an internal | ||||
| vulnerability definition repository ingesting data from a Feed/ | ||||
| Repository of External Data, and a second SACM component such as | ||||
| an Orchestrator. Using BOSH, the Orchestrator can effectively | ||||
| continuously poll the vulnerability definition repository for | ||||
| changes/updates. | ||||
| o PubSub Collection Nodes (XEP-0248): Effectively an extension to | ||||
| XEP-0060 (Publish-Subscribe), PubSub Collections aim to simplify | ||||
| an entities' subscription to multiple related topics, and | ||||
| establishes a "node graph" relating parent nodes to its | ||||
| descendents. An example "node graph" could be rooted in a | ||||
| "vulnerability definitions" topic, and contain descendent topics | ||||
| for OS family-level vulnerability definitions (i.e. Windows), and | ||||
| further for OS family version-level definitions (i.e. Windows 10 | ||||
| or Windows Server 2016). | ||||
| o PubSub Since (XEP-0312): This extension enables a subscriber to | ||||
| automatically receive PubSub and Personal Eventing Protocol (PEP) | ||||
| notifications since its last logout time. This extension may be | ||||
| useful in intermittent connection scenarios, or when entities | ||||
| disconnect and reconnect to the ecosystem. | ||||
| o PubSub Chaining (XEP-0253): This extension describes the | ||||
| federation of publishing nodes, enabling a publish node of one | ||||
| server to be a subscriber to a publishing node of another server. | ||||
| 3.3. Example Architecture using XMPP-Grid and Endpoint Posture | ||||
| Collection Protocol | ||||
| Figure 3 depicts a further detailed view of the architecture | ||||
| including the Endpoint Posture Collection Protocol as the collection | ||||
| subsystem, illustrating the idea of a pluggable ecosystem of | ||||
| cooperative tools. | ||||
| +--------------------+ | ||||
| | Feeds/Repositories | | ||||
| | of External Data | | ||||
| +--------------------+ | ||||
| | | ||||
| ********************v************************* Enterprise Boundary ************ | ||||
| * | * | ||||
| * +--------------+ | +-------------------+ +-------------+ * | ||||
| * | Orchestrator | | | Posture Attr Repo | | Policy Repo | * | ||||
| * +------^-------+ | +---------^---------+ +---^---------+ * | ||||
| * | | | | +----------------+ * | ||||
| * | | | | | Downstream Uses| * | ||||
| * | | | | | +-----------+ | * | ||||
| * +------v---------v-----------v---------------v--+ | |Evaluations| | * | ||||
| * | XMPP-Grid <-------> +-----------+ | * | ||||
| * +----------------^-------------------^----------+ | +-----------+ | * | ||||
| * | | | | Analytics | | * | ||||
| * | | | +-----------+ | * | ||||
| * | +-----v--------+ | +-----------+ | * | ||||
| * | | Results Repo | | | Reporting | | * | ||||
| * | +--------------+ | +-----------+ | * | ||||
| * | +----------------+ * | ||||
| * +---------v-----------+ * | ||||
| * | XMPP-Grid Connector | * | ||||
| * +---------^-----------+ * | ||||
| * | * | ||||
| * +-----------------v-------------------------------------------------------+ * | ||||
| * | | * | ||||
| * | +--Posture Collection Manager------------------------------------------+| * | ||||
| * | |+-----------------------+ +----------------+ +----------------------+ || * | ||||
| * | || Communications Server | | Posture Server | | Posture Validator(s) | || * | ||||
| * | |+----------^------------+ +----------------+ +----------------------+ || * | ||||
| * | +-----------|----------------------------------------------------------+| * | ||||
| * | | | * | ||||
| * | +-----------|-------------------------Endpoint or Endpoint Proxy-------+| * | ||||
| * | |+----------v------------+ +----------------+ +----------------------+ || * | ||||
| * | || Communications Client | | Posture Client | | Posture Collector(s) | || * | ||||
| * | |+-----------------------+ +----------------+ +----------------------+ || * | ||||
| * | +----------------------------------------------------------------------+| * | ||||
| * +-----------------Endpoint Posture Collection Profile---------------------+ * | ||||
| * * | ||||
| ******************************************************************************* | ||||
| Figure 3: XMPP-based Architecture including EPCP | ||||
| 4. Components, Capabilities, Interfaces, and Workflows | ||||
| The SACM Architecture consists of a variety of SACM Components, and | ||||
| named components are intended to embody one or more specific | ||||
| capabilities. Interacting with these capabilities will require at | ||||
| least two levels of interface specification. The first is a logical | ||||
| interface specification, and the second is at least one binding to a | ||||
| specific transfer mechanism. An example transfer mechanism is XMPP- | ||||
| Grid+. | ||||
| The following subsections describe some of the components, | ||||
| capabilities, and interfaces we may expect to see participating in a | ||||
| SACM Domain. | ||||
| 4.1. Components | ||||
| The following is a list of suggested SACM Component classes and | ||||
| specializations. | ||||
| o Repository | ||||
| * Vulnerability Information Repository | ||||
| * Asset Inventory Repository | ||||
| + Software Inventory Repository | ||||
| + Device Inventory Repository | ||||
| * Configuration Policy Repository | ||||
| * Configuration State Repository | ||||
| o Collector | ||||
| * Vulnerability State Collector | ||||
| * Asset Inventory Collector | ||||
| + Software Inventory Collector | ||||
| + Device Inventory Collector | ||||
| * Configuration State Collector | ||||
| o Evaluator | ||||
| * Vulnerability State Evaluator | ||||
| * Asset Inventory Evaluator | ||||
| + Software Inventory Evaluator | ||||
| + Device Inventory Evaluator | ||||
| * Configuration State Evaluator | ||||
| o Orchestrator | ||||
| * Vulnerability Management Orchestrator | ||||
| * Asset Management Orchestrator | ||||
| + Software Inventory Evaluator | ||||
| + Device Inventory Evaluator | ||||
| * Configuration Management Orchestrator | ||||
| 4.2. Capabilities | ||||
| Repositories will have a need for fairly standard CRUD operations and | ||||
| query by attribute operations. Collector interfaces may enable ad | ||||
| hoc assessment (on-demand processing), state item watch actions (i.e. | ||||
| watch a particular item for particular change), persisting other | ||||
| behaviors (i.e. setting some mandatory reporting period). Evaluators | ||||
| may have their own set of interfaces, and an Assessor would represent | ||||
| both Collector and Evaluation interfaces, and may have additional | ||||
| concerns added to an Assessor Interface. | ||||
| Not to be overlooked, whatever solution at which we arrive, per | ||||
| [RFC8248], MUST support capability negotiation. While not explicitly | ||||
| treated here, each interface will understand specific serializations, | ||||
| and other component needs to express those serializations to other | ||||
| components. | ||||
| A capability language is fully explored in mandl-sacm-tool- | ||||
| capability-language (to be submitted). | ||||
| 4.3. Interfaces | ||||
| Interfaces should be derived directly from identified workflows, | ||||
| several of which are described in this document. | ||||
| 4.4. Workflows | 4. Relevant Workflows | |||
| The workflows described in this document should be considered as | This section describes three primary information security domains | |||
| candidate workflows - informational for the purpose of discovering | from which workflows may be derived: IT Asset Management, | |||
| the necessary components and specifying their interfaces. | Vulnerability Management, and Configuration Management. | |||
| 4.4.1. IT Asset Management | 4.1. IT Asset Management | |||
| Information Technology asset management is easier said than done. | Information Technology asset management is easier said than done. | |||
| The [CISCONTROLS] have two controls dealing with IT asset management. | The [CISCONTROLS] have two controls dealing with IT asset management. | |||
| Control 1, Inventory and Control of Hardware Assets, states, | Control 1, Inventory and Control of Hardware Assets, states, | |||
| "Actively manage (inventory, track, and correct) all hardware devices | "Actively manage (inventory, track, and correct) all hardware devices | |||
| on the network so that only authorized devices are given access, and | on the network so that only authorized devices are given access, and | |||
| unauthorized and unmanaged devices are found and prevented from | unauthorized and unmanaged devices are found and prevented from | |||
| gaining access." Control 2, Inventory and Control of Software | gaining access." Control 2, Inventory and Control of Software | |||
| Assets, states, "Actively manage (inventory, track, and correct) all | Assets, states, "Actively manage (inventory, track, and correct) all | |||
| software on the network so that only authorized software is installed | software on the network so that only authorized software is installed | |||
| skipping to change at page 12, line 41 ¶ | skipping to change at page 5, line 41 ¶ | |||
| o Identify and catalog new assets by executing Target Endpoint | o Identify and catalog new assets by executing Target Endpoint | |||
| Discovery Tasks | Discovery Tasks | |||
| o Provide information about its managed assets, including uniquely | o Provide information about its managed assets, including uniquely | |||
| identifying information (for that enterprise) | identifying information (for that enterprise) | |||
| o Handle software and/or hardware (including virtual assets) | o Handle software and/or hardware (including virtual assets) | |||
| o Represent cloud hybrid environments | o Represent cloud hybrid environments | |||
| 4.4.2. Vulnerability Management | 4.2. Vulnerability Management | |||
| Vulnerability management is a relatively established process. | Vulnerability management is a relatively established process. To | |||
| According to the [CISCONTROLS], continuous vulnerability management | paraphrase the [CISCONTROLS], continuous vulnerability management is | |||
| the act of continuously acquiring, assessing, and taking subsequent | the act of continuously acquiring, assessing, and taking subsequent | |||
| action on new information in order to identify and remediate | action on new information in order to identify and remediate | |||
| vulnerabilities, therefore minimizing the window of opportunity for | vulnerabilities, therefore minimizing the window of opportunity for | |||
| attackers. | attackers. | |||
| 4.4.2.1. Vulnerability Assessment Workflow Assumptions | ||||
| A number of assumptions must be stated to clarify the scope of a | ||||
| vulnerability assessment workflow: | ||||
| o The enterprise has received vulnerability description information, | ||||
| and that the information has already been processed into | ||||
| vulnerability detection data that the enterprise's security | ||||
| software tools can understand and use. | ||||
| o The enterprise has a suitable IT Asset Management capability | ||||
| o The enterprise has a means of extracting relevant information | ||||
| about enterprise endpoints in a form that is compatible with the | ||||
| vulnerability description data (appropriate Collectors for their | ||||
| technologies) | ||||
| o All information described in this scenario is available in the | ||||
| vulnerability description data and serves as the basis of | ||||
| assessments. | ||||
| o The enterprise can provide all relevant information about any | ||||
| endpoint needed to perform the described assessment (the | ||||
| appropriate Repositories are available) | ||||
| o The enterprise has a mechanism for long-term storage of | ||||
| vulnerability description information, vulnerability detection | ||||
| data, and vulnerability assessment results. | ||||
| o The enterprise has a procedure for reassessment of endpoints at | ||||
| some point after initial assessment | ||||
| 4.4.2.2. Vulnerability Assessment Workflow | ||||
| When new vulnerability description information is received by the | ||||
| enterprise, affected endpoints are identified and assessed. The | ||||
| vulnerability is said to apply to an endpoint if the endpoint | ||||
| satisfies the conditions expressed in the vulnerability detection | ||||
| data. | ||||
| A vulnerability assessment (i.e. vulnerability detection) is | A vulnerability assessment (i.e. vulnerability detection) is | |||
| performed in two steps: | performed in two steps: | |||
| o Endpoint information collected by the endpoint management | o Endpoint information collected by the endpoint management | |||
| capabilities is examined by the vulnerability management | capabilities is examined by the vulnerability management | |||
| capabilities through Evaluation Tasks. | capabilities through Evaluation Tasks. | |||
| o If the data possessed by the endpoint management capabilities is | o If the data possessed by the endpoint management capabilities is | |||
| insufficient, a Collection Task is triggered and the necessary | insufficient, a Collection Task is triggered and the necessary | |||
| data is collected from the target endpoint. | data is collected from the target endpoint. | |||
| skipping to change at page 14, line 20 ¶ | skipping to change at page 6, line 24 ¶ | |||
| endpoint information depending on the nature of a specific | endpoint information depending on the nature of a specific | |||
| vulnerability. Common endpoint information used to detect a | vulnerability. Common endpoint information used to detect a | |||
| vulnerability includes: | vulnerability includes: | |||
| o A specific software version is installed on the endpoint | o A specific software version is installed on the endpoint | |||
| o File system attributes | o File system attributes | |||
| o Specific state attributes | o Specific state attributes | |||
| In many cases, the endpoint information needed to determine an | In some cases, the endpoint information needed to determine an | |||
| endpoint's vulnerability status will have been previously collected | endpoint's vulnerability status will have been previously collected | |||
| by the endpoint management capabilities and available in a | by the endpoint management capabilities and available in a | |||
| Repository. However, in other cases, the necessary endpoint | Repository. However, in other cases, the necessary endpoint | |||
| information will not be readily available in a Repository and a | information will not be readily available in a Repository and a | |||
| Collection Task will be triggered to collect it from the target | Collection Task will be triggered to perform collection from the | |||
| endpoint. Of course, some implementations of endpoint management | target endpoint. Of course, some implementations of endpoint | |||
| capabilities may prefer to enable operators to perform this | management capabilities may prefer to enable operators to perform | |||
| collection under certain circumstances, even when sufficient | this collection even when sufficient information can be provided by | |||
| information can be provided by the endpoint management capabilities | the endpoint management capabilities (e.g. there may be freshness | |||
| (e.g. there may be freshness requirements for information). | requirements for information). | |||
| The collection of additional endpoint information for the purpose of | ||||
| vulnerability assessment does not necessarily need to be a pull by | ||||
| the vulnerability assessment capabilities. Over time, some new | ||||
| pieces of information that are needed during common types of | ||||
| assessments might be identified. Endpoint management capabilities | ||||
| can be reconfigured to have this information delivered automatically. | ||||
| This avoids the need to trigger additional Collection Tasks to gather | ||||
| this information during assessments, streamlining the assessment | ||||
| process. Likewise, it might be observed that certain information | ||||
| delivered by endpoint management capabilities is rarely used. In | ||||
| this case, it might be useful to re-configure the endpoint management | ||||
| capabilities to no longer collect this information to reduce network | ||||
| and processing overhead. Instead, a new Collection Task can be | ||||
| triggered to gather this data on the rare occasions when it is | ||||
| needed. | ||||
| 4.4.3. Configuration Management | 4.3. Configuration Management | |||
| Configuration management involves configuration assessment, which | Configuration management involves configuration assessment, which | |||
| requires state assessment (TODO: Tie to SACM use cases). The | requires state assessment. The [CISCONTROLS] specify two high-level | |||
| [CISCONTROLS] specify two high-level controls concerning | controls concerning configuration management (Control 5 for non- | |||
| configuration management (Control 5 for non-network devices and | network devices and Control 11 for network devices). As an aside, | |||
| Control 11 for network devices). As an aside, these controls are | these controls are listed separately because many enterprises have | |||
| listed separately because many enterprises have different | different organizations for managing network infrastructure and | |||
| organizations for managing network infrastructure and workload | workload endpoints. Merging the two controls results in the | |||
| endpoints. Merging the two controls results in a requirement to: | following paraphrasing: Establish, implement, and actively manage | |||
| "Establish, implement, and actively manage (track, report on, | (track, report on, correct) the security configuration of systems | |||
| correct) the security configuration of (endpoints) using a rigorous | using a rigorous configuration management and change control process | |||
| configuration management and change control process in order to | in order to prevent attackers from exploiting vulnerable services and | |||
| prevent attackers from exploiting vulnerable services and settings." | settings. | |||
| Typically, an enterprise will use configuration guidance from a | Typically, an enterprise will use configuration guidance from a | |||
| reputable source, and from time to time they may tailor the guidance | reputable source, and from time to time they may tailor the guidance | |||
| from that source prior to adopting it as part of their enterprise | from that source prior to adopting it as part of their enterprise | |||
| standard. The enterprise standard is then provided to the | standard. The enterprise standard is then provided to the | |||
| appropriate configuration assessment tools and they assess endpoints | appropriate configuration assessment tools and they assess endpoints | |||
| and/or appropriate endpoint information. A preferred flow follows: | and/or appropriate endpoint information. | |||
| A preferred flow follows: | ||||
| o Reputable source publishes new or updated configuration guidance | o Reputable source publishes new or updated configuration guidance | |||
| o Enterprise configuration assessment capability retrieves | o Enterprise configuration assessment capability retrieves | |||
| configuration guidance from reputable source | configuration guidance from reputable source | |||
| o Optional: Configuration guidance is tailored for enterprise- | o Optional: Configuration guidance is tailored for enterprise- | |||
| specific needs | specific needs | |||
| o Configuration assessment tool queries asset inventory repository | o Configuration assessment tool queries asset inventory repository | |||
| skipping to change at page 15, line 42 ¶ | skipping to change at page 7, line 32 ¶ | |||
| o Configuration assessment tool queries configuration state | o Configuration assessment tool queries configuration state | |||
| repository to evaluate compliance | repository to evaluate compliance | |||
| o If information is stale or unavailable, configuration assessment | o If information is stale or unavailable, configuration assessment | |||
| tool triggers an ad hoc assessment | tool triggers an ad hoc assessment | |||
| The SACM architecture needs to support varying deployment models to | The SACM architecture needs to support varying deployment models to | |||
| accommodate the current state of the industry, but should strongly | accommodate the current state of the industry, but should strongly | |||
| encourage event-driven approaches to monitoring configuration. | encourage event-driven approaches to monitoring configuration. | |||
| 5. Privacy Considerations | 5. Configuration Management Components, Interactions, and Capabilities | |||
| This section provides more detail about the components, interactions, | ||||
| and capabilities required when considering the aforementioned | ||||
| configuration management workflow. | ||||
| 5.1. Components | ||||
| The following is a minimal list of SACM Components required to | ||||
| implement the aforementioned configuration assessment workflow. | ||||
| o Configuration Policy Feed: An external source of authoritative | ||||
| configuration recommendations. | ||||
| o Configuration Policy Repository: An internal repository of | ||||
| enterprise standard configurations. | ||||
| o Configuration Assessment Orchestrator: A component responsible for | ||||
| orchestrating assessments. | ||||
| o Posture Attribute Collection Subsystem: A component responsible | ||||
| for collection of posture attributes from systems. | ||||
| o Posture Attribute Repository: A component used for storing system | ||||
| posture attribute values. | ||||
| o Configuration Assessment Evaluator: A component responsible for | ||||
| evaluating system posture attribute values against expected | ||||
| posture attribute values. | ||||
| o Configuration Assessment Results Repository: A component used for | ||||
| storing evaluation results. | ||||
| 5.2. Interactions | ||||
| SACM Components are intended to interact with other SACM Components. | ||||
| These interactions can be thought of, at the level of this | ||||
| architectural approach, as the combination of interfaces with their | ||||
| supported operations. | ||||
| o Store: One component stores information in another. | ||||
| o Ask: A component requests information from another. | ||||
| o Notify/Ask: A component notifies another component, which then | ||||
| asks the notifying component (or another component) for | ||||
| information. | ||||
| o Publish/Subscribe: A component publishes information to a | ||||
| messaging system and a set of other components, subscribed to that | ||||
| information type, receive the published information. | ||||
| o Tell: A component instructs another. | ||||
| TODO: Consider breaking out Notify, Publish, and Subscribe into | ||||
| separate line items, and adding Error (a type of Notify). Then | ||||
| consider explaining the necessary combinations relevant to the | ||||
| configuration assessment workflow below. | ||||
| Each interaction will convey a payload of information. The payload | ||||
| information is expected to contain sub-domain-specific | ||||
| characteristics and instructions. | ||||
| 5.3. Capabilities | ||||
| Per [RFC8248], solutions MUST support capability negotiation. | ||||
| Components implementing specific interfaces and operations (i.e. | ||||
| interactions) will need a method of describing their capabilities to | ||||
| other components participating in the ecosystem; for example, "As a | ||||
| component in the ecosystem, I can assess the configuration of | ||||
| Windows, MacOS, and AWS using OVAL". | ||||
| 6. Configuration Assessment Workflow | ||||
| This section describes the components and interactions in a basic | ||||
| configuration assessment workflow. For simplicity, error conditions | ||||
| are recognized as being necessary and are not depicted. When one | ||||
| component messages another component, the message is expected to be | ||||
| handled appropriately unless there is an error condition, or other | ||||
| notification, messaged in return. | ||||
| +-------------+ | ||||
| | Policy Feed | | ||||
| +-----+-------+ | ||||
| | 5.1 | ||||
| 1 | +----------------------------------------+ | ||||
| | | | | ||||
| +-----v------+ 2 +----------------+ 5 +-----v-----+ 6 +------------+ | ||||
| | Policy +------> Orchestrator +-----> Evaluator +------> Evaluation | | ||||
| | Repository | +-------+--------+ +-----^-----+ | Results | | ||||
| +------------+ | | | Repository | | ||||
| | 3 | +------------+ | ||||
| | | 5.2 | ||||
| +----------|--------+ | | ||||
| | +--------v------+ | | | ||||
| | | Collector | | | | ||||
| | +-------+-------+ | 4 +------------+ | ||||
| | | +-------> Posture | | ||||
| | +-------+-------+ | | Attribute | | ||||
| | | Target System | | | Repository | | ||||
| | +---------------+ | +------------+ | ||||
| +-------------------+ | ||||
| Collection Sub-Architecture | ||||
| Figure 2: Configuration Assessment Component Interactions | ||||
| Figure 2 depicts configuration assessment components and their | ||||
| interactions, which are further described below. | ||||
| 1. Policy is stored in the Policy Repository: TODO - add specific | ||||
| interaction options here. | ||||
| 2. The Orchestrator obtains collection information from the Policy | ||||
| Repository: TODO - add specific interaction options here. | ||||
| 3. The Orchestrator initiates collection to be performed by the | ||||
| Collection Sub-Architecture: TODO - add specific interaction | ||||
| options here. | ||||
| 4. Collected posture attributes are stored n the Posture Attribute | ||||
| Repository: TODO - add specific interaction options here. | ||||
| 5. The Orchestrator initiates the Evaluator (optionally with | ||||
| evaluation information gathered from the Policy Repository): TODO | ||||
| - add specific interaction options here | ||||
| 1. The Evaluator obtains evaluation information from the Policy | ||||
| Repository (optionally): TODO - add specific interaction | ||||
| options here | ||||
| 2. The Evaluator obtains relevant posture attributes from the | ||||
| Posture Attribute Repository: TODO - add specific interaction | ||||
| options here | ||||
| 6. Evaluation results are stored in the Evaluation Results | ||||
| Repository: TODO - add specific interaction options here | ||||
| In the above flow, the payload information is expected to convey the | ||||
| context required by the receiving component for the action being | ||||
| taken under different circumstances. For example, the Tell message | ||||
| sent from an Orchestrator to a Collection sub-architecture might be | ||||
| telling that Collector to watch a specific posture attribute and | ||||
| report only specific detected changes to the Posture Attribute | ||||
| Repository, or it might be telling the Collector to gather that | ||||
| posture attribute immediately. Such details are expected to be | ||||
| handled as part of that payload, not as part of the architecture | ||||
| described herein. | ||||
| 7. Privacy Considerations | ||||
| TODO | TODO | |||
| 6. Security Considerations | 8. Security Considerations | |||
| TODO | TODO | |||
| 7. IANA Considerations | 9. IANA Considerations | |||
| TODO: Revamp this section after the configuration assessment workflow | ||||
| is fleshed out. | ||||
| IANA tables can probably be used to make life a little easier. We | IANA tables can probably be used to make life a little easier. We | |||
| would like a place to enumerate: | would like a place to enumerate: | |||
| o Capability/operation semantics | o Capability/operation semantics | |||
| o SACM Component implementation identifiers | o SACM Component implementation identifiers | |||
| o SACM Component versions | o SACM Component versions | |||
| o Associations of SACM Components (and versions) to specific | o Associations of SACM Components (and versions) to specific | |||
| Capabilities | Capabilities | |||
| 8. References | o Collection sub-architecture Identification | |||
| 8.1. Normative References | 10. References | |||
| [I-D.ietf-mile-xmpp-grid] | 10.1. Normative References | |||
| Cam-Winget, N., Appala, S., Pope, S., and P. Saint-Andre, | ||||
| "Using XMPP for Security Information Exchange", draft- | ||||
| ietf-mile-xmpp-grid-09 (work in progress), December 2018. | ||||
| [I-D.ietf-sacm-ecp] | [I-D.ietf-sacm-ecp] | |||
| Haynes, D., Fitzgerald-McKay, J., and L. Lorenzin, | Haynes, D., Fitzgerald-McKay, J., and L. Lorenzin, | |||
| "Endpoint Posture Collection Profile", draft-ietf-sacm- | "Endpoint Posture Collection Profile", draft-ietf-sacm- | |||
| ecp-04 (work in progress), February 2019. | ecp-05 (work in progress), June 2019. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8412] Schmidt, C., Haynes, D., Coffin, C., Waltermire, D., and | [RFC8412] Schmidt, C., Haynes, D., Coffin, C., Waltermire, D., and | |||
| J. Fitzgerald-McKay, "Software Inventory Message and | J. Fitzgerald-McKay, "Software Inventory Message and | |||
| Attributes (SWIMA) for PA-TNC", RFC 8412, | Attributes (SWIMA) for PA-TNC", RFC 8412, | |||
| DOI 10.17487/RFC8412, July 2018, | DOI 10.17487/RFC8412, July 2018, | |||
| <https://www.rfc-editor.org/info/rfc8412>. | <https://www.rfc-editor.org/info/rfc8412>. | |||
| 8.2. Informative References | [RFC8600] Cam-Winget, N., Ed., Appala, S., Pope, S., and P. Saint- | |||
| Andre, "Using Extensible Messaging and Presence Protocol | ||||
| (XMPP) for Security Information Exchange", RFC 8600, | ||||
| DOI 10.17487/RFC8600, June 2019, | ||||
| <https://www.rfc-editor.org/info/rfc8600>. | ||||
| 10.2. Informative References | ||||
| [CISCONTROLS] | [CISCONTROLS] | |||
| "CIS Controls v7.0", n.d., | "CIS Controls v7.0", n.d., | |||
| <https://www.cisecurity.org/controls>. | <https://www.cisecurity.org/controls>. | |||
| [draft-birkholz-sacm-yang-content] | [draft-birkholz-sacm-yang-content] | |||
| Birkholz, H. and N. Cam-Winget, "YANG subscribed | Birkholz, H. and N. Cam-Winget, "YANG subscribed | |||
| notifications via SACM Statements", n.d., | notifications via SACM Statements", n.d., | |||
| <https://tools.ietf.org/html/ | <https://tools.ietf.org/html/ | |||
| draft-birkholz-sacm-yang-content-01>. | draft-birkholz-sacm-yang-content-01>. | |||
| skipping to change at page 17, line 22 ¶ | skipping to change at page 12, line 16 ¶ | |||
| n.d., <https://www.github.com/sacmwg/vulnerability- | n.d., <https://www.github.com/sacmwg/vulnerability- | |||
| scenario/ietf-hackathon>. | scenario/ietf-hackathon>. | |||
| [HACK101] "IETF 101 Hackathon - Configuration Assessment XMPP", | [HACK101] "IETF 101 Hackathon - Configuration Assessment XMPP", | |||
| n.d., <https://www.github.com/CISecurity/Integration>. | n.d., <https://www.github.com/CISecurity/Integration>. | |||
| [HACK102] "IETF 102 Hackathon - YANG Collection on Traditional | [HACK102] "IETF 102 Hackathon - YANG Collection on Traditional | |||
| Endpoints", n.d., | Endpoints", n.d., | |||
| <https://www.github.com/CISecurity/YANG>. | <https://www.github.com/CISecurity/YANG>. | |||
| [HACK103] "IETF 103 Hackathon - N/A", n.d., | ||||
| <https://www.ietf.org/how/meetings/103/>. | ||||
| [HACK104] "IETF 104 Hackathon - A simple XMPP client", n.d., | ||||
| <https://github.com/CISecurity/IETF104-Client>. | ||||
| [HACK105] "IETF 105 Hackathon - A more robust XMPP client including | ||||
| collection extensions", n.d., | ||||
| <https://github.com/CISecurity/IETF104-Client>. | ||||
| [HACK99] "IETF 99 Hackathon - Vulnerability Scenario EPCP", n.d., | [HACK99] "IETF 99 Hackathon - Vulnerability Scenario EPCP", n.d., | |||
| <https://www.github.com/sacmwg/vulnerability-scenario/ | <https://www.github.com/sacmwg/vulnerability-scenario/ | |||
| ietf-hackathon>. | ietf-hackathon>. | |||
| [I-D.ietf-sacm-terminology] | [I-D.ietf-sacm-terminology] | |||
| Birkholz, H., Lu, J., Strassner, J., Cam-Winget, N., and | Birkholz, H., Lu, J., Strassner, J., Cam-Winget, N., and | |||
| A. Montville, "Security Automation and Continuous | A. Montville, "Security Automation and Continuous | |||
| Monitoring (SACM) Terminology", draft-ietf-sacm- | Monitoring (SACM) Terminology", draft-ietf-sacm- | |||
| terminology-16 (work in progress), December 2018. | terminology-16 (work in progress), December 2018. | |||
| skipping to change at page 18, line 24 ¶ | skipping to change at page 13, line 24 ¶ | |||
| [RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource- | [RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource- | |||
| Oriented Lightweight Information Exchange (ROLIE)", | Oriented Lightweight Information Exchange (ROLIE)", | |||
| RFC 8322, DOI 10.17487/RFC8322, February 2018, | RFC 8322, DOI 10.17487/RFC8322, February 2018, | |||
| <https://www.rfc-editor.org/info/rfc8322>. | <https://www.rfc-editor.org/info/rfc8322>. | |||
| [XMPPEXT] "XMPP Extensions", n.d., <https://xmpp.org/extensions/>. | [XMPPEXT] "XMPP Extensions", n.d., <https://xmpp.org/extensions/>. | |||
| Appendix A. Mapping to RFC8248 | Appendix A. Mapping to RFC8248 | |||
| TODO: Consider removing or placing in a separate solution draft. | ||||
| This section provides a mapping of XMPP and XMPP Extensions to the | This section provides a mapping of XMPP and XMPP Extensions to the | |||
| relevant requirements from [RFC8248]. In the table below, the ID and | relevant requirements from [RFC8248]. In the table below, the ID and | |||
| Name columns provide the ID and Name of the requirement directly out | Name columns provide the ID and Name of the requirement directly out | |||
| of [RFC8248]. The Supported By column may contain one of several | of [RFC8248]. The Supported By column may contain one of several | |||
| values: | values: | |||
| o N/A: The requirement is not applicable to this architectural | o N/A: The requirement is not applicable to this architectural | |||
| exploration | exploration | |||
| o Architecture: This architecture (possibly assuming some | o Architecture: This architecture (possibly assuming some | |||
| skipping to change at page 21, line 36 ¶ | skipping to change at page 16, line 37 ¶ | |||
| | | | | | | | | | | |||
| | T-005 | Transfer Reliability | | | | T-005 | Transfer Reliability | | | |||
| | | | | | | | | | | |||
| | T-006 | Transfer-Layer Requirements | | | | T-006 | Transfer-Layer Requirements | | | |||
| | | | | | | | | | | |||
| | T-007 | Transfer Protocol Adoption | Architecture | | | T-007 | Transfer Protocol Adoption | Architecture | | |||
| +----------+----------------------------------------+---------------+ | +----------+----------------------------------------+---------------+ | |||
| Appendix B. Example Components | Appendix B. Example Components | |||
| TODO: Consider removing. | ||||
| B.1. Policy Services | B.1. Policy Services | |||
| Consider a policy server conforming to [RFC8322]. [RFC8322] | Consider a policy server conforming to [RFC8322]. [RFC8322] | |||
| describes a RESTful way based on the ATOM Publishing Protocol | describes a RESTful way based on the ATOM Publishing Protocol | |||
| ([RFC5023]) to find specific data collections. While this represents | ([RFC5023]) to find specific data collections. While this represents | |||
| a specific binding (i.e. RESTful API based on [RFC5023]), there is a | a specific binding (i.e. RESTful API based on [RFC5023]), there is a | |||
| more abstract way to look at ROLIE. | more abstract way to look at ROLIE. | |||
| ROLIE provides notional workspaces and collections, and provides the | ROLIE provides notional workspaces and collections, and provides the | |||
| concept of information categories and links. Strictly speaking, | concept of information categories and links. Strictly speaking, | |||
| skipping to change at page 22, line 40 ¶ | skipping to change at page 17, line 43 ¶ | |||
| Evaluator Repository | | | | | | | Evaluator Repository | | | | | | | |||
| +------+ +--------+ | +-----------+ |<-------| +-----------+ | | +------+ +--------+ | +-----------+ |<-------| +-----------+ | | |||
| | | | | | | Posture | | report | | Posture | | | | | | | | | Posture | | report | | Posture | | | |||
| | | | | | | Collection| | | | Collection| | | | | | | | | Collection| | | | Collection| | | |||
| | |<-----> | |<-----| | Manager | | query | | Engine | | | | |<-----> | |<-----| | Manager | | query | | Engine | | | |||
| | |request/| | store| +-----------+ |------->| +-----------+ | | | |request/| | store| +-----------+ |------->| +-----------+ | | |||
| | |respond | | | | | | | | |respond | | | | | | | |||
| | | | | | | | | | | | | | | | | | | |||
| +------+ +--------+ +---------------+ +---------------+ | +------+ +--------+ +---------------+ +---------------+ | |||
| Figure 4: EPCP Collection Architecture | Figure 3: EPCP Collection Architecture | |||
| In Figure 4, any of the communications between the Posture Manager | In Figure 3, any of the communications between the Posture Manager | |||
| and EPCP components to its left could be performed directly or | and EPCP components to its left could be performed directly or | |||
| indirectly using a given message transfer mechanism. For example, | indirectly using a given message transfer mechanism. For example, | |||
| the pub/sub interface between the Orchestrator and the Posture | the pub/sub interface between the Orchestrator and the Posture | |||
| Manager could be using a proprietary method or using | Manager could be using a proprietary method or using [RFC8600] or | |||
| [I-D.ietf-mile-xmpp-grid] or some other pub/sub mechanism. | some other pub/sub mechanism. Similarly, the store connection from | |||
| Similarly, the store connection from the Posture Manager to the | the Posture Manager to the Repository could be performed internally | |||
| Repository could be performed internally to a given implementation, | to a given implementation, via a RESTful API invocation over HTTPS, | |||
| via a RESTful API invocation over HTTPS, or even over a pub/sub | or even over a pub/sub mechanism. | |||
| mechanism. | ||||
| Our assertion is that the Evaluator, Repository, Orchestrator, and | Our assertion is that the Evaluator, Repository, Orchestrator, and | |||
| Posture Manager all have the potential to represent SACM Components | Posture Manager all have the potential to represent SACM Components | |||
| with specific capability interfaces that can be logically specified, | with specific capability interfaces that can be logically specified, | |||
| then bound to one or more specific transfer mechanisms (i.e. RESTful | then bound to one or more specific transfer mechanisms (i.e. RESTful | |||
| API, [RFC8322], [I-D.ietf-mile-xmpp-grid], and so on). | API, [RFC8322], [RFC8600], and so on). | |||
| B.3. Datastream Collection | B.3. Datastream Collection | |||
| [NIST800126], also known as SCAP 1.3, provides the technical | [NIST800126], also known as SCAP 1.3, provides the technical | |||
| specifications for a "datastream collection". The specification | specifications for a "datastream collection". The specification | |||
| describes the "datastream collection" as being "composed of SCAP data | describes the "datastream collection" as being "composed of SCAP data | |||
| streams and SCAP source components". A "datastream" provides an | streams and SCAP source components". A "datastream" provides an | |||
| encapsulation of the SCAP source components required to, for example, | encapsulation of the SCAP source components required to, for example, | |||
| perform configuration assessment on a given endpoint. These source | perform configuration assessment on a given endpoint. These source | |||
| components include XCCDF checklists, OVAL Definitions, and CPE | components include XCCDF checklists, OVAL Definitions, and CPE | |||
| skipping to change at page 24, line 5 ¶ | skipping to change at page 19, line 8 ¶ | |||
| incorporating a YANG Push client function and an XMPP-grid publisher | incorporating a YANG Push client function and an XMPP-grid publisher | |||
| function. [draft-birkholz-sacm-yang-content] further states "the | function. [draft-birkholz-sacm-yang-content] further states "the | |||
| output of the YANG Push client function is encapsulated in a SACM | output of the YANG Push client function is encapsulated in a SACM | |||
| Content Element envelope, which is again encapsulated in a SACM | Content Element envelope, which is again encapsulated in a SACM | |||
| statement envelope" which are published, essentially, via an XMPP- | statement envelope" which are published, essentially, via an XMPP- | |||
| Grid Connector for SACM Components also part of the XMPP-Grid. | Grid Connector for SACM Components also part of the XMPP-Grid. | |||
| This is a specific example of an existing collection mechanism being | This is a specific example of an existing collection mechanism being | |||
| adapted to the XMPP-Grid message transfer system. | adapted to the XMPP-Grid message transfer system. | |||
| Appendix C. Exploring An XMPP-based Solution | ||||
| TODO: Consider removing or placing in a separate draft. | ||||
| Ongoing work has been taking place around and during IETF hackathons. | ||||
| The list of hackathon efforts follows: | ||||
| o [HACK99]: A partial implementation of a vulnerability assessment | ||||
| scenario involving an [I-D.ietf-sacm-ecp] implementation, a | ||||
| [RFC8322] implementation, and a proprietary evaluator to pull the | ||||
| pieces together. | ||||
| o [HACK100]: Work to combine the vulnerability assessment scenario | ||||
| from [HACK99] with an XMPP-based YANG push model. | ||||
| o [HACK101]: A fully automated configuration assessment | ||||
| implementation using XMPP (specifically Publish/Subscribe | ||||
| capabilities) as a communication mechanism. | ||||
| o [HACK102]: An exploration of how we might model assessment, | ||||
| collection, and evaluation abstractly, and then rely on YANG | ||||
| expressions for the attributes of traditional endpoints. | ||||
| o [HACK103]: No SACM participation at the Bangkok hackathon. | ||||
| o [HACK104]: Basic XMPP-to-Concise MAP - Created an XMPP adapter | ||||
| that can accept basic posture attributes and translate them to | ||||
| Concise MAP. This hackathon only proved the concept that system | ||||
| characteristics information can be transported via XMPP and | ||||
| translated to a (very basic) concise MAP implementation. | ||||
| o [HACK105]: Advanced XMPP-to-Concise MAP: Full orchestration of | ||||
| collection capabilities using XMPP. Collector implementations | ||||
| extend the core XMPP structure to allow OVAL collection | ||||
| instructions (OVAL objects) to inform posture attribute | ||||
| collection. Collected system characteristics can be provided to | ||||
| the Concise MAP XMPP adapter using all 3 available XMPP | ||||
| capabilities: Publish/Subscribe, Information Query (iq - request/ | ||||
| response) stanzas, or direct Message stanzas. CDDL was created to | ||||
| map collected posture attributes to Concise MAP structure. The | ||||
| XMPP adapter translates the incoming system characteristics and | ||||
| stores the information in the MAP. | ||||
| Figure 4 depicts a slightly more detailed view of the architecture | ||||
| (within the enterprise boundary) - one that fosters the development | ||||
| of a pluggable ecosystem of cooperative tools. Existing collection | ||||
| mechanisms can be brought into this architecture by specifying the | ||||
| interface of the collector and creating the XMPP-Grid Connector | ||||
| binding for that interface. | ||||
| Additionally, while not directly depicted in Figure 4, this | ||||
| architecture does allow point-to-point interfaces. In fact, | ||||
| [RFC8600] provides brokering capabilities to facilitate such point- | ||||
| to-point data transfers). Additionally, each of the SACM Components | ||||
| depicted in Figure 4 may be a provider, a consumer, or both, | ||||
| depending on the workflow in context. | ||||
| +--------------+ +--------------+ | ||||
| | Orchestrator | | Repositories | | ||||
| +------^-------+ +------^-------+ | ||||
| | | | ||||
| | | | ||||
| +-------v--------------------------v--------+ +-----------------+ | ||||
| | XMPP-Grid+ <-----> Downstream Uses | | ||||
| +------------------------^------------------+ +-----------------+ | ||||
| | | ||||
| | | ||||
| +-------v------+ | ||||
| | XMPP-Grid | | ||||
| | Connector(s) | | ||||
| +------^-------+ | ||||
| | | ||||
| +------v-------+ | ||||
| | Collector(s) | | ||||
| +--------------+ | ||||
| Figure 4: XMPP-based Architecture | ||||
| [RFC8600] details a number of XMPP extensions (XEPs) that MUST be | ||||
| utilized to meet the needs of [RFC7632] and [RFC8248]: | ||||
| o Service Discovery (XEP-0030): Service Discovery allows XMPP | ||||
| entities to discover information about other XMPP entities. Two | ||||
| kinds of information can be discovered: the identity and | ||||
| capabilities of an entity, such as supported features, and items | ||||
| associated with an entity. | ||||
| o Publish-Subscribe (XEP-0060): The PubSub extension enables | ||||
| entities to create nodes (topics) at a PubSub service and publish | ||||
| information at those nodes. Once published, an event notification | ||||
| is broadcast to all entities that have subscribed to that node. | ||||
| At this point, [RFC8600] specifies fewer features than SACM requires, | ||||
| and there are other XMPP extensions (XEPs) we need to consider to | ||||
| meet the needs of [RFC7632] and [RFC8248]. In Figure 4 we therefore | ||||
| use "XMPP-Grid+" to indicate something more than [RFC8600] alone, | ||||
| even though we are not yet fully confident in the exact set of XMPP- | ||||
| related extensions we will require. The authors propose work to | ||||
| extend (or modify) [RFC8600] to include additional XEPs - possibly | ||||
| the following: | ||||
| o Entity Capabilities (XEP-0115): This extension defines the methods | ||||
| for broadcasting and dynamically discovering an entities' | ||||
| capabilities. This information is transported via standard XMPP | ||||
| presence. Example capabilities that could be discovered could | ||||
| include support for posture attribute collection, support for | ||||
| specific types of posture attribute collection such as EPCP, | ||||
| SWIMA, OVAL, or YANG. Other capabilities are still to be | ||||
| determined. | ||||
| o Ad Hoc Commands (XEP-0050): This extension allows an XMPP entity | ||||
| to advertise and execute application-specific commands. Typically | ||||
| the commands contain data forms (XEP-0004) in order to structure | ||||
| the information exchange. This extension may be usable for simple | ||||
| orchestration (i.e. "do assessment"). | ||||
| o HTTP File Upload (XEP-0363): The HTTP File Upload extension allows | ||||
| for large data sets to be published to a specific path on an HTTP | ||||
| server, and receive a URL from which that file can later be | ||||
| downloaded again. XMPP messages and IQs are meant to be compact, | ||||
| and large data sets, such as collected posture attributes, may | ||||
| exceed a message size threshold. Usage of this XEP allows those | ||||
| larger data sets to be persisted, thus necessitating only the | ||||
| download URL to be passed via XMPP messages. | ||||
| o Personal Eventing Protocol (XEP-0163): The Personal Eventing | ||||
| Protocol can be thought of as a virtual PubSub service, allowing | ||||
| an XMPP account to publish events only to their roster instead of | ||||
| a generic PubSub topic. This XEP may be useful in the cases when | ||||
| collection requests or queries are only intended for a subset of | ||||
| endpoints and not an entire subscriber set. | ||||
| o File Repository and Sharing (XEP-0214): This extension defines a | ||||
| method for XMPP entities to designate a set of file available for | ||||
| retrieval by other users of their choosing, and is based on PubSub | ||||
| Collections. | ||||
| o Easy User Onboarding (XEP-401): The goal of this extension is | ||||
| simplified client registration, and may be useful when adding new | ||||
| endpoints or SACM components to the ecosystem. | ||||
| o Bidirectional-streams Over Synchronous HTTP (BOSH) (XEP-0124): | ||||
| BOSH emulates the semantics of a long-lived, bidirectional TCP | ||||
| connection between two entities (aka "long polling"). Consider a | ||||
| SACM component that is updated dynamically, i.e. an internal | ||||
| vulnerability definition repository ingesting data from a Feed/ | ||||
| Repository of External Data, and a second SACM component such as | ||||
| an Orchestrator. Using BOSH, the Orchestrator can effectively | ||||
| continuously poll the vulnerability definition repository for | ||||
| changes/updates. | ||||
| o PubSub Collection Nodes (XEP-0248): Effectively an extension to | ||||
| XEP-0060 (Publish-Subscribe), PubSub Collections aim to simplify | ||||
| an entities' subscription to multiple related topics, and | ||||
| establishes a "node graph" relating parent nodes to its | ||||
| descendents. An example "node graph" could be rooted in a | ||||
| "vulnerability definitions" topic, and contain descendent topics | ||||
| for OS family-level vulnerability definitions (i.e. Windows), and | ||||
| further for OS family version-level definitions (i.e. Windows 10 | ||||
| or Windows Server 2016). | ||||
| o PubSub Since (XEP-0312): This extension enables a subscriber to | ||||
| automatically receive PubSub and Personal Eventing Protocol (PEP) | ||||
| notifications since its last logout time. This extension may be | ||||
| useful in intermittent connection scenarios, or when entities | ||||
| disconnect and reconnect to the ecosystem. | ||||
| o PubSub Chaining (XEP-0253): This extension describes the | ||||
| federation of publishing nodes, enabling a publish node of one | ||||
| server to be a subscriber to a publishing node of another server. | ||||
| C.1. Example Architecture using XMPP-Grid and Endpoint Posture | ||||
| Collection Protocol | ||||
| Figure 5 depicts a further detailed view of the architecture | ||||
| including the Endpoint Posture Collection Protocol as the collection | ||||
| subsystem, illustrating the idea of a pluggable ecosystem of | ||||
| cooperative tools. | ||||
| +--------------------+ | ||||
| | Feeds/Repositories | | ||||
| | of External Data | | ||||
| +--------------------+ | ||||
| | | ||||
| ********************v************************* Enterprise Boundary ************ | ||||
| * | * | ||||
| * +--------------+ | +-------------------+ +-------------+ * | ||||
| * | Orchestrator | | | Posture Attr Repo | | Policy Repo | * | ||||
| * +------^-------+ | +---------^---------+ +---^---------+ * | ||||
| * | | | | +----------------+ * | ||||
| * | | | | | Downstream Uses| * | ||||
| * | | | | | +-----------+ | * | ||||
| * +------v---------v-----------v---------------v--+ | |Evaluations| | * | ||||
| * | XMPP-Grid <-------> +-----------+ | * | ||||
| * +----------------^-------------------^----------+ | +-----------+ | * | ||||
| * | | | | Analytics | | * | ||||
| * | | | +-----------+ | * | ||||
| * | +-----v--------+ | +-----------+ | * | ||||
| * | | Results Repo | | | Reporting | | * | ||||
| * | +--------------+ | +-----------+ | * | ||||
| * | +----------------+ * | ||||
| * +---------v-----------+ * | ||||
| * | XMPP-Grid Connector | * | ||||
| * +---------^-----------+ * | ||||
| * | * | ||||
| * +-----------------v-------------------------------------------------------+ * | ||||
| * | | * | ||||
| * | +--Posture Collection Manager------------------------------------------+| * | ||||
| * | |+-----------------------+ +----------------+ +----------------------+ || * | ||||
| * | || Communications Server | | Posture Server | | Posture Validator(s) | || * | ||||
| * | |+----------^------------+ +----------------+ +----------------------+ || * | ||||
| * | +-----------|----------------------------------------------------------+| * | ||||
| * | | | * | ||||
| * | +-----------|-------------------------Endpoint or Endpoint Proxy-------+| * | ||||
| * | |+----------v------------+ +----------------+ +----------------------+ || * | ||||
| * | || Communications Client | | Posture Client | | Posture Collector(s) | || * | ||||
| * | |+-----------------------+ +----------------+ +----------------------+ || * | ||||
| * | +----------------------------------------------------------------------+| * | ||||
| * +-----------------Endpoint Posture Collection Profile---------------------+ * | ||||
| * * | ||||
| ******************************************************************************* | ||||
| Figure 5: XMPP-based Architecture including EPCP | ||||
| Authors' Addresses | Authors' Addresses | |||
| Adam W. Montville | Adam W. Montville | |||
| Center for Internet Security | Center for Internet Security | |||
| 31 Tech Valley Drive | 31 Tech Valley Drive | |||
| East Greenbush, NY 12061 | East Greenbush, NY 12061 | |||
| USA | USA | |||
| Email: adam.w.montville@gmail.com | Email: adam.montville.sdo@gmail.com | |||
| Bill Munyan | Bill Munyan | |||
| Center for Internet Security | Center for Internet Security | |||
| 31 Tech Valley Drive | 31 Tech Valley Drive | |||
| East Greenbush, NY 12061 | East Greenbush, NY 12061 | |||
| USA | USA | |||
| Email: bill.munyan.ietf@gmail.com | Email: bill.munyan.ietf@gmail.com | |||
| End of changes. 44 change blocks. | ||||
| 490 lines changed or deleted | 506 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||