| draft-ietf-sacm-arch-02.txt | draft-ietf-sacm-arch-03.txt | |||
|---|---|---|---|---|
| SACM Working Group A. Montville | SACM Working Group A. Montville | |||
| Internet-Draft B. Munyan | Internet-Draft B. Munyan | |||
| Intended status: Standards Track CIS | Intended status: Standards Track CIS | |||
| Expires: January 27, 2020 July 26, 2019 | Expires: March 9, 2020 September 06, 2019 | |||
| Security Automation and Continuous Monitoring (SACM) Architecture | Security Automation and Continuous Monitoring (SACM) Architecture | |||
| draft-ietf-sacm-arch-02 | draft-ietf-sacm-arch-03 | |||
| Abstract | Abstract | |||
| This memo defines a Security Automation and Continuous Monitoring | This memo defines a Security Automation and Continuous Monitoring | |||
| (SACM) architecture. This work is built upon [RFC8600], and is | (SACM) architecture. This work is built upon [RFC8600], and is | |||
| predicated upon information gleaned from SACM Use Cases and | predicated upon information gleaned from SACM Use Cases and | |||
| Requirements ([RFC7632] and [RFC8248] respectively), and terminology | Requirements ([RFC7632] and [RFC8248] respectively), and terminology | |||
| as found in [I-D.ietf-sacm-terminology]. | as found in [I-D.ietf-sacm-terminology]. | |||
| WORKING GROUP: The source for this draft is maintained in GitHub. | WORKING GROUP: The source for this draft is maintained in GitHub. | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 27, 2020. | This Internet-Draft will expire on March 9, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 3 | 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Architectural Overview . . . . . . . . . . . . . . . . . . . 3 | 3. Architectural Overview . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Relevant Workflows . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. Architectural Components . . . . . . . . . . . . . . . . 4 | |||
| 4.1. IT Asset Management . . . . . . . . . . . . . . . . . . . 5 | 3.1.1. Orchestrator . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Vulnerability Management . . . . . . . . . . . . . . . . 5 | 3.1.2. Repositories/CMDBs . . . . . . . . . . . . . . . . . 5 | |||
| 4.3. Configuration Management . . . . . . . . . . . . . . . . 6 | 3.1.3. Component Integration Service . . . . . . . . . . . . 5 | |||
| 5. Configuration Management Components, Interactions, and | 3.2. Sub-Architectures . . . . . . . . . . . . . . . . . . . . 6 | |||
| Capabilities . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.3. Downstream Uses . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.1. Components . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.3.1. Reporting . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.2. Interactions . . . . . . . . . . . . . . . . . . . . . . 8 | 3.3.2. Analytics . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5.3. Capabilities . . . . . . . . . . . . . . . . . . . . . . 8 | 4. Sub-Architectural Components . . . . . . . . . . . . . . . . 7 | |||
| 6. Configuration Assessment Workflow . . . . . . . . . . . . . . 9 | 4.1. Collection Sub-Architecture . . . . . . . . . . . . . . . 7 | |||
| 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 | 4.1.1. Posture Collection Service . . . . . . . . . . . . . 8 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 4.1.2. Endpoint . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 4.1.3. Posture Attribute Repository . . . . . . . . . . . . 9 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 4.2. Evaluation Sub-Architecture . . . . . . . . . . . . . . . 9 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 4.2.1. Posture Evaluation Service . . . . . . . . . . . . . 10 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 11 | 4.2.2. Policy Repository . . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. Mapping to RFC8248 . . . . . . . . . . . . . . . . . 13 | 4.2.3. Evaluation Results Repository . . . . . . . . . . . . 11 | |||
| Appendix B. Example Components . . . . . . . . . . . . . . . . . 16 | 5. Interactions . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| B.1. Policy Services . . . . . . . . . . . . . . . . . . . . . 16 | 6. Security Domain Workflows . . . . . . . . . . . . . . . . . . 12 | |||
| B.2. Software Inventory . . . . . . . . . . . . . . . . . . . 17 | 6.1. IT Asset Management . . . . . . . . . . . . . . . . . . . 12 | |||
| B.3. Datastream Collection . . . . . . . . . . . . . . . . . . 18 | 6.2. Vulnerability Management . . . . . . . . . . . . . . . . 13 | |||
| B.4. Network Configuration Collection . . . . . . . . . . . . 18 | 6.3. Configuration Management . . . . . . . . . . . . . . . . 13 | |||
| Appendix C. Exploring An XMPP-based Solution . . . . . . . . . . 19 | 7. Configuration Management Components and Capabilities . . . . 14 | |||
| 7.1. Components . . . . . . . . . . . . . . . . . . . . . . . 15 | ||||
| 7.2. Capabilities . . . . . . . . . . . . . . . . . . . . . . 15 | ||||
| 8. Configuration Assessment Workflow . . . . . . . . . . . . . . 15 | ||||
| 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17 | ||||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | ||||
| 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | ||||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | ||||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . 18 | ||||
| 12.2. Informative References . . . . . . . . . . . . . . . . . 18 | ||||
| Appendix A. Mapping to RFC8248 . . . . . . . . . . . . . . . . . 20 | ||||
| Appendix B. Example Components . . . . . . . . . . . . . . . . . 23 | ||||
| B.1. Policy Services . . . . . . . . . . . . . . . . . . . . . 23 | ||||
| B.2. Software Inventory . . . . . . . . . . . . . . . . . . . 24 | ||||
| B.3. Datastream Collection . . . . . . . . . . . . . . . . . . 25 | ||||
| B.4. Network Configuration Collection . . . . . . . . . . . . 25 | ||||
| Appendix C. Exploring An XMPP-based Solution . . . . . . . . . . 25 | ||||
| C.1. Example Architecture using XMPP-Grid and Endpoint Posture | C.1. Example Architecture using XMPP-Grid and Endpoint Posture | |||
| Collection Protocol . . . . . . . . . . . . . . . . . . . 22 | Collection Protocol . . . . . . . . . . . . . . . . . . . 29 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 1. Introduction | 1. Introduction | |||
| The purpose of this draft is to define an architectural approach for | The purpose of this draft is to define an architectural approach for | |||
| a SACM Domain, based on the spirit of use cases found in [RFC7632] | a SACM Domain, based on the spirit of use cases found in [RFC7632] | |||
| and requirements found in [RFC8248]. This approach gains the most | and requirements found in [RFC8248]. This approach gains the most | |||
| advantage by supporting a variety of collection systems, and intends | advantage by supporting a variety of collection systems, and intends | |||
| to enable a cooperative ecosystem of tools from disparate sources | to enable a cooperative ecosystem of tools from disparate sources | |||
| with minimal operator configuration. | with minimal operator configuration. | |||
| skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 5 ¶ | |||
| 3. Architectural Overview | 3. Architectural Overview | |||
| The generic approach proposed herein recognizes the need to obtain | The generic approach proposed herein recognizes the need to obtain | |||
| information from existing and future state collection systems, and | information from existing and future state collection systems, and | |||
| makes every attempt to respect [RFC7632] and [RFC8248]. At the | makes every attempt to respect [RFC7632] and [RFC8248]. At the | |||
| foundation of any architecture are entities, or components, that need | foundation of any architecture are entities, or components, that need | |||
| to communicate. They communicate by sharing information, where, in a | to communicate. They communicate by sharing information, where, in a | |||
| given flow, one or more components are consumers of information and | given flow, one or more components are consumers of information and | |||
| one or more components are providers of information. | one or more components are providers of information. | |||
| +--------------------+ | +--------------------+ | |||
| | Feeds/Repositories | | | Feeds/Repositories | | |||
| | of External Data | | | of External Data | | |||
| +--------------------+ | +---------+----------+ | |||
| | | + | |||
| | | ****************************************************** Enterprise Boundary *** | |||
| *****************************v**************** Enterprise Boundary ************ | + | |||
| * | * | +--------------+ | +--------------------+ | |||
| * +---------------+ | +--------------+ * | | Orchestrator | | | Repositories/CMDBs | | |||
| * | Orchestrators | | | Repositories | * | +------^-------+ | +----------^---------+ | |||
| * +------^--------+ | +----^---------+ * | | | | +--------------------+ | |||
| * | | | +----------------+ * | | | | | Downstream Uses | | |||
| * | | | | Downstream Uses| * | | | | | +----------------+ | | |||
| * | | | | +-----------+ | * | +-----------v----------v-------------v------+ | | Analytics | | | |||
| * +------v------------------v----------v------+ | |Evaluations| | * | | Component Integration Service <------> +----------------+ | | |||
| * | Message Transfer System <-------> +-----------+ | * | +----- -----^--------------------------^----+ | +----------------+ | | |||
| * +----------------------^--------------------+ | +-----------+ | * | | | | | Reporting | | | |||
| * | | | Analytics | | * | | | | +----------------+ | | |||
| * | | +-----------+ | * | +-----------v-------------------+ | +--------------------+ | |||
| * +-------------v------+ | +-----------+ | * | | Collection Sub-Architecture | | | |||
| * | Collection Systems | | | Reporting | | * | +-------------------------------+ | | |||
| * +--------------------+ | +-----------+ | * | +---------------------v---------+ | |||
| * +----------------+ * | | Evaluation Sub-Architecture | | |||
| ******************************************************************************* | +-------------------------------+ | |||
| Figure 1: Notional Architecture | Figure 1: Notional Architecture | |||
| As shown in Figure 1, the notional SACM architecture consists of some | As shown in Figure 1, the SACM architecture consists of some basic | |||
| basic SACM Components using a message transfer system to communicate. | SACM Components communicating using a component integration service. | |||
| The message transfer system is expected to maximally align with the | The component integration service is expected to maximally align with | |||
| requirements described in [RFC8248], which means that the message | the requirements described in [RFC8248], which means that the | |||
| transfer system will support brokered (i.e. point-to-point) and | component integration service will support brokered (i.e. point-to- | |||
| proxied data exchange. | point) and proxied data exchange. | |||
| The enterprise boundary is not intended to imply a physical boundary. | The enterprise boundary is not intended to imply a physical boundary. | |||
| Rather, the enterprise boundary is intended to be inclusive of | Rather, the enterprise boundary is intended to be inclusive of | |||
| various cloud environments and vendor-provided services in addition | various cloud environments and vendor-provided services in addition | |||
| to any physical systems the enterprise operates. | to any physical systems the enterprise operates. | |||
| 3.1. Architectural Components | ||||
| This document suggests a variety of players in a cooperative | This document suggests a variety of players in a cooperative | |||
| ecosystem - we call these players SACM Components. SACM Components | ecosystem - we call these players SACM Components. SACM Components | |||
| may be composed of other SACM Components, and each SACM Component | may be composed of other SACM Components, and each SACM Component | |||
| plays one, or more, of several roles relevant to the ecosystem. | plays one, or more, of several roles relevant to the ecosystem. | |||
| Generally each role is either a consumer of information or a provider | Generally each role is either a consumer of information or a provider | |||
| of information. | of information. The Figure 1 diagram illustrates a number of SACM | |||
| components which are architecturally significant and therefore | ||||
| warrant discussion and clarification. | ||||
| 4. Relevant Workflows | 3.1.1. Orchestrator | |||
| An Orchestration component exists to aid in the automation of | ||||
| configuration, coordination, and management for the ecosystem of SACM | ||||
| components. The Orchestrator performs control-plane operations, | ||||
| administration of an implementing organization's components | ||||
| (including endpoints, posture collection services, and downstream | ||||
| activities), scheduling of automated tasks, and any ad-hoc activities | ||||
| such as the initiation of collection or evaluation activities. The | ||||
| Orchestrator is the key administrative interface into the SACM | ||||
| architecture. | ||||
| 3.1.2. Repositories/CMDBs | ||||
| The Figure 1 diagram only includes a single reference to | ||||
| "Repositories/CMDBs", but in practice, a number of separate data | ||||
| repositories may exist, including posture attribute repositories, | ||||
| policy repositories, local vulnerability definition data | ||||
| repositories, and state assessment results repositories. These data | ||||
| repositories may exist separately or together in a single | ||||
| representation, and the design of these repositories may be as | ||||
| distinct as their intended purpose, such as the use of relational | ||||
| database management systems or graph/map implementations focused on | ||||
| the relationships between data elements. Each implementation of a | ||||
| SACM repository should focus on the relationships between data | ||||
| elements and implement the SACM information and data model(s). | ||||
| 3.1.3. Component Integration Service | ||||
| If each SACM component represents a set of services, capabilities, | ||||
| and/or functions, the Component Integration Service represents the | ||||
| "fabric" by which all those services, capabilities and functions are | ||||
| woven together. The Component Integration Service acts as a message | ||||
| broker, combining a canonical data model, a common command set, and a | ||||
| messaging infrastructure to allow other SACM components to | ||||
| communicate using a shared set of interfaces. The Component | ||||
| Integration Service's brokering capabilities enable the exchange of | ||||
| information, the orchestration of capabilities, message routing and | ||||
| reliable delivery. The Component Integration Service minimizes the | ||||
| dependencies from one system to another through the loose coupling of | ||||
| applications through messaging. | ||||
| The Component Integration Service should provide mechanisms for | ||||
| synchronous "request/response"-style messaging, asynchronous "send | ||||
| and forget" messaging, or publish/subscribe. It is the | ||||
| responsibility of the Component Integration Service to coordinate and | ||||
| manage the sending and receiving of messages. The Component | ||||
| Integration Service should allow components the ability to directly | ||||
| connect and produce or consume messages, or connect via message | ||||
| translators which can act as a proxy, transforming messages from a | ||||
| component format to one implementing a SACM data model. | ||||
| A number of pieces come together to form the Component Integration | ||||
| Service: | ||||
| 1. Common communication infrastructure: The physical communications | ||||
| infrastructure, providing a cross-platform, cross-language | ||||
| universal adapter between SACM components. This infrastructure | ||||
| commonly includes message routing capabilities to facilitate the | ||||
| correct routing of messages from SACM component to SACM | ||||
| component, as well as using Publish/Subscribe functionality to | ||||
| facilitate sending messages to all receivers. | ||||
| 2. Adapters: The use of a standard, canonical data model will likely | ||||
| require SACM components to translate component-specific | ||||
| information into the canonical format used by the message broker. | ||||
| 3. Common command/interaction structure: Just as PC architectures | ||||
| have a common set of commands to represent the different | ||||
| operations possible on a physical bus, there must be common | ||||
| interactions that all SACM components can understand. | ||||
| 3.2. Sub-Architectures | ||||
| The Figure 1 shows two components representing the architectural | ||||
| workflows involved in a cooperative ecosystem of SACM components: | ||||
| Collection and Evaluation. The following section, Architectural | ||||
| Workflows (TBD - ADD LINK) further expands on these components/ | ||||
| workflows. | ||||
| 3.3. Downstream Uses | ||||
| As depicted by Figure 1, a number of downstream uses exist in the | ||||
| cooperative ecosystem. Each notional SACM component represents | ||||
| distinct sub-architectures which will exchange information via the | ||||
| component integration services, using interactions described in this | ||||
| draft. | ||||
| 3.3.1. Reporting | ||||
| The Reporting component represents the capabilities of the SACM | ||||
| architecture dealing with the query and retrieval of collected | ||||
| posture attribute information, evaluation results, etc. in various | ||||
| display formats that are useful to a wide range of stakeholders. | ||||
| 3.3.2. Analytics | ||||
| The Analytics component represents the capabilities of the SACM | ||||
| architecture dealing with the discovery, interpretation, and | ||||
| communication of any meaningful patterns of data in order to inform | ||||
| effective decision making within the organization. | ||||
| 4. Sub-Architectural Components | ||||
| This section describes the workflows derived from the interactions | ||||
| with the two sub-architectures depicted in the Figure 1: Collection | ||||
| and Evaluation. | ||||
| 4.1. Collection Sub-Architecture | ||||
| The Collection sub-architecture, in a SACM context, is the mechanism | ||||
| by which posture attributes are collected from applicable endpoints | ||||
| and persisted to a repository, such as a configuration management | ||||
| database (CMDB). Orchestration components will choreograph endpoint | ||||
| data collection via interactions using the Component Integration | ||||
| Service as a message broker. Instructions to perform endpoint data | ||||
| collection are directed to a Posture Collection Service capable of | ||||
| performing collection activities utilizing any number of methods, | ||||
| such as SNMP, NETCONF/RESTCONF, SSH, WinRM, or host-based. | ||||
| +----------------------------------------------------------+ | ||||
| | Orchestrator | | ||||
| +-----------+----------------------------------------------+ | ||||
| | +------------------------------+ | ||||
| | | Posture Attribute Repository | | ||||
| | +--------------^---------------+ | ||||
| | | | ||||
| | | | ||||
| | Collected Data | ||||
| | ^ | ||||
| | | | ||||
| +-----------v------------------------------+---------------+ | ||||
| | Component Integration Service | | ||||
| +----+------------------^-----------+------------------^---+ | ||||
| | | | | | ||||
| | | | | | ||||
| v | v | | ||||
| Perform Collected Perform Collected | ||||
| Collection Data Collection Data | ||||
| | ^ | ^ | ||||
| | | | | | ||||
| | | | | | ||||
| +----v------------------+----+ +----v------------------+----+ | ||||
| | Posture Collection Service | | Posture Collection Service | | ||||
| +---^------------------------+ | | | ||||
| | | | +------------------------+ | | ||||
| | v | | Endpoint | | | ||||
| Events Queries | +------------------------+ | | ||||
| ^ | +----------------------------+ | ||||
| | | | ||||
| +---+-------------------v----+ | ||||
| | Endpoint | | ||||
| +----------------------------+ | ||||
| Figure 2: Collection Sub-Architecture | ||||
| 4.1.1. Posture Collection Service | ||||
| The Posture Collection Service (PCS) is the SACM component | ||||
| responsible for the collection of posture attributes from an endpoint | ||||
| or set of endpoints. A single PCS may be responsible for management | ||||
| of posture attribute collection from many endpoints. The PCS will | ||||
| interact with the Component Integration Service to receive collection | ||||
| instructions and to provide collected posture data for persistence to | ||||
| the Posture Attribute Repository. Collection instructions may be | ||||
| supplied in a variety of forms, including subscription to a publish/ | ||||
| subscribe topic to which the Component Integration Service has | ||||
| published instructions, via request/response-style synchronous | ||||
| messaging, or via asynchronous "send-and-forget" messaging. | ||||
| Collected posture information may then be supplied to the Component | ||||
| Integration Service via similar channels. The various interaction | ||||
| types are discussed later in this draft (TBD). | ||||
| 4.1.2. Endpoint | ||||
| Building upon [I-D.ietf-sacm-terminology], the SACM Collection Sub- | ||||
| Architecture augments the definition of an Endpoint as a component | ||||
| within an organization's management domain from which a Posture | ||||
| Collection Service will collect relevant posture attributes. | ||||
| 4.1.3. Posture Attribute Repository | ||||
| The Posture Attribute Repository is a SACM component responsible for | ||||
| the persistent storage of posture attributes collected via | ||||
| interactions between the Posture Collection Service and Endpoints. | ||||
| 4.2. Evaluation Sub-Architecture | ||||
| The Evaluation Sub-Architecture, in the SACM context, is the | ||||
| mechanism by which policy, expressed in the form of expected state, | ||||
| is compared with collected posture attributes to yield an evaluation | ||||
| result, that result being contextually dependent on the policy being | ||||
| evaluated. | ||||
| +---------------------------------------+ | ||||
| | Orchestrator | | ||||
| +-------------------+-------------------+ | ||||
| | | ||||
| | | ||||
| | | ||||
| +-------------------v-------------------+ | ||||
| | Component Integration Service | | ||||
| +--------+------------^--------^--------+ | ||||
| | | | | ||||
| | | | | ||||
| v | Retrieve +--------------------------------+ | ||||
| Perform | Posture <-------+ Posture Attribute Repository | | ||||
| Evaluation | Attributes +--------------------------------+ | ||||
| | | | ||||
| | | | ||||
| | | +--------------------------------+ | ||||
| | +-----Retrieve <------+ Policy Repository | | ||||
| | Policy +--------------------------------+ | ||||
| | | ||||
| +--------v------------------------------+ | ||||
| | Posture Evaluation Service | | ||||
| +----------------------------+----------+ | ||||
| | | ||||
| v | ||||
| Evaluation | ||||
| Results | ||||
| | | ||||
| | | ||||
| +--------------------v----------+ | ||||
| | Evaluation Results Repository | | ||||
| +-------------------------------+ | ||||
| Figure 3: Evaluation Sub-Architecture | ||||
| 4.2.1. Posture Evaluation Service | ||||
| The Posture Evaluation Service represents the SACM component | ||||
| responsible for coordinating the policy to be evaluated and the | ||||
| collected posture attributes relevant to that policy, as well as the | ||||
| comparison engine responsible for correctly determining compliance | ||||
| with the expected state. | ||||
| 4.2.2. Policy Repository | ||||
| The Policy Repository represents a persistent storage mechanism for | ||||
| the policy to be assessed against collected posture attributes to | ||||
| determine if an endpoint meets the defined expected state. Examples | ||||
| of information contained in a Policy Repository would be | ||||
| Vulnerability Definition Data or configuration recommendations as | ||||
| part of a CIS Benchmark or DISA STIG. | ||||
| 4.2.3. Evaluation Results Repository | ||||
| The Evaluation Results Repository persists the information | ||||
| representing the results of a particular posture assessment, | ||||
| indicating those posture attributes collected from various endpoints | ||||
| which either meet or do not meet the expected state defined by the | ||||
| assessed policy. Consideration should be made for the context of | ||||
| individual results. For example, meeting the expected state for a | ||||
| configuration attribute indicates a correct configuration of the | ||||
| endpoint, whereas meeting an expected state for a vulnerable software | ||||
| version indicates an incorrect and therefore vulnerable | ||||
| configuration. | ||||
| 5. Interactions | ||||
| SACM Components are intended to interact with other SACM Components. | ||||
| These interactions can be thought of, at the level of this | ||||
| architectural approach, as the combination of interfaces with their | ||||
| supported operations. Each interaction will convey a payload of | ||||
| information. The payload information is expected to contain sub- | ||||
| domain-specific characteristics and instructions. | ||||
| o *Publish/Subscribe*: A component publishes information to a | ||||
| messaging system and a set of other components, subscribed to that | ||||
| information type, receive the published information. | ||||
| o *Request/Response*: A request/response interaction can take a | ||||
| number of forms, but will always be synchronous operations | ||||
| involving the requesting component waiting/blocking until a | ||||
| response is received from the requested component or a timeout | ||||
| occurs. | ||||
| * *Information Request*: An information request is simply one | ||||
| component requesting information from another component, such | ||||
| as an Orchestrator requesting collection capabilities from a | ||||
| Posture Collection Service. | ||||
| * *Query*: A query interaction can take one of two forms, | ||||
| "selection" or "storage". | ||||
| + _Selection_: A component requests data from a repository. | ||||
| + _Storage_: A component provides data to be persisted in a | ||||
| repository. | ||||
| o *Directive*: Commonly referred to as "Send-and-Forget", a | ||||
| directive is an asynchronous interaction whereby a component | ||||
| requests information from another component but does not wait/ | ||||
| block for a response. The receiving component may reply later via | ||||
| callbacks or further interactions, but it is not mandatory. | ||||
| Each interaction will convey a payload of information. The payload | ||||
| information is expected to contain sub-domain-specific | ||||
| characteristics and instructions. | ||||
| 6. Security Domain Workflows | ||||
| This section describes three primary information security domains | This section describes three primary information security domains | |||
| from which workflows may be derived: IT Asset Management, | from which workflows may be derived: IT Asset Management, | |||
| Vulnerability Management, and Configuration Management. | Vulnerability Management, and Configuration Management. | |||
| 4.1. IT Asset Management | 6.1. IT Asset Management | |||
| Information Technology asset management is easier said than done. | Information Technology asset management is easier said than done. | |||
| The [CISCONTROLS] have two controls dealing with IT asset management. | The [CISCONTROLS] have two controls dealing with IT asset management. | |||
| Control 1, Inventory and Control of Hardware Assets, states, | Control 1, Inventory and Control of Hardware Assets, states, | |||
| "Actively manage (inventory, track, and correct) all hardware devices | "Actively manage (inventory, track, and correct) all hardware devices | |||
| on the network so that only authorized devices are given access, and | on the network so that only authorized devices are given access, and | |||
| unauthorized and unmanaged devices are found and prevented from | unauthorized and unmanaged devices are found and prevented from | |||
| gaining access." Control 2, Inventory and Control of Software | gaining access." Control 2, Inventory and Control of Software | |||
| Assets, states, "Actively manage (inventory, track, and correct) all | Assets, states, "Actively manage (inventory, track, and correct) all | |||
| software on the network so that only authorized software is installed | software on the network so that only authorized software is installed | |||
| skipping to change at page 5, line 41 ¶ | skipping to change at page 13, line 5 ¶ | |||
| o Identify and catalog new assets by executing Target Endpoint | o Identify and catalog new assets by executing Target Endpoint | |||
| Discovery Tasks | Discovery Tasks | |||
| o Provide information about its managed assets, including uniquely | o Provide information about its managed assets, including uniquely | |||
| identifying information (for that enterprise) | identifying information (for that enterprise) | |||
| o Handle software and/or hardware (including virtual assets) | o Handle software and/or hardware (including virtual assets) | |||
| o Represent cloud hybrid environments | o Represent cloud hybrid environments | |||
| 4.2. Vulnerability Management | 6.2. Vulnerability Management | |||
| Vulnerability management is a relatively established process. To | Vulnerability management is a relatively established process. To | |||
| paraphrase the [CISCONTROLS], continuous vulnerability management is | paraphrase the [CISCONTROLS], continuous vulnerability management is | |||
| the act of continuously acquiring, assessing, and taking subsequent | the act of continuously acquiring, assessing, and taking subsequent | |||
| action on new information in order to identify and remediate | action on new information in order to identify and remediate | |||
| vulnerabilities, therefore minimizing the window of opportunity for | vulnerabilities, therefore minimizing the window of opportunity for | |||
| attackers. | attackers. | |||
| A vulnerability assessment (i.e. vulnerability detection) is | A vulnerability assessment (i.e. vulnerability detection) is | |||
| performed in two steps: | performed in two steps: | |||
| skipping to change at page 6, line 36 ¶ | skipping to change at page 13, line 48 ¶ | |||
| by the endpoint management capabilities and available in a | by the endpoint management capabilities and available in a | |||
| Repository. However, in other cases, the necessary endpoint | Repository. However, in other cases, the necessary endpoint | |||
| information will not be readily available in a Repository and a | information will not be readily available in a Repository and a | |||
| Collection Task will be triggered to perform collection from the | Collection Task will be triggered to perform collection from the | |||
| target endpoint. Of course, some implementations of endpoint | target endpoint. Of course, some implementations of endpoint | |||
| management capabilities may prefer to enable operators to perform | management capabilities may prefer to enable operators to perform | |||
| this collection even when sufficient information can be provided by | this collection even when sufficient information can be provided by | |||
| the endpoint management capabilities (e.g. there may be freshness | the endpoint management capabilities (e.g. there may be freshness | |||
| requirements for information). | requirements for information). | |||
| 4.3. Configuration Management | 6.3. Configuration Management | |||
| Configuration management involves configuration assessment, which | Configuration management involves configuration assessment, which | |||
| requires state assessment. The [CISCONTROLS] specify two high-level | requires state assessment. The [CISCONTROLS] specify two high-level | |||
| controls concerning configuration management (Control 5 for non- | controls concerning configuration management (Control 5 for non- | |||
| network devices and Control 11 for network devices). As an aside, | network devices and Control 11 for network devices). As an aside, | |||
| these controls are listed separately because many enterprises have | these controls are listed separately because many enterprises have | |||
| different organizations for managing network infrastructure and | different organizations for managing network infrastructure and | |||
| workload endpoints. Merging the two controls results in the | workload endpoints. Merging the two controls results in the | |||
| following paraphrasing: Establish, implement, and actively manage | following paraphrasing: Establish, implement, and actively manage | |||
| (track, report on, correct) the security configuration of systems | (track, report on, correct) the security configuration of systems | |||
| skipping to change at page 7, line 32 ¶ | skipping to change at page 14, line 44 ¶ | |||
| o Configuration assessment tool queries configuration state | o Configuration assessment tool queries configuration state | |||
| repository to evaluate compliance | repository to evaluate compliance | |||
| o If information is stale or unavailable, configuration assessment | o If information is stale or unavailable, configuration assessment | |||
| tool triggers an ad hoc assessment | tool triggers an ad hoc assessment | |||
| The SACM architecture needs to support varying deployment models to | The SACM architecture needs to support varying deployment models to | |||
| accommodate the current state of the industry, but should strongly | accommodate the current state of the industry, but should strongly | |||
| encourage event-driven approaches to monitoring configuration. | encourage event-driven approaches to monitoring configuration. | |||
| 5. Configuration Management Components, Interactions, and Capabilities | 7. Configuration Management Components and Capabilities | |||
| This section provides more detail about the components, interactions, | This section provides more detail about the components and | |||
| and capabilities required when considering the aforementioned | capabilities required when considering the aforementioned | |||
| configuration management workflow. | configuration management workflow. | |||
| 5.1. Components | 7.1. Components | |||
| The following is a minimal list of SACM Components required to | The following is a minimal list of SACM Components required to | |||
| implement the aforementioned configuration assessment workflow. | implement the aforementioned configuration assessment workflow. | |||
| o Configuration Policy Feed: An external source of authoritative | o Configuration Policy Feed: An external source of authoritative | |||
| configuration recommendations. | configuration recommendations. | |||
| o Configuration Policy Repository: An internal repository of | o Configuration Policy Repository: An internal repository of | |||
| enterprise standard configurations. | enterprise standard configurations. | |||
| skipping to change at page 8, line 18 ¶ | skipping to change at page 15, line 32 ¶ | |||
| o Posture Attribute Repository: A component used for storing system | o Posture Attribute Repository: A component used for storing system | |||
| posture attribute values. | posture attribute values. | |||
| o Configuration Assessment Evaluator: A component responsible for | o Configuration Assessment Evaluator: A component responsible for | |||
| evaluating system posture attribute values against expected | evaluating system posture attribute values against expected | |||
| posture attribute values. | posture attribute values. | |||
| o Configuration Assessment Results Repository: A component used for | o Configuration Assessment Results Repository: A component used for | |||
| storing evaluation results. | storing evaluation results. | |||
| 5.2. Interactions | 7.2. Capabilities | |||
| SACM Components are intended to interact with other SACM Components. | ||||
| These interactions can be thought of, at the level of this | ||||
| architectural approach, as the combination of interfaces with their | ||||
| supported operations. | ||||
| o Store: One component stores information in another. | ||||
| o Ask: A component requests information from another. | ||||
| o Notify/Ask: A component notifies another component, which then | ||||
| asks the notifying component (or another component) for | ||||
| information. | ||||
| o Publish/Subscribe: A component publishes information to a | ||||
| messaging system and a set of other components, subscribed to that | ||||
| information type, receive the published information. | ||||
| o Tell: A component instructs another. | ||||
| TODO: Consider breaking out Notify, Publish, and Subscribe into | ||||
| separate line items, and adding Error (a type of Notify). Then | ||||
| consider explaining the necessary combinations relevant to the | ||||
| configuration assessment workflow below. | ||||
| Each interaction will convey a payload of information. The payload | ||||
| information is expected to contain sub-domain-specific | ||||
| characteristics and instructions. | ||||
| 5.3. Capabilities | ||||
| Per [RFC8248], solutions MUST support capability negotiation. | Per [RFC8248], solutions MUST support capability negotiation. | |||
| Components implementing specific interfaces and operations (i.e. | Components implementing specific interfaces and operations (i.e. | |||
| interactions) will need a method of describing their capabilities to | interactions) will need a method of describing their capabilities to | |||
| other components participating in the ecosystem; for example, "As a | other components participating in the ecosystem; for example, "As a | |||
| component in the ecosystem, I can assess the configuration of | component in the ecosystem, I can assess the configuration of | |||
| Windows, MacOS, and AWS using OVAL". | Windows, MacOS, and AWS using OVAL". | |||
| 6. Configuration Assessment Workflow | 8. Configuration Assessment Workflow | |||
| This section describes the components and interactions in a basic | This section describes the components and interactions in a basic | |||
| configuration assessment workflow. For simplicity, error conditions | configuration assessment workflow. For simplicity, error conditions | |||
| are recognized as being necessary and are not depicted. When one | are recognized as being necessary and are not depicted. When one | |||
| component messages another component, the message is expected to be | component messages another component, the message is expected to be | |||
| handled appropriately unless there is an error condition, or other | handled appropriately unless there is an error condition, or other | |||
| notification, messaged in return. | notification, messaged in return. | |||
| +-------------+ | +-------------+ | |||
| | Policy Feed | | | Policy Feed | | |||
| skipping to change at page 9, line 40 ¶ | skipping to change at page 16, line 28 ¶ | |||
| | +--------v------+ | | | | +--------v------+ | | | |||
| | | Collector | | | | | | Collector | | | | |||
| | +-------+-------+ | 4 +------------+ | | +-------+-------+ | 4 +------------+ | |||
| | | +-------> Posture | | | | +-------> Posture | | |||
| | +-------+-------+ | | Attribute | | | +-------+-------+ | | Attribute | | |||
| | | Target System | | | Repository | | | | Target System | | | Repository | | |||
| | +---------------+ | +------------+ | | +---------------+ | +------------+ | |||
| +-------------------+ | +-------------------+ | |||
| Collection Sub-Architecture | Collection Sub-Architecture | |||
| Figure 2: Configuration Assessment Component Interactions | Figure 4: Configuration Assessment Component Interactions | |||
| Figure 2 depicts configuration assessment components and their | Figure 4 depicts configuration assessment components and their | |||
| interactions, which are further described below. | interactions, which are further described below. | |||
| 1. Policy is stored in the Policy Repository: TODO - add specific | 1. Policy is stored in the Policy Repository: TODO - add specific | |||
| interaction options here. | interaction options here. | |||
| 2. The Orchestrator obtains collection information from the Policy | 2. The Orchestrator obtains collection information from the Policy | |||
| Repository: TODO - add specific interaction options here. | Repository: TODO - add specific interaction options here. | |||
| 3. The Orchestrator initiates collection to be performed by the | 3. The Orchestrator initiates collection to be performed by the | |||
| Collection Sub-Architecture: TODO - add specific interaction | Collection Sub-Architecture: TODO - add specific interaction | |||
| skipping to change at page 10, line 38 ¶ | skipping to change at page 17, line 23 ¶ | |||
| context required by the receiving component for the action being | context required by the receiving component for the action being | |||
| taken under different circumstances. For example, the Tell message | taken under different circumstances. For example, the Tell message | |||
| sent from an Orchestrator to a Collection sub-architecture might be | sent from an Orchestrator to a Collection sub-architecture might be | |||
| telling that Collector to watch a specific posture attribute and | telling that Collector to watch a specific posture attribute and | |||
| report only specific detected changes to the Posture Attribute | report only specific detected changes to the Posture Attribute | |||
| Repository, or it might be telling the Collector to gather that | Repository, or it might be telling the Collector to gather that | |||
| posture attribute immediately. Such details are expected to be | posture attribute immediately. Such details are expected to be | |||
| handled as part of that payload, not as part of the architecture | handled as part of that payload, not as part of the architecture | |||
| described herein. | described herein. | |||
| 7. Privacy Considerations | 9. Privacy Considerations | |||
| TODO | TODO | |||
| 8. Security Considerations | 10. Security Considerations | |||
| TODO | TODO | |||
| 9. IANA Considerations | 11. IANA Considerations | |||
| TODO: Revamp this section after the configuration assessment workflow | TODO: Revamp this section after the configuration assessment workflow | |||
| is fleshed out. | is fleshed out. | |||
| IANA tables can probably be used to make life a little easier. We | IANA tables can probably be used to make life a little easier. We | |||
| would like a place to enumerate: | would like a place to enumerate: | |||
| o Capability/operation semantics | o Capability/operation semantics | |||
| o SACM Component implementation identifiers | o SACM Component implementation identifiers | |||
| o SACM Component versions | o SACM Component versions | |||
| o Associations of SACM Components (and versions) to specific | o Associations of SACM Components (and versions) to specific | |||
| Capabilities | Capabilities | |||
| o Collection sub-architecture Identification | o Collection sub-architecture Identification | |||
| 10. References | 12. References | |||
| 10.1. Normative References | 12.1. Normative References | |||
| [I-D.ietf-sacm-ecp] | [I-D.ietf-sacm-ecp] | |||
| Haynes, D., Fitzgerald-McKay, J., and L. Lorenzin, | Haynes, D., Fitzgerald-McKay, J., and L. Lorenzin, | |||
| "Endpoint Posture Collection Profile", draft-ietf-sacm- | "Endpoint Posture Collection Profile", draft-ietf-sacm- | |||
| ecp-05 (work in progress), June 2019. | ecp-05 (work in progress), June 2019. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| skipping to change at page 11, line 42 ¶ | skipping to change at page 18, line 31 ¶ | |||
| Attributes (SWIMA) for PA-TNC", RFC 8412, | Attributes (SWIMA) for PA-TNC", RFC 8412, | |||
| DOI 10.17487/RFC8412, July 2018, | DOI 10.17487/RFC8412, July 2018, | |||
| <https://www.rfc-editor.org/info/rfc8412>. | <https://www.rfc-editor.org/info/rfc8412>. | |||
| [RFC8600] Cam-Winget, N., Ed., Appala, S., Pope, S., and P. Saint- | [RFC8600] Cam-Winget, N., Ed., Appala, S., Pope, S., and P. Saint- | |||
| Andre, "Using Extensible Messaging and Presence Protocol | Andre, "Using Extensible Messaging and Presence Protocol | |||
| (XMPP) for Security Information Exchange", RFC 8600, | (XMPP) for Security Information Exchange", RFC 8600, | |||
| DOI 10.17487/RFC8600, June 2019, | DOI 10.17487/RFC8600, June 2019, | |||
| <https://www.rfc-editor.org/info/rfc8600>. | <https://www.rfc-editor.org/info/rfc8600>. | |||
| 10.2. Informative References | 12.2. Informative References | |||
| [CISCONTROLS] | [CISCONTROLS] | |||
| "CIS Controls v7.0", n.d., | "CIS Controls v7.0", n.d., | |||
| <https://www.cisecurity.org/controls>. | <https://www.cisecurity.org/controls>. | |||
| [draft-birkholz-sacm-yang-content] | [draft-birkholz-sacm-yang-content] | |||
| Birkholz, H. and N. Cam-Winget, "YANG subscribed | Birkholz, H. and N. Cam-Winget, "YANG subscribed | |||
| notifications via SACM Statements", n.d., | notifications via SACM Statements", n.d., | |||
| <https://tools.ietf.org/html/ | <https://tools.ietf.org/html/ | |||
| draft-birkholz-sacm-yang-content-01>. | draft-birkholz-sacm-yang-content-01>. | |||
| skipping to change at page 12, line 20 ¶ | skipping to change at page 19, line 9 ¶ | |||
| n.d., <https://www.github.com/CISecurity/Integration>. | n.d., <https://www.github.com/CISecurity/Integration>. | |||
| [HACK102] "IETF 102 Hackathon - YANG Collection on Traditional | [HACK102] "IETF 102 Hackathon - YANG Collection on Traditional | |||
| Endpoints", n.d., | Endpoints", n.d., | |||
| <https://www.github.com/CISecurity/YANG>. | <https://www.github.com/CISecurity/YANG>. | |||
| [HACK103] "IETF 103 Hackathon - N/A", n.d., | [HACK103] "IETF 103 Hackathon - N/A", n.d., | |||
| <https://www.ietf.org/how/meetings/103/>. | <https://www.ietf.org/how/meetings/103/>. | |||
| [HACK104] "IETF 104 Hackathon - A simple XMPP client", n.d., | [HACK104] "IETF 104 Hackathon - A simple XMPP client", n.d., | |||
| <https://github.com/CISecurity/IETF104-Client>. | <https://github.com/CISecurity/SACM-Architecture>. | |||
| [HACK105] "IETF 105 Hackathon - A more robust XMPP client including | [HACK105] "IETF 105 Hackathon - A more robust XMPP client including | |||
| collection extensions", n.d., | collection extensions", n.d., | |||
| <https://github.com/CISecurity/IETF104-Client>. | <https://github.com/CISecurity/SACM-Architecture>. | |||
| [HACK99] "IETF 99 Hackathon - Vulnerability Scenario EPCP", n.d., | [HACK99] "IETF 99 Hackathon - Vulnerability Scenario EPCP", n.d., | |||
| <https://www.github.com/sacmwg/vulnerability-scenario/ | <https://www.github.com/sacmwg/vulnerability-scenario/ | |||
| ietf-hackathon>. | ietf-hackathon>. | |||
| [I-D.ietf-sacm-terminology] | [I-D.ietf-sacm-terminology] | |||
| Birkholz, H., Lu, J., Strassner, J., Cam-Winget, N., and | Birkholz, H., Lu, J., Strassner, J., Cam-Winget, N., and | |||
| A. Montville, "Security Automation and Continuous | A. Montville, "Security Automation and Continuous | |||
| Monitoring (SACM) Terminology", draft-ietf-sacm- | Monitoring (SACM) Terminology", draft-ietf-sacm- | |||
| terminology-16 (work in progress), December 2018. | terminology-16 (work in progress), December 2018. | |||
| skipping to change at page 17, line 43 ¶ | skipping to change at page 24, line 33 ¶ | |||
| Evaluator Repository | | | | | | | Evaluator Repository | | | | | | | |||
| +------+ +--------+ | +-----------+ |<-------| +-----------+ | | +------+ +--------+ | +-----------+ |<-------| +-----------+ | | |||
| | | | | | | Posture | | report | | Posture | | | | | | | | | Posture | | report | | Posture | | | |||
| | | | | | | Collection| | | | Collection| | | | | | | | | Collection| | | | Collection| | | |||
| | |<-----> | |<-----| | Manager | | query | | Engine | | | | |<-----> | |<-----| | Manager | | query | | Engine | | | |||
| | |request/| | store| +-----------+ |------->| +-----------+ | | | |request/| | store| +-----------+ |------->| +-----------+ | | |||
| | |respond | | | | | | | | |respond | | | | | | | |||
| | | | | | | | | | | | | | | | | | | |||
| +------+ +--------+ +---------------+ +---------------+ | +------+ +--------+ +---------------+ +---------------+ | |||
| Figure 3: EPCP Collection Architecture | Figure 5: EPCP Collection Architecture | |||
| In Figure 3, any of the communications between the Posture Manager | In Figure 5, any of the communications between the Posture Manager | |||
| and EPCP components to its left could be performed directly or | and EPCP components to its left could be performed directly or | |||
| indirectly using a given message transfer mechanism. For example, | indirectly using a given message transfer mechanism. For example, | |||
| the pub/sub interface between the Orchestrator and the Posture | the pub/sub interface between the Orchestrator and the Posture | |||
| Manager could be using a proprietary method or using [RFC8600] or | Manager could be using a proprietary method or using [RFC8600] or | |||
| some other pub/sub mechanism. Similarly, the store connection from | some other pub/sub mechanism. Similarly, the store connection from | |||
| the Posture Manager to the Repository could be performed internally | the Posture Manager to the Repository could be performed internally | |||
| to a given implementation, via a RESTful API invocation over HTTPS, | to a given implementation, via a RESTful API invocation over HTTPS, | |||
| or even over a pub/sub mechanism. | or even over a pub/sub mechanism. | |||
| Our assertion is that the Evaluator, Repository, Orchestrator, and | Our assertion is that the Evaluator, Repository, Orchestrator, and | |||
| skipping to change at page 19, line 51 ¶ | skipping to change at page 26, line 41 ¶ | |||
| extend the core XMPP structure to allow OVAL collection | extend the core XMPP structure to allow OVAL collection | |||
| instructions (OVAL objects) to inform posture attribute | instructions (OVAL objects) to inform posture attribute | |||
| collection. Collected system characteristics can be provided to | collection. Collected system characteristics can be provided to | |||
| the Concise MAP XMPP adapter using all 3 available XMPP | the Concise MAP XMPP adapter using all 3 available XMPP | |||
| capabilities: Publish/Subscribe, Information Query (iq - request/ | capabilities: Publish/Subscribe, Information Query (iq - request/ | |||
| response) stanzas, or direct Message stanzas. CDDL was created to | response) stanzas, or direct Message stanzas. CDDL was created to | |||
| map collected posture attributes to Concise MAP structure. The | map collected posture attributes to Concise MAP structure. The | |||
| XMPP adapter translates the incoming system characteristics and | XMPP adapter translates the incoming system characteristics and | |||
| stores the information in the MAP. | stores the information in the MAP. | |||
| Figure 4 depicts a slightly more detailed view of the architecture | Figure 6 depicts a slightly more detailed view of the architecture | |||
| (within the enterprise boundary) - one that fosters the development | (within the enterprise boundary) - one that fosters the development | |||
| of a pluggable ecosystem of cooperative tools. Existing collection | of a pluggable ecosystem of cooperative tools. Existing collection | |||
| mechanisms can be brought into this architecture by specifying the | mechanisms can be brought into this architecture by specifying the | |||
| interface of the collector and creating the XMPP-Grid Connector | interface of the collector and creating the XMPP-Grid Connector | |||
| binding for that interface. | binding for that interface. | |||
| Additionally, while not directly depicted in Figure 4, this | Additionally, while not directly depicted in Figure 6, this | |||
| architecture does allow point-to-point interfaces. In fact, | architecture does allow point-to-point interfaces. In fact, | |||
| [RFC8600] provides brokering capabilities to facilitate such point- | [RFC8600] provides brokering capabilities to facilitate such point- | |||
| to-point data transfers). Additionally, each of the SACM Components | to-point data transfers). Additionally, each of the SACM Components | |||
| depicted in Figure 4 may be a provider, a consumer, or both, | depicted in Figure 6 may be a provider, a consumer, or both, | |||
| depending on the workflow in context. | depending on the workflow in context. | |||
| +--------------+ +--------------+ | +--------------+ +--------------+ | |||
| | Orchestrator | | Repositories | | | Orchestrator | | Repositories | | |||
| +------^-------+ +------^-------+ | +------^-------+ +------^-------+ | |||
| | | | | | | |||
| | | | | | | |||
| +-------v--------------------------v--------+ +-----------------+ | +-------v--------------------------v--------+ +-----------------+ | |||
| | XMPP-Grid+ <-----> Downstream Uses | | | XMPP-Grid+ <-----> Downstream Uses | | |||
| +------------------------^------------------+ +-----------------+ | +------------------------^------------------+ +-----------------+ | |||
| skipping to change at page 20, line 35 ¶ | skipping to change at page 27, line 26 ¶ | |||
| | | | | |||
| +-------v------+ | +-------v------+ | |||
| | XMPP-Grid | | | XMPP-Grid | | |||
| | Connector(s) | | | Connector(s) | | |||
| +------^-------+ | +------^-------+ | |||
| | | | | |||
| +------v-------+ | +------v-------+ | |||
| | Collector(s) | | | Collector(s) | | |||
| +--------------+ | +--------------+ | |||
| Figure 4: XMPP-based Architecture | Figure 6: XMPP-based Architecture | |||
| [RFC8600] details a number of XMPP extensions (XEPs) that MUST be | [RFC8600] details a number of XMPP extensions (XEPs) that MUST be | |||
| utilized to meet the needs of [RFC7632] and [RFC8248]: | utilized to meet the needs of [RFC7632] and [RFC8248]: | |||
| o Service Discovery (XEP-0030): Service Discovery allows XMPP | o Service Discovery (XEP-0030): Service Discovery allows XMPP | |||
| entities to discover information about other XMPP entities. Two | entities to discover information about other XMPP entities. Two | |||
| kinds of information can be discovered: the identity and | kinds of information can be discovered: the identity and | |||
| capabilities of an entity, such as supported features, and items | capabilities of an entity, such as supported features, and items | |||
| associated with an entity. | associated with an entity. | |||
| o Publish-Subscribe (XEP-0060): The PubSub extension enables | o Publish-Subscribe (XEP-0060): The PubSub extension enables | |||
| entities to create nodes (topics) at a PubSub service and publish | entities to create nodes (topics) at a PubSub service and publish | |||
| information at those nodes. Once published, an event notification | information at those nodes. Once published, an event notification | |||
| is broadcast to all entities that have subscribed to that node. | is broadcast to all entities that have subscribed to that node. | |||
| At this point, [RFC8600] specifies fewer features than SACM requires, | At this point, [RFC8600] specifies fewer features than SACM requires, | |||
| and there are other XMPP extensions (XEPs) we need to consider to | and there are other XMPP extensions (XEPs) we need to consider to | |||
| meet the needs of [RFC7632] and [RFC8248]. In Figure 4 we therefore | meet the needs of [RFC7632] and [RFC8248]. In Figure 6 we therefore | |||
| use "XMPP-Grid+" to indicate something more than [RFC8600] alone, | use "XMPP-Grid+" to indicate something more than [RFC8600] alone, | |||
| even though we are not yet fully confident in the exact set of XMPP- | even though we are not yet fully confident in the exact set of XMPP- | |||
| related extensions we will require. The authors propose work to | related extensions we will require. The authors propose work to | |||
| extend (or modify) [RFC8600] to include additional XEPs - possibly | extend (or modify) [RFC8600] to include additional XEPs - possibly | |||
| the following: | the following: | |||
| o Entity Capabilities (XEP-0115): This extension defines the methods | o Entity Capabilities (XEP-0115): This extension defines the methods | |||
| for broadcasting and dynamically discovering an entities' | for broadcasting and dynamically discovering an entities' | |||
| capabilities. This information is transported via standard XMPP | capabilities. This information is transported via standard XMPP | |||
| presence. Example capabilities that could be discovered could | presence. Example capabilities that could be discovered could | |||
| skipping to change at page 22, line 38 ¶ | skipping to change at page 29, line 30 ¶ | |||
| useful in intermittent connection scenarios, or when entities | useful in intermittent connection scenarios, or when entities | |||
| disconnect and reconnect to the ecosystem. | disconnect and reconnect to the ecosystem. | |||
| o PubSub Chaining (XEP-0253): This extension describes the | o PubSub Chaining (XEP-0253): This extension describes the | |||
| federation of publishing nodes, enabling a publish node of one | federation of publishing nodes, enabling a publish node of one | |||
| server to be a subscriber to a publishing node of another server. | server to be a subscriber to a publishing node of another server. | |||
| C.1. Example Architecture using XMPP-Grid and Endpoint Posture | C.1. Example Architecture using XMPP-Grid and Endpoint Posture | |||
| Collection Protocol | Collection Protocol | |||
| Figure 5 depicts a further detailed view of the architecture | Figure 7 depicts a further detailed view of the architecture | |||
| including the Endpoint Posture Collection Protocol as the collection | including the Endpoint Posture Collection Protocol as the collection | |||
| subsystem, illustrating the idea of a pluggable ecosystem of | subsystem, illustrating the idea of a pluggable ecosystem of | |||
| cooperative tools. | cooperative tools. | |||
| +--------------------+ | +--------------------+ | |||
| | Feeds/Repositories | | | Feeds/Repositories | | |||
| | of External Data | | | of External Data | | |||
| +--------------------+ | +--------------------+ | |||
| | | | | |||
| ********************v************************* Enterprise Boundary ************ | ********************v************************* Enterprise Boundary ************ | |||
| skipping to change at page 23, line 48 ¶ | skipping to change at page 30, line 48 ¶ | |||
| * | | | * | * | | | * | |||
| * | +-----------|-------------------------Endpoint or Endpoint Proxy-------+| * | * | +-----------|-------------------------Endpoint or Endpoint Proxy-------+| * | |||
| * | |+----------v------------+ +----------------+ +----------------------+ || * | * | |+----------v------------+ +----------------+ +----------------------+ || * | |||
| * | || Communications Client | | Posture Client | | Posture Collector(s) | || * | * | || Communications Client | | Posture Client | | Posture Collector(s) | || * | |||
| * | |+-----------------------+ +----------------+ +----------------------+ || * | * | |+-----------------------+ +----------------+ +----------------------+ || * | |||
| * | +----------------------------------------------------------------------+| * | * | +----------------------------------------------------------------------+| * | |||
| * +-----------------Endpoint Posture Collection Profile---------------------+ * | * +-----------------Endpoint Posture Collection Profile---------------------+ * | |||
| * * | * * | |||
| ******************************************************************************* | ******************************************************************************* | |||
| Figure 5: XMPP-based Architecture including EPCP | Figure 7: XMPP-based Architecture including EPCP | |||
| Authors' Addresses | Authors' Addresses | |||
| Adam W. Montville | Adam W. Montville | |||
| Center for Internet Security | Center for Internet Security | |||
| 31 Tech Valley Drive | 31 Tech Valley Drive | |||
| East Greenbush, NY 12061 | East Greenbush, NY 12061 | |||
| USA | USA | |||
| Email: adam.montville.sdo@gmail.com | Email: adam.montville.sdo@gmail.com | |||
| End of changes. 38 change blocks. | ||||
| 119 lines changed or deleted | 410 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||