| draft-ietf-sacm-terminology-14.txt | draft-ietf-sacm-terminology-15.txt | |||
|---|---|---|---|---|
| SACM Working Group H. Birkholz | SACM Working Group H. Birkholz | |||
| Internet-Draft Fraunhofer SIT | Internet-Draft Fraunhofer SIT | |||
| Intended status: Informational J. Lu | Intended status: Informational J. Lu | |||
| Expires: June 13, 2018 Oracle Corporation | Expires: December 15, 2018 Oracle Corporation | |||
| J. Strassner | J. Strassner | |||
| Huawei Technologies | Huawei Technologies | |||
| N. Cam-Winget | N. Cam-Winget | |||
| Cisco Systems | Cisco Systems | |||
| A. Montville | A. Montville | |||
| CIS | CIS | |||
| December 10, 2017 | June 13, 2018 | |||
| Security Automation and Continuous Monitoring (SACM) Terminology | Security Automation and Continuous Monitoring (SACM) Terminology | |||
| draft-ietf-sacm-terminology-14 | draft-ietf-sacm-terminology-15 | |||
| Abstract | Abstract | |||
| This memo documents terminology used in the documents produced by | This memo documents terminology used in the documents produced by | |||
| SACM (Security Automation and Continuous Monitoring). | SACM (Security Automation and Continuous Monitoring). | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 13, 2018. | This Internet-Draft will expire on December 15, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 2 | 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 22 | |||
| 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 25 | 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 26 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 28 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 26 | 8.2. Informative References . . . . . . . . . . . . . . . . . 28 | |||
| Appendix A. The Attic . . . . . . . . . . . . . . . . . . . . . 27 | Appendix A. The Attic . . . . . . . . . . . . . . . . . . . . . 29 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 1. Introduction | 1. Introduction | |||
| Our goal with this document is to improve our agreement on the | Our goal with this document is to improve our agreement on the | |||
| terminology used in documents produced by the IETF Working Group for | terminology used in documents produced by the IETF Working Group for | |||
| Security Automation and Continuous Monitoring. Agreeing on | Security Automation and Continuous Monitoring. Agreeing on | |||
| terminology should help reach consensus on which problems we're | terminology should help reach consensus on which problems we're | |||
| trying to solve, and propose solutions and decide which ones to use. | trying to solve, and propose solutions and decide which ones to use. | |||
| 2. Terms and Definitions | 2. Terms and Definitions | |||
| skipping to change at page 2, line 47 ¶ | skipping to change at page 2, line 47 ¶ | |||
| which the term is used in SACM. Note that explanatory or | which the term is used in SACM. Note that explanatory or | |||
| informational augmentation to definitions are segregated from the | informational augmentation to definitions are segregated from the | |||
| definitions themselves. The definition for the term immediately | definitions themselves. The definition for the term immediately | |||
| follows the term on the same line, whereas expositional text is | follows the term on the same line, whereas expositional text is | |||
| contained in subsequent paragraphs immediately following the | contained in subsequent paragraphs immediately following the | |||
| definition. | definition. | |||
| Assertion: Defined by the ITU in [X.1252] as "a statement made by an | Assertion: Defined by the ITU in [X.1252] as "a statement made by an | |||
| entity without accompanying evidence of its validity". | entity without accompanying evidence of its validity". | |||
| In the context of SACM, an assertion is the output of a SACM | ||||
| Component in the form of a SACM Statement (including metadata | ||||
| about the data source and data origin, e.g. timestamps). While | ||||
| the validity of an assertion about Content and Content Metadata | ||||
| cannot be verified without, for example, Integrity Proofing of the | ||||
| Data Source, an assertion (and therefore a SACM statement, | ||||
| respectively) of the validity of Statement Metadata can by enabled | ||||
| by including corresponding Integrity Evidence created by the Data | ||||
| Origin. | ||||
| Assessment: Defined in [RFC5209] as "the process of collecting | Assessment: Defined in [RFC5209] as "the process of collecting | |||
| posture for a set of capabilities on the endpoint (e.g., host- | posture for a set of capabilities on the endpoint (e.g., host- | |||
| based firewall) such that the appropriate validators may evaluate | based firewall) such that the appropriate validators may evaluate | |||
| the posture against compliance policy." | the posture against compliance policy." | |||
| Asset: Is a system resource, as defined in [RFC4949], that may be | Asset: Is a system resource, as defined in [RFC4949], that may be | |||
| composed of other assets. | composed of other assets. | |||
| Examples of Assets include: Endpoints, Software, Guidance, or | Examples of Assets include: Endpoints, Software, Guidance, or | |||
| X.509 public key certificates. An asset is not necessarily owned | X.509 public key certificates. An asset is not necessarily owned | |||
| skipping to change at page 3, line 22 ¶ | skipping to change at page 3, line 31 ¶ | |||
| Asset Management: The IT process by which assets are provisioned, | Asset Management: The IT process by which assets are provisioned, | |||
| updated, maintained and deprecated. | updated, maintained and deprecated. | |||
| Attribute: Is a data element, as defined in [RFC5209], that is | Attribute: Is a data element, as defined in [RFC5209], that is | |||
| atomic. | atomic. | |||
| In the context of SACM, attributes are "atomic" information | In the context of SACM, attributes are "atomic" information | |||
| elements and an equivalent to attribute-value-pairs. Attributes | elements and an equivalent to attribute-value-pairs. Attributes | |||
| can be components of Subjects. | can be components of Subjects. | |||
| Authentication: Defined in [RFC4949] as "the process of verifying a | Broken remnant of a term again, but this time left here to show how | |||
| claim that a system entity or system resource has a certain | much the last submit of -14 broke the document (this is actually not | |||
| attribute value." | a term definition, apparently, but if you are curious this was | |||
| "Authorization", became a second paragraph of expositional text to | ||||
| Authorization: Defined in [RFC4949] as "an approval that is granted | the definition of Attribute and now became the universal disclaimer | |||
| to a system entity to access a system resource." | of "please alter the structure of the document with care") - until | |||
| removal by a less annoyed editor: | ||||
| Defined in [RFC4949] as "an approval that is granted to a system | ||||
| entity to access a system resource." | ||||
| Capability: A set of features that are available from a SACM | Capability: A set of features that are available from a SACM | |||
| Component. | Component. | |||
| See also "capability" in [I-D.ietf-i2nsf-terminology]. | See also "capability" in [I-D.ietf-i2nsf-terminology]. | |||
| In the context of SACM, the extent of a SACM component's ability | In the context of SACM, the extent of a SACM component's ability | |||
| is enabled by the functions it is composed of. Capabilities are | is enabled by the functions it is composed of. Capabilities are | |||
| registered at a SACM broker (potentially also at a proxy or a | registered at a SACM broker (potentially also at a proxy or a | |||
| repository component if it includes broker functions) by a SACM | repository component if it includes broker functions) by a SACM | |||
| skipping to change at page 5, line 37 ¶ | skipping to change at page 5, line 50 ¶ | |||
| identifies a log-file directory, a registry entry. | identifies a log-file directory, a registry entry. | |||
| Configuration Drift: The disposition of endpoint characteristics to | Configuration Drift: The disposition of endpoint characteristics to | |||
| change over time. | change over time. | |||
| Configuration drift exists for both hardware components and | Configuration drift exists for both hardware components and | |||
| software components. Typically, the frequency and scale of | software components. Typically, the frequency and scale of | |||
| configuration drift of software components is significantly higher | configuration drift of software components is significantly higher | |||
| than the configuration drift of hardware components. | than the configuration drift of hardware components. | |||
| Consumer: Is a SACM Role that contains functions to receive | Consumer: A SACM Role that requires a SACM Component to include SACM | |||
| information from other SACM Components. | Functions enabling it to receive information from other SACM | |||
| Components. | ||||
| Content Element: Content elements constitute the payload data (SACM | Content Element: Content elements constitute the payload data (SACM | |||
| content) transferred via statement Subjects emitted by providers | content) transferred via statement Subjects emitted by providers | |||
| of information. Every content element Subject includes a specific | of information. Every content element Subject includes a specific | |||
| content Subject and a corresponding content metadata Subject. | content Subject and a corresponding content metadata Subject. | |||
| Content Metadata: Data about content Subjects. Every content- | Content Metadata: Data about content Subjects. Every content- | |||
| element includes a content metadata Subject. The Subject can | element includes a content metadata Subject. The Subject can | |||
| include any information element that can annotate the content | include any information element that can annotate the content | |||
| transferred. Examples include time stamps or data provenance | transferred. Examples include time stamps or data provenance | |||
| skipping to change at page 6, line 46 ¶ | skipping to change at page 7, line 8 ¶ | |||
| information. The termination points of provider of information | information. The termination points of provider of information | |||
| and consumer of information data is transferred between are | and consumer of information data is transferred between are | |||
| interfaces. In regard to data in motion, the interpretation of | interfaces. In regard to data in motion, the interpretation of | |||
| the roles consumer of information and provider of information | the roles consumer of information and provider of information | |||
| depends on the corresponding OSI layer (e.g. on layer2: between | depends on the corresponding OSI layer (e.g. on layer2: between | |||
| interfaces connected to a broadcast domain, on layer4: between | interfaces connected to a broadcast domain, on layer4: between | |||
| interfaces that maintain a TCP connection). In the context of | interfaces that maintain a TCP connection). In the context of | |||
| SACM, consumer of information and provider of information are SACM | SACM, consumer of information and provider of information are SACM | |||
| components. | components. | |||
| The SACM architecture and corresponding models focus on data in | ||||
| motion. | ||||
| Data At Rest: Data that is stored. | Data At Rest: Data that is stored. | |||
| Data at rest requires a data model to encode the data to be | Data at rest requires a data model to encode the data to be | |||
| stored. In the context of SACM, data at rest located on a SACM | stored. In the context of SACM, data at rest located on a SACM | |||
| component can be provided to other SACM components via | component can be provided to other SACM components via | |||
| discoverable capabilities. | discoverable capabilities. | |||
| In the context of SACM, data models for data at rest are out of | ||||
| scope. | ||||
| Data Integrity: Defined in [RFC4949] as "the property that data has | Data Integrity: Defined in [RFC4949] as "the property that data has | |||
| not been changed, destroyed, or lost in an unauthorized or | not been changed, destroyed, or lost in an unauthorized or | |||
| accidental manner." | accidental manner." | |||
| Data Origin: The SACM Component that initially acquired or produced | Data Origin: The SACM Component that initially acquired or produced | |||
| data about an endpoint. | data about an endpoint. | |||
| Data Origin enables a SACM component to identify the SACM | Data Origin enables a SACM component to identify the SACM | |||
| component that initially acquired or produced data about a | component that initially acquired or produced data about a | |||
| (target) endpoint (e.g. via collection from a data source) and | (target) endpoint (e.g. via collection from a data source) and | |||
| skipping to change at page 9, line 7 ¶ | skipping to change at page 9, line 14 ¶ | |||
| Endpoint Attributes typically constitute Attributes that can be | Endpoint Attributes typically constitute Attributes that can be | |||
| bundled into Subject (e.g. information about a specific network | bundled into Subject (e.g. information about a specific network | |||
| interface can be represented via a set of multiple AVP). | interface can be represented via a set of multiple AVP). | |||
| Endpoint Characteristics: The state, configuration and composition | Endpoint Characteristics: The state, configuration and composition | |||
| of the software components and (virtual) hardware components a | of the software components and (virtual) hardware components a | |||
| target endpoint is composed of, including observable behavior, | target endpoint is composed of, including observable behavior, | |||
| e.g. sys-calls, log-files, or PDU emission on a network. | e.g. sys-calls, log-files, or PDU emission on a network. | |||
| Endpoint Characterization: The description of the distinctive nature | In SACM work-flows, (Target) Endpoint Characteristics are | |||
| of an endpoint, that is based on its characteristics. | represented via Information Elements. | |||
| Endpoint Characterization Task: The task of endpoint | Endpoint Characterization Task: The task of endpoint | |||
| characterization that uses endpoint attributes that represent | characterization that uses endpoint attributes that represent | |||
| distinct endpoint characteristics. | distinct endpoint characteristics. | |||
| Endpoint Classification: The categorization of of the endpoint into | Endpoint Classification: The categorization of of the endpoint into | |||
| one or more taxonomic structures. | one or more taxonomic structures. | |||
| Endpoint classification requires declarative guidance in the form | Endpoint classification requires declarative guidance in the form | |||
| of an endpoint profile, discovery results and potentially | of an endpoint profile, discovery results and potentially | |||
| skipping to change at page 9, line 46 ¶ | skipping to change at page 10, line 5 ¶ | |||
| Evaluation Task: A task by which an endpoint's asserted attribute | Evaluation Task: A task by which an endpoint's asserted attribute | |||
| value is evaluated against a policy-compliant attribute value. | value is evaluated against a policy-compliant attribute value. | |||
| Evaluation Result: The resulting value from having evaluated a set | Evaluation Result: The resulting value from having evaluated a set | |||
| of posture attributes. | of posture attributes. | |||
| Expected Endpoint Attribute State: The policy-compliant state of an | Expected Endpoint Attribute State: The policy-compliant state of an | |||
| endpoint attribute that is to be compared against. | endpoint attribute that is to be compared against. | |||
| Guidance: Input directing SACM processes or tasks. | Sets of expected endpoint attribute states are transported as | |||
| declarative guidance in target endpoint profiles via the | ||||
| management plane. This, for example, can be a policy, but also a | ||||
| recorded past state. An expected state is represented by an | ||||
| Attribute or a Subject that represents a set of multiple attribute | ||||
| value pairs. | ||||
| Guidance: Machine-processable input directing SACM processes or | ||||
| tasks. | ||||
| Examples of such processes/tasks include automated device | ||||
| management, remediation, collection, evaluation. Guidance | ||||
| influences the behavior of a SACM Component and is considered | ||||
| content of the management plane. In the context of SACM, guidance | ||||
| is machine-readable and can be manually or automatically generated | ||||
| or provided. Typically, the tasks that provide guidance to SACM | ||||
| components have a low-frequency and tend to be sporadic. | ||||
| There are two types of guidance: | There are two types of guidance: | |||
| Declarative Guidance: Guidance that defines the configuration or | Declarative Guidance: Guidance that defines the configuration or | |||
| state an endpoint is supposed to be in, without providing specific | state an endpoint is supposed to be in, without providing specific | |||
| actions or methods to produce that desired state. Examples | actions or methods to produce that desired state. Examples | |||
| include Target Endpoint Profiles or network topology based | include Target Endpoint Profiles or network topology based | |||
| requirements. | requirements. | |||
| Imperative Guidance: Guidance that prescribes specific actions to | Imperative Guidance: Guidance that prescribes specific actions to | |||
| be conducted or methods to be used in order to achieve an outcome. | be conducted or methods to be used in order to achieve an outcome. | |||
| Examples include a targeted Collection Task or the IP-Address of a | Examples include a targeted Collection Task or the IP-Address of a | |||
| SACM Component that provides a registration function. | SACM Component that provides a registration function. | |||
| Prominent examples include: modification of the configuration of a | ||||
| SACM component or updating a target endpoint profile that resides | ||||
| on an evaluator. In essence, guidance is transported via the | ||||
| management plane. | ||||
| Endpoint Hardware Inventory: The set of hardware components that | Endpoint Hardware Inventory: The set of hardware components that | |||
| compose a specific endpoint representing its hardware | compose a specific endpoint representing its hardware | |||
| configuration. | configuration. | |||
| Hardware Component: A distinguishable physical component used to | ||||
| compose an endpoint. | ||||
| The composition of an endpoint can be changed over time by adding | ||||
| or removing hardware components. In essence, every physical | ||||
| endpoint is potentially a composite of multiple hardware | ||||
| components, typically resulting in a hierarchical composition of | ||||
| hardware components. The composition of hardware components is | ||||
| based on interconnects provided by specific hardware types (e.g. | ||||
| FRU in a chassis are connected via redundant busses). In general, | ||||
| a hardware component can be distinguished by its serial number. | ||||
| Occasionally, hardware components are referred to as power sucking | ||||
| aliens. | ||||
| Information Element: A representation of information about physical | Information Element: A representation of information about physical | |||
| and virtual "objects of interest". | and virtual "objects of interest". | |||
| Information elements are the building blocks that constitute the | Information elements are the building blocks that constitute the | |||
| SACM information model. In the context of SACM, an information | SACM information model. In the context of SACM, an information | |||
| element that expresses a single value with a specific name is | element that expresses a single value with a specific name is | |||
| referred to as an Attribute (analogous to an attribute-value- | referred to as an Attribute (analogous to an attribute-value- | |||
| pair). A set of attributes that is bundled into a more complex | pair). A set of attributes that is bundled into a more complex | |||
| composite information element is referred to as a Subject. Every | composite information element is referred to as a Subject. Every | |||
| information element in the SACM information model has a unique | information element in the SACM information model has a unique | |||
| skipping to change at page 10, line 44 ¶ | skipping to change at page 11, line 37 ¶ | |||
| While there is some overlap with a data model, [RFC3444] | While there is some overlap with a data model, [RFC3444] | |||
| distinguishes an information model as being protocol and | distinguishes an information model as being protocol and | |||
| implementation neutral whereas a data model would provide such | implementation neutral whereas a data model would provide such | |||
| details. The purpose of the SACM information model is to ensure | details. The purpose of the SACM information model is to ensure | |||
| interoperability between SACM data models (that are used as | interoperability between SACM data models (that are used as | |||
| transport encoding) and to provide a standardized set of | transport encoding) and to provide a standardized set of | |||
| information elements for communication between SACM components. | information elements for communication between SACM components. | |||
| Interaction Model: The definition of specific sequences regarding | Interaction Model: The definition of specific sequences regarding | |||
| the exchange of messages (data in motion), including, for example, | the exchange of messages (data in motion), including, for example, | |||
| conditional branching, thresholds and timers. An interaction | conditional branching, thresholds and timers. | |||
| model, for example, can be used to define operations, such as | ||||
| registration or discovery, on the control plane. A composition of | ||||
| data models for data in motion and a corresponding interaction | ||||
| model is a protocol. | ||||
| Internal Collector: Internal Collector: a collector that runs on a | An interaction model, for example, can be used to define | |||
| target endpoint to acquire information from that target endpoint. | operations, such as registration or discovery, on the control | |||
| plane. A composition of data models for data in motion and a | ||||
| corresponding interaction model is a protocol. | ||||
| Management Plane: Is an architectural component providing common | Internal Collector: A collector that runs on a target endpoint to | |||
| acquire information from that target endpoint. | ||||
| Management Plane: An architectural component providing common | ||||
| functions to steer the behavior of SACM components, e.g. their | functions to steer the behavior of SACM components, e.g. their | |||
| behavior on the control plane. | behavior on the control plane. | |||
| Prominent examples include: modification of the configuration of a | Typically, a SACM component can fulfill its purpose without | |||
| SACM component or updating a target endpoint profile that resides | continuous input from the management plane. In contrast, without | |||
| on an evaluator. In essence, guidance is transported via the | continuous availability of control plane functions a typical SACM | |||
| management plane. Typically, a SACM component can fulfill its | component could not function properly. In general, interaction on | |||
| purpose without continuous input from the management plane. In | the management plane is less frequent and less regular than on the | |||
| contrast, without continuous availability of control plane | control plane. Input via the management plane can be manual (e.g. | |||
| functions a typical SACM component could not function properly. | via a CLI), or can be automated via management plane functions | |||
| In general, interaction on the management plane is less frequent | that are part of other SACM components. | |||
| and less regular than on the control plane. Input via the | ||||
| management plane can be manual (e.g. via a CLI), or can be | Network Address: A layer-specific address that follows a layer- | |||
| automated via management plane functions that are part of other | specific address scheme. | |||
| SACM components. | ||||
| The following characteristics are a summery derived from the | ||||
| Common Information Model and ITU-T X.213. Each Network Interface | ||||
| of a specific layer can be associated with one or more addresses | ||||
| appropriate for that layer. There is no guarantee that a network | ||||
| address is globally unique. A dedicated authority entity can | ||||
| provide a level of assurance that a network address is unique in | ||||
| its given scope. In essence, there is always a scope to a network | ||||
| address, in which it is intended to be unique. | ||||
| Examples include: physical Ethernet port with a MAC address, layer | ||||
| 2 VLAN interface with a MAC address, layer 3 interface with | ||||
| multiple IPv6 addresses, layer 3 tunnel ingress or egress with an | ||||
| IPv4 address. | ||||
| Network Interface: An Endpoint is connected to a network via one or | ||||
| more Network Interfaces. Network Interfaces can be physical | ||||
| (Hardware Component) or logical (virtual Hardware component, i.e. | ||||
| a dedicated Software Component). Network Interfaces of an | ||||
| Endpoint can operate on different layers, most prominently what is | ||||
| now commonly called layer 2 and 3. Within a layer, interfaces can | ||||
| be nested. | ||||
| In SACM, the association of Endpoints and Network Addresses via | ||||
| Network Interfaces is vital to maintain interdependent autonomous | ||||
| processes that can be targeted at Target Endpoints, unambiguously. | ||||
| Examples include: physical Ethernet port, layer 2 VLAN interface, | ||||
| a MC-LAG setup, layer 3 Point-to-Point tunnel ingress or egress. | ||||
| Metadata: Data about data. | Metadata: Data about data. | |||
| In the SACM information model, data is referred to as Content. | In the SACM information model, data is referred to as Content. | |||
| Metadata about the content is referred to as Content-Metadata, | Metadata about the content is referred to as Content-Metadata, | |||
| respectively. Content and Content-Metadata are combined into | respectively. Content and Content-Metadata are combined into | |||
| Subjects called Content-Elements in the SACM information model. | Subjects called Content-Elements in the SACM information model. | |||
| Some information elements defined by the SACM information model | Some information elements defined by the SACM information model | |||
| can be part of the Content or the Content-Metadata. Therefore, if | can be part of the Content or the Content-Metadata. Therefore, if | |||
| an information element is considered data or data about data | an information element is considered data or data about data | |||
| depends on which kind of Subject it is associated with. The SACM | depends on which kind of Subject it is associated with. The SACM | |||
| information model also defines metadata about the data origin via | information model also defines metadata about the data origin via | |||
| the Subject Statement-Metadata. Typical examples of metadata are | the Subject Statement-Metadata. Typical examples of metadata are | |||
| time stamps, data origin or data source. | time stamps, data origin or data source. | |||
| Examples include: physical Ethernet port with a MAC address, layer | ||||
| 2 VLAN interface with a MAC address, layer 3 interface with | ||||
| multiple IPv6 addresses, layer 3 tunnel ingress or egress with an | ||||
| IPv4 address. | ||||
| Posture: Defined in [RFC5209] as "configuration and/or status of | Posture: Defined in [RFC5209] as "configuration and/or status of | |||
| hardware or software on an endpoint as it pertains to an | hardware or software on an endpoint as it pertains to an | |||
| organization's security policy." | organization's security policy." | |||
| This term is used within the scope of SACM to represent the | This term is used within the scope of SACM to represent the | |||
| configuration and state information that is collected from a | configuration and state information that is collected from a | |||
| target endpoint in the form of endpoint attributes (e.g. software/ | target endpoint in the form of endpoint attributes (e.g. software/ | |||
| hardware inventory, configuration settings, dynamically assigned | hardware inventory, configuration settings, dynamically assigned | |||
| addresses). This information may constitute one or more posture | addresses). This information may constitute one or more posture | |||
| attributes. | attributes. | |||
| skipping to change at page 13, line 8 ¶ | skipping to change at page 14, line 27 ¶ | |||
| component contains at least a basic set of control plane functions | component contains at least a basic set of control plane functions | |||
| and can contain data plane and management plane functions. A SACM | and can contain data plane and management plane functions. A SACM | |||
| component residing on an endpoint assigns one or more SACM roles | component residing on an endpoint assigns one or more SACM roles | |||
| to the corresponding endpoint due to the SACM functions it is | to the corresponding endpoint due to the SACM functions it is | |||
| composed of. A SACM component "resides on" an endpoint and an | composed of. A SACM component "resides on" an endpoint and an | |||
| endpoint "contains" a SACM component, correspondingly. For | endpoint "contains" a SACM component, correspondingly. For | |||
| example, a SACM component that is composed solely of functions | example, a SACM component that is composed solely of functions | |||
| that provide information would only take on the role of a | that provide information would only take on the role of a | |||
| provider. | provider. | |||
| SACM Component Discovery: The task of brokering appropriate SACM | SACM Component Discovery: The task of discovering the capabilities | |||
| components according to their capabilities or roles on request. | provided by SACM components within a SACM domain. | |||
| Input: Query | ||||
| Output: a list of SACM components including metadata | This is likely to be performed via an appropriate set of control | |||
| plane functions. | ||||
| SACM Component Label: A specific endpoint label that is used to | SACM Component Label: A specific endpoint label that is used to | |||
| identify a SACM component. | identify a SACM component. | |||
| In content-metadata, this label is called data origin. | In content-metadata, this label is called data origin. | |||
| SACM Content: The payload provided by SACM components to the SACM | SACM Content: The payload provided by SACM components to the SACM | |||
| domain on the data plane. | domain on the data plane. | |||
| SACM content includes the SACM data models. | SACM content includes the SACM data models. | |||
| SACM Domain: Endpoints that include a SACM component compose a SACM | SACM Domain: Endpoints that include a SACM component compose a SACM | |||
| domain. | domain. | |||
| (To be revised, additional definition content TBD, possible | (To be revised, additional definition content TBD, possible | |||
| dependencies to SACM architecture) | dependencies to SACM architecture) | |||
| SACM Function: A behavioral aspect of a SACM component that provides | ||||
| external SACM Interfaces or internal interfaces to other SACM | ||||
| Functionse. | ||||
| For example, a SACM Function with SACM Interfaces on the Control | ||||
| Plane can provide a brokering function to other SACM Components. | ||||
| Via Data Plane interfaces, a SACM Function can act as a provider | ||||
| and/or as a consumer of information. SACM Functions can be | ||||
| propagated as the Capabilities of a SACM Component and can be | ||||
| discovered by or negotiated with other SACM Components. | ||||
| SACM Interface: An interface, as defined in | SACM Interface: An interface, as defined in | |||
| [I-D.ietf-i2nsf-terminology], that provides SACM-specific | [I-D.ietf-i2nsf-terminology], that provides SACM-specific | |||
| operations. | operations. | |||
| [I-D.ietf-i2nsf-terminology] defines interface as a "set of | [I-D.ietf-i2nsf-terminology] defines interface as a "set of | |||
| operations one object knows it can invoke on, and expose to, | operations one object knows it can invoke on, and expose to, | |||
| another object," and further defines interface by stating that an | another object," and further defines interface by stating that an | |||
| interface "decouples the implementation of the operation from its | interface "decouples the implementation of the operation from its | |||
| specification. An interface is a subset of all operations that a | specification. An interface is a subset of all operations that a | |||
| given object implements. The same object may have multiple types | given object implements. The same object may have multiple types | |||
| skipping to change at page 14, line 27 ¶ | skipping to change at page 16, line 7 ¶ | |||
| the Roles of a Component from the Applications that use that | the Roles of a Component from the Applications that use that | |||
| Component." | Component." | |||
| In the context of SACM, SACM roles are associated with SACM | In the context of SACM, SACM roles are associated with SACM | |||
| components and are defined by the set of functions and interfaces | components and are defined by the set of functions and interfaces | |||
| a SACM component includes. There are three SACM roles: provider, | a SACM component includes. There are three SACM roles: provider, | |||
| consumer, and controller. The roles associated with a SACM | consumer, and controller. The roles associated with a SACM | |||
| component are determined by the purpose of the SACM functions and | component are determined by the purpose of the SACM functions and | |||
| corresponding SACM interfaces the SACM component is composed of. | corresponding SACM interfaces the SACM component is composed of. | |||
| SACM Statement: Is SACM component output that represents an | SACM Statement: Is an assertion that is made by a SACM Component. | |||
| assertion. | ||||
| Security Automation: The process of which security alerts can be | Security Automation: The process of which security alerts can be | |||
| automated through the use of different components to monitor, | automated through the use of different components to monitor, | |||
| analyze and assess endpoints and network traffic for the purposes | analyze and assess endpoints and network traffic for the purposes | |||
| of detecting misconfigurations, misbehaviors or threats. | of detecting misconfigurations, misbehaviors or threats. | |||
| Security Automation is intended to identify target endpoints that | Security Automation is intended to identify target endpoints that | |||
| cannot be trusted (see "trusted" in [RFC4949]. This goal is | cannot be trusted (see "trusted" in [RFC4949]. This goal is | |||
| achieved by creating and processing evidence (assessment | achieved by creating and processing evidence (assessment | |||
| statements) that a target endpoint is not a trusted system | statements) that a target endpoint is not a trusted system | |||
| skipping to change at page 15, line 17 ¶ | skipping to change at page 16, line 44 ¶ | |||
| State: A volatile set of endpoint attributes of a (target) endpoint | State: A volatile set of endpoint attributes of a (target) endpoint | |||
| that is affected by a reboot-cycle. | that is affected by a reboot-cycle. | |||
| Local state is created by the interaction of components with other | Local state is created by the interaction of components with other | |||
| components via the control plane, via processing data plane | components via the control plane, via processing data plane | |||
| payload, or via the functional properties of local hardware and | payload, or via the functional properties of local hardware and | |||
| software components. Dynamic configuration (e.g. IP address | software components. Dynamic configuration (e.g. IP address | |||
| distributed dynamically via an address distribution and management | distributed dynamically via an address distribution and management | |||
| services, such as DHCP) is considered state that is the result of | services, such as DHCP) is considered state that is the result of | |||
| the interaction with another component that provides configuration | the interaction with another component (e.g. provided by a DHCP | |||
| via the control plane (e.g. provided by a DHCP server with a | server with a specific configuration). | |||
| specific configuration). | ||||
| Examples: The static association of an IP address and a MAC | Examples: The static association of an IP address and a MAC | |||
| address in a DHCP server configuration, a directory-path that | address in a DHCP server configuration, a directory-path that | |||
| identifies a log-file directory, a registry entry. | identifies a log-file directory, a registry entry. | |||
| Statement: A statement is a subject defined in the SACM information | Statement: A statement is the root/top-level subject defined in the | |||
| model. | SACM information model. | |||
| When a statement is used to provide content to a SACM domain, it | A statement is used to bundle Content Elements into one subject | |||
| is a top-level subject that bundles Content Elements into one | and includes metadata about the data origin. | |||
| subject and includes metadata about the data origin. | ||||
| Subject: A semantic composite information element pertaining to a | Subject: A semantic composite information element pertaining to a | |||
| system entity that is a target endpoint. | system entity that is a target endpoint. | |||
| Like Attributes, subjects have a name and are composed of | Like Attributes, subjects have a name and are composed of | |||
| attributes and/or other subjects. Every IE that is part of a | attributes and/or other subjects. Every IE that is part of a | |||
| subject can have a quantitiy associated with it (e.g. zero-one, | subject can have a quantitiy associated with it (e.g. zero-one, | |||
| none-unbounded). The content IE of a subject can be an unordered | none-unbounded). The content IE of a subject can be an unordered | |||
| or an ordered list. | or an ordered list. | |||
| skipping to change at page 16, line 31 ¶ | skipping to change at page 18, line 9 ¶ | |||
| Every endpoint that is not specifically designated as an excluded | Every endpoint that is not specifically designated as an excluded | |||
| endpoint is a target endpoint. A target endpoint is not part of a | endpoint is a target endpoint. A target endpoint is not part of a | |||
| SACM domain unless it contains a SACM component (e.g. a SACM | SACM domain unless it contains a SACM component (e.g. a SACM | |||
| component that publishes collection results coming from an | component that publishes collection results coming from an | |||
| internal collector). | internal collector). | |||
| A target endpoint is similar to a device that is a Target of | A target endpoint is similar to a device that is a Target of | |||
| Evaluation (TOE) as defined in Common Criteria and as referenced | Evaluation (TOE) as defined in Common Criteria and as referenced | |||
| by {{RFC4949}. | by {{RFC4949}. | |||
| Target Endpoint Address: An address that is layer specific and which | ||||
| follows layer specific address schemes. | ||||
| Each interface of a specific layer can be associated with one or | ||||
| more addresses appropriate for that layer. There is no guarantee | ||||
| that an address is globally unique. In general, there is a scope | ||||
| to an address in which it is intended to be unique. | ||||
| Examples include: physical Ethernet port with a MAC address, layer | ||||
| 2 VLAN interface with a MAC address, layer 3 interface with | ||||
| multiple IPv6 addresses, layer 3 tunnel ingress or egress with an | ||||
| IPv4 address. | ||||
| Target Endpoint Characterization: The description of the distinctive | ||||
| nature of a target endpoint, that is based on its characteristics. | ||||
| Target Endpoint Characterization Record: A set of endpoint | Target Endpoint Characterization Record: A set of endpoint | |||
| attributes about a target endpoint that was encountered in a SACM | attributes about a target endpoint that was encountered in a SACM | |||
| domain, which are associated with that target endpoint as a result | domain, which are associated with that target endpoint as a result | |||
| of a Target Endpoint Characterization Task. | of a Target Endpoint Characterization Task. | |||
| A characterization record is intended to be a representation of an | A characterization record is intended to be a representation of an | |||
| endpoint. It cannot be assured that a record distinctly | endpoint. It cannot be assured that a record distinctly | |||
| represents a single target endpoint unless a set of one or more | represents a single target endpoint unless a set of one or more | |||
| endpoint attributes that compose a unique set of identifying | endpoint attributes that compose a unique set of identifying | |||
| endpoint attributes are included in the record. Otherwise, the | endpoint attributes are included in the record. Otherwise, the | |||
| skipping to change at page 17, line 23 ¶ | skipping to change at page 19, line 17 ¶ | |||
| corresponding record. The TE characterization task manages the | corresponding record. The TE characterization task manages the | |||
| representation of encountered target endpoints in the SACM domain | representation of encountered target endpoints in the SACM domain | |||
| in the form of characterization records. For example, the output | in the form of characterization records. For example, the output | |||
| of a target endpoint discovery task or a collection task can be | of a target endpoint discovery task or a collection task can be | |||
| processed by the characterization task and added to the record. | processed by the characterization task and added to the record. | |||
| The TE characterization Task also manages these representations of | The TE characterization Task also manages these representations of | |||
| target endpoints encountered in the SACM domain by splitting or | target endpoints encountered in the SACM domain by splitting or | |||
| merging the corresponding records as new or more refined endpoint | merging the corresponding records as new or more refined endpoint | |||
| attributes become available. | attributes become available. | |||
| Input: discovered target endpoint attributes, endpoint attribute | ||||
| collection, existing characterization records | ||||
| Output: target endpoint characterization records | ||||
| Target Endpoint Classification Task: The task of associating a class | Target Endpoint Classification Task: The task of associating a class | |||
| from an extensible list of classes with an endpoint | from an extensible list of classes with an endpoint | |||
| characterization record. TE classes function as imperative and | characterization record. TE classes function as imperative and | |||
| declarative guidance for collection, evaluation, remediation and | declarative guidance for collection, evaluation, remediation and | |||
| security posture assessment in general. | security posture assessment in general. | |||
| Input: endpoint characterization records (without classification), | ||||
| guidance (how to classify a record) | ||||
| Output: endpoint characterization records (with classification) | ||||
| Target Endpoint Discovery Task: The ongoing task of detecting | Target Endpoint Discovery Task: The ongoing task of detecting | |||
| previously unknown interaction of a potential target endpoint in | previously unknown interaction of a potential target endpoint in | |||
| the SACM domain. TE Discovery is not directly targeted at a | the SACM domain. TE Discovery is not directly targeted at a | |||
| specific target endpoint and therefore an un-targeted task. SACM | specific target endpoint and therefore an un-targeted task. SACM | |||
| Components conducting the discovery task as a part of their | Components conducting the discovery task as a part of their | |||
| function are typically distributed and located, for example, on | function are typically distributed and located, for example, on | |||
| infrastructure components or collect from those remotely via | infrastructure components or collect from those remotely via | |||
| appropriate interfaces. Examples of infrastructure components | appropriate interfaces. Examples of infrastructure components | |||
| that are of interest to the discovery task include routers, | that are of interest to the discovery task include routers, | |||
| switches, VM hosting or VM managing components, AAA servers, or | switches, VM hosting or VM managing components, AAA servers, or | |||
| servers handling dynamic address distribution. | servers handling dynamic address distribution. | |||
| Input: endpoint attributes acquired via local or remote interfaces | ||||
| Output: endpoint attributes including metadata such as data source | ||||
| or data origin | ||||
| Target Endpoint Identifier: The target endpoint discovery task and | Target Endpoint Identifier: The target endpoint discovery task and | |||
| the collection tasks can result in a set of identifying endpoint | the collection tasks can result in a set of identifying endpoint | |||
| attributes added to a corresponding Characterization Record. This | attributes added to a corresponding Characterization Record. This | |||
| subset of the endpoint attributes included in the record is used | subset of the endpoint attributes included in the record is used | |||
| as a target endpoint identifier, by which a specific target | as a target endpoint identifier, by which a specific target | |||
| endpoint can be referenced. Depending on the available | endpoint can be referenced. Depending on the available | |||
| identifying attributes, this reference can be ambiguous and is a | identifying attributes, this reference can be ambiguous and is a | |||
| "best-effort" mechanism. Every distinct set of identifying | "best-effort" mechanism. Every distinct set of identifying | |||
| endpoint attributes can be associated with a target endpoint label | endpoint attributes can be associated with a target endpoint label | |||
| that is unique in a SACM domain. | that is unique in a SACM domain. | |||
| Target Endpoint Label: A specific endpoint label that refers to a | Target Endpoint Label: An endpoint label that identifies a specific | |||
| target endpoint identifier used to identify a specific target | target endpoint. | |||
| endpoint (also referred to as TE label). In content-metadata, | ||||
| this label is called data source. | ||||
| Target Endpoint Profile: A bundle of expected or desired component | Target Endpoint Profile: A bundle of expected or desired component | |||
| composition, configurations and states that is associated with a | composition, configurations and states that is associated with a | |||
| target endpoint. | target endpoint. | |||
| The corresponding task by which the association with a target | The corresponding task by which the association with a target | |||
| endpoint takes places is the endpoint classification task. The | endpoint takes places is the endpoint classification task. The | |||
| task by which an endpoint profile is created is the endpoint | task by which an endpoint profile is created is the endpoint | |||
| characterization task. A type or class of target endpoints can be | characterization task. A type or class of target endpoints can be | |||
| defined via a target endpoint profile. Examples include: | defined via a target endpoint profile. Examples include: | |||
| skipping to change at page 19, line 28 ¶ | skipping to change at page 21, line 5 ¶ | |||
| SACM Component Authentication [TBD] | SACM Component Authentication [TBD] | |||
| SACM Component Authorization [TBD] | SACM Component Authorization [TBD] | |||
| SACM Component Registration [TBD] | SACM Component Registration [TBD] | |||
| Timestamps : Defined in [RFC4949] as "with respect to a data object, | Timestamps : Defined in [RFC4949] as "with respect to a data object, | |||
| a label or marking in which is recorded the time (time of day or | a label or marking in which is recorded the time (time of day or | |||
| other instant of elapsed time) at which the label or marking was | other instant of elapsed time) at which the label or marking was | |||
| affixed to the data object" and as "with respect to a recorded | affixed to the data object". | |||
| network event, a data field in which is recorded the time (time of | ||||
| day or other instant of elapsed time) at which the event took | ||||
| place.". | ||||
| This term is used in SACM to describe a recorded point in time at | A timestamp always requires context, i.e. additional information | |||
| which, for example, an information element is created or updated | elements that are associated with it. Therefore, all timestamps | |||
| on a target endpoint, and observed, transmitted or processed by a | wrt information elements are always metadata. Timestamps in SACM | |||
| SACM component. Timestamps can be created by target endpoints or | Content Elements may be generated outside a SACM Domain and may be | |||
| SACM components and are associated with SACM statements provided | encoded in an unknown representation. Inside a SACM domain the | |||
| or consumed by SACM components. Outside of the domain of SACM | representation of timestamps is well-defined and unambiguous. | |||
| components the assurance of correctness of time stamps is | ||||
| typically significantly lower than inside a SACM domain. In | ||||
| general, it cannot be simply assumed that the source of time a | ||||
| target endpoint uses is synchronized or trustworthy. | ||||
| Virtual Component: A target endpoint can be composed entirely of | Virtual Endpoint: An endpoint composed entirely of logical system | |||
| logical system entities (see [RFC4949]. | components (see [RFC4949]). | |||
| The most common example is a virtual machine/host running on a | The most common example is a virtual machine/host running on a | |||
| target endpoint. | target endpoint. Effectively, target endpoints can be nested and | |||
| at the time of this writing the most common example of target | ||||
| Effectively, target endpoints can be nested and at the time of | endpoint characteristics about virtual components is the | |||
| this writing the most common example of target endpoint | EntLogicalEntry in [RFC6933]. | |||
| characteristics about virtual components is the EntLogicalEntry in | ||||
| [RFC6933]. | ||||
| Vulnerability Assessment: An assessment specifically tailored to | Vulnerability Assessment: An assessment specifically tailored to | |||
| determining whether a set of endpoints is vulnerable according to | determining whether a set of endpoints is vulnerable according to | |||
| the information contained in the vulnerability description | the information contained in the vulnerability description | |||
| information. | information. | |||
| Vulnerability Description Information: Information pertaining to the | Vulnerability Description Information: Information pertaining to the | |||
| existence of a flaw or flaws in software, hardware, and/or | existence of a flaw or flaws in software, hardware, and/or | |||
| firmware, which could potentially have an adverse impact on | firmware, which could potentially have an adverse impact on | |||
| enterprise IT functionality and/or security. | enterprise IT functionality and/or security. | |||
| skipping to change at page 26, line 24 ¶ | skipping to change at page 28, line 21 ¶ | |||
| [RFC6933] Bierman, A., Romascanu, D., Quittek, J., and M. | [RFC6933] Bierman, A., Romascanu, D., Quittek, J., and M. | |||
| Chandramouli, "Entity MIB (Version 4)", RFC 6933, | Chandramouli, "Entity MIB (Version 4)", RFC 6933, | |||
| DOI 10.17487/RFC6933, May 2013, | DOI 10.17487/RFC6933, May 2013, | |||
| <https://www.rfc-editor.org/info/rfc6933>. | <https://www.rfc-editor.org/info/rfc6933>. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [I-D.ietf-i2nsf-terminology] | [I-D.ietf-i2nsf-terminology] | |||
| Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | |||
| Birkholz, "Interface to Network Security Functions (I2NSF) | Birkholz, "Interface to Network Security Functions (I2NSF) | |||
| Terminology", draft-ietf-i2nsf-terminology-04 (work in | Terminology", draft-ietf-i2nsf-terminology-05 (work in | |||
| progress), July 2017. | progress), January 2018. | |||
| [I-D.ietf-netmod-entity] | [I-D.ietf-netmod-entity] | |||
| Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A | Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A | |||
| YANG Data Model for Hardware Management", draft-ietf- | YANG Data Model for Hardware Management", draft-ietf- | |||
| netmod-entity-05 (work in progress), October 2017. | netmod-entity-08 (work in progress), January 2018. | |||
| [I-D.ietf-sacm-vuln-scenario] | [I-D.ietf-sacm-vuln-scenario] | |||
| Coffin, C., Cheikes, B., Schmidt, C., Haynes, D., | Coffin, C., Cheikes, B., Schmidt, C., Haynes, D., | |||
| Fitzgerald-McKay, J., and D. Waltermire, "SACM | Fitzgerald-McKay, J., and D. Waltermire, "SACM | |||
| Vulnerability Assessment Scenario", draft-ietf-sacm-vuln- | Vulnerability Assessment Scenario", draft-ietf-sacm-vuln- | |||
| scenario-02 (work in progress), September 2016. | scenario-02 (work in progress), September 2016. | |||
| [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between | [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between | |||
| Information Models and Data Models", RFC 3444, | Information Models and Data Models", RFC 3444, | |||
| DOI 10.17487/RFC3444, January 2003, | DOI 10.17487/RFC3444, January 2003, | |||
| End of changes. 38 change blocks. | ||||
| 115 lines changed or deleted | 180 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||