[sacm] 答复: minor comments on draft-lin-sacm-nid-mp-security-baseline-03
"Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com> Wed, 25 July 2018 03:12 UTC
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E824130E00 for <sacm@ietfa.amsl.com>; Tue, 24 Jul 2018 20:12:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q9A48mDbv9NF for <sacm@ietfa.amsl.com>; Tue, 24 Jul 2018 20:12:28 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3C33124BE5 for <sacm@ietf.org>; Tue, 24 Jul 2018 20:12:27 -0700 (PDT)
Received: from LHREML712-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 0CE97BDE45344 for <sacm@ietf.org>; Wed, 25 Jul 2018 04:12:24 +0100 (IST)
Received: from DGGEML403-HUB.china.huawei.com (10.3.17.33) by LHREML712-CAH.china.huawei.com (10.201.108.35) with Microsoft SMTP Server (TLS) id 14.3.399.0; Wed, 25 Jul 2018 04:12:24 +0100
Received: from DGGEML522-MBX.china.huawei.com ([169.254.7.38]) by DGGEML403-HUB.china.huawei.com ([fe80::74d9:c659:fbec:21fa%31]) with mapi id 14.03.0382.000; Wed, 25 Jul 2018 11:12:13 +0800
From: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>
To: Adam Montville <adam.w.montville@gmail.com>, Sherif Mansour <cherifmansour@gmail.com>
CC: "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>, Benjamin Kaduk <kaduk@mit.edu>, Jarrett Lu <jarrett.lu@oracle.com>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
Thread-Index: AdQi9XPUSi3BUyqE/kOgQ7Oedw9cHP//uHgAgADhJYD//v6J0A==
Date: Wed, 25 Jul 2018 03:12:13 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12BE741C5@DGGEML522-MBX.china.huawei.com>
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com> <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com> <67EDB697-DF05-4E39-A0D8-94B5F285497E@gmail.com>
In-Reply-To: <67EDB697-DF05-4E39-A0D8-94B5F285497E@gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.159.76]
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F12BE741C5DGGEML522MBXchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/1qh0kOxSfxteZmJTEigiAOCIQbI>
Subject: [sacm] 答复: minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 03:12:32 -0000
Hi Adam, Totally agree with you. Our draft is just a data model for baseline, which describes the structured configuration parameters and status attributes for the network device’s security baseline. Right now, we choose the YANG data model since it’s widely used for the network device, and the new defined YANG push mechanism is very suitable for the large scale security posture collection. In regard to ROLIE, it’s good and well suitable for the security incident information exchange. But ROLIE currently only supports the xml or json scheme, how to combine the ROLIE and YANG data model? Maybe you can give more clarification. Anyway, we are interested with this direction, and looking forward to more discussion and the new draft for it. Thanks! B.R. Frank 发件人: Adam Montville [mailto:adam.w.montville@gmail.com] 发送时间: 2018年7月25日 3:34 收件人: Sherif Mansour <cherifmansour@gmail.com> 抄送: Linqiushi (Jessica, CSPL) <linqiushi@huawei.com>; Benjamin Kaduk <kaduk@mit.edu>; Jarrett Lu <jarrett.lu@oracle.com>; Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>; sacm@ietf.org 主题: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03 For these "baseline" drafts, could we call them baseline data models instead? To me, just calling them baseline is problematic - it's an overloaded term. Moving on from that... I have a couple of follow-on questions related to the idea of a data model registry... We are already considering the adoption of a draft known as the ROLIE configuration checklist information type. Presumably, such configuration checklists would be comparable to the data models expressed in this registry right? Then, from that, would ROLIE be a suitable mechanism for the data model registry, or would we want to reference data models in a different way? Thoughts on any of that? Given that there seems to be some interest, I'll volunteer to draft something containing ideas about how such a registry could work, and why it'd be important. Adam On Jul 24, 2018, at 1:08 AM, Sherif Mansour <cherifmansour@gmail.com<mailto:cherifmansour@gmail.com>> wrote: Hey Everyone, I second Adam's idea for a "baseline registry". 1) It's easier to change a registry vs a draft 2) Organizations might want to customize their own registries with their own content - I will give two examples based on the thread above: As mentioned before some legacy systems only support Telnet, I remember a few years ago a business still had some Vax/Alpha systems running and they needed telnet. As a compensating control, we placed network restrictions around those systems, placed a bastion hosts in front of it with an SSL web terminal, that way secure communication took place between the rest of the environment and the hardened host and then telnet to the legacy systems, but at least the issue is contained in a small environment. For the passwords it depends as well for an org e.g. for app to app credentials vs. human to app Or even customer to eCommerce app. * Take Google for example, for their staff to limit the impact on phishing they have issued U2F secure tokens to their staff (See Link<https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/>). The password policy itself might be different as a result. * Others like Apple have rolled password managers to all their staff (see link<https://appleinsider.com/articles/18/07/10/apple-looking-to-deploy-1password-company-wide-may-buy-out-apps-developer>). This is addition to password complexity - and in a way make it easier to manage. * For app to app communication you want this to be seamless with automated key rolling as well as "Break glass" functionality leveraging a secrets vault such as https://www.vaultproject.io/ is an option. * For customer facing sites, password policy might not be enough, thus checking for password re-use, adding anomaly detection/brute-force mitigation, 2factor such as U2F tokens, as well as graceful recovery might be part of the policy. Having a baseline registry would help as the threat landscape changes for existing technology or the ability to replicate similar baselines to new technologies without the need for too much re-work. -Sherif On Tue, Jul 24, 2018 at 3:24 AM, Linqiushi (Jessica, CSPL) <linqiushi@huawei.com<mailto:linqiushi@huawei.com>> wrote: Hi Ben, Adam and Jarrett, Thanks a lot for raising your concerns. Please see my comments inline. Best Regards, Jessica -----邮件原件----- 发件人: sacm [mailto:sacm-bounces@ietf.org<mailto:sacm-bounces@ietf.org>] 代表 Benjamin Kaduk 发送时间: 2018年7月24日 2:01 收件人: sacm@ietf.org<mailto:sacm@ietf.org> 主题: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03 > During Jessica's talk I noticed a couple things I wanted to mention, > but that didn't seem to merit getting up to the mic: > There's a container for 'telnet' admin access; my understanding is > that there are not any applications out there that could be called > "telnet" and are actually secure these days (but maybe I'm missing > some!); e.g., kerberized telnet mostly only uses single-DES and a > lousy cipher mode, with a vendor-specific option for triple-DES, which > is deprecated as of my document that's currently at the RFC Editor. > So we may want to have some text clarifying the situation and > disrecommending its use (or even remove it entirely, if that's feasible). The "telnet" admin access listed in the current draft is not meant to suggest the use of Telnet. In some legacy scenarios that the insecure channel like Telnet has to be used, some configuration such as changing the source port is recommended. We mentioned to disable the insecure channel, but didn't clarify it in details in the draft. You're right. The security baseline is intended to be a minimal set of security controls and should be up-to-date. We'll remove it and other similar security controls in the next version of draft. > Similarly, there's a pwd-sec-policy container that describes password > security policies. While it's definitely true that password policies > and mandatory change intervals are currently widely deployed, it's > less clear whether their usage should still be considered useful or a > best current practice -- I think I've seen some research go by that > suggests that not requiring character classes or frequency of change > can be just as secure (and, of course, if passwords can be avoided entirely that can also help). As password security policy is the currently widely deployed mechanisms and devices support it,maybe we can make it optional, such as a feature? Currently the devices support this kind of feature, then it can be checked whether this policy is enabled. >So, perhaps there is room for some qualifying text here as well. > -Ben > (with no hats) _______________________________________________ sacm mailing list sacm@ietf.org<mailto:sacm@ietf.org> https://www.ietf.org/mailman/listinfo/sacm _______________________________________________ sacm mailing list sacm@ietf.org<mailto:sacm@ietf.org> https://www.ietf.org/mailman/listinfo/sacm
- [sacm] minor comments on draft-lin-sacm-nid-mp-se… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Jarrett Lu
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Linqiushi (Jessica, CSPL)
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Adam Montville
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Henk Birkholz
- [sacm] Pro/Con WRT To Registry (WAS: Re: minor co… Adam Montville
- [sacm] Terminology: Baseline Data Model (WAS: Re:… Adam Montville