Re: [sacm] SACM Architecture Draft

Bill Munyan <bill.munyan.ietf@gmail.com> Tue, 19 February 2019 14:54 UTC

Return-Path: <bill.munyan.ietf@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 461EF130EC3 for <sacm@ietfa.amsl.com>; Tue, 19 Feb 2019 06:54:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dZI_MTY3Gy9L for <sacm@ietfa.amsl.com>; Tue, 19 Feb 2019 06:54:36 -0800 (PST)
Received: from mail-ot1-x344.google.com (mail-ot1-x344.google.com [IPv6:2607:f8b0:4864:20::344]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B60FF12870E for <sacm@ietf.org>; Tue, 19 Feb 2019 06:54:35 -0800 (PST)
Received: by mail-ot1-x344.google.com with SMTP id 32so34488605ota.12 for <sacm@ietf.org>; Tue, 19 Feb 2019 06:54:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=saCK+Hlz3Znj8Y+R79suib+nJKGaEiultqYCyipZW8c=; b=GQZJGI9lSyE540wHH7idCmnzEmphP8MWyRrGK4ue9cRNasAmhDZ2zrnXNFzQ4ups38 2ljAo7dggW2FA2HpcF8LR/MinSxSfcp5bb9MN8FESJJGH/NRqglxTXJ4y3lS5R9A7gia lBoIn9zDujWX2htwExgmvz/92Gmk9zSiw6ewea7m9tL91SA0UG31zvHbkyDV3B4siB0e CudI3XY+h/wf14zSmTrSJg/P3arffPfFqFgfeoM0ekH89OqBKIWF1lEc3Qsjgdwv5LZ1 i3rU1+RWsrZEED/GR0xCP8OzmlXXYq+wk4TBZtmr/6HKQr4TbiWAmIQu1zVvRUPev+1q 8lRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=saCK+Hlz3Znj8Y+R79suib+nJKGaEiultqYCyipZW8c=; b=Jf5TmRZcpjwdQMQW+GKmXM6calV3yjVi8UUP+YqgACsWAsmKxupTe2kn0Tr5xbqS6L cC3z3uad6ZzXfmTQqkeRoNsAL9ZuWwgqOaEO/2+CieqN+P+AUkyft9eCv+/3OFo9syC3 Eu7pDC+fxTRTx5CxrABJvd89a1ZEyY3yISPKavQbbyCkpQLvI1YDJtpct+dyNKssnWwg JnRc2HfPEjkxSoCVXWlhL+FntfW3TmEB0N3mtpKkCIIGGyAjyQlWSBT+p/T3egCGTvWk mP1H20mwDKtMwH0Ohr+iKT6WQdd6fhmhC/1HSqetWmk0IL8EQXhiA/a5OhM0wLIWzBGa oANw==
X-Gm-Message-State: AHQUAuYbHorLDkJMhGUTBj3UEZDIlTDmYUsYjCxhsL9tlFDVKqIOOxu7 CVLFnjagjblw475tTQfP1Bttl4vsS3sZioGkm5c=
X-Google-Smtp-Source: AHgI3Ia9eSRcoODcR+rMiK/kRW9zbZmD/s8bTGdxuiSis6ctiAz5/ASoFMAB0g7nxqB+FSVXG1xxQCAGcCKLnJMFd4k=
X-Received: by 2002:aca:5083:: with SMTP id e125mr2821200oib.9.1550588074758; Tue, 19 Feb 2019 06:54:34 -0800 (PST)
MIME-Version: 1.0
References: <0AE1CB07-A9CF-4821-9F1B-4FCCF53C4AA3@gmail.com> <9e8f4cb9-d893-66cd-2900-183a6b0cc9e5@oracle.com> <332612F4-C281-42CE-85DD-5A2D862293F9@gmail.com> <CAOxmg6sGHR8e0wf0wGXEutNcPFY7sCzCw2H8oXScaP5Yurnm=g@mail.gmail.com>
In-Reply-To: <CAOxmg6sGHR8e0wf0wGXEutNcPFY7sCzCw2H8oXScaP5Yurnm=g@mail.gmail.com>
From: Bill Munyan <bill.munyan.ietf@gmail.com>
Date: Tue, 19 Feb 2019 09:54:21 -0500
Message-ID: <CAKUOEQy78a3kGiYScBeJWLxN2Nuz8c5xNeGy=6262pVmGAwnmA@mail.gmail.com>
To: Sherif Mansour <cherifmansour@gmail.com>
Cc: Adam Montville <adam.w.montville@gmail.com>, Jarrett Lu <jarrett.lu@oracle.com>, "<sacm@ietf.org>" <sacm@ietf.org>
Content-Type: multipart/related; boundary="00000000000064803b0582406be1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/31uUFMu5uEretMIteWmSgSH-Ngc>
Subject: Re: [sacm] SACM Architecture Draft
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 14:54:40 -0000

Sherif,

Thanks for reading the draft and providing feedback!  We really appreciate
it...  I have some comments/questions in-line:

> Should the downstream users pull their data from the repo (an
authoritative data source) instead of the message bus?
> That way, there is a consistent view of that the current state of an
end-point security posture and analysis can be built on top if it. I would
not think it can be > done directly from the message bus. I also would
think the information from the repo would be bi directional?

[Bill M]:
The idea behind the message transfer system is to help define the
interfaces between components.  The intent here is really to help create a
"cooperative ecosystem", enabling vendors to plug in components where they
fit in the architecture, develop custom components where necessary, etc.

Whether the "message transfer system" exists over a message bus,
integration pattern, REST interface, or other, the downstream functions
would have access to the repository (or repositories) over some sort of
"query" interface.  In the case of XMPP being used as the message transfer
system, that interface could be a request using a custom IQ stanza with
query information, and a response with the requested information.  In a
solution which consolidates a results repository with reporting, there may
just be a simple web application to visualize the data.

I agree the information in the repository is bi-directional, and the
diagram is intended to reflect that.

> Equally had some question on the data ingest (message bus) I assume there
is an Access model as not everything on the message bus is to be accessible
by > everyone, is that taken into consideration?

[Bill M]:
I would also agree there would be an access model necessary, but that can
be solution-specific.  Again using the XMPP-based solution, that access
model could be maintained through the orchestrator's roster, roster groups,
various pub-sub nodes, etc.  Is there a particular access model you had in
mind when asking this question?  Any solution-based ideas on this certainly
help me personally in visualizing all the concepts.

> Should the Orchstrator have a direct connection to the Repo, there are
cases where the orchestrator needs reference data in order to tell the
posture > managers what to do and not just react to them. Additionally
there are cases where what the posture manager finds from the collectors
will be different than > what is on file in inventory and the discrepancy.

[Bill M]:
In the first diagram, the orchestrator would have a connection to the repo
via the message transfer system.  This is a great question that will help
us discover more about the interfaces we need to describe further in the
document.  That "query" interface from the orchestrator can assist in
getting the necessary reference data before sending collection requests off
to the various collectors in the ecosystem.

Hope that helps!  Glad to keep the conversation going as well, so thank you
again for your review and feedback.

Cheers,
Bill M.


On Mon, Feb 18, 2019 at 2:06 PM Sherif Mansour <cherifmansour@gmail.com>;
wrote:

> Hey Everyone,
> Sorry for popping in so infrequently. I have taken a brief look at the
> architecture, and I have some feedback:
> Should the downstream users pull their data from the repo (an
> authoritative data source) instead of the message bus?
> That way, there is a consistent view of that the current state of an
> end-point security posture and analysis can be built on top if it. I would
> not think it can be done directly from the message bus. I also would think
> the information from the repo would be bi directional?
> Equally had some question on the data ingest (message bus) I assume there
> is an Access model as not everything on the message bus is to be accessible
> by everyone, is that taken into consideration?
> [image: image.png]
> Should the Orchstrator have a direct connection to the Repo, there are
> cases where the orchestrator needs reference data in order to tell the
> posture managers what to do and not just react to them. Additionally there
> are cases where what the posture manager finds from the collectors will be
> different than what is on file in inventory and the discrepancy.
> [image: image.png]
>
> On Fri, Feb 15, 2019 at 12:05 PM Adam Montville <
> adam.w.montville@gmail.com>; wrote:
>
>> Hi Jarret,
>>
>> Thank you for reading through the draft. Happy to talk about some of
>> these things today during the interim. I think we would prefer that
>> interfaces/capabilities are first described abstractly — irrespective of
>> any specific messaging solution — and then use XMPP-Grid+ as an
>> implementation example.
>>
>> Kind regards,
>>
>> Adam
>>
>> On Feb 14, 2019, at 7:27 PM, Jarrett Lu <jarrett.lu@oracle.com>; wrote:
>>
>> Hi Adam & SACM,
>>
>> I read the (active) architecture draft, and I believe it's a good one.
>> The hackathon work reflected in the draft definitely carries some weight.
>>
>> Some architecture entities could be expanded and described at a more
>> abstract level. For example, this draft appears to equate "capabilities"
>> with set of interfaces. Are SACM capabilities supposed to be discoverable?
>> If so, how should it be represented? If capabilities/functional interfaces
>> are described in more general terms, and use XMPP-grid+ as an example of
>> how it meets the functional requirements, this may make it appear less
>> solution-centric.
>>
>> I vote for including workflows in the architecture document. It just
>> reads better that way. It will increase the document size and takes longer
>> to finish. As long as good progress is being made, is it really urgent to
>> finish and publisher the architecture document.
>>
>> I think the Security Consideration section of the old architecture draft
>> is pretty good. Do XMPP-grid XEPs adress the MitM, transport integrity and
>> confidentiality concerns mentioned there?
>>
>> Regards.
>>
>> - Jarrett
>>
>> On 12/27/18 01:29 PM, Adam Montville wrote:
>>
>> Dear SACM,
>>
>> Happy (belated) Holidays and a Happy New Year to you!
>>
>> At our recent virtual interim meeting I promised to post a note to the
>> list regarding our architecture draft to do three things:
>>
>>    1. Request review
>>    2. Indicate whether we (the authors) believe it's on the right track
>>    3. Assuming 2 is good, a list of what's left to be done.
>>
>> So, we're going to start with 2, move on to 3, and then end with 1...
>>
>> Bill and I both believe that the architecture draft is, indeed, on the
>> right track. Henk, and possibly others (Nancy?), have described this draft
>> as being too solutions-specific. Section 3, "Architectural Overview" is
>> intended to be the place in this draft to describe the abstract ideas in
>> the architecture. Section 3.1 talks a little bit about the roles of the
>> SACM Components, and Section 3.2 provides the known information about an
>> XMPP-based instantiation of the architecture (note Appendix A maps this
>> instantiation back to our SACM requirements, RFC8248).
>>
>> Assuming that we are on the right track, then here's what we think yet
>> needs to be done:
>>
>>
>>    - Document specific Components, Capabilities, Interfaces, and
>>    Workflows
>>       - IT Asset Management could probably stand to be fleshed out
>>       - Vulnerability Management is reasonable documented in this draft,
>>       but may need work
>>       - Configuration management probably needs to be fleshed out as
>>       well (needs to be tied to SACM Use Cases)
>>    - Determine where to document the above (in this draft or in new
>>    drafts), which will determine how long this draft takes to complete.
>>    - Prague hackathon to continue the trend of discovering an XMPP-based
>>    solution
>>    - TODOs in the draft
>>       - Privacy Considerations
>>       - Security Considerations
>>    - Flesh out our IANA Considerations
>>       - Will likely result in additional draft work
>>
>>
>>
>> Clearly, there's a lot to be done here, and we really need your specific,
>> actionable feedback on this draft. Feel free to reach out here or to either
>> of us directly.
>>
>> This draft in GitHub: https://github.com/sacmwg/draft-ietf-sacm-arch
>>
>> This draft on the SACM documents page:
>> https://datatracker.ietf.org/doc/draft-ietf-sacm-arch/
>>
>>
>> Kind regards,
>>
>> Adam & Bill
>>
>>
>> _______________________________________________
>> sacm mailing listsacm@ietf.orghttps://www.ietf.org/mailman/listinfo/sacm
>>
>>
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
>>
>>
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
>>
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>