IETF Logo Mail Archive

Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03

Sherif Mansour <cherifmansour@gmail.com> Wed, 25 July 2018 13:04 UTC

Return-Path: <cherifmansour@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FCAD130DC8 for <sacm@ietfa.amsl.com>; Wed, 25 Jul 2018 06:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjLheZ3fngwq for <sacm@ietfa.amsl.com>; Wed, 25 Jul 2018 06:04:43 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C57EF12D949 for <sacm@ietf.org>; Wed, 25 Jul 2018 06:04:42 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id k15-v6so7179174edr.3 for <sacm@ietf.org>; Wed, 25 Jul 2018 06:04:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pDb5V0o8LWs7nyoukhxaFT9smQPQcI3qeywN/Zh53uQ=; b=ErFCbkB7+WRne8OCB7zPjOr5BtLwsFBUTs4CyNzrH9u2FF47eTHBaqSxTIYUUrySsg 42d9z328c8OKJWqry2jDTVYtVWRYfNiEz8fshi86GYC+ZEn+KOy1W9eI5MKNckOVlAtm lq5+zlsugVvupRPoQHN1DrbkxdrwTPfXzFR0OsTRueRP4MlEf2aHdfna/WpOpEbtnZCc Z2SREHmTxIqGA8QPpqVCDxeCupmtppvEKQKhdQVxixqDIy4KDtP52JD2ZoTOrooU2pn4 hJiFyxcXNosr3H4kaIC4XiGg24z6XMNK/E3SYnddLyi9RjGclsofMBgnTLxAI1R0bHhJ +wqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pDb5V0o8LWs7nyoukhxaFT9smQPQcI3qeywN/Zh53uQ=; b=CwFIWEUvqkmXZGWWiPneVEuCEbNqTAjbaowoddrPck4ZLh/gAwYH+tL1t+KM0XWlF4 uGvRg8Qrai551hKfIEO9ECdpk5Y0G2Lgld+3eQECRqrKYUZf0x1h/PznhQsKbZvvcrHu tdm7n9bnNRJyQBVHaEkXK3q9iPE5m0PxYwHG5uobkIDdJZQ7v1WNcKmSAuxCR2QQWKkD 9fBJmiQZ8Rk6iU+eSM/7wruoIj6Rxze8bOqa/+Mw2uctxwEMZRnvBTCxNXDSTGHVdfcq UM099McajR8NB/y5aucAMH0xXfJHRMsMIbY86OXW84Vysf1ddbIqFX3BUqy6NZieiPYd VJwQ==
X-Gm-Message-State: AOUpUlHUpyvzf3DSKFvpubEmakWYdRkwAGWbo9wqTTJVog9xgkHxa+iN exRXnVQ53fmMYWuGGWW3xL4dy8BoTyC6sqJAB/I=
X-Google-Smtp-Source: AAOMgpevkarbjZVAFRwyPa5ap3BUBkvC4cy9hzcO98UbpBb3aHE9QNbGFxyuVby7mcb7h4N1VJextSw5La+OUYXisq4=
X-Received: by 2002:a50:95ab:: with SMTP id w40-v6mr22127495eda.33.1532523881288; Wed, 25 Jul 2018 06:04:41 -0700 (PDT)
MIME-Version: 1.0
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com> <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com> <67EDB697-DF05-4E39-A0D8-94B5F285497E@gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BE741C5@DGGEML522-MBX.china.huawei.com> <1FF32A1A-D3CC-44E1-875F-D91B49526732@gmail.com> <CAOxmg6tPdf8gP1U8mJB=h=aQsFX4SWSqK3yopONAsP6Ry9HBTQ@mail.gmail.com> <D4207B43-7A56-4A9D-8B95-A482B4E767DE@gmail.com>
In-Reply-To: <D4207B43-7A56-4A9D-8B95-A482B4E767DE@gmail.com>
From: Sherif Mansour <cherifmansour@gmail.com>
Date: Wed, 25 Jul 2018 14:04:30 +0100
Message-ID: <CAOxmg6sAHiOwOGeJsovqpmAM-83iUmrHukK3yp-VZzi_c-QrMg@mail.gmail.com>
To: Adam Montville <adam.w.montville@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Jarrett Lu <jarrett.lu@oracle.com>, "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "sacm@ietf.org" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008dd62e0571d285fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/6SxtChbr6W_Ajpui9HEEMWNNtxw>
Subject: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 13:04:47 -0000

No problem FYI its used in Kafka and Hadoop as well.

On Wed, 25 Jul 2018 at 1:51 pm, Adam Montville <adam.w.montville@gmail.com>
wrote:

> Thanks for the pointer, Sherif - will look at it.
>
>
> On Jul 25, 2018, at 6:57 AM, Sherif Mansour <cherifmansour@gmail.com>
> wrote:
>
> I would also consider looking into
> https://avro.apache.org its versitle enough and has been battle tested in
> large environments.
>
> On Wed, 25 Jul 2018 at 12:29 pm, Adam Montville <
> adam.w.montville@gmail.com> wrote:
>
>> Right, that’s a good point. I suppose that we could encode the YANG in
>> CDATA or the JSON equivalent, though I’m sure that would end up being
>> messy. YIN comes to mind, and then if we really wanted to do JSON, I think
>> there’s a way to convert from XML to JSON, though I’m not sure it preserves
>> everything that would need to be preserved.
>>
>> Still, I’m not sure ROLIE would be the “right” solution for a baseline
>> data model registry. It’s just something that came to mind as a possible
>> solution.
>>
>> Adam
>>
>> On Jul 24, 2018, at 10:12 PM, Xialiang (Frank, Network Integration
>> Technology Research Dept) <frank.xialiang@huawei.com> wrote:
>>
>> Hi Adam,
>>
>> Totally agree with you.
>>
>> Our draft is just a data model for baseline, which describes the
>> structured configuration parameters and status attributes for the network
>> device’s security baseline.
>>
>> Right now, we choose the YANG data model since it’s widely used for the
>> network device, and the new defined YANG push mechanism is very suitable
>> for the large scale security posture collection.
>>
>>
>>
>> In regard to ROLIE, it’s good and well suitable for the security incident
>> information exchange. But ROLIE currently only supports the xml or json
>> scheme, how to combine the ROLIE and YANG data model? Maybe you can give
>> more clarification.
>>
>> Anyway, we are interested with this direction, and looking forward to
>> more discussion and the new draft for it.
>>
>>
>>
>> Thanks!
>>
>>
>>
>> B.R.
>>
>> Frank
>>
>>
>>
>> *发件人:* Adam Montville [mailto:adam.w.montville@gmail.com
>> <adam.w.montville@gmail.com>]
>> *发送时间:* 2018年7月25日 3:34
>> *收件人:* Sherif Mansour <cherifmansour@gmail.com>
>> *抄送:* Linqiushi (Jessica, CSPL) <linqiushi@huawei.com>; Benjamin Kaduk <
>> kaduk@mit.edu>; Jarrett Lu <jarrett.lu@oracle.com>; Xialiang (Frank,
>> Network Integration Technology Research Dept) <frank.xialiang@huawei.com>;
>> sacm@ietf.org
>> *主题:* Re: [sacm] minor comments on
>> draft-lin-sacm-nid-mp-security-baseline-03
>>
>>
>>
>> For these "baseline" drafts, could we call them baseline data models
>> instead? To me, just calling them baseline is problematic - it's an
>> overloaded term.
>>
>>
>>
>> Moving on from that... I have a couple of follow-on questions related to
>> the idea of a data model registry...
>>
>>
>>
>> We are already considering the adoption of a draft known as the ROLIE
>> configuration checklist information type. Presumably, such configuration
>> checklists would be comparable to the data models expressed in this
>> registry right? Then, from that, would ROLIE be a suitable mechanism for
>> the data model registry, or would we want to reference data models in a
>> different way?
>>
>>
>>
>> Thoughts on any of that?
>>
>>
>>
>> Given that there seems to be some interest, I'll volunteer to draft
>> something containing ideas about how such a registry could work, and why
>> it'd be important.
>>
>>
>>
>> Adam
>>
>>
>>
>>
>>
>> On Jul 24, 2018, at 1:08 AM, Sherif Mansour <cherifmansour@gmail.com>
>> wrote:
>>
>>
>>
>> Hey Everyone,
>>
>>
>>
>> I second Adam's idea for a "baseline registry".
>>
>> 1) It's easier to change a registry vs a draft
>>
>> 2) Organizations might want to customize their own registries with their
>> own content - I will give two examples based on the thread above:
>>
>>
>>
>> As mentioned before some legacy systems only support Telnet, I remember a
>> few years ago a business still had some Vax/Alpha systems running and they
>> needed telnet. As a compensating control, we placed network restrictions
>> around those systems, placed a bastion hosts in front of it with an SSL web
>> terminal, that way secure communication took place between the rest of the
>> environment and the hardened host and then telnet to the legacy systems,
>> but at least the issue is contained in a small environment.
>>
>>
>>
>> For the passwords it depends as well for an org e.g. for app to app
>> credentials vs. human to app Or even customer to eCommerce app.
>>
>>    - Take Google for example, for their staff to limit the impact on
>>    phishing they have issued U2F secure tokens to their staff (See Link
>>    <https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/>).
>>    The password policy itself might be different as a result.
>>    - Others like Apple have rolled password managers to all their staff (see
>>    link
>>    <https://appleinsider.com/articles/18/07/10/apple-looking-to-deploy-1password-company-wide-may-buy-out-apps-developer>).
>>    This is addition to password complexity - and in a way make it easier to
>>    manage.
>>    - For app to app communication you want this to be seamless with
>>    automated key rolling as well as "Break glass" functionality leveraging a
>>    secrets vault such as https://www.vaultproject.io/ is an option.
>>    - For customer facing sites, password policy might not be enough,
>>    thus checking for password re-use, adding anomaly detection/brute-force
>>    mitigation, 2factor such as U2F tokens, as well as graceful recovery might
>>    be part of the policy.
>>
>> Having a baseline registry would help as the threat landscape changes for
>> existing technology or the ability to replicate similar baselines to new
>> technologies without the need for too much re-work.
>>
>>
>>
>> -Sherif
>>
>>
>>
>> On Tue, Jul 24, 2018 at 3:24 AM, Linqiushi (Jessica, CSPL) <
>> linqiushi@huawei.com> wrote:
>>
>> Hi Ben, Adam and Jarrett,
>>
>> Thanks a lot for raising your concerns.
>>
>> Please see my comments inline.
>>
>> Best Regards,
>> Jessica
>>
>> -----邮件原件-----
>> 发件人: sacm [mailto:sacm-bounces@ietf.org] 代表 Benjamin Kaduk
>> 发送时间: 2018年7月24日 2:01
>> 收件人: sacm@ietf.org
>> 主题: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
>>
>> > During Jessica's talk I noticed a couple things I wanted to mention,
>> > but that didn't seem to merit getting up to the mic:
>>
>> > There's a container for 'telnet' admin access; my understanding is
>> > that there are not any applications out there that could be called
>> > "telnet" and are actually secure these days (but maybe I'm missing
>> > some!); e.g., kerberized telnet mostly only uses single-DES and a
>> > lousy cipher mode, with a vendor-specific option for triple-DES, which
>> > is deprecated as of my document that's currently at the RFC Editor.
>> > So we may want to have some text clarifying the situation and
>> > disrecommending its use (or even remove it entirely, if that's
>> feasible).
>>
>> The "telnet" admin access listed in the current draft is not meant to
>> suggest the use of Telnet. In some legacy scenarios that the insecure
>> channel like Telnet has to be used, some configuration such as changing the
>> source port is recommended. We mentioned to disable the insecure channel,
>> but didn't clarify it in details in the draft.
>> You're right. The security baseline is intended to be a minimal set of
>> security controls and should be up-to-date. We'll remove it and other
>> similar security controls in the next version of draft.
>>
>> > Similarly, there's a pwd-sec-policy container that describes password
>> > security policies.  While it's definitely true that password policies
>> > and mandatory change intervals are currently widely deployed, it's
>> > less clear whether their usage should still be considered useful or a
>> > best current practice -- I think I've seen some research go by that
>> > suggests that not requiring character classes or frequency of change
>> > can be just as secure (and, of course, if passwords can be avoided
>> entirely that can also help).
>>
>> As password security policy is the currently widely deployed mechanisms
>> and devices support it,maybe we can make it optional, such as a feature?
>> Currently the devices support this kind of feature, then it can be
>> checked whether this policy is enabled.
>>
>> >So, perhaps there is room for some qualifying text here as well.
>>
>> > -Ben
>> > (with no hats)
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
>>
>>
>>
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email