Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
Sherif Mansour <cherifmansour@gmail.com> Wed, 25 July 2018 13:04 UTC
Return-Path: <cherifmansour@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FCAD130DC8 for <sacm@ietfa.amsl.com>; Wed, 25 Jul 2018 06:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjLheZ3fngwq for <sacm@ietfa.amsl.com>; Wed, 25 Jul 2018 06:04:43 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C57EF12D949 for <sacm@ietf.org>; Wed, 25 Jul 2018 06:04:42 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id k15-v6so7179174edr.3 for <sacm@ietf.org>; Wed, 25 Jul 2018 06:04:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pDb5V0o8LWs7nyoukhxaFT9smQPQcI3qeywN/Zh53uQ=; b=ErFCbkB7+WRne8OCB7zPjOr5BtLwsFBUTs4CyNzrH9u2FF47eTHBaqSxTIYUUrySsg 42d9z328c8OKJWqry2jDTVYtVWRYfNiEz8fshi86GYC+ZEn+KOy1W9eI5MKNckOVlAtm lq5+zlsugVvupRPoQHN1DrbkxdrwTPfXzFR0OsTRueRP4MlEf2aHdfna/WpOpEbtnZCc Z2SREHmTxIqGA8QPpqVCDxeCupmtppvEKQKhdQVxixqDIy4KDtP52JD2ZoTOrooU2pn4 hJiFyxcXNosr3H4kaIC4XiGg24z6XMNK/E3SYnddLyi9RjGclsofMBgnTLxAI1R0bHhJ +wqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pDb5V0o8LWs7nyoukhxaFT9smQPQcI3qeywN/Zh53uQ=; b=CwFIWEUvqkmXZGWWiPneVEuCEbNqTAjbaowoddrPck4ZLh/gAwYH+tL1t+KM0XWlF4 uGvRg8Qrai551hKfIEO9ECdpk5Y0G2Lgld+3eQECRqrKYUZf0x1h/PznhQsKbZvvcrHu tdm7n9bnNRJyQBVHaEkXK3q9iPE5m0PxYwHG5uobkIDdJZQ7v1WNcKmSAuxCR2QQWKkD 9fBJmiQZ8Rk6iU+eSM/7wruoIj6Rxze8bOqa/+Mw2uctxwEMZRnvBTCxNXDSTGHVdfcq UM099McajR8NB/y5aucAMH0xXfJHRMsMIbY86OXW84Vysf1ddbIqFX3BUqy6NZieiPYd VJwQ==
X-Gm-Message-State: AOUpUlHUpyvzf3DSKFvpubEmakWYdRkwAGWbo9wqTTJVog9xgkHxa+iN exRXnVQ53fmMYWuGGWW3xL4dy8BoTyC6sqJAB/I=
X-Google-Smtp-Source: AAOMgpevkarbjZVAFRwyPa5ap3BUBkvC4cy9hzcO98UbpBb3aHE9QNbGFxyuVby7mcb7h4N1VJextSw5La+OUYXisq4=
X-Received: by 2002:a50:95ab:: with SMTP id w40-v6mr22127495eda.33.1532523881288; Wed, 25 Jul 2018 06:04:41 -0700 (PDT)
MIME-Version: 1.0
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com> <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com> <67EDB697-DF05-4E39-A0D8-94B5F285497E@gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BE741C5@DGGEML522-MBX.china.huawei.com> <1FF32A1A-D3CC-44E1-875F-D91B49526732@gmail.com> <CAOxmg6tPdf8gP1U8mJB=h=aQsFX4SWSqK3yopONAsP6Ry9HBTQ@mail.gmail.com> <D4207B43-7A56-4A9D-8B95-A482B4E767DE@gmail.com>
In-Reply-To: <D4207B43-7A56-4A9D-8B95-A482B4E767DE@gmail.com>
From: Sherif Mansour <cherifmansour@gmail.com>
Date: Wed, 25 Jul 2018 14:04:30 +0100
Message-ID: <CAOxmg6sAHiOwOGeJsovqpmAM-83iUmrHukK3yp-VZzi_c-QrMg@mail.gmail.com>
To: Adam Montville <adam.w.montville@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Jarrett Lu <jarrett.lu@oracle.com>, "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "sacm@ietf.org" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008dd62e0571d285fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/6SxtChbr6W_Ajpui9HEEMWNNtxw>
Subject: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 13:04:47 -0000
No problem FYI its used in Kafka and Hadoop as well. On Wed, 25 Jul 2018 at 1:51 pm, Adam Montville <adam.w.montville@gmail.com> wrote: > Thanks for the pointer, Sherif - will look at it. > > > On Jul 25, 2018, at 6:57 AM, Sherif Mansour <cherifmansour@gmail.com> > wrote: > > I would also consider looking into > https://avro.apache.org its versitle enough and has been battle tested in > large environments. > > On Wed, 25 Jul 2018 at 12:29 pm, Adam Montville < > adam.w.montville@gmail.com> wrote: > >> Right, that’s a good point. I suppose that we could encode the YANG in >> CDATA or the JSON equivalent, though I’m sure that would end up being >> messy. YIN comes to mind, and then if we really wanted to do JSON, I think >> there’s a way to convert from XML to JSON, though I’m not sure it preserves >> everything that would need to be preserved. >> >> Still, I’m not sure ROLIE would be the “right” solution for a baseline >> data model registry. It’s just something that came to mind as a possible >> solution. >> >> Adam >> >> On Jul 24, 2018, at 10:12 PM, Xialiang (Frank, Network Integration >> Technology Research Dept) <frank.xialiang@huawei.com> wrote: >> >> Hi Adam, >> >> Totally agree with you. >> >> Our draft is just a data model for baseline, which describes the >> structured configuration parameters and status attributes for the network >> device’s security baseline. >> >> Right now, we choose the YANG data model since it’s widely used for the >> network device, and the new defined YANG push mechanism is very suitable >> for the large scale security posture collection. >> >> >> >> In regard to ROLIE, it’s good and well suitable for the security incident >> information exchange. But ROLIE currently only supports the xml or json >> scheme, how to combine the ROLIE and YANG data model? Maybe you can give >> more clarification. >> >> Anyway, we are interested with this direction, and looking forward to >> more discussion and the new draft for it. >> >> >> >> Thanks! >> >> >> >> B.R. >> >> Frank >> >> >> >> *发件人:* Adam Montville [mailto:adam.w.montville@gmail.com >> <adam.w.montville@gmail.com>] >> *发送时间:* 2018年7月25日 3:34 >> *收件人:* Sherif Mansour <cherifmansour@gmail.com> >> *抄送:* Linqiushi (Jessica, CSPL) <linqiushi@huawei.com>; Benjamin Kaduk < >> kaduk@mit.edu>; Jarrett Lu <jarrett.lu@oracle.com>; Xialiang (Frank, >> Network Integration Technology Research Dept) <frank.xialiang@huawei.com>; >> sacm@ietf.org >> *主题:* Re: [sacm] minor comments on >> draft-lin-sacm-nid-mp-security-baseline-03 >> >> >> >> For these "baseline" drafts, could we call them baseline data models >> instead? To me, just calling them baseline is problematic - it's an >> overloaded term. >> >> >> >> Moving on from that... I have a couple of follow-on questions related to >> the idea of a data model registry... >> >> >> >> We are already considering the adoption of a draft known as the ROLIE >> configuration checklist information type. Presumably, such configuration >> checklists would be comparable to the data models expressed in this >> registry right? Then, from that, would ROLIE be a suitable mechanism for >> the data model registry, or would we want to reference data models in a >> different way? >> >> >> >> Thoughts on any of that? >> >> >> >> Given that there seems to be some interest, I'll volunteer to draft >> something containing ideas about how such a registry could work, and why >> it'd be important. >> >> >> >> Adam >> >> >> >> >> >> On Jul 24, 2018, at 1:08 AM, Sherif Mansour <cherifmansour@gmail.com> >> wrote: >> >> >> >> Hey Everyone, >> >> >> >> I second Adam's idea for a "baseline registry". >> >> 1) It's easier to change a registry vs a draft >> >> 2) Organizations might want to customize their own registries with their >> own content - I will give two examples based on the thread above: >> >> >> >> As mentioned before some legacy systems only support Telnet, I remember a >> few years ago a business still had some Vax/Alpha systems running and they >> needed telnet. As a compensating control, we placed network restrictions >> around those systems, placed a bastion hosts in front of it with an SSL web >> terminal, that way secure communication took place between the rest of the >> environment and the hardened host and then telnet to the legacy systems, >> but at least the issue is contained in a small environment. >> >> >> >> For the passwords it depends as well for an org e.g. for app to app >> credentials vs. human to app Or even customer to eCommerce app. >> >> - Take Google for example, for their staff to limit the impact on >> phishing they have issued U2F secure tokens to their staff (See Link >> <https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/>). >> The password policy itself might be different as a result. >> - Others like Apple have rolled password managers to all their staff (see >> link >> <https://appleinsider.com/articles/18/07/10/apple-looking-to-deploy-1password-company-wide-may-buy-out-apps-developer>). >> This is addition to password complexity - and in a way make it easier to >> manage. >> - For app to app communication you want this to be seamless with >> automated key rolling as well as "Break glass" functionality leveraging a >> secrets vault such as https://www.vaultproject.io/ is an option. >> - For customer facing sites, password policy might not be enough, >> thus checking for password re-use, adding anomaly detection/brute-force >> mitigation, 2factor such as U2F tokens, as well as graceful recovery might >> be part of the policy. >> >> Having a baseline registry would help as the threat landscape changes for >> existing technology or the ability to replicate similar baselines to new >> technologies without the need for too much re-work. >> >> >> >> -Sherif >> >> >> >> On Tue, Jul 24, 2018 at 3:24 AM, Linqiushi (Jessica, CSPL) < >> linqiushi@huawei.com> wrote: >> >> Hi Ben, Adam and Jarrett, >> >> Thanks a lot for raising your concerns. >> >> Please see my comments inline. >> >> Best Regards, >> Jessica >> >> -----邮件原件----- >> 发件人: sacm [mailto:sacm-bounces@ietf.org] 代表 Benjamin Kaduk >> 发送时间: 2018年7月24日 2:01 >> 收件人: sacm@ietf.org >> 主题: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03 >> >> > During Jessica's talk I noticed a couple things I wanted to mention, >> > but that didn't seem to merit getting up to the mic: >> >> > There's a container for 'telnet' admin access; my understanding is >> > that there are not any applications out there that could be called >> > "telnet" and are actually secure these days (but maybe I'm missing >> > some!); e.g., kerberized telnet mostly only uses single-DES and a >> > lousy cipher mode, with a vendor-specific option for triple-DES, which >> > is deprecated as of my document that's currently at the RFC Editor. >> > So we may want to have some text clarifying the situation and >> > disrecommending its use (or even remove it entirely, if that's >> feasible). >> >> The "telnet" admin access listed in the current draft is not meant to >> suggest the use of Telnet. In some legacy scenarios that the insecure >> channel like Telnet has to be used, some configuration such as changing the >> source port is recommended. We mentioned to disable the insecure channel, >> but didn't clarify it in details in the draft. >> You're right. The security baseline is intended to be a minimal set of >> security controls and should be up-to-date. We'll remove it and other >> similar security controls in the next version of draft. >> >> > Similarly, there's a pwd-sec-policy container that describes password >> > security policies. While it's definitely true that password policies >> > and mandatory change intervals are currently widely deployed, it's >> > less clear whether their usage should still be considered useful or a >> > best current practice -- I think I've seen some research go by that >> > suggests that not requiring character classes or frequency of change >> > can be just as secure (and, of course, if passwords can be avoided >> entirely that can also help). >> >> As password security policy is the currently widely deployed mechanisms >> and devices support it,maybe we can make it optional, such as a feature? >> Currently the devices support this kind of feature, then it can be >> checked whether this policy is enabled. >> >> >So, perhaps there is room for some qualifying text here as well. >> >> > -Ben >> > (with no hats) >> _______________________________________________ >> sacm mailing list >> sacm@ietf.org >> https://www.ietf.org/mailman/listinfo/sacm >> _______________________________________________ >> sacm mailing list >> sacm@ietf.org >> https://www.ietf.org/mailman/listinfo/sacm >> >> >> >> >> >> >
- [sacm] minor comments on draft-lin-sacm-nid-mp-se… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Jarrett Lu
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Linqiushi (Jessica, CSPL)
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Adam Montville
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Henk Birkholz
- [sacm] Pro/Con WRT To Registry (WAS: Re: minor co… Adam Montville
- [sacm] Terminology: Baseline Data Model (WAS: Re:… Adam Montville