Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
Adam Montville <adam.w.montville@gmail.com> Tue, 24 July 2018 19:34 UTC
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2694130E0A for <sacm@ietfa.amsl.com>; Tue, 24 Jul 2018 12:34:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HyD7p1hSLCXc for <sacm@ietfa.amsl.com>; Tue, 24 Jul 2018 12:34:24 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12B581277C8 for <sacm@ietf.org>; Tue, 24 Jul 2018 12:34:23 -0700 (PDT)
Received: by mail-oi0-x235.google.com with SMTP id n84-v6so9615543oib.9 for <sacm@ietf.org>; Tue, 24 Jul 2018 12:34:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=L8VE1TiDBq58PLG/feYLQCfawI7J6i0hq+Jf3yDc2zw=; b=WfHO1CpnOG7f8dk0aJb7CQmSj1rnjou7MK8G4jae2tTF8CMPtK4LxJnqu1BOUJz39e Hm8wMttCfgqofsYjiDcvEEIU8mLDjJHqfuiCCwMn/f5WE/y6Fy/kLrqFD2vo53U/U5or 0+9ILnGUum3hZARyOOK1Yz4olA22yOByTzjfoeytNjUX2buf5vkYQDEuzUn91Bf4kSGQ flCzZlHuEtcv3K9tJqe42iMAGvnEYU1sTGru6EMR8XXfCXV/3AJaMSIYTHvJmWOia2L6 nxCwbmgarOjOClNQIgeTaaU46ZQk+Kgr9alBlT6chqkxVnGmlDttM8V/U86fpGvji3Th gLjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=L8VE1TiDBq58PLG/feYLQCfawI7J6i0hq+Jf3yDc2zw=; b=dIw75fCt0hQ8s6tuPSWdlrDqadn1yPS28pH94bHgxeaG9uKfy2FKYbX0Jn7UzsLYfx yaxScuFRYxP4KLj7SOWh0AOpJBo02udLk7rssrgAeTK3mZerG3t19PHSMx46hXEgalpZ kE1IXU83MwfHIHMug2BSDzmWQp5V31xhTtQr42/D6vMnHw/XsyCg2DKTPxrZPi6BRi4S HOgxxU0S5QaYdVh6neOgqhO4gH/kOwU0x1i/bGFNtAcpfsn/HE0ybAve5grJCdh8usMF hzUP73yw2Mo/znuXiyXPxSSe7NdJH3ttJFDBfnoihpFVMVkpXFRbL1qmHUqtpmrBN7n6 PJtA==
X-Gm-Message-State: AOUpUlE9vb5Fzx1djP4bRG8lMrngBVj4BXFjMJMfNvApFr8vlzltxxuB dHPmzq5Y2ZjdBnEyE3hYwA0=
X-Google-Smtp-Source: AAOMgpdKOnTGxSVUsDQ3M9RI/v+KRXMQFynamNzMNZ4ypjXt6Kf+V2NXAApt2Hh0PtDaI0BROd1KvQ==
X-Received: by 2002:aca:1a0b:: with SMTP id a11-v6mr205200oia.316.1532460863017; Tue, 24 Jul 2018 12:34:23 -0700 (PDT)
Received: from afv.lan (99-64-100-131.lightspeed.austtx.sbcglobal.net. [99.64.100.131]) by smtp.gmail.com with ESMTPSA id q206-v6sm8223673oih.46.2018.07.24.12.34.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 24 Jul 2018 12:34:21 -0700 (PDT)
From: Adam Montville <adam.w.montville@gmail.com>
Message-Id: <67EDB697-DF05-4E39-A0D8-94B5F285497E@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5827FDA6-BF6E-4F2E-B861-F352219287BF"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 24 Jul 2018 14:34:19 -0500
In-Reply-To: <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com>
Cc: "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>, Benjamin Kaduk <kaduk@mit.edu>, Jarrett Lu <jarrett.lu@oracle.com>, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "sacm@ietf.org" <sacm@ietf.org>
To: Sherif Mansour <cherifmansour@gmail.com>
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com> <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/9eZzABPrBI3xyEfoB9LlO87m0MM>
Subject: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jul 2018 19:34:27 -0000
For these "baseline" drafts, could we call them baseline data models instead? To me, just calling them baseline is problematic - it's an overloaded term. Moving on from that... I have a couple of follow-on questions related to the idea of a data model registry... We are already considering the adoption of a draft known as the ROLIE configuration checklist information type. Presumably, such configuration checklists would be comparable to the data models expressed in this registry right? Then, from that, would ROLIE be a suitable mechanism for the data model registry, or would we want to reference data models in a different way? Thoughts on any of that? Given that there seems to be some interest, I'll volunteer to draft something containing ideas about how such a registry could work, and why it'd be important. Adam > On Jul 24, 2018, at 1:08 AM, Sherif Mansour <cherifmansour@gmail.com> wrote: > > Hey Everyone, > > I second Adam's idea for a "baseline registry". > 1) It's easier to change a registry vs a draft > 2) Organizations might want to customize their own registries with their own content - I will give two examples based on the thread above: > > As mentioned before some legacy systems only support Telnet, I remember a few years ago a business still had some Vax/Alpha systems running and they needed telnet. As a compensating control, we placed network restrictions around those systems, placed a bastion hosts in front of it with an SSL web terminal, that way secure communication took place between the rest of the environment and the hardened host and then telnet to the legacy systems, but at least the issue is contained in a small environment. > > For the passwords it depends as well for an org e.g. for app to app credentials vs. human to app Or even customer to eCommerce app. > Take Google for example, for their staff to limit the impact on phishing they have issued U2F secure tokens to their staff (See Link <https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/>). The password policy itself might be different as a result. > Others like Apple have rolled password managers to all their staff (see link <https://appleinsider.com/articles/18/07/10/apple-looking-to-deploy-1password-company-wide-may-buy-out-apps-developer>). This is addition to password complexity - and in a way make it easier to manage. > For app to app communication you want this to be seamless with automated key rolling as well as "Break glass" functionality leveraging a secrets vault such as https://www.vaultproject.io/ <https://www.vaultproject.io/> is an option. > For customer facing sites, password policy might not be enough, thus checking for password re-use, adding anomaly detection/brute-force mitigation, 2factor such as U2F tokens, as well as graceful recovery might be part of the policy. > Having a baseline registry would help as the threat landscape changes for existing technology or the ability to replicate similar baselines to new technologies without the need for too much re-work. > > -Sherif > > On Tue, Jul 24, 2018 at 3:24 AM, Linqiushi (Jessica, CSPL) <linqiushi@huawei.com <mailto:linqiushi@huawei.com>> wrote: > Hi Ben, Adam and Jarrett, > > Thanks a lot for raising your concerns. > > Please see my comments inline. > > Best Regards, > Jessica > > -----邮件原件----- > 发件人: sacm [mailto:sacm-bounces@ietf.org <mailto:sacm-bounces@ietf.org>] 代表 Benjamin Kaduk > 发送时间: 2018年7月24日 2:01 > 收件人: sacm@ietf.org <mailto:sacm@ietf.org> > 主题: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03 > > > During Jessica's talk I noticed a couple things I wanted to mention, > > but that didn't seem to merit getting up to the mic: > > > There's a container for 'telnet' admin access; my understanding is > > that there are not any applications out there that could be called > > "telnet" and are actually secure these days (but maybe I'm missing > > some!); e.g., kerberized telnet mostly only uses single-DES and a > > lousy cipher mode, with a vendor-specific option for triple-DES, which > > is deprecated as of my document that's currently at the RFC Editor. > > So we may want to have some text clarifying the situation and > > disrecommending its use (or even remove it entirely, if that's feasible). > > The "telnet" admin access listed in the current draft is not meant to suggest the use of Telnet. In some legacy scenarios that the insecure channel like Telnet has to be used, some configuration such as changing the source port is recommended. We mentioned to disable the insecure channel, but didn't clarify it in details in the draft. > You're right. The security baseline is intended to be a minimal set of security controls and should be up-to-date. We'll remove it and other similar security controls in the next version of draft. > > > Similarly, there's a pwd-sec-policy container that describes password > > security policies. While it's definitely true that password policies > > and mandatory change intervals are currently widely deployed, it's > > less clear whether their usage should still be considered useful or a > > best current practice -- I think I've seen some research go by that > > suggests that not requiring character classes or frequency of change > > can be just as secure (and, of course, if passwords can be avoided entirely that can also help). > > As password security policy is the currently widely deployed mechanisms and devices support it,maybe we can make it optional, such as a feature? > Currently the devices support this kind of feature, then it can be checked whether this policy is enabled. > > >So, perhaps there is room for some qualifying text here as well. > > > -Ben > > (with no hats) > _______________________________________________ > sacm mailing list > sacm@ietf.org <mailto:sacm@ietf.org> > https://www.ietf.org/mailman/listinfo/sacm <https://www.ietf.org/mailman/listinfo/sacm> > _______________________________________________ > sacm mailing list > sacm@ietf.org <mailto:sacm@ietf.org> > https://www.ietf.org/mailman/listinfo/sacm <https://www.ietf.org/mailman/listinfo/sacm> >
- [sacm] minor comments on draft-lin-sacm-nid-mp-se… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Jarrett Lu
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Linqiushi (Jessica, CSPL)
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Adam Montville
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Henk Birkholz
- [sacm] Pro/Con WRT To Registry (WAS: Re: minor co… Adam Montville
- [sacm] Terminology: Baseline Data Model (WAS: Re:… Adam Montville