IETF Logo Mail Archive

Re: [sacm] ECP Architecture Diagram Feedback

"Haynes Jr., Dan" <dhaynes@mitre.org> Mon, 09 April 2018 14:48 UTC

Return-Path: <dhaynes@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32753126DED for <sacm@ietfa.amsl.com>; Mon, 9 Apr 2018 07:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.309
X-Spam-Level:
X-Spam-Status: No, score=-2.309 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M4O8notJLMEX for <sacm@ietfa.amsl.com>; Mon, 9 Apr 2018 07:48:01 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 6849C1242F5 for <sacm@ietf.org>; Mon, 9 Apr 2018 07:48:01 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 6ECBA6C0074; Mon, 9 Apr 2018 10:48:00 -0400 (EDT)
Received: from imshyb02.MITRE.ORG (unknown [129.83.29.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtpvmsrv1.mitre.org (Postfix) with ESMTPS id 4DF416C005C; Mon, 9 Apr 2018 10:48:00 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 9 Apr 2018 10:47:59 -0400
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Mon, 9 Apr 2018 10:47:59 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=EE3AWvDv+k+AQGAOypGZQvSntXJsGfnHF0KB2+HixFc=; b=R73RiSipQyxpdd9kkT/ojrJ66irbSGQv2udc3Q5UVT5PtdxeqM6GwkjMj1UOraM4wH1CqRTgu7T6pXm/DxqLvEuBUMqIb93X0SL72C6jxE3Qi/gn9rZu6vbq9UXartNmWvfZU3f2FK0Y81q4r3PQ7xrFpxXCeAJHbSsUO5l9Stc=
Received: from DM5PR0901MB2197.namprd09.prod.outlook.com (10.167.106.167) by DM5PR0901MB2199.namprd09.prod.outlook.com (10.167.109.39) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.653.12; Mon, 9 Apr 2018 14:47:58 +0000
Received: from DM5PR0901MB2197.namprd09.prod.outlook.com ([fe80::e550:42b2:7e29:134b]) by DM5PR0901MB2197.namprd09.prod.outlook.com ([fe80::e550:42b2:7e29:134b%13]) with mapi id 15.20.0653.016; Mon, 9 Apr 2018 14:47:58 +0000
From: "Haynes Jr., Dan" <dhaynes@mitre.org>
To: Sherif Mansour <cherifmansour@gmail.com>
CC: "Montville, Adam W" <adam.w.montville@gmail.com>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: [sacm] ECP Architecture Diagram Feedback
Thread-Index: AdPKr9yz9kq0dQvQQLu6DiaYCmftPQACXycAADAUbYAABoXogAAlG5CgAIxjlwAAaGZ4wA==
Date: Mon, 09 Apr 2018 14:47:58 +0000
Message-ID: <DM5PR0901MB21971D0D935BD3A6BB1E7A42A5BF0@DM5PR0901MB2197.namprd09.prod.outlook.com>
References: <DM5PR0901MB2197070C2CF8BA9A4283251CA5A60@DM5PR0901MB2197.namprd09.prod.outlook.com> <D0D3E5A5-2D22-4B3A-AD3E-27386CC43887@gmail.com> <DM5PR0901MB2197CA6B3C285DD17A0D1C04A5A50@DM5PR0901MB2197.namprd09.prod.outlook.com> <CAOxmg6tbzQBpqubuxn5DPFe1mcB7gjhX3hr5g8A4hMoexyki-A@mail.gmail.com> <DM5PR0901MB21977263C87CA80E2D277750A5A40@DM5PR0901MB2197.namprd09.prod.outlook.com> <CAOxmg6s1GMnbZO2pzR2baNJ_MCPwqacdcjm+8yA5Tjkh0-+fNQ@mail.gmail.com>
In-Reply-To: <CAOxmg6s1GMnbZO2pzR2baNJ_MCPwqacdcjm+8yA5Tjkh0-+fNQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dhaynes@mitre.org;
x-originating-ip: [192.160.51.88]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR0901MB2199; 7:dFRT6p7RQHWx1v7RgHEZHmnlFnOqR/WYAkYEsW98tfYvRgqd14f106YxdGAsrLE43E4qBuEg/088uVFfDlYwkpU+oPukbrmlq8Dv+SBDoRlWo8N6rlnpZITTSg7Q2h2KjhjrpIaeJJnwFTUtGPlXzxBYl7wwKK/K0RbWsKeNk8noCfgrZmBxnDLgAo4OnxmJaRWq9sr5Rpgpg3l9OauM8CHo0tJO31BZQJTsjztX1h1q6ZkaZbGDfkyKmzIBiQco
x-ms-exchange-antispam-srfa-diagnostics: SOS;
X-MS-Office365-Filtering-Correlation-Id: 19f6c974-b611-4185-b865-08d59e28e2a7
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(48565401081)(2017052603328)(7153060)(7193020); SRVR:DM5PR0901MB2199;
x-ms-traffictypediagnostic: DM5PR0901MB2199:
x-ld-processed: c620dc48-1d50-4952-8b39-df4d54d74d82,ExtAddr
x-microsoft-antispam-prvs: <DM5PR0901MB219900780DA18D1FA48299BFA5BF0@DM5PR0901MB2199.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(142945433499172)(120809045254105)(166708455590820)(192374486261705)(85827821059158)(21748063052155)(211171220733660);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(10201501046)(3231221)(944501327)(52105095)(6055026)(6041310)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(6072148)(201708071742011); SRVR:DM5PR0901MB2199; BCL:0; PCL:0; RULEID:; SRVR:DM5PR0901MB2199;
x-forefront-prvs: 0637FCE711
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(366004)(39850400004)(39380400002)(396003)(51914003)(53754006)(199004)(189003)(105586002)(486006)(97736004)(19609705001)(5660300001)(2900100001)(3846002)(93886005)(316002)(790700001)(6116002)(59450400001)(99286004)(53546011)(5250100002)(102836004)(66066001)(76176011)(6916009)(229853002)(2906002)(7696005)(6506007)(606006)(86362001)(7736002)(3660700001)(476003)(53946003)(6246003)(446003)(106356001)(478600001)(25786009)(3280700002)(8936002)(54906003)(9686003)(26005)(1411001)(55016002)(11346002)(33656002)(81166006)(81156014)(53936002)(54896002)(8676002)(68736007)(74316002)(14454004)(4326008)(186003)(6306002)(236005)(966005)(6436002)(39060400002)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR0901MB2199; H:DM5PR0901MB2197.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: V2GRUvrLGGAW82X2nkkX6bwSdWdsbWUP3ZLKk9OmbbjC3wSWFKe7GIqXcfxw7ydqVWjMnYG7uh1sBijPWaaW9SFW5Kd5C8MFvekEeD9hU2wgi0k+/zkVSaEbYwfU4m/Jr1oX6g50sEtb/kXhK4/cHkPuAlQ3sFd720aCn/7rgwBtiR5Tx9SjFD1ip/B1dB+yFBxCXC82XFtmW08SypAIm2TwjShtFcOlYJNZcvaNOYcqC3iMa61HcjEi8BRY2bHnemfTUAXNHwR/l9ciCnI5AqlCMOApL7hOMJl+8C4Mry4IVAKoCrb8KtR+lqxY1wObE8rKGGETl7DiDEyVcaARrMiWrgi8SzSaHZWjYJnRe7SfgDzpJWrubpAu0cgMmHFjvMo4FYyR1DFGtHBV3le1aYB7zADkj+rzK5+m4wynXT4=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR0901MB21971D0D935BD3A6BB1E7A42A5BF0DM5PR0901MB2197_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 19f6c974-b611-4185-b865-08d59e28e2a7
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Apr 2018 14:47:58.0534 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR0901MB2199
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/COpQ7wjaT9pDRcNE1Ve0XrjZAQM>
Subject: Re: [sacm] ECP Architecture Diagram Feedback
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2018 14:48:05 -0000

Thanks for the clarification Sherif!

So, it sounds like beyond just a pub/sub interface for communicating with other components, you want it to also be able to manage jobs among other things. Does the list of current SACM tasks (collection, endpoint characterization, endpoint classification, evaluation) sound like the jobs you would want it to manage? The SACM tasks are defined here (https://github.com/sacmwg/draft-ietf-sacm-terminology/blob/master/draft-ietf-sacm-terminology.md).

Are there other capabilities that you would specifically like to see in the orchestrator?

Also, how do others envision the orchestrator working?

Thanks,

Danny

From: Sherif Mansour [mailto:cherifmansour@gmail.com]
Sent: Saturday, April 07, 2018 6:18 AM
To: Haynes Jr., Dan <dhaynes@mitre.org>
Cc: Montville, Adam W <adam.w.montville@gmail.com>; sacm@ietf.org
Subject: Re: [sacm] ECP Architecture Diagram Feedback

In a devops model, you generally want to move from “the team that does stuff for other people” to “the team that builds capabilities for others”.

In that case, stage-1 might look a little different. You would start with the Orchastrator. So there would be a Jenkins job the fires, hits the orchestrator, asks it to check a few end points, reads the results than makes an informed decision. There are several use cases for self service testing the main one right is to make sure end points have been hardened and there sre currently no known show stopers before the assets “hits the factory floor”.

Ideally we want to get to a stage of self healing.

Where a dev/sysadmin/other would ping the orchestrator to check an asset(s) identify issues, if those issues are mapped to specific “fixes” then the customer is also given the option to automagically schedule a patch/fix.

All this means that the interface between the orchestrator and external parties needs to be thought out. The main value of the orchestrator is vendor independent management and self service automation.

On Wed, 4 Apr 2018 at 9:12 pm, Haynes Jr., Dan <dhaynes@mitre.org<mailto:dhaynes@mitre.org>> wrote:
Hi Sherif,

I think as long as we have standardized interfaces whether directly (posture manager <-> repository, evaluator <–> repository) or indirectly through the orchestrator, we should be able to swap posture managers in and out. One concern is that I am not sure we want to require an orchestrator in order to store information in the repository as the repository may be co-located with the posture manager or the orchestrator may be unnecessary for smaller or more limited networks. By keeping the components as-is with both direct and indirect interfaces, the architecture of the solution can be arranged in a manner that best supports the needs of the organization.  One approach that might help is if we break out the diagram into different stages.

Stage 1 – Reporting endpoint information to the repository via the server. Note: the repository may be co-located with posture manager on the server.

                Posture Manager          Endpoint
                +---------------+        +---------------+
                |               |        |               |
                | +-----------+ |        | +-----------+ |
                | | Posture   | |        | | Posture   | |
                | | Validator | |        | | Collector | |
                | +-----------+ |        | +-----------+ |
                |      |        |        |      |        |
                |      |        |        |      |        |
Repository      |      |        |        |      |        |
+--------+      | +-----------+ |<-------| +-----------+ |
|        |      | | Posture   | | report | | Posture   | |
|        |      | | Collection| |        | | Collection| |
|        |<-----| | Manager   | |        | | Engine    | |
|        | store| +-----------+ |        | +-----------+ |
|        |      |               |        |               |
|        |      |               |        |               |
+--------+      +---------------+        +---------------+

Stage 2 -  Evaluator queries information from the repository. If needed, the evaluator queries the endpoint for information via the posture manager.



                                Posture Manager          Endpoint

                                +---------------+        +---------------+

                                |               |        |               |

                                | +-----------+ |        | +-----------+ |

                                | | Posture   | |        | | Posture   | |

                                | | Validator | |        | | Collector | |

                                | +-----------+ |        | +-----------+ |

                                |      |        |        |      |        |

                                |      |        |        |      |        |

Evaluator       Repository      |      |        |        |      |        |

+------+        +--------+      | +-----------+ |<-------| +-----------+ |

|      |        |        |      | | Posture   | | report | | Posture   | |

|      |        |        |      | | Collection| |        | | Collection| |

|      |<-----> |        |<-----| | Manager   | | query  | | Engine    | |

|      |request/|        | store| +-----------+ |------->| +-----------+ |

|      |respond |        |      |               |        |               |

|      |        |        |      |               |        |               |

+------+        +--------+      +---------------+        +---------------+

Stage 3 – Evaluator, repository, and posture manager sharing information via the orchestrator.


                Orchestrator

+-----------------------------------------------+

|                                               |

|                                               |

+-----------------------------------------------+

   ^                ^                   ^

   |pub/sub         |pub/sub            |pub/sub

   |                |                   |

   |                |                   |

   |                |                   v

   |                |             Posture Manager          Endpoint

   |                |           +---------------+        +---------------+

   |                |           |               |        |               |

   |                |           | +-----------+ |        | +-----------+ |

   |                |           | | Posture   | |        | | Posture   | |

   |                |           | | Validator | |        | | Collector | |

   |                |           | +-----------+ |        | +-----------+ |

   |                |           |      |        |        |      |        |

   v                v           |      |        |        |      |        |

Evaluator       Repository      |      |        |        |      |        |

+------+        +--------+      | +-----------+ |<-------| +-----------+ |

|      |        |        |      | | Posture   | | report | | Posture   | |

|      |        |        |      | | Collection| |        | | Collection| |

|      |        |        |      | | Manager   | | query  | | Engine    | |

|      |        |        |      | +-----------+ |------->| +-----------+ |

|      |        |        |      |               |        |               |

|      |        |        |      |               |        |               |

+------+        +--------+      +---------------+        +---------------+

Regarding the invisible box of reference data, yes, the repository would support it. I don’t believe there is anything in the draft that prevents that type of data form being stored.

Also, I agree that there should be an interface between the out-of-scope reporting system and the repository. This will eventually be supported by the interface that we create for accessing the repository.

Lastly, can you provide more information on how you see this integrating into the DevOps model?

Thanks,

Danny

From: Sherif Mansour [mailto:cherifmansour@gmail.com<mailto:cherifmansour@gmail.com>]
Sent: Tuesday, April 03, 2018 5:36 PM

To: Haynes Jr., Dan <dhaynes@mitre.org<mailto:dhaynes@mitre.org>>
Cc: Montville, Adam W <adam.w.montville@gmail.com<mailto:adam.w.montville@gmail.com>>; sacm@ietf.org<mailto:sacm@ietf.org>

Subject: Re: [sacm] ECP Architecture Diagram Feedback

Hi Danny,
I would recommend that the Orchestrator sits between the posture manager and repository. This is for a few reasons, some tactical and some strategic:

  *   Strategically (Long term), it allows you to switch between posture managers without having to do much (if any) changes on the repository, in their all it means is it will be pulling data through the orchatrator, it just happens to be from a different tool.
  *   Tactically (short term), is is because these connections currently do not exist, so if you have many posture managers you need to develop different integration in several areas (one connection for the orchestrator & repository). By leveraging the orchastrator, you only need to create a singe integration with the posture manager, it simply just needs more features (i.e. the ability to pull security end point findings, both in raw vendor specific data or in a uniform agreed data model).

The second point is that there are a few "invisible" boxes. The first is reference data, a lot of the repository data would be enriched with information that is specific to the organization such as the team which owns specific assets or the context to which they are used. Now, on thing that is out of scope is the reporting, I am aware this is out of scope, but an organisation has not moved the needle in terms of security if they have detected security issues but not resolved them. It is therefore natural that there is an interface somewhere between the repository and a reporting system.

Finally one key benefit of the orchestrator is automation and self service, there for an interface to allow it to work in a devops model would also increase its value, if the interface can (easily) integrate with Jenkins/Bamboo, or chef recipes / Ansible playbooks, this would go a long way for adoption.

-Sherif






On Tue, Apr 3, 2018 at 7:36 PM, Haynes Jr., Dan <dhaynes@mitre.org<mailto:dhaynes@mitre.org>> wrote:
Hi Adam,

I hope it was a good trip out there and that you were able to see some of the sights!

As far as scoping and the diagram, I think it’s worth nothing that all the components in it are in scope for ECP. It is just a matter of when we actually get to creating drafts for them (if that makes any sense). I think what you are looking for is a diagram that shows what we are currently working on? Or, maybe I am misunderstanding your comments?

Thanks,

Danny

From: Adam Montville [mailto:adam.w.montville@gmail.com<mailto:adam.w.montville@gmail.com>]
Sent: Monday, April 02, 2018 3:33 PM
To: Haynes Jr., Dan <dhaynes@mitre.org<mailto:dhaynes@mitre.org>>
Cc: sacm@ietf.org<mailto:sacm@ietf.org>
Subject: Re: [sacm] ECP Architecture Diagram Feedback

Hi Danny,

We missed you in London. I think the diagram is ok, but I do have scoping questions (just sent to the list) which may suggest some modification to the diagram once resolved. If the way I'm interpreting the ECP draft at this point is close to accurate, then it might be a good idea to add a horizontal scoping line between the left hand and the right hand of the diagram, where the posture manager is the first component on the right-hand side. Alternatively, an in-scope boundary box could be drawn around the appropriate components.

What really matters is whether the diagram accurately depicts the intended scope of the draft from the authors' perspectives, and whether a typical reader would see it that way.

Adam

On Apr 2, 2018, at 1:32 PM, Haynes Jr., Dan <dhaynes@mitre.org<mailto:dhaynes@mitre.org>> wrote:

Hi Everyone,

At IETF 101, we presented an updated architecture diagram [1] that was based on feedback from the September virtual interim [2][3] and was included in the ECP -01 draft [4]. During the meeting, we did not receive any feedback on the architecture diagram.

As a result, we just wanted to follow-up on the list and see if there was any feedback or objections to the updated ECP architecture diagram that was proposed.

Thanks,

Danny


[1] https://datatracker.ietf.org/meeting/101/materials/slides-101-sacm-endpoint-compliance-profile-00 (see slide 4)
[2] https://datatracker.ietf.org/doc/slides-interim-2017-sacm-03-sessa-ecp/00/ (see slide 5)
[3] https://datatracker.ietf.org/meeting/interim-2017-sacm-03/materials/minutes-interim-2017-sacm-03-201709260900-00 (see page 1 and 2)
[4] https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/

_______________________________________________
sacm mailing list
sacm@ietf.org<mailto:sacm@ietf.org>
https://www.ietf.org/mailman/listinfo/sacm


_______________________________________________
sacm mailing list
sacm@ietf.org<mailto:sacm@ietf.org>
https://www.ietf.org/mailman/listinfo/sacm

v2.23.0 | Report a Bug | By Email