Re: [sacm] SACM Architecture Draft
Sherif Mansour <cherifmansour@gmail.com> Tue, 19 February 2019 17:59 UTC
Return-Path: <cherifmansour@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 264B2130F30 for <sacm@ietfa.amsl.com>; Tue, 19 Feb 2019 09:59:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.009
X-Spam-Level:
X-Spam-Status: No, score=-0.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Ux5X15Y-HaZ for <sacm@ietfa.amsl.com>; Tue, 19 Feb 2019 09:59:35 -0800 (PST)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 783B0130EAB for <sacm@ietf.org>; Tue, 19 Feb 2019 09:59:33 -0800 (PST)
Received: by mail-lj1-x232.google.com with SMTP id j19so17440150ljg.5 for <sacm@ietf.org>; Tue, 19 Feb 2019 09:59:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GFaRtXrHSjg6VPuIiuoj6J+CNjYn8gHVz5/e9UQFj90=; b=kbWAGt44ByajAUysS8tyH1IYi0+mL2h9IGeEW5IQvrlFkmYuXwyiT2ZD+jzcodWrx/ v0ZFKkYQTcp5csqb7vKaOWou3I8UvZ06k5wEElbV/t8rZwUcZ+huXpyk12/OobNGufMA IlLz7N7ElrgzsYfc0uAZAHT867BDbw/W/u1TIbI1Xv8at6Uwbk9/j+ouGazLFNwCIJZt LnL6vw6qNMAg31SQPntwHsZSJvOoG+FHc1vpio5Pl+ipyW+kT38BItPwLz3nbWGVhw/I +sEjruCAf6101c47aA+OLvjsWPYh/bhky8OtB7OkCylZEn/abGLR9Xt63Y9Xqujcjzam aStw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GFaRtXrHSjg6VPuIiuoj6J+CNjYn8gHVz5/e9UQFj90=; b=tvCpjylQzR4dKJy8pVnhZB0F9geuY/LZVqbvHYcvtpi1L7UTsgENN9kKJK8pPVgxeF w9LhrPJbLpu2wXRFIko2N+IVMUOPUqdqBCWOCDE1R8/SbpE04/M9IRyofeqQhPmqnNqc KIc4ovkXd8rMbtAcF4fYBT13UJdpBqB00D71gKnh1PUEgzndBZfYoP25eFl41v28IYCP /SlWJQCAH67Zv826d2s0O0GXgb+NHG6FksQUius8sMw2Ug3Or9Fp3OVKe0jXPTVyfIze 8/Z4sN9341VLuYAAkz4L6bG1DOayCD/JZh8K3a8b9OC3hBJXoGKrE9PaxZ0aMQb/Ud13 0E9Q==
X-Gm-Message-State: AHQUAubkzLiigF5pRCh/sTLY6zY3GEBtQxMYrof26xxKb33IZVyHAbfO XC7T7b/PLyybHTi6qWLl+KYWQl+ru4wOn8Y+sul+oBgR
X-Google-Smtp-Source: AHgI3IZu+7GI0LVoQCOxDk7A3qj9cKS0cTsR4HgKx3dTzkdJVwEqCN6iqzYXs2sUE2GdyrkgzwqFQLLwvHMWItE6q5U=
X-Received: by 2002:a2e:9209:: with SMTP id k9-v6mr18024736ljg.12.1550599170604; Tue, 19 Feb 2019 09:59:30 -0800 (PST)
MIME-Version: 1.0
References: <0AE1CB07-A9CF-4821-9F1B-4FCCF53C4AA3@gmail.com> <9e8f4cb9-d893-66cd-2900-183a6b0cc9e5@oracle.com> <332612F4-C281-42CE-85DD-5A2D862293F9@gmail.com> <CAOxmg6sGHR8e0wf0wGXEutNcPFY7sCzCw2H8oXScaP5Yurnm=g@mail.gmail.com> <CAKUOEQy78a3kGiYScBeJWLxN2Nuz8c5xNeGy=6262pVmGAwnmA@mail.gmail.com> <SN6PR09MB32649BCF672B3D9E449A3699F07C0@SN6PR09MB3264.namprd09.prod.outlook.com>
In-Reply-To: <SN6PR09MB32649BCF672B3D9E449A3699F07C0@SN6PR09MB3264.namprd09.prod.outlook.com>
From: Sherif Mansour <cherifmansour@gmail.com>
Date: Tue, 19 Feb 2019 17:59:17 +0000
Message-ID: <CAOxmg6sf70bJNkbGaAP9LK6QDcM-jAibh8SOpZMKMep1NJ1uDw@mail.gmail.com>
To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
Cc: Bill Munyan <bill.munyan.ietf@gmail.com>, Jarrett Lu <jarrett.lu@oracle.com>, Adam Montville <adam.w.montville@gmail.com>, "<sacm@ietf.org>" <sacm@ietf.org>
Content-Type: multipart/related; boundary="000000000000c16af905824300ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/Cv1w21TK-AHUSBX-CoW1AO1JWk0>
Subject: Re: [sacm] SACM Architecture Draft
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 17:59:39 -0000
Hello David, Do you think there should be a distinction between reference data feeds such as NVD/Mitre/Other Threat Intel feeds, Inventory, and a security repository? I was assuming the repository in an authoritative data source which maps an asset to a security result and enriched with external feed sources e.g. NVD. The reason being you would need a data model and the ability of consistently tie the data sets together. I wasn't to focused on the interface, but it would be helpful to have an ADS that provides a source of truth of the security posture for any given point in time. I dug up an old diagram I sent out last year - it can use an update to give you an idea where I was going with this. The light blue boxes are end clients or CI/CD systems which would leverage SCAM orchestration The pink and orange boxes are inventories/datafeed/reference data which all feed into a repo which acts as a source of truth of the security posture for any given point in time. [image: image.png] On Tue, Feb 19, 2019 at 3:28 PM Waltermire, David A. (Fed) < david.waltermire@nist.gov> wrote: > Organizations will need to interact with repositories operated by other > organizations (e.g., the National Vulnerability Database, CVE project, > etc.) as well as local repositories that host historic information. In some > cases, clients might not know what to specifically query, but may instead > need to browse through hosted data to find what information they are > interested in. A request/response communication pattern is ideal for this > type of interaction. > > > > A message bus is ideal for exchanging up-to-date information or for > notifying participating clients when new information is available from a > service. It might be best to allow for both types of solutions in the SACM > architecture. There are numerous ways to provide for a common > authentication model without performing all authentication/communications > through a message bus. > > > > Where I see value in a message bus is for discovery of services, for > notifications of new data being available in a service, and to flow new > data through the system. I don’t think it is practical to force all > components to communicate only through the message bus. > > > > Here is a potential flow with a hybrid of both types of communications. > > > > 1) Client authenticates to the message bus and subscribes to notifications > of new configuration checklist data. > > 2) A ROLIE server syndicates new checklist data from the NVD, from the > national checklist program repository using the ROLIE protocol. > > 3) The ROLIE server notifies all clients that this data is available over > the message bus. > > 4) A collection client queries the ROLIE server to retrieve new checklist > data, and to find relevant historic checklist data it needs to collect for. > It may also request SWID tags, OVAL definitions, and other supporting > information from local or remote services to determine what to collect. > > 5) Collection in performed, perhaps on an ongoing basis, and collected > data can then be published over the message bus and also stored to directly > associated storage locations (e.g., CMDBs). > > > > A message bus only solution would complicate the communication in #4 > above, and would not account for remote communications in #2 and #4 at all. > In all cases above, communication can occur using standardized interfaces. > Some use a message bus, others use interfaces provided by other protocols > like ROLIE. This also allows for a cooperative ecosystem, and doesn’t > diminish from vendors providing solutions that can plug in. > > > > Regards, > > Dave > > > > *From:* sacm <sacm-bounces@ietf.org> *On Behalf Of * Bill Munyan > *Sent:* Tuesday, February 19, 2019 9:54 AM > *To:* Sherif Mansour <cherifmansour@gmail.com> > *Cc:* Jarrett Lu <jarrett.lu@oracle.com>; Adam Montville < > adam.w.montville@gmail.com>; <sacm@ietf.org> <sacm@ietf.org> > *Subject:* Re: [sacm] SACM Architecture Draft > > > > Sherif, > > > > Thanks for reading the draft and providing feedback! We really appreciate > it... I have some comments/questions in-line: > > > > > Should the downstream users pull their data from the repo (an > authoritative data source) instead of the message bus? > > > That way, there is a consistent view of that the current state of an > end-point security posture and analysis can be built on top if it. I would > not think it can be > done directly from the message bus. I also would > think the information from the repo would be bi directional? > > > > [Bill M]: > > The idea behind the message transfer system is to help define the > interfaces between components.. The intent here is really to help create a > "cooperative ecosystem", enabling vendors to plug in components where they > fit in the architecture, develop custom components where necessary, etc. > > > > Whether the "message transfer system" exists over a message bus, > integration pattern, REST interface, or other, the downstream functions > would have access to the repository (or repositories) over some sort of > "query" interface. In the case of XMPP being used as the message transfer > system, that interface could be a request using a custom IQ stanza with > query information, and a response with the requested information. In a > solution which consolidates a results repository with reporting, there may > just be a simple web application to visualize the data. > > > > I agree the information in the repository is bi-directional, and the > diagram is intended to reflect that. > > > > > Equally had some question on the data ingest (message bus) I assume > there is an Access model as not everything on the message bus is to be > accessible by > everyone, is that taken into consideration? > > > > [Bill M]: > > I would also agree there would be an access model necessary, but that can > be solution-specific. Again using the XMPP-based solution, that access > model could be maintained through the orchestrator's roster, roster groups, > various pub-sub nodes, etc. Is there a particular access model you had in > mind when asking this question? Any solution-based ideas on this certainly > help me personally in visualizing all the concepts. > > > > > Should the Orchstrator have a direct connection to the Repo, there are > cases where the orchestrator needs reference data in order to tell the > posture > managers what to do and not just react to them. Additionally > there are cases where what the posture manager finds from the collectors > will be different than > what is on file in inventory and the discrepancy. > > > > [Bill M]: > > In the first diagram, the orchestrator would have a connection to the repo > via the message transfer system. This is a great question that will help > us discover more about the interfaces we need to describe further in the > document. That "query" interface from the orchestrator can assist in > getting the necessary reference data before sending collection requests off > to the various collectors in the ecosystem. > > > > Hope that helps! Glad to keep the conversation going as well, so thank > you again for your review and feedback. > > > > Cheers, > > Bill M. > > > > > > On Mon, Feb 18, 2019 at 2:06 PM Sherif Mansour <cherifmansour@gmail.com> > wrote: > > Hey Everyone, > > Sorry for popping in so infrequently. I have taken a brief look at the > architecture, and I have some feedback: > > Should the downstream users pull their data from the repo (an > authoritative data source) instead of the message bus? > > That way, there is a consistent view of that the current state of an > end-point security posture and analysis can be built on top if it. I would > not think it can be done directly from the message bus. I also would think > the information from the repo would be bi directional? > > Equally had some question on the data ingest (message bus) I assume there > is an Access model as not everything on the message bus is to be accessible > by everyone, is that taken into consideration? > > [image: image..png] > > Should the Orchstrator have a direct connection to the Repo, there are > cases where the orchestrator needs reference data in order to tell the > posture managers what to do and not just react to them. Additionally there > are cases where what the posture manager finds from the collectors will be > different than what is on file in inventory and the discrepancy. > > [image: image.png] > > > > On Fri, Feb 15, 2019 at 12:05 PM Adam Montville < > adam.w.montville@gmail.com> wrote: > > Hi Jarret, > > > > Thank you for reading through the draft. Happy to talk about some of these > things today during the interim. I think we would prefer that > interfaces/capabilities are first described abstractly — irrespective of > any specific messaging solution — and then use XMPP-Grid+ as an > implementation example. > > > > Kind regards, > > > > Adam > > > > On Feb 14, 2019, at 7:27 PM, Jarrett Lu <jarrett.lu@oracle.com> wrote: > > > > Hi Adam & SACM, > > I read the (active) architecture draft, and I believe it's a good one. The > hackathon work reflected in the draft definitely carries some weight. > > Some architecture entities could be expanded and described at a more > abstract level. For example, this draft appears to equate "capabilities" > with set of interfaces. Are SACM capabilities supposed to be discoverable? > If so, how should it be represented? If capabilities/functional interfaces > are described in more general terms, and use XMPP-grid+ as an example of > how it meets the functional requirements, this may make it appear less > solution-centric. > > I vote for including workflows in the architecture document. It just reads > better that way. It will increase the document size and takes longer to > finish. As long as good progress is being made, is it really urgent to > finish and publisher the architecture document. > > I think the Security Consideration section of the old architecture draft > is pretty good. Do XMPP-grid XEPs adress the MitM, transport integrity and > confidentiality concerns mentioned there? > > Regards. > > - Jarrett > > > > On 12/27/18 01:29 PM, Adam Montville wrote: > > Dear SACM, > > > > Happy (belated) Holidays and a Happy New Year to you! > > > > At our recent virtual interim meeting I promised to post a note to the > list regarding our architecture draft to do three things: > > 1. Request review > 2. Indicate whether we (the authors) believe it's on the right track > 3. Assuming 2 is good, a list of what's left to be done. > > So, we're going to start with 2, move on to 3, and then end with 1... > > > > Bill and I both believe that the architecture draft is, indeed, on the > right track. Henk, and possibly others (Nancy?), have described this draft > as being too solutions-specific. Section 3, "Architectural Overview" is > intended to be the place in this draft to describe the abstract ideas in > the architecture. Section 3.1 talks a little bit about the roles of the > SACM Components, and Section 3.2 provides the known information about an > XMPP-based instantiation of the architecture (note Appendix A maps this > instantiation back to our SACM requirements, RFC8248). > > > > Assuming that we are on the right track, then here's what we think yet > needs to be done: > > > > - Document specific Components, Capabilities, Interfaces, and Workflows > > > - IT Asset Management could probably stand to be fleshed out > - Vulnerability Management is reasonable documented in this draft, > but may need work > - Configuration management probably needs to be fleshed out as well > (needs to be tied to SACM Use Cases) > > > - Determine where to document the above (in this draft or in new > drafts), which will determine how long this draft takes to complete. > - Prague hackathon to continue the trend of discovering an XMPP-based > solution > - TODOs in the draft > > > - Privacy Considerations > - Security Considerations > > > - Flesh out our IANA Considerations > > > - Will likely result in additional draft work > > > > > > Clearly, there's a lot to be done here, and we really need your specific, > actionable feedback on this draft. Feel free to reach out here or to either > of us directly. > > > > This draft in GitHub: https://github.com/sacmwg/draft-ietf-sacm-arch > > > > This draft on the SACM documents page: > https://datatracker.ietf.org/doc/draft-ietf-sacm-arch/ > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-sacm-arch%2F&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106737807&sdata=mgt4EPWcuBsLx3DR1sx01TbCEUlt6F37FpqKroSJNjI%3D&reserved=0> > > > > > > Kind regards, > > > > Adam & Bill > > > > _______________________________________________ > > sacm mailing list > > sacm@ietf..org <sacm@ietf.org> > > https://www.ietf.org/mailman/listinfo/sacm <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106747816&sdata=YVjK0x2u12K9Ds3GWE4ekxjJrQsGu7CxVlEXHyLduik%3D&reserved=0> > > > > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106757821&sdata=g%2Bt4sWCXGlkpiUnrQcAUFZir6pSmRODJgcOSYI%2FWrZs%3D&reserved=0> > > > > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106757821&sdata=g%2Bt4sWCXGlkpiUnrQcAUFZir6pSmRODJgcOSYI%2FWrZs%3D&reserved=0> > > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106767830&sdata=RDvylTUYEQKBFEyoecw35wfzIIBRGG7K4YxJ5250Lw8%3D&reserved=0> > >
- [sacm] SACM Architecture Draft Adam Montville
- Re: [sacm] SACM Architecture Draft Jarrett Lu
- Re: [sacm] SACM Architecture Draft Adam Montville
- Re: [sacm] SACM Architecture Draft Sherif Mansour
- Re: [sacm] SACM Architecture Draft Bill Munyan
- Re: [sacm] SACM Architecture Draft Waltermire, David A. (Fed)
- Re: [sacm] SACM Architecture Draft Sherif Mansour
- Re: [sacm] SACM Architecture Draft Shawn Wells