IETF Logo Mail Archive

Re: [sacm] ECP Architecture Diagram Feedback

Sherif Mansour <cherifmansour@gmail.com> Sat, 07 April 2018 10:18 UTC

Return-Path: <cherifmansour@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F34DD12D574 for <sacm@ietfa.amsl.com>; Sat, 7 Apr 2018 03:18:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6l6FdNLA215B for <sacm@ietfa.amsl.com>; Sat, 7 Apr 2018 03:18:30 -0700 (PDT)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E42612778E for <sacm@ietf.org>; Sat, 7 Apr 2018 03:18:30 -0700 (PDT)
Received: by mail-ua0-x22d.google.com with SMTP id a17so2205059uaf.13 for <sacm@ietf.org>; Sat, 07 Apr 2018 03:18:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qP/ZzYlEEP3uu+bl2FRSPHjw9o+FlvYrmxBQ3QhLuME=; b=aVF3LygwWwYoN/XqyRfhtVdtl2Ku0JhS7AYEsmycnnIQA9rZKoY8JRId4TY/V/a3Vq EqKtv45yfWyRutXlkBfybmO7l3o1VozFcQetE0Fz0JpTkmwlAzCWGqvPMfUNa+u2TQjB OqCufx3oqcv+bgR4Bn12gJCnnblwFhT75po0IHHRf7a2N7wvaZJNeUc9Nff5vnfRhSI4 avcdoqJeoJkhrcyAZ31JzWqcbH4pjw+AKjN8GL3SQi3ZUIeSauaKDpcDqQHXP6C7zyIR FlrUky32ofyG8lRyCpa7dhJqNGdJbDDsryoc5UJeyN26//+5tlVbHa+H6SDQcCos+8ik b22w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qP/ZzYlEEP3uu+bl2FRSPHjw9o+FlvYrmxBQ3QhLuME=; b=TokqarHCZ2dfCxRUB9O2BIyFfEzfLQkzE567kpK0t1CPWGQn8FoEFXgiswGEdVSAw2 dU0HDFriVA8eQl3hr/Ug30w7/cBPg/WwvDgaXAjyRlus2owk8r0xSf1IXzrLC7RmJS8j LC8OEMT7KVELXaRMUtgM1qjv3i6cLywqjtFponglWn7fQYD4sQZ+l0nz14rfRuR1UsoE Iwrg+RQP9RSPthB6XtsChz+rvedf+LmA2G5V5Q5hP9bKLSO9TwzZI4YlksBO9Hoq0ODu NCwjMLWtYqTNs3J30xqgN9l9lg1x2nH0/r+GxVHcdSUy+i+Z7QeBLrprWvM5vSE/sgTe Z7zQ==
X-Gm-Message-State: ALQs6tAO2TITxw9f3OlAq65Q/M2gQNqzCrqKsGtMAp/TgEV1pMtc0SsV QVvPBH8XqvSPiu10j1+h164MFgIe+G/XrVpsz1s=
X-Google-Smtp-Source: AIpwx48T5RTJe5lyy9u9vhMG1c2zH8tIN5TotEGLIOPQoS5ci1hU7Q4vRZ2fSw76zhMNHlmo+2SKF8uK5uJxIJHrRq4=
X-Received: by 10.176.26.132 with SMTP id j4mr18140761uai.99.1523096309089; Sat, 07 Apr 2018 03:18:29 -0700 (PDT)
MIME-Version: 1.0
References: <DM5PR0901MB2197070C2CF8BA9A4283251CA5A60@DM5PR0901MB2197.namprd09.prod.outlook.com> <D0D3E5A5-2D22-4B3A-AD3E-27386CC43887@gmail.com> <DM5PR0901MB2197CA6B3C285DD17A0D1C04A5A50@DM5PR0901MB2197.namprd09.prod.outlook.com> <CAOxmg6tbzQBpqubuxn5DPFe1mcB7gjhX3hr5g8A4hMoexyki-A@mail.gmail.com> <DM5PR0901MB21977263C87CA80E2D277750A5A40@DM5PR0901MB2197.namprd09.prod.outlook.com>
In-Reply-To: <DM5PR0901MB21977263C87CA80E2D277750A5A40@DM5PR0901MB2197.namprd09.prod.outlook.com>
From: Sherif Mansour <cherifmansour@gmail.com>
Date: Sat, 07 Apr 2018 10:18:18 +0000
Message-ID: <CAOxmg6s1GMnbZO2pzR2baNJ_MCPwqacdcjm+8yA5Tjkh0-+fNQ@mail.gmail.com>
To: "Haynes Jr., Dan" <dhaynes@mitre.org>
Cc: "Montville, Adam W" <adam.w.montville@gmail.com>, "sacm@ietf.org" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="f403045ee77e76499705693f7e01"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/ECJJjEDuv2itezgbK41sz_X_alY>
Subject: Re: [sacm] ECP Architecture Diagram Feedback
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Apr 2018 10:18:33 -0000

In a devops model, you generally want to move from “the team that does
stuff for other people” to “the team that builds capabilities for others”.

In that case, stage-1 might look a little different. You would start with
the Orchastrator. So there would be a Jenkins job the fires, hits the
orchestrator, asks it to check a few end points, reads the results than
makes an informed decision. There are several use cases for self service
testing the main one right is to make sure end points have been hardened
and there sre currently no known show stopers before the assets “hits the
factory floor”.

Ideally we want to get to a stage of self healing.

Where a dev/sysadmin/other would ping the orchestrator to check an asset(s)
identify issues, if those issues are mapped to specific “fixes” then the
customer is also given the option to automagically schedule a patch/fix.

All this means that the interface between the orchestrator and external
parties needs to be thought out. The main value of the orchestrator is
vendor independent management and self service automation.

On Wed, 4 Apr 2018 at 9:12 pm, Haynes Jr., Dan <dhaynes@mitre.org> wrote:

> Hi Sherif,
>
>
>
> I think as long as we have standardized interfaces whether directly
> (posture manager <-> repository, evaluator <–> repository) or indirectly
> through the orchestrator, we should be able to swap posture managers in and
> out. One concern is that I am not sure we want to require an orchestrator
> in order to store information in the repository as the repository may be
> co-located with the posture manager or the orchestrator may be unnecessary
> for smaller or more limited networks. By keeping the components as-is with
> both direct and indirect interfaces, the architecture of the solution can
> be arranged in a manner that best supports the needs of the organization.
> One approach that might help is if we break out the diagram into different
> stages.
>
>
>
> Stage 1 – Reporting endpoint information to the repository via the server.
> Note: the repository may be co-located with posture manager on the server.
>
>
>
>                 Posture Manager          Endpoint
>
>                 +---------------+        +---------------+
>
>                 |               |        |               |
>
>                 | +-----------+ |        | +-----------+ |
>
>                 | | Posture   | |        | | Posture   | |
>
>                 | | Validator | |        | | Collector | |
>
>                 | +-----------+ |        | +-----------+ |
>
>                 |      |        |        |      |        |
>
>                 |      |        |        |      |        |
>
> Repository      |      |        |        |      |        |
>
> +--------+      | +-----------+ |<-------| +-----------+ |
>
> |        |      | | Posture   | | report | | Posture   | |
>
> |        |      | | Collection| |        | | Collection| |
>
> |        |<-----| | Manager   | |        | | Engine    | |
>
> |        | store| +-----------+ |        | +-----------+ |
>
> |        |      |               |        |               |
>
> |        |      |               |        |               |
>
> +--------+      +---------------+        +---------------+
>
>
>
> Stage 2 -  Evaluator queries information from the repository. If needed,
> the evaluator queries the endpoint for information via the posture manager.
>
>
>
>                                 Posture Manager          Endpoint
>
>                                 +---------------+        +---------------+
>
>                                 |               |        |               |
>
>                                 | +-----------+ |        | +-----------+ |
>
>                                 | | Posture   | |        | | Posture   | |
>
>                                 | | Validator | |        | | Collector | |
>
>                                 | +-----------+ |        | +-----------+ |
>
>                                 |      |        |        |      |        |
>
>                                 |      |        |        |      |        |
>
> Evaluator       Repository      |      |        |        |      |        |
>
> +------+        +--------+      | +-----------+ |<-------| +-----------+ |
>
> |      |        |        |      | | Posture   | | report | | Posture   | |
>
> |      |        |        |      | | Collection| |        | | Collection| |
>
> |      |<-----> |        |<-----| | Manager   | | query  | | Engine    | |
>
> |      |request/|        | store| +-----------+ |------->| +-----------+ |
>
> |      |respond |        |      |               |        |               |
>
> |      |        |        |      |               |        |               |
>
> +------+        +--------+      +---------------+        +---------------+
>
>
>
> Stage 3 – Evaluator, repository, and posture manager sharing information
> via the orchestrator.
>
>
>
>                 Orchestrator
>
> +-----------------------------------------------+
>
> |                                               |
>
> |                                               |
>
> +-----------------------------------------------+
>
>    ^                ^                   ^
>
>    |pub/sub         |pub/sub            |pub/sub
>
>    |                |                   |
>
>    |                |                   |
>
>    |                |                   v
>
>    |                |             Posture Manager          Endpoint
>
>    |                |           +---------------+        +---------------+
>
>    |                |           |               |        |               |
>
>    |                |           | +-----------+ |        | +-----------+ |
>
>    |                |           | | Posture   | |        | | Posture   | |
>
>    |                |           | | Validator | |        | | Collector | |
>
>    |                |           | +-----------+ |        | +-----------+ |
>
>    |                |           |      |        |        |      |        |
>
>    v                v           |      |        |        |      |        |
>
> Evaluator       Repository      |      |        |        |      |        |
>
> +------+        +--------+      | +-----------+ |<-------| +-----------+ |
>
> |      |        |        |      | | Posture   | | report | | Posture   | |
>
> |      |        |        |      | | Collection| |        | | Collection| |
>
> |      |        |        |      | | Manager   | | query  | | Engine    | |
>
> |      |        |        |      | +-----------+ |------->| +-----------+ |
>
> |      |        |        |      |               |        |               |
>
> |      |        |        |      |               |        |               |
>
> +------+        +--------+      +---------------+        +---------------+
>
>
>
> Regarding the invisible box of reference data, yes, the repository would
> support it. I don’t believe there is anything in the draft that prevents
> that type of data form being stored.
>
>
>
> Also, I agree that there should be an interface between the out-of-scope
> reporting system and the repository. This will eventually be supported by
> the interface that we create for accessing the repository.
>
>
>
> Lastly, can you provide more information on how you see this integrating
> into the DevOps model?
>
>
>
> Thanks,
>
> Danny
>
>
>
> *From:* Sherif Mansour [mailto:cherifmansour@gmail.com]
> *Sent:* Tuesday, April 03, 2018 5:36 PM
>
>
> *To:* Haynes Jr., Dan <dhaynes@mitre.org>
>
> *Cc:* Montville, Adam W <adam.w.montville@gmail.com>; sacm@ietf.org
>
>
> *Subject:* Re: [sacm] ECP Architecture Diagram Feedback
>
>
>
> Hi Danny,
>
> I would recommend that the Orchestrator sits between the posture manager
> and repository. This is for a few reasons, some tactical and some strategic:
>
>    - Strategically (Long term), it allows you to switch between posture
>    managers without having to do much (if any) changes on the repository, in
>    their all it means is it will be pulling data through the orchatrator, it
>    just happens to be from a different tool.
>    - Tactically (short term), is is because these connections currently
>    do not exist, so if you have many posture managers you need to develop
>    different integration in several areas (one connection for the orchestrator
>    & repository). By leveraging the orchastrator, you only need to create a
>    singe integration with the posture manager, it simply just needs more
>    features (i.e. the ability to pull security end point findings, both in raw
>    vendor specific data or in a uniform agreed data model).
>
> The second point is that there are a few "invisible" boxes. The first is
> reference data, a lot of the repository data would be enriched with
> information that is specific to the organization such as the team which
> owns specific assets or the context to which they are used. Now, on thing
> that is out of scope is the reporting, I am aware this is out of scope, but
> an organisation has not moved the needle in terms of security if they have
> detected security issues but not resolved them. It is therefore natural
> that there is an interface somewhere between the repository and a reporting
> system.
>
> Finally one key benefit of the orchestrator is automation and self
> service, there for an interface to allow it to work in a devops model would
> also increase its value, if the interface can (easily) integrate with
> Jenkins/Bamboo, or chef recipes / Ansible playbooks, this would go a long
> way for adoption.
>
> -Sherif
>
>
>
>
>
>
>
>
>
> On Tue, Apr 3, 2018 at 7:36 PM, Haynes Jr., Dan <dhaynes@mitre.org> wrote:
>
> Hi Adam,
>
>
>
> I hope it was a good trip out there and that you were able to see some of
> the sights!
>
>
>
> As far as scoping and the diagram, I think it’s worth nothing that all the
> components in it are in scope for ECP. It is just a matter of when we
> actually get to creating drafts for them (if that makes any sense). I think
> what you are looking for is a diagram that shows what we are currently
> working on? Or, maybe I am misunderstanding your comments?
>
>
>
> Thanks,
>
> Danny
>
>
>
> *From:* Adam Montville [mailto:adam.w.montville@gmail.com]
> *Sent:* Monday, April 02, 2018 3:33 PM
> *To:* Haynes Jr., Dan <dhaynes@mitre.org>
> *Cc:* sacm@ietf.org
> *Subject:* Re: [sacm] ECP Architecture Diagram Feedback
>
>
>
> Hi Danny,
>
>
>
> We missed you in London. I think the diagram is ok, but I do have scoping
> questions (just sent to the list) which may suggest some modification to
> the diagram once resolved. If the way I'm interpreting the ECP draft at
> this point is close to accurate, then it might be a good idea to add a
> horizontal scoping line between the left hand and the right hand of the
> diagram, where the posture manager is the first component on the right-hand
> side. Alternatively, an in-scope boundary box could be drawn around the
> appropriate components.
>
>
>
> What really matters is whether the diagram accurately depicts the intended
> scope of the draft from the authors' perspectives, and whether a typical
> reader would see it that way.
>
>
>
> Adam
>
>
>
> On Apr 2, 2018, at 1:32 PM, Haynes Jr., Dan <dhaynes@mitre.org> wrote:
>
>
>
> Hi Everyone,
>
> At IETF 101, we presented an updated architecture diagram [1] that was
> based on feedback from the September virtual interim [2][3] and was
> included in the ECP -01 draft [4]. During the meeting, we did not receive
> any feedback on the architecture diagram.
>
>
>
> As a result, we just wanted to follow-up on the list and see if there was
> any feedback or objections to the updated ECP architecture diagram that was
> proposed.
>
>
>
> Thanks,
>
> Danny
>
>
>
>
>
> [1]
> https://datatracker.ietf.org/meeting/101/materials/slides-101-sacm-endpoint-compliance-profile-00
>  (see slide 4)
>
> [2]
> https://datatracker.ietf.org/doc/slides-interim-2017-sacm-03-sessa-ecp/00/
>  (see slide 5)
>
> [3]
> https://datatracker.ietf.org/meeting/interim-2017-sacm-03/materials/minutes-interim-2017-sacm-03-201709260900-00
>  (see page 1 and 2)
>
> [4] https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/
>
>
>
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>
>
>
>
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>
>
>

v2.23.0 | Report a Bug | By Email