IETF Logo Mail Archive

Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03

Sherif Mansour <cherifmansour@gmail.com> Tue, 24 July 2018 06:08 UTC

Return-Path: <cherifmansour@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24304131051 for <sacm@ietfa.amsl.com>; Mon, 23 Jul 2018 23:08:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42rauW_Ki6qk for <sacm@ietfa.amsl.com>; Mon, 23 Jul 2018 23:08:33 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CABD2130F94 for <sacm@ietf.org>; Mon, 23 Jul 2018 23:08:32 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id b10-v6so3061066eds.4 for <sacm@ietf.org>; Mon, 23 Jul 2018 23:08:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2fB8rXe+IHR1DpxdlVMl46ioBhi6qlI2koM4oE95saY=; b=YIb2bUg0HRhmQLQDyjEVDSLq11h9C48e3oqSzjFMUYy68Jlx3I0kuH5ngwCOw9t1+8 R7lmPxbx4A45bYgpmzu0QtPNNJ4bfep9EOefBsX4jyJ7fztHPzlBOJ/uPsT6/AbUdUPW SUU14hnL6NldZlZxVml4x03hg9RN6wJBcMggqEjN0klIzbhP2xUdddsoQs00RO3bpfV4 yMvmd5SSCFGOR+BjyEXPE2OnL45OWjKbG+rT9rxo4NJxA1f/kdk6Qe6bczaAp0lF6PYq 2IyZ9JYVeGdOjdZ6Ha6IlxEzoaVqTVwP2YnXDrRsTVa6ExnLZ8qMiA4yJdK2B1SjZkQJ ZOcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2fB8rXe+IHR1DpxdlVMl46ioBhi6qlI2koM4oE95saY=; b=uXFAHtBGHu1qPOewE0YamY4xOKczr0x6roCY5DTfd06SqGcKDH0S4ndP+8SzLlbpHj D/rn8WaVl8Sk8aGMGld+hWQnT7jLdrkwchzwc+ugp3IPXVimBBzxznaJmNL78Eqht/84 wO59vkcW4MWa+uc0Wmp7IelHH2wggR7foc8R+N96cYK8MKEaHO5xiNvl1t5y45/u5Lfh ZAjYT2VyQIJYyVyzU9kVbOd8rQHthXo2iYQ1hxLyk/QQ9vC9p4Dyr0tsCwwuTJftxXAY jK4xTDQjKTrRKhdEMa0SAd8Au6uTmOTL2gCEchGvOotKKAwMdPw99z3ZgSWBQWXypVna V8Cg==
X-Gm-Message-State: AOUpUlEiybgD2CaUIQjR+QGKRCrmP81AnH4EOlT2yHmmI7br1L1Y1CfR Dq0kQ8epFi84jMtdDbcFPCOgVrYRPJI47BjAlko=
X-Google-Smtp-Source: AAOMgpcKo/5jTNH/hY90jem+nex/PVLV+fQ8ilALOLoFpGy7fInsgOPPPLaIc756srn6p0Mh29BxEQKnk+Ys24tGcpc=
X-Received: by 2002:a50:b807:: with SMTP id j7-v6mr16750732ede.206.1532412511289; Mon, 23 Jul 2018 23:08:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a50:f30c:0:0:0:0:0 with HTTP; Mon, 23 Jul 2018 23:08:30 -0700 (PDT)
In-Reply-To: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com>
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com>
From: Sherif Mansour <cherifmansour@gmail.com>
Date: Tue, 24 Jul 2018 07:08:30 +0100
Message-ID: <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com>
To: "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Adam Montville <adam.w.montville@gmail.com>, Jarrett Lu <jarrett.lu@oracle.com>, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "sacm@ietf.org" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000062868e0571b897ae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/UYjCoejveqHWvqkabdjEgxZzHKc>
Subject: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jul 2018 06:08:42 -0000

Hey Everyone,

I second Adam's idea for a "baseline registry".
1) It's easier to change a registry vs a draft
2) Organizations might want to customize their own registries with their
own content - I will give two examples based on the thread above:

As mentioned before some legacy systems only support Telnet, I remember a
few years ago a business still had some Vax/Alpha systems running and they
needed telnet. As a compensating control, we placed network restrictions
around those systems, placed a bastion hosts in front of it with an SSL web
terminal, that way secure communication took place between the rest of the
environment and the hardened host and then telnet to the legacy systems,
but at least the issue is contained in a small environment.

For the passwords it depends as well for an org e.g. for app to app
credentials vs. human to app Or even customer to eCommerce app.

   - Take Google for example, for their staff to limit the impact on
   phishing they have issued U2F secure tokens to their staff (See Link
   <https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/>).
   The password policy itself might be different as a result.
   - Others like Apple have rolled password managers to all their staff (see
   link
   <https://appleinsider.com/articles/18/07/10/apple-looking-to-deploy-1password-company-wide-may-buy-out-apps-developer>).
   This is addition to password complexity - and in a way make it easier to
   manage.
   - For app to app communication you want this to be seamless with
   automated key rolling as well as "Break glass" functionality leveraging a
   secrets vault such as https://www.vaultproject.io/ is an option.
   - For customer facing sites, password policy might not be enough, thus
   checking for password re-use, adding anomaly detection/brute-force
   mitigation, 2factor such as U2F tokens, as well as graceful recovery might
   be part of the policy.

Having a baseline registry would help as the threat landscape changes for
existing technology or the ability to replicate similar baselines to new
technologies without the need for too much re-work.

-Sherif

On Tue, Jul 24, 2018 at 3:24 AM, Linqiushi (Jessica, CSPL) <
linqiushi@huawei.com> wrote:

> Hi Ben, Adam and Jarrett,
>
> Thanks a lot for raising your concerns.
>
> Please see my comments inline.
>
> Best Regards,
> Jessica
>
> -----邮件原件-----
> 发件人: sacm [mailto:sacm-bounces@ietf.org] 代表 Benjamin Kaduk
> 发送时间: 2018年7月24日 2:01
> 收件人: sacm@ietf.org
> 主题: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
>
> > During Jessica's talk I noticed a couple things I wanted to mention,
> > but that didn't seem to merit getting up to the mic:
>
> > There's a container for 'telnet' admin access; my understanding is
> > that there are not any applications out there that could be called
> > "telnet" and are actually secure these days (but maybe I'm missing
> > some!); e.g., kerberized telnet mostly only uses single-DES and a
> > lousy cipher mode, with a vendor-specific option for triple-DES, which
> > is deprecated as of my document that's currently at the RFC Editor.
> > So we may want to have some text clarifying the situation and
> > disrecommending its use (or even remove it entirely, if that's feasible).
>
> The "telnet" admin access listed in the current draft is not meant to
> suggest the use of Telnet. In some legacy scenarios that the insecure
> channel like Telnet has to be used, some configuration such as changing the
> source port is recommended. We mentioned to disable the insecure channel,
> but didn't clarify it in details in the draft.
> You're right. The security baseline is intended to be a minimal set of
> security controls and should be up-to-date. We'll remove it and other
> similar security controls in the next version of draft.
>
> > Similarly, there's a pwd-sec-policy container that describes password
> > security policies.  While it's definitely true that password policies
> > and mandatory change intervals are currently widely deployed, it's
> > less clear whether their usage should still be considered useful or a
> > best current practice -- I think I've seen some research go by that
> > suggests that not requiring character classes or frequency of change
> > can be just as secure (and, of course, if passwords can be avoided
> entirely that can also help).
>
> As password security policy is the currently widely deployed mechanisms
> and devices support it,maybe we can make it optional, such as a feature?
> Currently the devices support this kind of feature, then it can be checked
> whether this policy is enabled.
>
> >So, perhaps there is room for some qualifying text here as well.
>
> > -Ben
> > (with no hats)
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>

v2.23.0 | Report a Bug | By Email