Re: [sacm] 答复: minor comments on draft-lin-sacm-nid-mp-security-baseline-03
Sherif Mansour <cherifmansour@gmail.com> Wed, 25 July 2018 11:57 UTC
Return-Path: <cherifmansour@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A4D7130FCA for <sacm@ietfa.amsl.com>; Wed, 25 Jul 2018 04:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I524qOhzwvW5 for <sacm@ietfa.amsl.com>; Wed, 25 Jul 2018 04:57:25 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 531F5130E25 for <sacm@ietf.org>; Wed, 25 Jul 2018 04:57:25 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id h4-v6so6968073edi.6 for <sacm@ietf.org>; Wed, 25 Jul 2018 04:57:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Il2vgOtCp+t3uZ/OsmEESLlaPtYFTvtbyvmKlUV2bXE=; b=HgygoORfJpZXzB4nlPqJkn6+n5JvjO8W41m7GhVk1LD/oM0MQfxcEDIaizVCPB4rwJ ZF77Quk+X8i1UUot1a61oXAW/BXWZBWuCyNi20t/OGmiCGeqmgQ8g5lEIPqTkBhPs3QE G7T5u7epwgwG7qfJsTX83SyroG2rSXEGTAX3EkLKIBtQRJMgAfhnjbQw3vDJnVdzcdMx PkKnXHAmPnzmKSQY3Wvgw4pv7aS035DHcWAnRVK3Ys5NjPEmf4X+hN0RWccShHC7uB8T y5tMZ2lKyQmHoKO9kHloJAElzat27DB4fJWiU5G5ckAiSCDtpX+H1GTmEdfruyfgbpM+ /wRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Il2vgOtCp+t3uZ/OsmEESLlaPtYFTvtbyvmKlUV2bXE=; b=cu6kAR2bdh4+pBuHciuEHkbhl+SyX4qIINMvmMxG7yXwV3NQfGKf03ck9z1bvA1dAe XjIxFzyLhvpSgU9NEpEJhSZrY3A8HmC8wf56wHVnUpkPATBHEDq3UxpciuXwtoL3VKOc d8bAJUZU+VCE74+dtHp0d9eOh3NB7+0q25SvzgpCp7GMFZSDjYlUXkaycDHMiRxDgMXz DPLYmwWWSpdxt4D4GlWFerAzSImsCIQXCBC/D7G4t/6TjqJrYFeOUksjyjeo4VHsAsMl pY7/fFjUs2yds+SGIMjhFZANTMDjaMtUyRnHnsE2APCtXT05b/DUeSnpJrAAAk6v5fA8 caew==
X-Gm-Message-State: AOUpUlEXUwXCk6oO7qx7aM/jtHv8ERDAGUJfs10BwwRU2+3wb1+etC3o QvVp2PRbJwIykaduH9ED1bRFVBgn0uc5pKtfUtVZJg==
X-Google-Smtp-Source: AAOMgpdSzJrvQIi4WOWIMTrvrVocmlABWDz8ToLgN7VLM08gXXTbnj+KRH0b8hKiRF8LEMUkp/HRe58GAbH6hD/9KPY=
X-Received: by 2002:a50:95ab:: with SMTP id w40-v6mr21884140eda.33.1532519843824; Wed, 25 Jul 2018 04:57:23 -0700 (PDT)
MIME-Version: 1.0
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com> <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com> <67EDB697-DF05-4E39-A0D8-94B5F285497E@gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BE741C5@DGGEML522-MBX.china.huawei.com> <1FF32A1A-D3CC-44E1-875F-D91B49526732@gmail.com>
In-Reply-To: <1FF32A1A-D3CC-44E1-875F-D91B49526732@gmail.com>
From: Sherif Mansour <cherifmansour@gmail.com>
Date: Wed, 25 Jul 2018 12:57:12 +0100
Message-ID: <CAOxmg6tPdf8gP1U8mJB=h=aQsFX4SWSqK3yopONAsP6Ry9HBTQ@mail.gmail.com>
To: Adam Montville <adam.w.montville@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Jarrett Lu <jarrett.lu@oracle.com>, "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "sacm@ietf.org" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e706660571d19432"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/X0biiWi0VclcsdpKQlE7UwY_Xns>
Subject: Re: [sacm] 答复: minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 11:57:29 -0000
I would also consider looking into https://avro.apache.org its versitle enough and has been battle tested in large environments. On Wed, 25 Jul 2018 at 12:29 pm, Adam Montville <adam.w.montville@gmail.com> wrote: > Right, that’s a good point. I suppose that we could encode the YANG in > CDATA or the JSON equivalent, though I’m sure that would end up being > messy. YIN comes to mind, and then if we really wanted to do JSON, I think > there’s a way to convert from XML to JSON, though I’m not sure it preserves > everything that would need to be preserved. > > Still, I’m not sure ROLIE would be the “right” solution for a baseline > data model registry. It’s just something that came to mind as a possible > solution. > > Adam > > On Jul 24, 2018, at 10:12 PM, Xialiang (Frank, Network Integration > Technology Research Dept) <frank.xialiang@huawei.com> wrote: > > Hi Adam, > > Totally agree with you. > > Our draft is just a data model for baseline, which describes the > structured configuration parameters and status attributes for the network > device’s security baseline. > > Right now, we choose the YANG data model since it’s widely used for the > network device, and the new defined YANG push mechanism is very suitable > for the large scale security posture collection. > > > > In regard to ROLIE, it’s good and well suitable for the security incident > information exchange. But ROLIE currently only supports the xml or json > scheme, how to combine the ROLIE and YANG data model? Maybe you can give > more clarification. > > Anyway, we are interested with this direction, and looking forward to more > discussion and the new draft for it. > > > > Thanks! > > > > B.R. > > Frank > > > > *发件人:* Adam Montville [mailto:adam.w.montville@gmail.com > <adam.w.montville@gmail.com>] > *发送时间:* 2018年7月25日 3:34 > *收件人:* Sherif Mansour <cherifmansour@gmail.com> > *抄送:* Linqiushi (Jessica, CSPL) <linqiushi@huawei.com>; Benjamin Kaduk < > kaduk@mit.edu>; Jarrett Lu <jarrett.lu@oracle.com>; Xialiang (Frank, > Network Integration Technology Research Dept) <frank.xialiang@huawei.com>; > sacm@ietf.org > *主题:* Re: [sacm] minor comments on > draft-lin-sacm-nid-mp-security-baseline-03 > > > > For these "baseline" drafts, could we call them baseline data models > instead? To me, just calling them baseline is problematic - it's an > overloaded term. > > > > Moving on from that... I have a couple of follow-on questions related to > the idea of a data model registry... > > > > We are already considering the adoption of a draft known as the ROLIE > configuration checklist information type. Presumably, such configuration > checklists would be comparable to the data models expressed in this > registry right? Then, from that, would ROLIE be a suitable mechanism for > the data model registry, or would we want to reference data models in a > different way? > > > > Thoughts on any of that? > > > > Given that there seems to be some interest, I'll volunteer to draft > something containing ideas about how such a registry could work, and why > it'd be important. > > > > Adam > > > > > > On Jul 24, 2018, at 1:08 AM, Sherif Mansour <cherifmansour@gmail.com> > wrote: > > > > Hey Everyone, > > > > I second Adam's idea for a "baseline registry". > > 1) It's easier to change a registry vs a draft > > 2) Organizations might want to customize their own registries with their > own content - I will give two examples based on the thread above: > > > > As mentioned before some legacy systems only support Telnet, I remember a > few years ago a business still had some Vax/Alpha systems running and they > needed telnet. As a compensating control, we placed network restrictions > around those systems, placed a bastion hosts in front of it with an SSL web > terminal, that way secure communication took place between the rest of the > environment and the hardened host and then telnet to the legacy systems, > but at least the issue is contained in a small environment. > > > > For the passwords it depends as well for an org e.g. for app to app > credentials vs. human to app Or even customer to eCommerce app. > > - Take Google for example, for their staff to limit the impact on > phishing they have issued U2F secure tokens to their staff (See Link > <https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/>). > The password policy itself might be different as a result. > - Others like Apple have rolled password managers to all their staff (see > link > <https://appleinsider.com/articles/18/07/10/apple-looking-to-deploy-1password-company-wide-may-buy-out-apps-developer>). > This is addition to password complexity - and in a way make it easier to > manage. > - For app to app communication you want this to be seamless with > automated key rolling as well as "Break glass" functionality leveraging a > secrets vault such as https://www.vaultproject.io/ is an option. > - For customer facing sites, password policy might not be enough, thus > checking for password re-use, adding anomaly detection/brute-force > mitigation, 2factor such as U2F tokens, as well as graceful recovery might > be part of the policy. > > Having a baseline registry would help as the threat landscape changes for > existing technology or the ability to replicate similar baselines to new > technologies without the need for too much re-work. > > > > -Sherif > > > > On Tue, Jul 24, 2018 at 3:24 AM, Linqiushi (Jessica, CSPL) < > linqiushi@huawei.com> wrote: > > Hi Ben, Adam and Jarrett, > > Thanks a lot for raising your concerns. > > Please see my comments inline. > > Best Regards, > Jessica > > -----邮件原件----- > 发件人: sacm [mailto:sacm-bounces@ietf.org] 代表 Benjamin Kaduk > 发送时间: 2018年7月24日 2:01 > 收件人: sacm@ietf.org > 主题: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03 > > > During Jessica's talk I noticed a couple things I wanted to mention, > > but that didn't seem to merit getting up to the mic: > > > There's a container for 'telnet' admin access; my understanding is > > that there are not any applications out there that could be called > > "telnet" and are actually secure these days (but maybe I'm missing > > some!); e.g., kerberized telnet mostly only uses single-DES and a > > lousy cipher mode, with a vendor-specific option for triple-DES, which > > is deprecated as of my document that's currently at the RFC Editor. > > So we may want to have some text clarifying the situation and > > disrecommending its use (or even remove it entirely, if that's feasible). > > The "telnet" admin access listed in the current draft is not meant to > suggest the use of Telnet. In some legacy scenarios that the insecure > channel like Telnet has to be used, some configuration such as changing the > source port is recommended. We mentioned to disable the insecure channel, > but didn't clarify it in details in the draft. > You're right. The security baseline is intended to be a minimal set of > security controls and should be up-to-date. We'll remove it and other > similar security controls in the next version of draft. > > > Similarly, there's a pwd-sec-policy container that describes password > > security policies. While it's definitely true that password policies > > and mandatory change intervals are currently widely deployed, it's > > less clear whether their usage should still be considered useful or a > > best current practice -- I think I've seen some research go by that > > suggests that not requiring character classes or frequency of change > > can be just as secure (and, of course, if passwords can be avoided > entirely that can also help). > > As password security policy is the currently widely deployed mechanisms > and devices support it,maybe we can make it optional, such as a feature? > Currently the devices support this kind of feature, then it can be checked > whether this policy is enabled. > > >So, perhaps there is room for some qualifying text here as well. > > > -Ben > > (with no hats) > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm > > > > > >
- [sacm] minor comments on draft-lin-sacm-nid-mp-se… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Jarrett Lu
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Linqiushi (Jessica, CSPL)
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Adam Montville
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Henk Birkholz
- [sacm] Pro/Con WRT To Registry (WAS: Re: minor co… Adam Montville
- [sacm] Terminology: Baseline Data Model (WAS: Re:… Adam Montville