Re: [sacm] 答复: minor comments on draft-lin-sacm-nid-mp-security-baseline-03

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Thu, 26 July 2018 09:05 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1938F130F73 for <sacm@ietfa.amsl.com>; Thu, 26 Jul 2018 02:05:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PHOp9fEocT3K for <sacm@ietfa.amsl.com>; Thu, 26 Jul 2018 02:05:34 -0700 (PDT)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2266E130E16 for <sacm@ietf.org>; Thu, 26 Jul 2018 02:05:32 -0700 (PDT)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id w6Q95EUS006370 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 26 Jul 2018 11:05:15 +0200
Received: from [134.102.167.95] (134.102.167.95) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.399.0; Thu, 26 Jul 2018 11:05:08 +0200
To: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, Adam Montville <adam.w.montville@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: Sherif Mansour <cherifmansour@gmail.com>, "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>, Jarrett Lu <jarrett.lu@oracle.com>, "sacm@ietf.org" <sacm@ietf.org>
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com> <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com> <67EDB697-DF05-4E39-A0D8-94B5F285497E@gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BE741C5@DGGEML522-MBX.china.huawei.com> <1FF32A1A-D3CC-44E1-875F-D91B49526732@gmail.com> <20180725131835.GP92448@kduck.kaduk.org> <5D46260F-0016-4D87-B8B4-E523664D5BDD@gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BE749D9@DGGEML522-MBX.china.huawei.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <c197c527-c890-af84-63ab-f992d3c561e2@sit.fraunhofer.de>
Date: Thu, 26 Jul 2018 11:05:06 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12BE749D9@DGGEML522-MBX.china.huawei.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.167.95]
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/hGFH-i8Xzcil6N6mxBccsNjCwYg>
Subject: Re: [sacm] 答复: minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 09:05:38 -0000

Hello all,

this thread starts to mix quite a few topics now :) Maybe we should try 
to segregate them?

* pro & con wrt to registry (incl. potential spec required, expert 
review, etc.) and or I-D

* YANG Push, which depends heavily on the upcoming development in 
NETCONF in the next months

* encoding (there is e.g. I-D.ietf-core-yang-cbor)

* terminology (as always) is difficult: "baseline data model" wrt to 
"security" could imply the existence of guidance how to derive the 
nominal values and BP (aka a framework that helps the reader to make use 
of the data model). That is not the case, right?

A small comment on encoding: If anyone wants to try to do a canonical 
mapping of XML structures to JSON or CBOR structures (and vice versa), I 
am happy to help. Please mind, that this would be an independent effort 
to representing YANG-modeled data in JSON or CBOR as that is already 
being done.

Viele Grüße,

Henk

On 07/26/2018 03:03 AM, Xialiang (Frank, Network Integration Technology 
Research Dept) wrote:
> Me too~~
> 
> Thanks for pointing it out, Ben. I will look at it.
> 
> -----邮件原件-----
> 发件人: Adam Montville [mailto:adam.w.montville@gmail.com]
> 发送时间: 2018年7月25日 21:20
> 收件人: Benjamin Kaduk <kaduk@mit.edu>
> 抄送: Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>; Sherif Mansour <cherifmansour@gmail.com>; Linqiushi (Jessica, CSPL) <linqiushi@huawei.com>; Jarrett Lu <jarrett.lu@oracle.com>; sacm@ietf.org
> 主题: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
> 
> 
> 
>> On Jul 25, 2018, at 8:18 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>
>> On Wed, Jul 25, 2018 at 06:29:54AM -0500, Adam Montville wrote:
>>> Right, that’s a good point. I suppose that we could encode the YANG in CDATA or the JSON equivalent, though I’m sure that would end up being messy. YIN comes to mind, and then if we really wanted to do JSON, I think there’s a way to convert from XML to JSON, though I’m not sure it preserves everything that would need to be preserved.
>>
>> I'm probably confused (not interacting with YANG very much), but isn't
>> there a native XML encoding for YANG (e.g., the various "XML Mapping Rules"
>> sections of RFC 6020)?  Similarly RFC 7951 for a JSON mapping of YANG.
> 
> I'm sure I'm the one who is confused here - being completely new to YANG. I thought that YIN was the name given to the XML encoding for YANG. I was unaware of RFC 7951.
> 
>>
>> -Ben
>>
>>> Still, I’m not sure ROLIE would be the “right” solution for a baseline data model registry. It’s just something that came to mind as a possible solution.
>>>
>>> Adam
>>>
>>>> On Jul 24, 2018, at 10:12 PM, Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com> wrote:
>>>>
>>>> Hi Adam,
>>>> Totally agree with you.
>>>> Our draft is just a data model for baseline, which describes the structured configuration parameters and status attributes for the network device’s security baseline.
>>>> Right now, we choose the YANG data model since it’s widely used for the network device, and the new defined YANG push mechanism is very suitable for the large scale security posture collection.
>>>>
>>>> In regard to ROLIE, it’s good and well suitable for the security incident information exchange. But ROLIE currently only supports the xml or json scheme, how to combine the ROLIE and YANG data model? Maybe you can give more clarification.
>>>> Anyway, we are interested with this direction, and looking forward to more discussion and the new draft for it.
>>>>
>>>> Thanks!
>>>>
>>>> B.R.
>>>> Frank
>>>>
>>>> 发件人: Adam Montville [mailto:adam.w.montville@gmail.com]
>>>> 发送时间: 2018年7月25日 3:34
>>>> 收件人: Sherif Mansour <cherifmansour@gmail.com>
>>>> 抄送: Linqiushi (Jessica, CSPL) <linqiushi@huawei.com>; Benjamin Kaduk
>>>> <kaduk@mit.edu>; Jarrett Lu <jarrett.lu@oracle.com>; Xialiang
>>>> (Frank, Network Integration Technology Research Dept)
>>>> <frank.xialiang@huawei.com>; sacm@ietf.org
>>>> 主题: Re: [sacm] minor comments on
>>>> draft-lin-sacm-nid-mp-security-baseline-03
>>>>
>>>> For these "baseline" drafts, could we call them baseline data models instead? To me, just calling them baseline is problematic - it's an overloaded term.
>>>>
>>>> Moving on from that... I have a couple of follow-on questions related to the idea of a data model registry...
>>>>
>>>> We are already considering the adoption of a draft known as the ROLIE configuration checklist information type. Presumably, such configuration checklists would be comparable to the data models expressed in this registry right? Then, from that, would ROLIE be a suitable mechanism for the data model registry, or would we want to reference data models in a different way?
>>>>
>>>> Thoughts on any of that?
>>>>
>>>> Given that there seems to be some interest, I'll volunteer to draft something containing ideas about how such a registry could work, and why it'd be important.
>>>>
>>>> Adam
>>>>
>>>>
>>>>
>>>> On Jul 24, 2018, at 1:08 AM, Sherif Mansour <cherifmansour@gmail.com> wrote:
>>>>
>>>> Hey Everyone,
>>>>
>>>> I second Adam's idea for a "baseline registry".
>>>> 1) It's easier to change a registry vs a draft
>>>> 2) Organizations might want to customize their own registries with their own content - I will give two examples based on the thread above:
>>>>
>>>> As mentioned before some legacy systems only support Telnet, I remember a few years ago a business still had some Vax/Alpha systems running and they needed telnet. As a compensating control, we placed network restrictions around those systems, placed a bastion hosts in front of it with an SSL web terminal, that way secure communication took place between the rest of the environment and the hardened host and then telnet to the legacy systems, but at least the issue is contained in a small environment.
>>>>
>>>> For the passwords it depends as well for an org e.g. for app to app credentials vs. human to app Or even customer to eCommerce app.
>>>> Take Google for example, for their staff to limit the impact on phishing they have issued U2F secure tokens to their staff (See Link). The password policy itself might be different as a result.
>>>> Others like Apple have rolled password managers to all their staff (see link). This is addition to password complexity - and in a way make it easier to manage.
>>>> For app to app communication you want this to be seamless with automated key rolling as well as "Break glass" functionality leveraging a secrets vault such as https://www.vaultproject.io/ is an option.
>>>> For customer facing sites, password policy might not be enough, thus checking for password re-use, adding anomaly detection/brute-force mitigation, 2factor such as U2F tokens, as well as graceful recovery might be part of the policy.
>>>> Having a baseline registry would help as the threat landscape changes for existing technology or the ability to replicate similar baselines to new technologies without the need for too much re-work.
>>>>
>>>> -Sherif
>>>>
>>>> On Tue, Jul 24, 2018 at 3:24 AM, Linqiushi (Jessica, CSPL) <linqiushi@huawei.com> wrote:
>>>> Hi Ben, Adam and Jarrett,
>>>>
>>>> Thanks a lot for raising your concerns.
>>>>
>>>> Please see my comments inline.
>>>>
>>>> Best Regards,
>>>> Jessica
>>>>
>>>> -----邮件原件-----
>>>> 发件人: sacm [mailto:sacm-bounces@ietf.org] 代表 Benjamin Kaduk
>>>> 发送时间: 2018年7月24日 2:01
>>>> 收件人: sacm@ietf.org
>>>> 主题: [sacm] minor comments on
>>>> draft-lin-sacm-nid-mp-security-baseline-03
>>>>
>>>>> During Jessica's talk I noticed a couple things I wanted to
>>>>> mention, but that didn't seem to merit getting up to the mic:
>>>>
>>>>> There's a container for 'telnet' admin access; my understanding is
>>>>> that there are not any applications out there that could be called
>>>>> "telnet" and are actually secure these days (but maybe I'm missing
>>>>> some!); e.g., kerberized telnet mostly only uses single-DES and a
>>>>> lousy cipher mode, with a vendor-specific option for triple-DES,
>>>>> which is deprecated as of my document that's currently at the RFC Editor.
>>>>> So we may want to have some text clarifying the situation and
>>>>> disrecommending its use (or even remove it entirely, if that's feasible).
>>>>
>>>> The "telnet" admin access listed in the current draft is not meant to suggest the use of Telnet. In some legacy scenarios that the insecure channel like Telnet has to be used, some configuration such as changing the source port is recommended. We mentioned to disable the insecure channel, but didn't clarify it in details in the draft.
>>>> You're right. The security baseline is intended to be a minimal set of security controls and should be up-to-date. We'll remove it and other similar security controls in the next version of draft.
>>>>
>>>>> Similarly, there's a pwd-sec-policy container that describes
>>>>> password security policies.  While it's definitely true that
>>>>> password policies and mandatory change intervals are currently
>>>>> widely deployed, it's less clear whether their usage should still
>>>>> be considered useful or a best current practice -- I think I've
>>>>> seen some research go by that suggests that not requiring character
>>>>> classes or frequency of change can be just as secure (and, of course, if passwords can be avoided entirely that can also help).
>>>>
>>>> As password security policy is the currently widely deployed mechanisms and devices support it,maybe we can make it optional, such as a feature?
>>>> Currently the devices support this kind of feature, then it can be checked whether this policy is enabled.
>>>>
>>>>> So, perhaps there is room for some qualifying text here as well.
>>>>
>>>>> -Ben
>>>>> (with no hats)
>>>> _______________________________________________
>>>> sacm mailing list
>>>> sacm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/sacm
>>>> _______________________________________________
>>>> sacm mailing list
>>>> sacm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/sacm
>>>>
>>>>
> 
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>