IETF Logo Mail Archive

Re: [sacm] ECP Architecture Diagram Feedback

Sherif Mansour <cherifmansour@gmail.com> Mon, 09 April 2018 15:06 UTC

Return-Path: <cherifmansour@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8B2F12711E for <sacm@ietfa.amsl.com>; Mon, 9 Apr 2018 08:06:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.901
X-Spam-Level:
X-Spam-Status: No, score=0.901 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cRUpFFBCBIuD for <sacm@ietfa.amsl.com>; Mon, 9 Apr 2018 08:05:59 -0700 (PDT)
Received: from mail-ua0-x22b.google.com (mail-ua0-x22b.google.com [IPv6:2607:f8b0:400c:c08::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 277CD1242F5 for <sacm@ietf.org>; Mon, 9 Apr 2018 08:05:59 -0700 (PDT)
Received: by mail-ua0-x22b.google.com with SMTP id o34so5184218uae.9 for <sacm@ietf.org>; Mon, 09 Apr 2018 08:05:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mU2IHePxMNySXP69b2TluGabPrwBDHywqlI+Idxg55I=; b=U6lm87u/Fic7N7myxJFxklLBnmCNNCGb2lPmld3zUVincaC3O9ULEwWIOowRNHUDsq pJ3pWY6fdr2CwzaiKse2lrn+E7fyokCq+Jaar0/dxElZ6dL3YpARW42OJaJ96B5X8zpT dwA4ZSTcnAkhfSStZNycQLmu/UgOqYvTTCd7zO/y+isEPNTCoJl75bT3KMn1CqZeYpas PB/AZOS7LgD/iMD2gpYsVzChC1aSTexWftbdOY7IKvOwwWvP6h9iC55uM4MfNkeRc2d3 GgnFVA5x54f/qPELwCiTh8pBSAMsdEFXlN5f/85+pyfSxIUZc9MQD4ZvF1X0sg8tVxHz xZ3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mU2IHePxMNySXP69b2TluGabPrwBDHywqlI+Idxg55I=; b=Gww+TuFyaV6gzHbEiiqkmsRzZv+vcL9En+Vm4OQm5GAuBTo+9PMQoVftOuwGLaKKTM j770GxwZv1FdXPfGKPF6yq+J7s75WUxgq72L0L8LVjOvzRmEiKdhj2QE/W25C9S7o727 jkcdZ3uYSECmagQNem18PnWZBDVMFNJVS188LaZCiM4ZPeIWp9KElr4hrcYylwvepLNx R/vvjIz50AX5hM9bRxy7qLt9Sjlbj+7A3oDfQOQDsIp/bpYUpfczuoWXwOdGiQcpc2RU i/1NFVRvSYdBkRVZkqeuIX8sOcd9Ry6OHRlvvd24yC2SscGBQxBTJp/03p+jr7+k5hYD CT8w==
X-Gm-Message-State: ALQs6tB0W6/mjz3VQLxfjaCWOI4Wcj5ZfGWu1hqO8wkyfqNCz2aDznOn NoJYlQENNHKWW2VOpaxuUk6bSR6np+rmue88cs8=
X-Google-Smtp-Source: AIpwx4+MSP69M0U7tVdRkSmorXy11lpa/KZrWUoOt82ybZjy7hyXYjcCTr7h6uMcOWeMaATK/pRqOOLno/1FDOGk5Yg=
X-Received: by 10.176.16.85 with SMTP id g21mr26312407uab.189.1523286358127; Mon, 09 Apr 2018 08:05:58 -0700 (PDT)
MIME-Version: 1.0
References: <DM5PR0901MB2197070C2CF8BA9A4283251CA5A60@DM5PR0901MB2197.namprd09.prod.outlook.com> <D0D3E5A5-2D22-4B3A-AD3E-27386CC43887@gmail.com> <DM5PR0901MB2197CA6B3C285DD17A0D1C04A5A50@DM5PR0901MB2197.namprd09.prod.outlook.com> <CAOxmg6tbzQBpqubuxn5DPFe1mcB7gjhX3hr5g8A4hMoexyki-A@mail.gmail.com> <DM5PR0901MB21977263C87CA80E2D277750A5A40@DM5PR0901MB2197.namprd09.prod.outlook.com> <CAOxmg6s1GMnbZO2pzR2baNJ_MCPwqacdcjm+8yA5Tjkh0-+fNQ@mail.gmail.com> <DM5PR0901MB21971D0D935BD3A6BB1E7A42A5BF0@DM5PR0901MB2197.namprd09.prod.outlook.com>
In-Reply-To: <DM5PR0901MB21971D0D935BD3A6BB1E7A42A5BF0@DM5PR0901MB2197.namprd09.prod.outlook.com>
From: Sherif Mansour <cherifmansour@gmail.com>
Date: Mon, 09 Apr 2018 15:05:46 +0000
Message-ID: <CAOxmg6tsRNVdbDQbm0qmcY=6_WqE4vXtJeHM0oxok5BzAntvEA@mail.gmail.com>
To: "Haynes Jr., Dan" <dhaynes@mitre.org>
Cc: "Montville, Adam W" <adam.w.montville@gmail.com>, "sacm@ietf.org" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="f403045e3632447a6c05696bbebd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/hQx2vyAaNW-gCAqw7k6ZZtTuZdM>
Subject: Re: [sacm] ECP Architecture Diagram Feedback
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2018 15:06:03 -0000

Hi Dan,
Let me respond later this evening, I am also happy to call if you have a
minute.

On Mon, 9 Apr 2018 at 3:48 pm, Haynes Jr., Dan <dhaynes@mitre.org> wrote:

> Thanks for the clarification Sherif!
>
>
>
> So, it sounds like beyond just a pub/sub interface for communicating with
> other components, you want it to also be able to manage jobs among other
> things. Does the list of current SACM tasks (collection, endpoint
> characterization, endpoint classification, evaluation) sound like the jobs
> you would want it to manage? The SACM tasks are defined here (
> https://github.com/sacmwg/draft-ietf-sacm-terminology/blob/master/draft-ietf-sacm-terminology.md
> ).
>
>
>
> Are there other capabilities that you would specifically like to see in
> the orchestrator?
>
>
>
> Also, how do others envision the orchestrator working?
>
>
>
> Thanks,
>
> Danny
>
>
>
> *From:* Sherif Mansour [mailto:cherifmansour@gmail.com]
>
> *Sent:* Saturday, April 07, 2018 6:18 AM
>
>
> *To:* Haynes Jr., Dan <dhaynes@mitre.org>
> *Cc:* Montville, Adam W <adam.w.montville@gmail.com>; sacm@ietf.org
> *Subject:* Re: [sacm] ECP Architecture Diagram Feedback
>
>
>
> In a devops model, you generally want to move from “the team that does
> stuff for other people” to “the team that builds capabilities for others”.
>
>
>
> In that case, stage-1 might look a little different. You would start with
> the Orchastrator. So there would be a Jenkins job the fires, hits the
> orchestrator, asks it to check a few end points, reads the results than
> makes an informed decision. There are several use cases for self service
> testing the main one right is to make sure end points have been hardened
> and there sre currently no known show stopers before the assets “hits the
> factory floor”.
>
>
>
> Ideally we want to get to a stage of self healing.
>
>
>
> Where a dev/sysadmin/other would ping the orchestrator to check an
> asset(s) identify issues, if those issues are mapped to specific “fixes”
> then the customer is also given the option to automagically schedule a
> patch/fix.
>
>
>
> All this means that the interface between the orchestrator and external
> parties needs to be thought out. The main value of the orchestrator is
> vendor independent management and self service automation.
>
>
>
> On Wed, 4 Apr 2018 at 9:12 pm, Haynes Jr., Dan <dhaynes@mitre.org> wrote:
>
> Hi Sherif,
>
>
>
> I think as long as we have standardized interfaces whether directly
> (posture manager <-> repository, evaluator <–> repository) or indirectly
> through the orchestrator, we should be able to swap posture managers in and
> out. One concern is that I am not sure we want to require an orchestrator
> in order to store information in the repository as the repository may be
> co-located with the posture manager or the orchestrator may be unnecessary
> for smaller or more limited networks. By keeping the components as-is with
> both direct and indirect interfaces, the architecture of the solution can
> be arranged in a manner that best supports the needs of the organization.
> One approach that might help is if we break out the diagram into different
> stages.
>
>
>
> Stage 1 – Reporting endpoint information to the repository via the server.
> Note: the repository may be co-located with posture manager on the server.
>
>
>
>                 Posture Manager          Endpoint
>
>                 +---------------+        +---------------+
>
>                 |               |        |               |
>
>                 | +-----------+ |        | +-----------+ |
>
>                 | | Posture   | |        | | Posture   | |
>
>                 | | Validator | |        | | Collector | |
>
>                 | +-----------+ |        | +-----------+ |
>
>                 |      |        |        |      |        |
>
>                 |      |        |        |      |        |
>
> Repository      |      |        |        |      |        |
>
> +--------+      | +-----------+ |<-------| +-----------+ |
>
> |        |      | | Posture   | | report | | Posture   | |
>
> |        |      | | Collection| |        | | Collection| |
>
> |        |<-----| | Manager   | |        | | Engine    | |
>
> |        | store| +-----------+ |        | +-----------+ |
>
> |        |      |               |        |               |
>
> |        |      |               |        |               |
>
> +--------+      +---------------+        +---------------+
>
>
>
> Stage 2 -  Evaluator queries information from the repository. If needed,
> the evaluator queries the endpoint for information via the posture manager.
>
>
>
>                                 Posture Manager          Endpoint
>
>                                 +---------------+        +---------------+
>
>                                 |               |        |               |
>
>                                 | +-----------+ |        | +-----------+ |
>
>                                 | | Posture   | |        | | Posture   | |
>
>                                 | | Validator | |        | | Collector | |
>
>                                 | +-----------+ |        | +-----------+ |
>
>                                 |      |        |        |      |        |
>
>                                 |      |        |        |      |        |
>
> Evaluator       Repository      |      |        |        |      |        |
>
> +------+        +--------+      | +-----------+ |<-------| +-----------+ |
>
> |      |        |        |      | | Posture   | | report | | Posture   | |
>
> |      |        |        |      | | Collection| |        | | Collection| |
>
> |      |<-----> |        |<-----| | Manager   | | query  | | Engine    | |
>
> |      |request/|        | store| +-----------+ |------->| +-----------+ |
>
> |      |respond |        |      |               |        |               |
>
> |      |        |        |      |               |        |               |
>
> +------+        +--------+      +---------------+        +---------------+
>
>
>
> Stage 3 – Evaluator, repository, and posture manager sharing information
> via the orchestrator.
>
>
>
>                 Orchestrator
>
> +-----------------------------------------------+
>
> |                                               |
>
> |                                               |
>
> +-----------------------------------------------+
>
>    ^                ^                   ^
>
>    |pub/sub         |pub/sub            |pub/sub
>
>    |                |                   |
>
>    |                |                   |
>
>    |                |                   v
>
>    |                |             Posture Manager          Endpoint
>
>    |                |           +---------------+        +---------------+
>
>    |                |           |               |        |               |
>
>    |                |           | +-----------+ |        | +-----------+ |
>
>    |                |           | | Posture   | |        | | Posture   | |
>
>    |                |           | | Validator | |        | | Collector | |
>
>    |                |           | +-----------+ |        | +-----------+ |
>
>    |                |           |      |        |        |      |        |
>
>    v                v           |      |        |        |      |        |
>
> Evaluator       Repository      |      |        |        |      |        |
>
> +------+        +--------+      | +-----------+ |<-------| +-----------+ |
>
> |      |        |        |      | | Posture   | | report | | Posture   | |
>
> |      |        |        |      | | Collection| |        | | Collection| |
>
> |      |        |        |      | | Manager   | | query  | | Engine    | |
>
> |      |        |        |      | +-----------+ |------->| +-----------+ |
>
> |      |        |        |      |               |        |               |
>
> |      |        |        |      |               |        |               |
>
> +------+        +--------+      +---------------+        +---------------+
>
>
>
> Regarding the invisible box of reference data, yes, the repository would
> support it. I don’t believe there is anything in the draft that prevents
> that type of data form being stored.
>
>
>
> Also, I agree that there should be an interface between the out-of-scope
> reporting system and the repository. This will eventually be supported by
> the interface that we create for accessing the repository.
>
>
>
> Lastly, can you provide more information on how you see this integrating
> into the DevOps model?
>
>
>
> Thanks,
>
> Danny
>
>
>
> *From:* Sherif Mansour [mailto:cherifmansour@gmail.com]
> *Sent:* Tuesday, April 03, 2018 5:36 PM
>
>
> *To:* Haynes Jr., Dan <dhaynes@mitre.org>
>
> *Cc:* Montville, Adam W <adam.w.montville@gmail.com>; sacm@ietf.org
>
>
> *Subject:* Re: [sacm] ECP Architecture Diagram Feedback
>
>
>
> Hi Danny,
>
> I would recommend that the Orchestrator sits between the posture manager
> and repository. This is for a few reasons, some tactical and some strategic:
>
>    - Strategically (Long term), it allows you to switch between posture
>    managers without having to do much (if any) changes on the repository, in
>    their all it means is it will be pulling data through the orchatrator, it
>    just happens to be from a different tool.
>    - Tactically (short term), is is because these connections currently
>    do not exist, so if you have many posture managers you need to develop
>    different integration in several areas (one connection for the orchestrator
>    & repository). By leveraging the orchastrator, you only need to create a
>    singe integration with the posture manager, it simply just needs more
>    features (i.e. the ability to pull security end point findings, both in raw
>    vendor specific data or in a uniform agreed data model).
>
> The second point is that there are a few "invisible" boxes. The first is
> reference data, a lot of the repository data would be enriched with
> information that is specific to the organization such as the team which
> owns specific assets or the context to which they are used. Now, on thing
> that is out of scope is the reporting, I am aware this is out of scope, but
> an organisation has not moved the needle in terms of security if they have
> detected security issues but not resolved them. It is therefore natural
> that there is an interface somewhere between the repository and a reporting
> system.
>
> Finally one key benefit of the orchestrator is automation and self
> service, there for an interface to allow it to work in a devops model would
> also increase its value, if the interface can (easily) integrate with
> Jenkins/Bamboo, or chef recipes / Ansible playbooks, this would go a long
> way for adoption.
>
> -Sherif
>
>
>
>
>
>
>
>
>
> On Tue, Apr 3, 2018 at 7:36 PM, Haynes Jr., Dan <dhaynes@mitre.org> wrote:
>
> Hi Adam,
>
>
>
> I hope it was a good trip out there and that you were able to see some of
> the sights!
>
>
>
> As far as scoping and the diagram, I think it’s worth nothing that all the
> components in it are in scope for ECP. It is just a matter of when we
> actually get to creating drafts for them (if that makes any sense). I think
> what you are looking for is a diagram that shows what we are currently
> working on? Or, maybe I am misunderstanding your comments?
>
>
>
> Thanks,
>
> Danny
>
>
>
> *From:* Adam Montville [mailto:adam.w.montville@gmail.com]
> *Sent:* Monday, April 02, 2018 3:33 PM
> *To:* Haynes Jr., Dan <dhaynes@mitre.org>
> *Cc:* sacm@ietf.org
> *Subject:* Re: [sacm] ECP Architecture Diagram Feedback
>
>
>
> Hi Danny,
>
>
>
> We missed you in London. I think the diagram is ok, but I do have scoping
> questions (just sent to the list) which may suggest some modification to
> the diagram once resolved. If the way I'm interpreting the ECP draft at
> this point is close to accurate, then it might be a good idea to add a
> horizontal scoping line between the left hand and the right hand of the
> diagram, where the posture manager is the first component on the right-hand
> side. Alternatively, an in-scope boundary box could be drawn around the
> appropriate components.
>
>
>
> What really matters is whether the diagram accurately depicts the intended
> scope of the draft from the authors' perspectives, and whether a typical
> reader would see it that way.
>
>
>
> Adam
>
>
>
> On Apr 2, 2018, at 1:32 PM, Haynes Jr., Dan <dhaynes@mitre.org> wrote:
>
>
>
> Hi Everyone,
>
> At IETF 101, we presented an updated architecture diagram [1] that was
> based on feedback from the September virtual interim [2][3] and was
> included in the ECP -01 draft [4]. During the meeting, we did not receive
> any feedback on the architecture diagram.
>
>
>
> As a result, we just wanted to follow-up on the list and see if there was
> any feedback or objections to the updated ECP architecture diagram that was
> proposed.
>
>
>
> Thanks,
>
> Danny
>
>
>
>
>
> [1]
> https://datatracker.ietf.org/meeting/101/materials/slides-101-sacm-endpoint-compliance-profile-00
>  (see slide 4)
>
> [2]
> https://datatracker.ietf.org/doc/slides-interim-2017-sacm-03-sessa-ecp/00/
>  (see slide 5)
>
> [3]
> https://datatracker.ietf.org/meeting/interim-2017-sacm-03/materials/minutes-interim-2017-sacm-03-201709260900-00
>  (see page 1 and 2)
>
> [4] https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/
>
>
>
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>
>
>
>
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>
>
>
>

v2.23.0 | Report a Bug | By Email