Re: [sacm] SACM Architecture Draft
Shawn Wells <shawn@redhat.com> Wed, 20 February 2019 16:44 UTC
Return-Path: <shawn@redhat.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6467D1277D2 for <sacm@ietfa.amsl.com>; Wed, 20 Feb 2019 08:44:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.089
X-Spam-Level:
X-Spam-Status: No, score=0.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id njWYC3h9UH9H for <sacm@ietfa.amsl.com>; Wed, 20 Feb 2019 08:44:27 -0800 (PST)
Received: from mail-qk1-f171.google.com (mail-qk1-f171.google.com [209.85.222.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E02A1200D7 for <sacm@ietf.org>; Wed, 20 Feb 2019 08:44:27 -0800 (PST)
Received: by mail-qk1-f171.google.com with SMTP id h28so2363720qkk.7 for <sacm@ietf.org>; Wed, 20 Feb 2019 08:44:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=aguHiBH0xkxwOskLVm0IZFXLE+3EvAgXi3nS7aU5anQ=; b=RENtNeNF6XTdLOTwrRUJPRIuaLOSAeJqoPef2VGYckW6SufzfAWojPAHEGUJ5dwbkd y+EEB0q3473v3qE1dD4Tubkl7utj00umMOIcjfQNxc7XL7yWNILw2nRmPu2U1okTqHau s3s1fdPaUMnRdylo2jHbZPNmaZIpwjiat2tjJd54j2MlwV6pqBGArqQUK2H07128pL2g 2AIulX35laf2Ibn1ppxoXZ9QyXg/c6FLCn5Q+QE7vthLFod5GZeijdI6wbMwkH6rAcnY Q5tpi1UcHZEsTHyhqfAMPlMgOIf/zx/fIpiFjN/yrTTaP979krbimfjz6BYc+D+wQynJ 2N0A==
X-Gm-Message-State: AHQUAuaekV6gEprOVenrO4QERdJyTiI4GKwZ8KxXAUyT9vOWAjiNe/TH 4LxPYdAlimo7VJqErE9TcAffzA==
X-Google-Smtp-Source: AHgI3IZOhHuYXtSepj/HKrYlw70Iab8gKxcZMiW2LdDvLL0GBXHeIKmnk/xNQfwPWUGrSGkLxO1jUg==
X-Received: by 2002:a37:c097:: with SMTP id v23mr24344997qkv.62.1550681066384; Wed, 20 Feb 2019 08:44:26 -0800 (PST)
Received: from Shawns-MBP-2.fios-router.home (pool-74-96-216-48.washdc.fios.verizon.net. [74.96.216.48]) by smtp.gmail.com with ESMTPSA id e21sm12045112qkj.90.2019.02.20.08.44.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Feb 2019 08:44:25 -0800 (PST)
To: Ruben Oliva <david.oliva@verizon.net>, david.waltermire@nist.gov, bill.munyan.ietf@gmail.com, cherifmansour@gmail.com
Cc: jarrett.lu@oracle.com, adam.w.montville@gmail.com, sacm@ietf.org, jmfitz2@radium.ncsc.mil, chris.scott@eclipseengineering.com
References: <535075277.2497825.1550680711939.ref@mail.yahoo.com> <535075277.2497825.1550680711939@mail.yahoo.com>
From: Shawn Wells <shawn@redhat.com>
Message-ID: <0da26fd0-33b5-fdcd-2aee-99a0b1439142@redhat.com>
Date: Wed, 20 Feb 2019 11:44:23 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <535075277.2497825.1550680711939@mail.yahoo.com>
Content-Type: multipart/alternative; boundary="------------B23C6AB1EA658E684ED12EA6"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/jLK2YOo5aD-icz10WZ1Y3wAPgBs>
Subject: Re: [sacm] SACM Architecture Draft
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 16:44:34 -0000
Must admit I have no context. What is SACM? Never heard of it before. -Shawn On 2/20/19 11:38 AM, Ruben Oliva wrote: > David and all: > > As we move towards a "repository-focused" model, the thought of a list > of repositories appears to make sense. > > > Are you aware of anyone keeping a list of repositories? > > > David Oliva > > > -----Original Message----- > From: Waltermire, David A. (Fed) > <david.waltermire=40nist.gov@dmarc.ietf.org> > To: Bill Munyan <bill.munyan.ietf@gmail.com>; Sherif Mansour > <cherifmansour@gmail.com> > Cc: Jarrett Lu <jarrett.lu@oracle.com>; Adam Montville > <adam.w.montville@gmail.com>; <sacm@ietf.org> <sacm@ietf.org> > Sent: Tue, Feb 19, 2019 10:29 am > Subject: Re: [sacm] SACM Architecture Draft > > Organizations will need to interact with repositories operated by > other organizations (e.g., the National Vulnerability Database, CVE > project, etc.) as well as local repositories that host historic > information. In some cases, clients might not know what to > specifically query, but may instead need to browse through hosted data > to find what information they are interested in. A request/response > communication pattern is ideal for this type of interaction. > A message bus is ideal for exchanging up-to-date information or for > notifying participating clients when new information is available from > a service. It might be best to allow for both types of solutions in > the SACM architecture. There are numerous ways to provide for a common > authentication model without performing all > authentication/communications through a message bus. > Where I see value in a message bus is for discovery of services, for > notifications of new data being available in a service, and to flow > new data through the system. I don’t think it is practical to force > all components to communicate only through the message bus. > Here is a potential flow with a hybrid of both types of communications. > 1) Client authenticates to the message bus and subscribes to > notifications of new configuration checklist data. > 2) A ROLIE server syndicates new checklist data from the NVD, from the > national checklist program repository using the ROLIE protocol. > 3) The ROLIE server notifies all clients that this data is available > over the message bus. > 4) A collection client queries the ROLIE server to retrieve new > checklist data, and to find relevant historic checklist data it needs > to collect for. It may also request SWID tags, OVAL definitions, and > other supporting information from local or remote services to > determine what to collect. > 5) Collection in performed, perhaps on an ongoing basis, and collected > data can then be published over the message bus and also stored to > directly associated storage locations (e.g., CMDBs). > A message bus only solution would complicate the communication in #4 > above, and would not account for remote communications in #2 and #4 at > all. In all cases above, communication can occur using standardized > interfaces. Some use a message bus, others use interfaces provided by > other protocols like ROLIE. This also allows for a cooperative > ecosystem, and doesn’t diminish from vendors providing solutions that > can plug in. > Regards, > Dave > *From:* sacm <sacm-bounces@ietf.org> *On Behalf Of * Bill Munyan > *Sent:* Tuesday, February 19, 2019 9:54 AM > *To:* Sherif Mansour <cherifmansour@gmail.com> > *Cc:* Jarrett Lu <jarrett.lu@oracle.com>; Adam Montville > <adam.w.montville@gmail.com>; <sacm@ietf.org> <sacm@ietf.org> > *Subject:* Re: [sacm] SACM Architecture Draft > Sherif, > Thanks for reading the draft and providing feedback! We really > appreciate it... I have some comments/questions in-line: > > Should the downstream users pull their data from the repo (an > authoritative data source) instead of the message bus? > > That way, there is a consistent view of that the current state of an > end-point security posture and analysis can be built on top if it. I > would not think it can be > done directly from the message bus. I also > would think the information from the repo would be bi directional? > [Bill M]: > The idea behind the message transfer system is to help define the > interfaces between components.. The intent here is really to help > create a "cooperative ecosystem", enabling vendors to plug in > components where they fit in the architecture, develop custom > components where necessary, etc. > Whether the "message transfer system" exists over a message bus, > integration pattern, REST interface, or other, the downstream > functions would have access to the repository (or repositories) over > some sort of "query" interface. In the case of XMPP being used as the > message transfer system, that interface could be a request using a > custom IQ stanza with query information, and a response with the > requested information. In a solution which consolidates a results > repository with reporting, there may just be a simple web application > to visualize the data. > I agree the information in the repository is bi-directional, and the > diagram is intended to reflect that. > > Equally had some question on the data ingest (message bus) I assume > there is an Access model as not everything on the message bus is to be > accessible by > everyone, is that taken into consideration? > [Bill M]: > I would also agree there would be an access model necessary, but that > can be solution-specific. Again using the XMPP-based solution, that > access model could be maintained through the orchestrator's roster, > roster groups, various pub-sub nodes, etc. Is there a particular > access model you had in mind when asking this question? Any > solution-based ideas on this certainly help me personally in > visualizing all the concepts. > > Should the Orchstrator have a direct connection to the Repo, there > are cases where the orchestrator needs reference data in order to tell > the posture > managers what to do and not just react to them. > Additionally there are cases where what the posture manager finds from > the collectors will be different than > what is on file in inventory > and the discrepancy. > [Bill M]: > In the first diagram, the orchestrator would have a connection to the > repo via the message transfer system. This is a great question that > will help us discover more about the interfaces we need to describe > further in the document. That "query" interface from the orchestrator > can assist in getting the necessary reference data before sending > collection requests off to the various collectors in the ecosystem. > Hope that helps! Glad to keep the conversation going as well, so > thank you again for your review and feedback. > Cheers, > Bill M. > On Mon, Feb 18, 2019 at 2:06 PM Sherif Mansour > <cherifmansour@gmail.com <mailto:cherifmansour@gmail.com>> wrote: > > Hey Everyone, > Sorry for popping in so infrequently. I have taken a brief look at > the architecture, and I have some feedback: > Should the downstream users pull their data from the repo (an > authoritative data source) instead of the message bus? > That way, there is a consistent view of that the current state of > an end-point security posture and analysis can be built on top if > it. I would not think it can be done directly from the message > bus. I also would think the information from the repo would be bi > directional? > Equally had some question on the data ingest (message bus) I > assume there is an Access model as not everything on the message > bus is to be accessible by everyone, is that taken into consideration? > image..png > Should the Orchstrator have a direct connection to the Repo, there > are cases where the orchestrator needs reference data in order to > tell the posture managers what to do and not just react to them. > Additionally there are cases where what the posture manager finds > from the collectors will be different than what is on file in > inventory and the discrepancy. > image.png > On Fri, Feb 15, 2019 at 12:05 PM Adam Montville > <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com>> > wrote: > > Hi Jarret, > Thank you for reading through the draft. Happy to talk about > some of these things today during the interim. I think we > would prefer that interfaces/capabilities are first described > abstractly — irrespective of any specific messaging solution — > and then use XMPP-Grid+ as an implementation example. > Kind regards, > Adam > > > On Feb 14, 2019, at 7:27 PM, Jarrett Lu > <jarrett.lu@oracle.com <mailto:jarrett.lu@oracle.com>> wrote: > Hi Adam & SACM, > I read the (active) architecture draft, and I believe it's > a good one. The hackathon work reflected in the draft > definitely carries some weight. > Some architecture entities could be expanded and described > at a more abstract level. For example, this draft appears > to equate "capabilities" with set of interfaces. Are SACM > capabilities supposed to be discoverable? If so, how > should it be represented? If capabilities/functional > interfaces are described in more general terms, and use > XMPP-grid+ as an example of how it meets the functional > requirements, this may make it appear less solution-centric. > I vote for including workflows in the architecture > document. It just reads better that way. It will increase > the document size and takes longer to finish. As long as > good progress is being made, is it really urgent to finish > and publisher the architecture document. > I think the Security Consideration section of the old > architecture draft is pretty good. Do XMPP-grid XEPs > adress the MitM, transport integrity and confidentiality > concerns mentioned there? > Regards. > - Jarrett > On 12/27/18 01:29 PM, Adam Montville wrote: > > Dear SACM, > Happy (belated) Holidays and a Happy New Year to you! > At our recent virtual interim meeting I promised to > post a note to the list regarding our architecture > draft to do three things: > > 1. Request review > 2. Indicate whether we (the authors) believe it's on > the right track > 3. Assuming 2 is good, a list of what's left to be done. > > So, we're going to start with 2, move on to 3, and > then end with 1... > Bill and I both believe that the architecture draft > is, indeed, on the right track. Henk, and possibly > others (Nancy?), have described this draft as being > too solutions-specific. Section 3, "Architectural > Overview" is intended to be the place in this draft to > describe the abstract ideas in the architecture. > Section 3.1 talks a little bit about the roles of the > SACM Components, and Section 3.2 provides the known > information about an XMPP-based instantiation of the > architecture (note Appendix A maps this instantiation > back to our SACM requirements, RFC8248). > Assuming that we are on the right track, then here's > what we think yet needs to be done: > > * Document specific Components, Capabilities, > Interfaces, and Workflows > > o IT Asset Management could probably stand to be > fleshed out > o Vulnerability Management is reasonable > documented in this draft, but may need work > o Configuration management probably needs to be > fleshed out as well (needs to be tied to SACM > Use Cases) > > * Determine where to document the above (in this > draft or in new drafts), which will determine how > long this draft takes to complete. > * Prague hackathon to continue the trend of > discovering an XMPP-based solution > * TODOs in the draft > > o Privacy Considerations > o Security Considerations > > * Flesh out our IANA Considerations > > o Will likely result in additional draft work > > Clearly, there's a lot to be done here, and we really > need your specific, actionable feedback on this draft. > Feel free to reach out here or to either of us directly. > This draft in GitHub: > https://github.com/sacmwg/draft-ietf-sacm-arch > This draft on the SACM documents page: > https://datatracker.ietf.org/doc/draft-ietf-sacm-arch/ > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-sacm-arch%2F&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106737807&sdata=mgt4EPWcuBsLx3DR1sx01TbCEUlt6F37FpqKroSJNjI%3D&reserved=0> > Kind regards, > Adam & Bill > > _______________________________________________ > > sacm mailing list > > sacm@ietf..org <mailto:sacm@ietf.org> > > https://www.ietf.org/mailman/listinfo/sacm <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106747816&sdata=YVjK0x2u12K9Ds3GWE4ekxjJrQsGu7CxVlEXHyLduik%3D&reserved=0> > > _______________________________________________ > sacm mailing list > sacm@ietf.org <mailto:sacm@ietf.org> > https://www.ietf.org/mailman/listinfo/sacm > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106757821&sdata=g%2Bt4sWCXGlkpiUnrQcAUFZir6pSmRODJgcOSYI%2FWrZs%3D&reserved=0> > > _______________________________________________ > sacm mailing list > sacm@ietf.org <mailto:sacm@ietf.org> > https://www.ietf.org/mailman/listinfo/sacm > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106757821&sdata=g%2Bt4sWCXGlkpiUnrQcAUFZir6pSmRODJgcOSYI%2FWrZs%3D&reserved=0> > > _______________________________________________ > sacm mailing list > sacm@ietf.org <mailto:sacm@ietf.org> > https://www.ietf.org/mailman/listinfo/sacm > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ccefa6df9e0a9432bedc908d6967a3e1d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636861849106767830&sdata=RDvylTUYEQKBFEyoecw35wfzIIBRGG7K4YxJ5250Lw8%3D&reserved=0> > > _______________________________________________ > sacm mailing list > sacm@ietf.org <mailto:sacm@ietf.org> > https://www.ietf.org/mailman/listinfo/sacm -- Shawn Wells Chief Security Strategist North America Public Sector shawn@redhat.com | 443-534-0130
- [sacm] SACM Architecture Draft Adam Montville
- Re: [sacm] SACM Architecture Draft Jarrett Lu
- Re: [sacm] SACM Architecture Draft Adam Montville
- Re: [sacm] SACM Architecture Draft Sherif Mansour
- Re: [sacm] SACM Architecture Draft Bill Munyan
- Re: [sacm] SACM Architecture Draft Waltermire, David A. (Fed)
- Re: [sacm] SACM Architecture Draft Sherif Mansour
- Re: [sacm] SACM Architecture Draft Shawn Wells