Re: [sacm] 答复: minor comments on draft-lin-sacm-nid-mp-security-baseline-03
Benjamin Kaduk <kaduk@mit.edu> Wed, 25 July 2018 13:18 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5AEB130DEF for <sacm@ietfa.amsl.com>; Wed, 25 Jul 2018 06:18:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BcJVW_dHYOrH for <sacm@ietfa.amsl.com>; Wed, 25 Jul 2018 06:18:45 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0195F1292AD for <sacm@ietf.org>; Wed, 25 Jul 2018 06:18:44 -0700 (PDT)
X-AuditID: 1209190d-36bff70000004bb0-da-5b5878b3c59b
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id C5.72.19376.3B8785B5; Wed, 25 Jul 2018 09:18:43 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w6PDIfQ4002490; Wed, 25 Jul 2018 09:18:41 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6PDIa8p006127 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 25 Jul 2018 09:18:38 -0400
Date: Wed, 25 Jul 2018 08:18:36 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Adam Montville <adam.w.montville@gmail.com>
Cc: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, Sherif Mansour <cherifmansour@gmail.com>, "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>, Jarrett Lu <jarrett.lu@oracle.com>, "sacm@ietf.org" <sacm@ietf.org>
Message-ID: <20180725131835.GP92448@kduck.kaduk.org>
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com> <CAOxmg6tULvLsCE0xp42i5iD6a8V3kC0X94f7G47O2dnLB-G6MQ@mail.gmail.com> <67EDB697-DF05-4E39-A0D8-94B5F285497E@gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BE741C5@DGGEML522-MBX.china.huawei.com> <1FF32A1A-D3CC-44E1-875F-D91B49526732@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1FF32A1A-D3CC-44E1-875F-D91B49526732@gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrIKsWRmVeSWpSXmKPExsUixCmqrLu5IiLa4FanusWWh20sFt+2/2ez +NN1gNmiv/8eq8WDppuMFi+WdjE6sHnsnHWX3aPlyFtWjyVLfjJ5fHx6iyWAJYrLJiU1J7Ms tUjfLoErY1p3J3PBPMeKI4e/szYwnjTpYuTkkBAwkTh24BdLFyMXh5DAYiaJ/xf2skM4Gxkl Jl97xwjhXGWSePRuKStIC4uAqsSUj1vBbDYBFYmG7svMILaIgL7EzRknwRqYBeYxSdy4/pcR JCEsUCPxbe9EdhCbF2jfhaaFUPvOMUnsOjqFCSIhKHFy5hMWEJtZQF3iz7xLQFM5gGxpieX/ OCDC8hLNW2eDLeMUsJX4df0hG4gtKqAssbfvEPsERsFZSCbNQjJpFsKkWUgmLWBkWcUom5Jb pZubmJlTnJqsW5ycmJeXWqRrpJebWaKXmlK6iREcF5K8Oxj/3fU6xCjAwajEw/vBLjxaiDWx rLgy9xCjJAeTkihvkGdEtBBfUn5KZUZicUZ8UWlOavEhRgkOZiURXpfDQOW8KYmVValF+TAp aQ4WJXHeezVAKYH0xJLU7NTUgtQimKwMB4eSBK8qMP6FBItS01Mr0jJzShDSTBycIMN5gIYL gdTwFhck5hZnpkPkTzHac/TcmzKJmeMUmPzzfiqQ3Nc9bRKzEEtefl6qlDivMUibAEhbRmke 3GRQypPI3l/zilEc6FFh3oxyoCoeYLqEm/0KaC0T0FrR5FCQtSWJCCmpBsbZb13nhYTveniv WZKncpV147aP/9W/XT8ZL8R0flvOhE3rvJLvPjibn//hhFa1u7fWVDPGBRqOreejXFWitgSk XbPfZfE57vwS3RT+KwGS656b9tgKRdRdum8hVfro7t6lUncPv972UVSH76hwNXs7t0bp9Ow7 xW5rtY4LyO5Zk5HwI+TUbwUlluKMREMt5qLiRACQwpSnVAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/s5MCuFkp2e4Zrggyvalrvgpm3rw>
Subject: Re: [sacm] 答复: minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 13:18:48 -0000
On Wed, Jul 25, 2018 at 06:29:54AM -0500, Adam Montville wrote: > Right, that’s a good point. I suppose that we could encode the YANG in CDATA or the JSON equivalent, though I’m sure that would end up being messy. YIN comes to mind, and then if we really wanted to do JSON, I think there’s a way to convert from XML to JSON, though I’m not sure it preserves everything that would need to be preserved. I'm probably confused (not interacting with YANG very much), but isn't there a native XML encoding for YANG (e.g., the various "XML Mapping Rules" sections of RFC 6020)? Similarly RFC 7951 for a JSON mapping of YANG. -Ben > Still, I’m not sure ROLIE would be the “right” solution for a baseline data model registry. It’s just something that came to mind as a possible solution. > > Adam > > > On Jul 24, 2018, at 10:12 PM, Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com> wrote: > > > > Hi Adam, > > Totally agree with you. > > Our draft is just a data model for baseline, which describes the structured configuration parameters and status attributes for the network device’s security baseline. > > Right now, we choose the YANG data model since it’s widely used for the network device, and the new defined YANG push mechanism is very suitable for the large scale security posture collection. > > > > In regard to ROLIE, it’s good and well suitable for the security incident information exchange. But ROLIE currently only supports the xml or json scheme, how to combine the ROLIE and YANG data model? Maybe you can give more clarification. > > Anyway, we are interested with this direction, and looking forward to more discussion and the new draft for it. > > > > Thanks! > > > > B.R. > > Frank > > > > 发件人: Adam Montville [mailto:adam.w.montville@gmail.com] > > 发送时间: 2018年7月25日 3:34 > > 收件人: Sherif Mansour <cherifmansour@gmail.com> > > 抄送: Linqiushi (Jessica, CSPL) <linqiushi@huawei.com>; Benjamin Kaduk <kaduk@mit.edu>; Jarrett Lu <jarrett.lu@oracle.com>; Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>; sacm@ietf.org > > 主题: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03 > > > > For these "baseline" drafts, could we call them baseline data models instead? To me, just calling them baseline is problematic - it's an overloaded term. > > > > Moving on from that... I have a couple of follow-on questions related to the idea of a data model registry... > > > > We are already considering the adoption of a draft known as the ROLIE configuration checklist information type. Presumably, such configuration checklists would be comparable to the data models expressed in this registry right? Then, from that, would ROLIE be a suitable mechanism for the data model registry, or would we want to reference data models in a different way? > > > > Thoughts on any of that? > > > > Given that there seems to be some interest, I'll volunteer to draft something containing ideas about how such a registry could work, and why it'd be important. > > > > Adam > > > > > > > > On Jul 24, 2018, at 1:08 AM, Sherif Mansour <cherifmansour@gmail.com> wrote: > > > > Hey Everyone, > > > > I second Adam's idea for a "baseline registry". > > 1) It's easier to change a registry vs a draft > > 2) Organizations might want to customize their own registries with their own content - I will give two examples based on the thread above: > > > > As mentioned before some legacy systems only support Telnet, I remember a few years ago a business still had some Vax/Alpha systems running and they needed telnet. As a compensating control, we placed network restrictions around those systems, placed a bastion hosts in front of it with an SSL web terminal, that way secure communication took place between the rest of the environment and the hardened host and then telnet to the legacy systems, but at least the issue is contained in a small environment. > > > > For the passwords it depends as well for an org e.g. for app to app credentials vs. human to app Or even customer to eCommerce app. > > Take Google for example, for their staff to limit the impact on phishing they have issued U2F secure tokens to their staff (See Link). The password policy itself might be different as a result. > > Others like Apple have rolled password managers to all their staff (see link). This is addition to password complexity - and in a way make it easier to manage. > > For app to app communication you want this to be seamless with automated key rolling as well as "Break glass" functionality leveraging a secrets vault such as https://www.vaultproject.io/ is an option. > > For customer facing sites, password policy might not be enough, thus checking for password re-use, adding anomaly detection/brute-force mitigation, 2factor such as U2F tokens, as well as graceful recovery might be part of the policy. > > Having a baseline registry would help as the threat landscape changes for existing technology or the ability to replicate similar baselines to new technologies without the need for too much re-work. > > > > -Sherif > > > > On Tue, Jul 24, 2018 at 3:24 AM, Linqiushi (Jessica, CSPL) <linqiushi@huawei.com> wrote: > > Hi Ben, Adam and Jarrett, > > > > Thanks a lot for raising your concerns. > > > > Please see my comments inline. > > > > Best Regards, > > Jessica > > > > -----邮件原件----- > > 发件人: sacm [mailto:sacm-bounces@ietf.org] 代表 Benjamin Kaduk > > 发送时间: 2018年7月24日 2:01 > > 收件人: sacm@ietf.org > > 主题: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03 > > > > > During Jessica's talk I noticed a couple things I wanted to mention, > > > but that didn't seem to merit getting up to the mic: > > > > > There's a container for 'telnet' admin access; my understanding is > > > that there are not any applications out there that could be called > > > "telnet" and are actually secure these days (but maybe I'm missing > > > some!); e.g., kerberized telnet mostly only uses single-DES and a > > > lousy cipher mode, with a vendor-specific option for triple-DES, which > > > is deprecated as of my document that's currently at the RFC Editor. > > > So we may want to have some text clarifying the situation and > > > disrecommending its use (or even remove it entirely, if that's feasible). > > > > The "telnet" admin access listed in the current draft is not meant to suggest the use of Telnet. In some legacy scenarios that the insecure channel like Telnet has to be used, some configuration such as changing the source port is recommended. We mentioned to disable the insecure channel, but didn't clarify it in details in the draft. > > You're right. The security baseline is intended to be a minimal set of security controls and should be up-to-date. We'll remove it and other similar security controls in the next version of draft. > > > > > Similarly, there's a pwd-sec-policy container that describes password > > > security policies. While it's definitely true that password policies > > > and mandatory change intervals are currently widely deployed, it's > > > less clear whether their usage should still be considered useful or a > > > best current practice -- I think I've seen some research go by that > > > suggests that not requiring character classes or frequency of change > > > can be just as secure (and, of course, if passwords can be avoided entirely that can also help). > > > > As password security policy is the currently widely deployed mechanisms and devices support it,maybe we can make it optional, such as a feature? > > Currently the devices support this kind of feature, then it can be checked whether this policy is enabled. > > > > >So, perhaps there is room for some qualifying text here as well. > > > > > -Ben > > > (with no hats) > > _______________________________________________ > > sacm mailing list > > sacm@ietf.org > > https://www.ietf.org/mailman/listinfo/sacm > > _______________________________________________ > > sacm mailing list > > sacm@ietf.org > > https://www.ietf.org/mailman/listinfo/sacm > > > >
- [sacm] minor comments on draft-lin-sacm-nid-mp-se… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Jarrett Lu
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Linqiushi (Jessica, CSPL)
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Benjamin Kaduk
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Adam Montville
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Sherif Mansour
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Sherif Mansour
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Benjamin Kaduk
- Re: [sacm] minor comments on draft-lin-sacm-nid-m… Adam Montville
- [sacm] 答复: minor comments on draft-lin-sacm-nid-m… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [sacm] 答复: minor comments on draft-lin-sacm-n… Henk Birkholz
- [sacm] Pro/Con WRT To Registry (WAS: Re: minor co… Adam Montville
- [sacm] Terminology: Baseline Data Model (WAS: Re:… Adam Montville