Re: [sacm] Components for Vulnerability Assessment

Adam Montville <adam.w.montville@gmail.com> Tue, 18 April 2017 15:27 UTC

From: Adam Montville <adam.w.montville@gmail.com>
Date: Tue, 18 Apr 2017 15:27:34 +0000
Message-ID: <CACknUNXA0NzV3x8rr0XNb+rXhe5KY-jyarj-MizLzDdp_xEx3g@mail.gmail.com>
To: "Haynes, Dan" <dhaynes@mitre.org>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "sacm@ietf.org" <sacm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/sSrRFjexzphB-3aMqlu-1i1-WzI>
Subject: Re: [sacm] Components for Vulnerability Assessment

On Tue, Apr 18, 2017 at 9:55 AM Haynes, Dan <dhaynes@mitre.org> wrote:

> Hi Henk,
>
> The reasoning behind my comment was that in the IETF 98 notes (
> https://www.ietf.org/proceedings/98/minutes/minutes-98-sacm-00) it says:
>
> ---
> Per Slide 7:
> Q: (Adam Montville): Is the vulnerability assessor talking to the repository
> or talking directly to the collector?
> A: (Jessica Fitzgerald-McKay): I could see an implementer combining the
> collector and end-point repository into one.  If we're treating them as
> functional components I'm not sure we need to be that specific.
> A: (Dave Waltermire): We want this architecture to be de-composable.  If
> we treat the end-point repository as a proxy, we might be making things too
> complicated. It might be simpler to treat the end-point repository as a
> data store.
> A: (Adam Montville): Agreed.
>
> Q: (Dave Waltermire) Are there any concerns with separating the end-point
> repository and the collector being the component responsible for collection?
> A: <no response>
>
> Comment: (Adam Montville): The "results repository" will now go into the
> "end-point repository."
> ---
>
> Given that, I thought there was some consensus around making that change.
>

Hm...  FWIW, I don't feel I would have said that as a personal opinion, but
maybe that there was some agreement in the room.  Of course, the list is
what counts.

Without a chair hat on, I happen to agree with Henk. What we are calling
components are "compose-able function groups" in some sense, and they
should be treated separately, but are likely to be implemented in some
composed manner.



>
> Thanks,
>
> Danny
>
> > -----Original Message-----
> > From: Henk Birkholz [mailto:henk.birkholz@sit.fraunhofer.de]
> > Sent: Tuesday, April 18, 2017 10:49 AM
> > To: Haynes, Dan <dhaynes@mitre.org>; Adam Montville
> > <adam.w.montville@gmail.com>; sacm@ietf.org
> > Subject: Re: [sacm] Components for Vulnerability Assessment
> >
> > Hello Danny,
> >
> > the "Assessment Results Repository" and "Endpoint Repository" are two
> > different components with different functions. The "Endpoint Repository"
> > of course is the provider for the consumer that is the "Assessment Results
> > Repository".
> >
> > Most certainly, both components can be running on the same endpoint or be
> > composed in a single service that merges both components. I suppose that is
> > what you meant?
> >
> > For the sake of show-casing how the architecture is working, I would
> > recommend to start with each SACM component instantiated as a separate
> > software component, despite the fact that it looks simpler to just add the
> > "Assessment Result" to the "Endpoint Characterization Records"
> > retained in an "Endpoint Repository".
> >
> > Ultimately, people will want to use existing software and Asset/Inventory
> > Management Software is a big candidate to provide the functions of an
> > "Endpoint Repository". In consequence, I would keep these components
> > instantiated separately in the first iteration.
> >
> > What does the group think?
> >
> > Best regards,
> >
> > Henk
> >
> > On 04/18/2017 04:21 PM, Haynes, Dan wrote:
> > > Hi Adam,
> > >
> > >
> > >
> > > I think this is a good list for me, but, should the assessment results
> > > repository be merged into the endpoint repository?
> > >
> > > Thanks,
> > >
> > > Danny
> > >
> > >
> > >
> > > From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Adam Montville
> > > Sent: Tuesday, April 18, 2017 9:04 AM
> > > To: sacm@ietf.org
> > > Subject: [sacm] Components for Vulnerability Assessment
> > >
> > >
> > >
> > > Hi All:
> > >
> > >
> > >
> > > We've got a list of components we think we care about for our
> > > vulnerability assessment scenario (focusing on the narrowest "ideal
> > > case" through the scenario for the time being).
> > >
> > >
> > >
> > > These are:
> > >
> > >
> > >
> > > * Vulnerability Detection Data Repository
> > >
> > > * Vulnerability Assessor
> > >
> > > * Endpoint Repository
> > >
> > > * Collector
> > >
> > > * Target Endpoint
> > >
> > > * Assessment Results Repository
> > >
> > >
> > >
> > > For reference, see our wiki [1] and/or the slides from IETF 98 [2]
> > > and/or the minutes from IETF 98 [3]
> > >
> > >
> > >
> > > Question to the WG: Is this an appropriate initial list of components?
> > >
> > >
> > >
> > > Please opine within the next few days (say by end of your day on
> > > Thursday, wherever you may be), so that we can generate some momentum
> > > on this effort.
> > >
> > >
> > >
> > > Kind regards,
> > >
> > >
> > >
> > > Adam
> > >
> > >
> > >
> > > [1]
> > > https://trac.ietf.org/trac/sacm/wiki/SacmVulnerabilityAssessmentScenario
> > >
> > > [2]
> > > https://www.ietf.org/proceedings/98/slides/slides-98-sacm-vulnerability-scenario-discussion-00.pdf
> > >
> > > [3] https://www.ietf.org/proceedings/98/minutes/minutes-98-sacm-00.txt
> > >