These notes do not attempt to duplicate the content of the slides. Instead, they summarize the material presented, and focus on comments and discussion.

Agenda
======

Date: Tuesday, November 9, 2010
Time: 1520-1810
BOF info: http://trac.tools.ietf.org/bof/trac/wiki/WikiStart#Security
BOF email: scap_interest@ietf.org
BOF email archive: http://www.ietf.org/mail-archive/web/scap_interest

Welcome and Agenda Overview, Logistics

NIST and SCAP
  Presenter: Tim Grance
  Time: 10 minutes

SCAP Overview
  Presenters: David Waltermire and Kent Landfield
  Time: 40 minutes
  Relevant Documents:
    http://www.ietf.org/internet-drafts/draft-landfield-scap-naming-00.txt
    http://www.ietf.org/internet-drafts/draft-waltermire-scap-xccdf-00.txt

Compare and Contrast MIBs and Yang Modules with SCAP capabilities
  Presenter: Juergen Schoenwaelder
  Time: 20 minutes

NEA/SCAP Integration
  Presenter: Steve Hanna
  Time: 30 minutes

CYBEX Usage of SCAP Specifications
  Presenter: Takeshi Takahashi
  Time: 15 minutes
  Relevant Documents:
    http://www.ietf.org/internet-drafts/draft-takahashi-cybex-intro-00.txt

Customer Perspective - Boeing
  Presenter: Stephen Whitlock
  Time: 10 minutes

Open Mic - 45 minutes

NIST and SCAP
=============
Presenter: Tim Grance

Willing to hand over change control

SCAP Overview
=============
Presenters: David Waltermire and Kent Landfield

Wants an open forum like the IETF
Not really a protocol; instead, specifications
Allows consistency between products
Helps to chain products together for reporting: a pipe between products
Validation process run by NIST's NVLabs
Paul Hoffman: asked about validation
Kent: NIST is in the process of open testing capabilities
  Don't need to be certified to use any part of SCAP
Igor Faynberg: Do all the vendors exchange data?
Kent: yes
  Different tools will send results to each other equally
  Very vibrant community already out there
If an authority produces its own guidance, NIST reproduces it
Guidance: things that are actionable
  These can be used in evaluations for compliance
  Can be used by anyone
  Easy to tailor things that already exist
  Easy to enable and disable individual checks
Organizations use government guidance to create their own
Corporations can do their own policies
Tim Grance: also have vendor-produced guidance as well
Lots of misinterpretation of policy prose
  Want to get the same results for the same content
  Can use for datamining in a consistent fashion
  Helps in doing spot audits
SCAP has been developed in open communities
  CVE is oldest
  CPE is needed because people refer to products in different ways
  XCCDF: base for enumerating any item
    Focuses on human aspect: prose information
Sheila Frankel: This is XML, which might be executable
David: building signatures into
  No authorization: left to the platform
  OVAL: collect and analyze system state
  OCIL: used to collect human interaction
  Can also use these to express results
  CVSS: scoring to assess relative impact
Igor: which part is the protocol?
  There isn't one
  We are defining rulesets, not how they are moved around
  Mostly for reporting, not doing remediation
draft-waltermire-scap-xccdf-00.txt
  Not many have read it
  Can be used to create documentation
  Allows one to create a chain of tools
draft-landfield-scap-naming-00.txt
  Documents what exists in the community today

Compare and Contrast MIBs and Yang Modules with SCAP capabilities
=================================================================
Presenter: Jürgen Schönwälder

Architectural considerations
Repair instructions are there, but barely supported
Paul Hoffman: has anyone expanded SCAP to do measurement of non-security devices?
David: only focused on security for now
  OVAL could be expanded
  Mostly focused on end-user devices, not network devices
Two different definitions of "configuration management"
Barry Leiba: we're missing some of the key people, namely OAM
  But we have netconf and netmod chairs
Gregory Lebovitz: if after an assessment, there could be an action to be taken
Steve Hanna: now mostly for endpoints, not network devices

NEA/SCAP Integration
====================
Presenter: Steve Hanna

Are we on a collision course, or complementary: the latter
NEA hasn't done that much on data formats; mostly worked on pipes
Some vendors have put SCAP messages in PA protocol
  Checklist is already on the devices
  Request is sent in vendor-specific format for now
  All done in the past four months
  Works fine over PB

Customer Perspective - Boeing
=============================
Presenter: Stephen Whitlock

Have about 200K desktops and 40K servers and 50K suppliers
Cannot dictate the IT infrastructures of their customers
Starting an SCAP and NEA pilot

CYBEX Usage of SCAP Specifications
==================================
Presenter: Takeshi Takahashi

draft-takahashi-cybex-intro-00.txt
ITU-T Question 4, part 17 X.1500
Not as specific as SCAP
CYBEX is more big-picture
CYBEX is only about exchange: not the data or its use
Is very interested in using other standards for the format of information
Lots of discussion

Open Mic
========

Steve: IETF takes protocols in with success, such as TLS
Paul Hoffman: IPSP was an example of a failure that is related to SCAP
  We do better when we create protocols
Mehmet Ersue: What do you want the IETF to do?
Tim Polk: NIST is trying to understand what the right synergy is
  Maybe just here to introduce the topic to use these in IETF protocols
  We might want to write the protocols to use these definitions
  How can things fit together
Igor Faynberg: Wants to hear more about the need for protocols
Kent: Need to have a secure protocol to move the data around
Paul: Is NEA enough?
Kent: No, need a more general protocol
Does SCAP go to network-wide configuration?
Kent: Mostly end-point devices today.
David: lots of enterprise tools that run on a large population of devices
Steve: Would be good to have the SCAP community specify which protocols it thinks it needs
  Also needs use cases
Is the whole SCAP community willing to give over change control?
  Vendors want wider deployment, so they want this in a standards group
Kent: If new schemas come out, he's OK with changes
Sean Turner: The vendors could put up a fight, but there needs to be compromise
Stephen Farrell: Are there concrete suggestions of what the IETF might do?
Tim Polk: Didn't come in with such proposals because they don't know the answer
Steve Hanna: Move SCAP results across NEA, might be a 10-page document
Brian Weis: Does all SCAP work over NEA?
Steve Hanna: Only some would make sense over NEA
Gregory: ICSA firewall and IPS certification groups wanted to structure this type of info
  There were 15-20 different companies interested, but it lost steam
  Vendors had a question about what the competitive advantage is
Kent: There is already a vibrant community around SCAP
Gary Kaminsky: Does NEA supplant SNMP and its MIB structure?
  Says vendors have avoided changes that would cause churn
Steve: NEA has some overlap with the capabilities, but goes way beyond
  Allows for real-time queries and many other bits even before a device has an IP address
David: There is a history of taking major leaps when needed
  Slowness was wanting to learn from experience
  XCCDF might be a good starting point
Brian: It would be good to decide if you want maintenance or new architecting
  Could just use an Informational RFC to say what's there now
Paul asked Steve for NEA's experience with IANA
  Only had a year of experience
  No vendor-specific docs have been done to get IANA points
Do people see synergy between SCAP and the IETF?
  More positive than negative
Mehmet: Has no idea what is being asked of us
Kent: We owe these
Tim: It is hard to have hums without any concrete proposals
What do the SCAP folks need to do to get the community interested?
  Paul wants Internet Drafts
  Sean wants both email discussion and drafts