430 likes | 636 Views
Synergy of the SCAP Program and IETF Activities BOF. November 9, 2010 IETF 79 Beijing, China. Chairs: Kent Landfield kent_landfield@mcafee.com Steve Hanna shanna@juniper.com List: scap_interest@ietf.org. Note Well.
E N D
Synergy of the SCAP Program and IETF Activities BOF November 9, 2010 IETF 79 Beijing, China Chairs: Kent Landfield kent_landfield@mcafee.com Steve Hanna shanna@juniper.com List: scap_interest@ietf.org
Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF Contribution". Such statements include oral statements in IETF sessions, as well as written and electronic communications made at any time or place, which are addressed to: • The IETF plenary session • The IESG, or any member thereof on behalf of the IESG • Any IETF mailing list, including the IETF list itself, any working group or design team list, or any other list functioning under IETF auspices • Any IETF working group or portion thereof • The IAB or any member thereof on behalf of the IAB • The RFC Editor or the Internet-Drafts function All IETF Contributions are subject to the rules of RFC 5378 and RFC 3979 (updated by RFC 4879). Statements made outside of an IETF session, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not IETF Contributions in the context of this notice. Please consult RFC 5378 and RFC 3979 for details. A participant in any IETF activity is deemed to accept all IETF rules of process, as documented in Best Current Practices RFCs and IESG Statements. A participant in any IETF activity acknowledges that written, audio and video records of meetings may be made and may be available to the public. Synergy of the SCAP Program and IETF Activities BOF
BOF Agenda • Welcome and Agenda Overview, Logistics • NIST and SCAP • Tim Grance (10 minutes) • SCAP Overview • David Waltermire and Kent Landfield (40 minutes) • Compare and Contrast MIBs and Yang Modules with SCAP capabilities • Juergen Schoenwaelder (20 minutes) • NEA/SCAP Integration • Steve Hanna (30 minutes) • CYBEX Usage of SCAP Specifications • Takeshi Takahashi (15 minutes) • Customer Perspective –Boeing • Stephen Whitlock (10 minutes) • Open Mic - 45 minutes Synergy of the SCAP Program and IETF Activities BOF
BOF Participation • Date: Tuesday, November 9, 2010 • Time: 1520-1810 • BOF info: http://trac.tools.ietf.org/bof/trac/wiki/WikiStart#Security • BOF email archive: http://www.ietf.org/mail-archive/web/scap_interest • Jabber discussion access: scap@jabber.ietf.org • Listen to audio at: http:/videolab.uoregon.edu/events/ietf/ietf795.m3u Synergy of the SCAP Program and IETF Activities BOF
Tim Grance, US National Institute of Standards and Technology NIST and SCAP Synergy of the SCAP Program and IETF Activities BOF
NIST & Security Automation • Committed to supporting the role of open voluntary international industry consensus standards bodies • See this SCAP BOF exploration as an important step in that direction • Need to build consensus with the private and public sectors • Understand that change in specifications by the standards body, with wide stakeholder consultation is necessary and appropriate Synergy of the SCAP Program and IETF Activities BOF
Kent Landfield, McAfee David Waltermire, US National Institute of Standards and Technology SCAP Overview Synergy of the SCAP Program and IETF Activities BOF
Why are we here? • Meet and greet between SCAP and the IETF • SCAP has achieved a great deal but is looking for the maturity of the IETF standardization process to take the next step forward • Trying to determine if it makes sense to move development of some SCAP specifications into the IETF Synergy of the SCAP Program and IETF Activities BOF
What is SCAP ? Secure Content Automation Protocol (SCAP) is a suite of selected open specifications that enumerate software flaws, security related configuration issues, and product names; measure systems to determine the presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues. SCAP defines how these specifications are combined. Synergy of the SCAP Program and IETF Activities BOF
What is SCAP NOT! • Not a single Protocol • Not serving a single use case • Does not exist only to support the US government • Not a compliance only set of standards • Not an English-only set of specifications and uses Synergy of the SCAP Program and IETF Activities BOF
SCAP Value Synergy of the SCAP Program and IETF Activities BOF
SCAP Community Information • Community References: http://measurablesecurity.mitre.org/index.html • SCAP Homepage: http://scap.nist.gov • SCAP Validated Tools: http://nvd.nist.gov/scapproducts.cfm • National Checklist Program: http://checklists.nist.gov • National Vulnerability Database: http://nvd.nist.gov Synergy of the SCAP Program and IETF Activities BOF
What are we trying to accomplish? • Provide a standardized means for developing security content • Provide standardized and actionable results • Provide a means for real interoperability between security products • Provide visibility into the security posture of an enterprise • Reduce the cost of managing networked environments Synergy of the SCAP Program and IETF Activities BOF
What is SCAP? (1 of 3) The Security Content Automation Protocol • Created to bring together existing specifications and to provide a standardized approach to maintaining the security of enterprise systems • SCAP ... • provides a means to identify, express and measure security data in standardized ways. • is a suite of individually maintained, open specifications • defines how these specification are used in concert • includes standardized reference data -- SCAP Content Synergy of the SCAP Program and IETF Activities BOF
What is SCAP? (2 of 3) Languages Means of providing instructions Metrics Risk scoring framework Enumerations Convention for identifying and naming • Community developed • Machine readable XML • Reporting • Representing security checklists • Detecting machine state • Community developed • Transparent • Metrics • Base • Temporal • Environmental • Community developed • Product names • Vulnerabilities • Configuration items Synergy of the SCAP Program and IETF Activities BOF
What is SCAP? (3 of 3) Naming Expressing Assessing Scoring Synergy of the SCAP Program and IETF Activities BOF
What are SCAP’s Use Cases? (1 of 2) SCAP Use Cases: Configuration Management– determine whether system configuration settings comply with organizational policies Vulnerability Management – detect and prioritize known vulnerabilities (software flaws) on a system Patch Compliance – determine whether appropriate patches have been applied on a system System Inventory – identify products installed on the system (e.g., hardware, operating system, and applications) Malware Detection – detect presence of malware on a system, allowing zero day signature building for consumption by SCAP validated products Synergy of the SCAP Program and IETF Activities BOF
What are SCAP’s Use Cases? (2 of 2) Vulnerability Management CVE CVSS Misconfiguration & Patch Compliance Malware Detection OVAL Software Inventory Configuration Management Asset Management SCAP CCE CPE XCCDF Compliance Management Synergy of the SCAP Program and IETF Activities BOF
Internet Draft: draft-waltermire-scap-xccdf-00 eXtensible Checklist Content Description Format (XCCDF) Synergy of the SCAP Program and IETF Activities BOF
What is XCCDF? • The Extensible Configuration Checklist Description Format • IETF I-D: draft-waltermire-scap-xccdf-00 • An XML-based specification • Expresses security checklists supporting multiple use cases • Expresses the results of an assessment Synergy of the SCAP Program and IETF Activities BOF
XCCDF Functional Use Cases XCCDF Document HTML Other tools XML Compliance tools Synergy of the SCAP Program and IETF Activities BOF
XCCDF and Checking Engines • XCCDF does not specify platform-specific rule checking logic. • The Rule/check element contains information for driving a platform-specific checking engine. Targetsystem XCCDF Benchmark Tailoring values, Tests to perform XCCDF Benchmark Evaluation Tool Platform-specificchecking engine Test results Synergy of the SCAP Program and IETF Activities BOF
XCCDF and Check System Interaction Support guidance tailoring and customization Guidance Structure and Customization Collect, structure, and organize guidance Score and track general compliance Define tests to check compliance Check Engine Assessment Define state evaluation logic Characterize state details Synergy of the SCAP Program and IETF Activities BOF
XCCDF Data Model XCCDF defines the following key object types: Benchmark The complete document An individual recommendation Rule Group A set of related recommendations and values; can be nested Value Support tailoring, guidance for multiple roles, rule reuse Profile Synergy of the SCAP Program and IETF Activities BOF
XCCDF Summary • Enables authoritative definition of security policy/guidance that can be shared across a community • Reduces interpretation errors caused by converting prose guidance into an automatable form • Enables interoperability between tools • Standardized content • Consistent result reporting Synergy of the SCAP Program and IETF Activities BOF
Internet Draft: draft-landfield-scap-naming-00 Naming Conventions for Vulnerabilities and Configurations Synergy of the SCAP Program and IETF Activities BOF
Common Vulnerabilities and Exposures (CVE) • Dictionary of standardized descriptions for vulnerabilities and exposures • Over 40,000 entries • Publicly accessible for review or download from the Internet ID: CVE-2007-1751 Description: Microsoft Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code by causing Internet Explorer to access an uninitialized or deleted object, related to prototype variables and table cells, aka "Uninitialized Memory Corruption Vulnerability." Reference: BUGTRAQ : 20070612 ZDI-07-038 - Microsoft Internet Explorer - Prototype Dereference Code Execution Vulnerability Reference: MS : MS07-033 Synergy of the SCAP Program and IETF Activities BOF
Common Configuration Enumeration (CCE) • Assigns standardized identifiers to configuration issues/items, allowing comparability and correlation • Over 10,000 entries ID: CCE-3121-1 Description: The "restrict guest access to application log" policy should be set correctly. Technical Mechanisms: (1)HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy Parameter: enabled/disabled Synergy of the SCAP Program and IETF Activities BOF
Naming Convention Summary When dealing with information from multiple sources, use of naming conventions can: • improve data correlation • enable interoperability • foster automation Synergy of the SCAP Program and IETF Activities BOF
JuergenSchoenwaelder Compare and Contrast MIBs and Yang Modules with SCAP capabilities Synergy of the SCAP Program and IETF Activities BOF
Steve Hanna NEA and SCAP Integration Synergy of the SCAP Program and IETF Activities BOF
NEA Reference Modelfrom RFC 5209 NEA Client NEA Server Posture Attribute (PA) protocol Posture Collectors Posture Validators Posture Broker (PB) protocol Posture Broker Client Posture Broker Server Posture Transport Client Posture Transport Server Posture Transport (PT) protocols Synergy of the SCAP Program and IETF Activities BOF
Nesting of NEA Messages PT PB-TNC Header PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA) PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype= OS) PA-TNC Message PA-TNC Attribute (Type=Product Info, Product ID=Windows XP) PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...) Synergy of the SCAP Program and IETF Activities BOF
SCAP Compliance Checkswith NEA NEA Client NEA Server Posture Attribute (PA) protocol SCAP Posture Collector SCAP Posture Validator with SCAP-related messages Posture Broker (PB) protocol Posture Broker Client Posture Broker Server Posture Transport Client Posture Transport Server Posture Transport (PT) protocols Synergy of the SCAP Program and IETF Activities BOF
Takeshi Takahashi CYBEX Usage of SCAP Specifications Synergy of the SCAP Program and IETF Activities BOF
Stephen Whitlock, Boeing Customer perspective Synergy of the SCAP Program and IETF Activities BOF
Open Mic Discussion Synergy of the SCAP Program and IETF Activities BOF
Juergen’s Questions • What is the focus of SCAP? • A single device or a a collection of devices or the network? • What can the IETF learn from previous related efforts? • What has been successful and why? • What failed and why? • To what extent is SCAP different from just more configuration and reporting? • Does SCAP integrate into the idea of network-wide configuration? Synergy of the SCAP Program and IETF Activities BOF
Questions for Discussion • Interest in community to move forward ? • Who here would like to work on the topic? • Who would be interested in editing drafts / reviewing them? • Who thinks IETF should have a working group in this area? • Industry Demand for Security Automation • Feasible approach ? • Side effects / overlaps ? • Commitment potential ? Synergy of the SCAP Program and IETF Activities BOF