1 / 15

INCH Requirements

INCH Requirements. IETF Interim meeting, Uppsala, Feb.2003. Review of RFC3067. Based on. CERT Processes. IDWG requirements. CSIRT. Incident Report Database. Other CSIRTs. Standard Format. Operational Model. CSIRT. Incident Report Database. Other CSIRTs. Alerts, Reports.

varsha
Download Presentation

INCH Requirements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. INCH Requirements IETF Interim meeting, Uppsala, Feb.2003

  2. Review of RFC3067 Based on CERT Processes IDWG requirements

  3. CSIRT Incident Report Database Other CSIRTs Standard Format Operational Model

  4. CSIRT Incident Report Database Other CSIRTs Alerts, Reports Statistics Operational Model-2

  5. Intent of the IR Data Model Enable controlled exchange and sharing Enable categorization and statistical analysis Ensure integrity, authenticity and privacy

  6. Requirements: General Format Communication Contents Process

  7. IR Format Requirements: MUST: Support Internationalization Localization Have a standard structure Well defined semantics for the components Support unambiguous and reducible time references Record time development Support Access control (who will have to access what ) for different components, users Have Globally unique identification (for IR ) Be Extensible

  8. IR Communication Requirements: Must have no effect on integrity, authenticity

  9. IR Content Requirements: Globally unique identifier(LDAP-type name) Objective wherever possible:Classification scheme (enumerated)Units of quantities Originator, Owner, Contacts, History, Reference to advisories Description of the incident

  10. IR Content Requirements: Multiple versions (in different languages) Indication of “original” vs “translated copies” Additional references/pointers Impact (Guidelines for uniform description) Actions taken Authenticity, Integrity verification info

  11. ISSUES (1) We need a name: IRF: Incident Report Format IREF: Incident Report Exchange Format FIR: Format for Incident Report FIRE: Format for Incident Report Exchange

  12. ISSUES (2) We need a some definitions: Incident: Reporter: Recorder Owner Contact Investigator

  13. ISSUES (3) We need a some definitions… Attack: Attacker: (person, organization, ..) Attack Source: (machine, network,…) Attack Target: (machine, network,… ) Victim: (person, organization, .. ) Contact: (person, organization) Investigator Impact Damage

  14. ISSUES (4) We need an operational model … A detailed one is in the draft A simpler one is in this powerpoint

  15. TO BE Done Explanation of rationale in some places Edit and revise

More Related