INCH Requirements
IETF Interim meeting, Uppsala, Feb. 2003

Review of RFC 3067
Based on:
- CERT processes
- IDWG requirements
Operational Model (diagram): a CSIRT, its Incident Report Database and other CSIRTs, exchanging reports in a standard format.

Operational Model-2 (diagram): the same CSIRT, Incident Report Database and other CSIRTs, with alerts, reports and statistics flowing between them.
Intent of the IR Data Model
- Enable controlled exchange and sharing
- Enable categorization and statistical analysis
- Ensure integrity, authenticity and privacy

Requirements:
- General
- Format
- Communication
- Contents
- Process
IR Format Requirements: MUST
- Support internationalization and localization
- Have a standard structure
- Have well-defined semantics for the components
- Support unambiguous and reducible time references
- Record time development
- Support access control (who will have to access what) for different components and users
- Have globally unique identification (for the IR)
- Be extensible

IR Communication Requirements:
- Must have no effect on integrity or authenticity

IR Content Requirements:
- Globally unique identifier (LDAP-type name)
- Objective wherever possible: classification scheme (enumerated), units of quantities
- Originator, owner, contacts, history, references to advisories
- Description of the incident

IR Content Requirements (cont.):
- Multiple versions (in different languages)
- Indication of "original" vs "translated copies"
- Additional references/pointers
- Impact (guidelines for uniform description)
- Actions taken
- Authenticity and integrity verification info
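The format and content requirements listed on the preceding slides, worked through as an added example that is not part of the original deck or of the INCH working group's drafts. The field names, the JSON encoding, the four classification values, the HMAC-based integrity tag and all sample data (CSIRT addresses, key, timestamps) are assumptions made here for illustration. The record carries a globally unique identifier, an enumerated classification, timezone-reduced ISO 8601 timestamps, an append-only history, language-tagged copies flagged as original or translated, a per-component restriction label, an extension hook, and an integrity tag computed over a canonical serialisation so that a receiving CSIRT can detect modification in transit.

```python
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timedelta, timezone
from enum import Enum


class Classification(Enum):
    """Enumerated classification scheme; these four values are constructed for the example."""
    SCAN = "scan"
    DOS = "dos"
    MALWARE = "malware"
    UNAUTHORIZED_ACCESS = "unauthorized-access"


def unambiguous_time(dt):
    """Reducible time reference: an aware datetime normalised to UTC in ISO 8601.
    A naive datetime has no single meaning, so it is rejected rather than guessed at."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime is ambiguous; supply a timezone")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def append_history(report, actor, action, when):
    """Record time development: every change is appended, nothing is overwritten."""
    report["history"].append({"time": unambiguous_time(when), "actor": actor, "action": action})


def new_report(originator, classification, text, lang, when):
    """Assemble a report with identifier, classification, contacts and the original description."""
    report = {
        "id": "urn:uuid:" + str(uuid.uuid4()),    # globally unique identification
        "classification": classification.value,   # enumerated, not free text
        "originator": originator,
        "owner": originator,
        "contacts": [originator],
        "descriptions": [
            {"lang": lang, "original": True, "restriction": "need-to-know", "text": text}
        ],
        "references": [],    # pointers to advisories and related reports
        "history": [],
        "extension": {},     # hook for fields the base format does not define
    }
    append_history(report, originator, "created", when)
    return report


def add_translation(report, lang, text, translator, when):
    """Store a translated copy beside the original, flagged so a reader can tell them apart."""
    original = next(d for d in report["descriptions"] if d["original"])
    report["descriptions"].append(
        {"lang": lang, "original": False, "restriction": original["restriction"], "text": text}
    )
    append_history(report, translator, "translated:" + lang, when)


def canonical_bytes(report):
    """One well-defined byte string to authenticate: sorted keys, no whitespace, tag excluded."""
    body = {k: v for k, v in report.items() if k != "integrity"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(report, key):
    """Attach authenticity/integrity info. An HMAC under a key shared by the two CSIRTs is
    the assumption here; a digital signature gives the same property without a shared key."""
    tag = hmac.new(key, canonical_bytes(report), hashlib.sha256).hexdigest()
    report["integrity"] = {"alg": "hmac-sha256", "tag": tag}
    return report


def verify(report, key):
    """Recompute the tag over the canonical bytes and compare in constant time."""
    tag = report.get("integrity", {}).get("tag", "")
    expected = hmac.new(key, canonical_bytes(report), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


# Constructed sample data: a report created at UTC+1 and translated by a peer CSIRT at UTC+2.
EXAMPLE_KEY = b"constructed-shared-key-not-for-real-use"
CREATED = datetime(2003, 2, 10, 9, 30, tzinfo=timezone(timedelta(hours=1)))
TRANSLATED = datetime(2003, 2, 10, 11, 0, tzinfo=timezone(timedelta(hours=2)))
NAIVE_TIME = datetime(2003, 2, 10, 9, 30)   # deliberately has no timezone


def build_example():
    """Build, translate and seal the sample report."""
    report = new_report("csirt-a@example.net", Classification.SCAN,
                        "Port scan observed against the mail relay", "en", CREATED)
    add_translation(report, "sv", "Portskanning observerad mot e-postreläet",
                    "csirt-b@example.net", TRANSLATED)
    return seal(report, EXAMPLE_KEY)


if __name__ == "__main__":
    r = build_example()
    print(json.dumps(r, indent=2, ensure_ascii=False))
    print("verified:", verify(r, EXAMPLE_KEY))
```

The integrity block is excluded from the bytes it protects and the serialisation is canonical, so two implementations that differ only in key order or whitespace still agree on the tag; changing any protected field, including the translated copy, invalidates it.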
ISSUES (1): We need a name
- IRF: Incident Report Format
- IREF: Incident Report Exchange Format
- FIR: Format for Incident Report
- FIRE: Format for Incident Report Exchange

ISSUES (2): We need some definitions
- Incident
- Reporter
- Recorder
- Owner
- Contact
- Investigator

ISSUES (3): We need some definitions (cont.)
- Attack
- Attacker (person, organization, ...)
- Attack source (machine, network, ...)
- Attack target (machine, network, ...)
- Victim (person, organization, ...)
- Contact (person, organization)
- Investigator
- Impact
- Damage

ISSUES (4): We need an operational model
- A detailed one is in the draft
- A simpler one is in this slide deck

TO BE DONE
- Explanation of rationale in some places
- Edit and revise