Page 1

Synergy of the SCAP Program and IETF Activities BOF

IETF 79, Beijing, China, November 9, 2010

Chairs: Kent Landfield (kent_landfield@mcafee.com), Steve Hanna ([email protected])

List: [email protected]

Page 2

Note Well

Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF Contribution". Such statements include oral statements in IETF sessions, as well as written and electronic communications made at any time or place, which are addressed to:

– The IETF plenary session
– The IESG, or any member thereof on behalf of the IESG
– Any IETF mailing list, including the IETF list itself, any working group or design team list, or any other list functioning under IETF auspices
– Any IETF working group or portion thereof
– The IAB or any member thereof on behalf of the IAB
– The RFC Editor or the Internet-Drafts function

All IETF Contributions are subject to the rules of RFC 5378 and RFC 3979 (updated by RFC 4879).

Statements made outside of an IETF session, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not IETF Contributions in the context of this notice.

Please consult RFC 5378 and RFC 3979 for details.

A participant in any IETF activity is deemed to accept all IETF rules of process, as documented in Best Current Practices RFCs and IESG Statements.

A participant in any IETF activity acknowledges that written, audio and video records of meetings may be made and may be available to the public.


Page 3

BOF Agenda

– Welcome and Agenda Overview, Logistics
– NIST and SCAP – Tim Grance (10 minutes)
– SCAP Overview – David Waltermire and Kent Landfield (40 minutes)
– Compare and Contrast MIBs and Yang Modules with SCAP capabilities – Juergen Schoenwaelder (20 minutes)
– NEA/SCAP Integration – Steve Hanna (30 minutes)
– CYBEX Usage of SCAP Specifications – Takeshi Takahashi (15 minutes)
– Customer Perspective – Boeing – Stephen Whitlock (10 minutes)
– Open Mic – 45 minutes


Page 4

BOF Participation

Date: Tuesday, November 9, 2010
Time: 1520-1810
BOF info: http://trac.tools.ietf.org/bof/trac/wiki/WikiStart#SecurityBOF
Email archive: http://www.ietf.org/mail-archive/web/scap_interest
Jabber discussion access: [email protected]
Audio: http://videolab.uoregon.edu/events/ietf/ietf795.m3u


Page 5

NIST AND SCAP


Tim Grance, US National Institute of Standards and Technology

Page 6

NIST & Security Automation

Committed to supporting the role of open voluntary international industry consensus standards bodies

See this SCAP BOF exploration as an important step in that direction

Need to build consensus with the private and public sectors

Understand that change in specifications by the standards body, with wide stakeholder consultation is necessary and appropriate


Page 7

SCAP OVERVIEW


Kent Landfield, McAfee

David Waltermire, US National Institute of Standards and Technology

Page 8

Why are we here?

Meet and greet between SCAP and the IETF

SCAP has achieved a great deal but is looking for the maturity of the IETF standardization process to take the next step forward

Trying to determine if it makes sense to move development of some SCAP specifications into the IETF


Page 9

What is SCAP?

The Security Content Automation Protocol (SCAP) is a suite of selected open specifications that enumerate software flaws, security related configuration issues, and product names; measure systems to determine the presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues. SCAP defines how these specifications are combined.


Page 10

What is SCAP NOT!

Not a single Protocol

Not serving a single use case

Does not exist only to support the US government

Not a compliance only set of standards

Not an English-only set of specifications and uses


Page 11

SCAP Value

Feature / Benefit

Standardizes how computers communicate vulnerability information – the specifications
• Enables interoperability for products and services of various manufacture

Standardizes what vulnerability information computers communicate – the content
• Enables repeatability across products and services of various manufacture
• Reduces content-based variance in operational decisions and actions

Based on open community developed specifications
• Harnesses the collective brain power of the masses for creation and evolution
• Adapts to a wide array of use cases

Applicable to many different Risk Management Frameworks – Assess, Monitor, Implement
• Reduces time, effort, and expense of risk and security management processes

Detailed traceability to multiple security mandates and guidelines
• Automates portions of compliance demonstration and reporting
• Reduces chance of misinterpretation between Inspector General/auditors and operations teams

Enables the assessment and reporting of security controls
• Automates compliance demonstration and reporting


Page 12

Current SCAP Vendors

Page 13

SCAP Community Information

Community References: http://measurablesecurity.mitre.org/index.html

SCAP Homepage: http://scap.nist.gov

SCAP Validated Tools: http://nvd.nist.gov/scapproducts.cfm

National Checklist Program: http://checklists.nist.gov

National Vulnerability Database: http://nvd.nist.gov


Page 14

What are we trying to accomplish?

– Provide a standardized means for developing security content
– Provide standardized and actionable results
– Provide a means for real interoperability between security products
– Provide visibility into the security posture of an enterprise
– Reduce the cost of managing networked environments


Page 15

What is SCAP? (1 of 3)

The Security Content Automation Protocol

Created to bring together existing specifications and to provide a standardized approach to maintaining the security of enterprise systems

SCAP ...
– provides a means to identify, express and measure security data in standardized ways
– is a suite of individually maintained, open specifications
– defines how these specifications are used in concert
– includes standardized reference data -- SCAP Content


Page 16

What is SCAP? (2 of 3)

Languages – means of providing instructions
• Community developed
• Machine readable XML
• Reporting
• Representing security checklists
• Detecting machine state

Enumerations – convention for identifying and naming
– Community developed
– Product names
– Vulnerabilities
– Configuration items

Metrics – risk scoring framework
– Community developed
– Transparent metrics
– Base, Temporal, Environmental


Page 17

What is SCAP? (3 of 3)

Naming
– CVE, Common Vulnerabilities and Exposures: standard nomenclature and dictionary of security related software flaws
– CCE, Common Configuration Enumeration: standard nomenclature and dictionary of software misconfigurations
– CPE, Common Platform Enumeration: standard nomenclature and dictionary for product naming

Expressing
– XCCDF, eXtensible Checklist Configuration Description Format: standard XML for specifying checklists and for reporting results of checklist evaluation

Assessing
– OVAL, Open Vulnerability and Assessment Language: standard XML for test procedures
– OCIL, Open Checklist Interactive Language: standard XML for human interaction

Scoring
– CVSS, Common Vulnerability Scoring System: standard for measuring the impact of vulnerabilities


Page 18

What are SCAP’s Use Cases? (1 of 2)

SCAP Use Cases:
– Configuration Management – determine whether system configuration settings comply with organizational policies
– Vulnerability Management – detect and prioritize known vulnerabilities (software flaws) on a system
– Patch Compliance – determine whether appropriate patches have been applied on a system
– System Inventory – identify products installed on the system (e.g., hardware, operating system, and applications)
– Malware Detection – detect presence of malware on a system, allowing zero day signature building for consumption by SCAP validated products


Page 19

What are SCAP’s Use Cases? (2 of 2)

Figure: the SCAP use cases (Asset Management, Vulnerability Management, Configuration Management, Compliance Management, Misconfiguration & Patch Compliance, Malware Detection, Software Inventory) arranged around the SCAP component specifications CVE, CVSS, CPE, CCE, OVAL and XCCDF.


Page 20

eXtensible Checklist Content Description Format (XCCDF)

Internet Draft: draft-waltermire-scap-xccdf-00


Page 21

What is XCCDF?

The Extensible Configuration Checklist Description Format

IETF I-D: draft-waltermire-scap-xccdf-00

An XML-based specification
– Expresses security checklists supporting multiple use cases
– Expresses the results of an assessment


Page 22

XCCDF Functional Use Cases

Figure: one XCCDF document feeds HTML output, XML output, other tools, and compliance tools.


Page 23

XCCDF and Checking Engines

XCCDF does not specify platform-specific rule checking logic.

The Rule/check element contains information for driving a platform-specific checking engine.

Figure: XCCDF Benchmark Evaluation Tool. The XCCDF Benchmark, together with tailoring values and the tests to perform, drives a platform-specific checking engine against the target system; the engine returns the test results.


Page 24

XCCDF and Check System Interaction

– Collect, structure, and organize guidance
– Score and track general compliance
– Define tests to check compliance
– Define state evaluation logic
– Characterize state details
– Support guidance tailoring and customization

Figure labels: Guidance Structure and Customization; Check Engine; Assessment.


Page 25

XCCDF Data Model

XCCDF defines the following key object types:

– Benchmark: the complete document
– Group: a set of related recommendations and values; can be nested
– Rule: an individual recommendation
– Value
– Profile: supports tailoring, guidance for multiple roles, rule reuse
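Slides 23 to 25 describe the division of labour: XCCDF holds the guidance structure, tailoring and scoring, while each Rule/check hands the platform-specific work to a checking engine, and the Benchmark, Group, Rule, Value and Profile objects carry that structure. The Python below is an added example, not code from the deck, NIST or any XCCDF tool: it walks a constructed Benchmark that only borrows the XCCDF 1.1 element names and namespace (it omits required content such as check-content-ref href attributes and is not conformant content), applies a Profile's select and refine-value tailoring, exports a Value to two stand-in checking engines whose urn:example: system identifiers and check names are invented, evaluates them against a constructed host snapshot, and computes the flat weighted score. The registry path is the one in the CCE-3121-1 example later in the deck.

```python
"""Minimal XCCDF-style evaluation: Profile tailoring -> Rule/check -> checking engine -> results (added example)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"


def q(tag):
    """Qualify an element name with the XCCDF 1.1 namespace for ElementTree lookups."""
    return f"{{{XCCDF_NS}}}{tag}"


# Constructed, simplified benchmark: not real checklist content, and missing required XCCDF elements.
BENCHMARK_XML = f"""
<Benchmark xmlns="{XCCDF_NS}" id="demo-benchmark">
  <Profile id="baseline">
    <select idref="rule-guest-log-access" selected="true"/>
    <select idref="rule-min-pw-len" selected="true"/>
    <refine-value idref="val-min-pw-len" selector="strict"/>
  </Profile>
  <Profile id="relaxed">
    <select idref="rule-guest-log-access" selected="true"/>
    <select idref="rule-min-pw-len" selected="false"/>
  </Profile>
  <Value id="val-min-pw-len" type="number">
    <value>8</value>
    <value selector="strict">14</value>
  </Value>
  <Group id="grp-logging">
    <Rule id="rule-guest-log-access" weight="2.0">
      <check system="urn:example:registry-engine">
        <check-content-ref name="restrict-guest-access-enabled"/>
      </check>
    </Rule>
  </Group>
  <Group id="grp-accounts">
    <Rule id="rule-min-pw-len" weight="1.0">
      <check system="urn:example:policy-engine">
        <check-export value-id="val-min-pw-len" export-name="MIN_LEN"/>
        <check-content-ref name="min-password-length"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""

GUEST_ACCESS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess"


def registry_engine(check_name, target, exports):
    """Stand-in platform-specific engine: inspects a registry snapshot."""
    if check_name == "restrict-guest-access-enabled":
        return target["registry"].get(GUEST_ACCESS_KEY) == 1
    raise KeyError(check_name)


def policy_engine(check_name, target, exports):
    """Stand-in engine: compares a policy setting with the threshold XCCDF exported from a Value."""
    if check_name == "min-password-length":
        return target["policy"]["min_password_length"] >= int(exports["MIN_LEN"])
    raise KeyError(check_name)


ENGINES = {"urn:example:registry-engine": registry_engine, "urn:example:policy-engine": policy_engine}


def resolve_value(root, value_id, selector):
    """Pick the <value> matching the Profile's refine-value selector, else the unselectored default."""
    value = next(v for v in root.iter(q("Value")) if v.get("id") == value_id)
    items = value.findall(q("value"))
    for item in items:
        if item.get("selector") == selector:
            return item.text
    return next(item.text for item in items if item.get("selector") is None)


def evaluate(root, profile_id, engines, target):
    """Apply a Profile, run each selected Rule through its checking engine, return results and flat score."""
    profile = next(p for p in root.iter(q("Profile")) if p.get("id") == profile_id)
    selected = {s.get("idref"): s.get("selected") == "true" for s in profile.findall(q("select"))}
    refinements = {r.get("idref"): r.get("selector") for r in profile.findall(q("refine-value"))}
    results, score, maximum = {}, 0.0, 0.0
    for rule in root.iter(q("Rule")):
        rule_id = rule.get("id")
        # Rules are selected by default; the Profile's <select> overrides the Rule's own attribute.
        if not selected.get(rule_id, rule.get("selected", "true") == "true"):
            results[rule_id] = "notselected"
            continue
        check = rule.find(q("check"))
        exports = {e.get("export-name"): resolve_value(root, e.get("value-id"), refinements.get(e.get("value-id")))
                   for e in check.findall(q("check-export"))}
        check_name = check.find(q("check-content-ref")).get("name")
        weight = float(rule.get("weight", "1.0"))
        maximum += weight
        try:
            passed = engines[check.get("system")](check_name, target, exports)
        except KeyError:
            results[rule_id] = "error"   # unknown check system or check name: XCCDF "error" result
            continue
        results[rule_id] = "pass" if passed else "fail"
        score += weight if passed else 0.0
    return results, score, maximum


# Constructed host snapshot: guest access to the Application log is restricted, passwords need 10+ characters.
TARGET = {"registry": {GUEST_ACCESS_KEY: 1}, "policy": {"min_password_length": 10}}


def run(profile_id, target=TARGET):
    """Evaluate the constructed benchmark under one Profile against a host snapshot."""
    return evaluate(ET.fromstring(BENCHMARK_XML.strip()), profile_id, ENGINES, target)


if __name__ == "__main__":
    for profile in ("baseline", "relaxed"):
        print(profile, run(profile))
```

Under the "baseline" Profile the strict selector raises the exported minimum to 14, so the same host that passes the "relaxed" Profile fails the password-length Rule; the XCCDF layer never looked at the registry or the policy itself, it only selected, tailored, dispatched and scored.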


Page 26

XCCDF Summary

Enables authoritative definition of security policy/guidance that can be shared across a community

Reduces interpretation errors caused by converting prose guidance into an automatable form

Enables interoperability between tools
– Standardized content
– Consistent result reporting


Page 27

NAMING CONVENTIONS FOR VULNERABILITIES AND CONFIGURATIONS

Internet Draft: draft-landfield-scap-naming-00


Page 28

Common Vulnerabilities and Exposures (CVE)

Dictionary of standardized descriptions for vulnerabilities and exposures
– Over 40,000 entries

Publicly accessible for review or download from the Internet

ID: CVE-2007-1751

Description: Microsoft Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code by causing Internet Explorer to access an uninitialized or deleted object, related to prototype variables and table cells, aka "Uninitialized Memory Corruption Vulnerability."

Reference: BUGTRAQ : 20070612 ZDI-07-038 - Microsoft Internet Explorer - Prototype Dereference Code Execution Vulnerability

Reference: MS : MS07-033


Page 29

Common Configuration Enumeration (CCE)

Assigns standardized identifiers to configuration issues/items, allowing comparability and correlation
– Over 10,000 entries

ID: CCE-3121-1

Description: The "restrict guest access to application log" policy should be set correctly.

Technical Mechanisms: (1) HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy

Parameter: enabled/disabled


Page 30

Naming Convention Summary

When dealing with information from multiple sources, use of naming conventions can:
– improve data correlation
– enable interoperability
– foster automation
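Slides 28 to 30 show the CVE and CCE identifier forms and make the case that shared names are what lets data from different sources be correlated. The Python below is an added example, not code from the deck, MITRE or NIST: it normalizes and validates CVE names (accepting four or more sequence digits, which the 2014 CVE ID syntax change allows), checks a CCE identifier's trailing check digit as a Luhn mod-10 digit (my reading of the CCE numbering convention, which the deck's CCE-3121-1 satisfies), and joins two constructed feeds on the normalized CVE name while keeping malformed records out of the join. The host names and the "bad-feed" source are constructed; CVE-2007-1751, MS07-033 and ZDI-07-038 are the identifiers shown on slide 28.

```python
"""CVE/CCE identifier validation and cross-source correlation (added example)."""
import re

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")   # four-digit year, four or more sequence digits
CCE_RE = re.compile(r"^CCE-(\d{4,5})-(\d)$")     # four or five payload digits plus one check digit


def normalize_cve(raw):
    """Trim, upper-case and validate a CVE name; returns None when the string is not a CVE name."""
    candidate = raw.strip().upper()
    match = CVE_RE.match(candidate)
    if not match or not 1999 <= int(match.group(1)) <= 2100:
        return None
    return candidate


def luhn_check_digit(payload):
    """Luhn mod-10 check digit for a digit string; doubling starts at the rightmost payload digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch)
        if i % 2 == 0:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return (10 - total % 10) % 10


def is_valid_cce(raw):
    """True when the string has CCE form and its check digit is the Luhn digit of the payload."""
    match = CCE_RE.match(raw.strip().upper())
    return bool(match) and luhn_check_digit(match.group(1)) == int(match.group(2))


def correlate(scan_findings, advisories):
    """Join scanner findings to advisories on the normalized CVE name.

    Returns (joined, rejected): joined rows are (cve, host, advisory source); rejected holds every
    record whose identifier failed validation, so a bad name never silently drops out of the join.
    """
    by_cve, rejected, joined = {}, [], []
    for entry in advisories:
        cve = normalize_cve(entry["id"])
        if cve is None:
            rejected.append(entry)
        else:
            by_cve.setdefault(cve, []).append(entry)
    for finding in scan_findings:
        cve = normalize_cve(finding["cve"])
        if cve is None:
            rejected.append(finding)
            continue
        for advisory in by_cve.get(cve, []):
            joined.append((cve, finding["host"], advisory["source"]))
    return joined, rejected


# Constructed scanner output and advisory feed; formatting differs per source, as it does in practice.
SCAN_FINDINGS = [
    {"host": "ws-01", "cve": "cve-2007-1751"},
    {"host": "ws-02", "cve": "CVE-2007-1751 "},
    {"host": "ws-03", "cve": "CVE-07-1751"},        # malformed: two-digit year
]
ADVISORIES = [
    {"source": "MS07-033", "id": "CVE-2007-1751"},
    {"source": "ZDI-07-038", "id": "cve-2007-1751"},
    {"source": "bad-feed", "id": "CVE 2007 1751"},  # malformed: spaces instead of hyphens
]

if __name__ == "__main__":
    joined, rejected = correlate(SCAN_FINDINGS, ADVISORIES)
    print("joined:", joined)
    print("rejected:", rejected)
    print("CCE-3121-1 valid:", is_valid_cce("CCE-3121-1"))
```

Two hosts and two advisories collapse onto a single normalized name, which is the correlation the slide describes; the two records with broken names are reported rather than matched against nothing, so the gap is visible to whoever owns the feed.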


Page 31

COMPARE AND CONTRAST MIBS AND YANG MODULES WITH SCAP CAPABILITIES

Juergen Schoenwaelder

Page 32

NEA AND SCAP INTEGRATION

Steve Hanna

Page 33

NEA Reference Model (from RFC 5209)

Figure: the NEA Client (Posture Collectors, Posture Broker Client, Posture Transport Client) and the NEA Server (Posture Validators, Posture Broker Server, Posture Transport Server). The Posture Attribute (PA) protocol runs between Posture Collectors and Posture Validators, the Posture Broker (PB) protocol between the Posture Broker Client and Server, and the Posture Transport (PT) protocols between the Posture Transport Client and Server.

Page 34

Nesting of NEA Messages

PT
  PB-TNC Header
    PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
    PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
      PA-TNC Message
        PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
        PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)
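Slide 34 shows the nesting: the PT transport carries a PB-TNC batch, the batch carries PB-TNC messages, a PB-PA message carries a PA-TNC message, and that carries PA-TNC attributes. The Python below is an added example, not code from the deck or from the NEA working group: it encodes that batch using the header layouts and IETF (vendor ID 0) code points of RFC 5793 (PB-TNC) and RFC 5792 (PA-TNC), then parses it back while checking that every inner Length field fits inside its container, which is the validation a Posture Broker Server or Validator needs before it trusts the decoded values. The product vendor and product IDs, message identifier and build/service-pack numbers are constructed; the version numbers 5 and 3 are taken from the slide as shown there.

```python
"""Build and parse the nested PT -> PB-TNC -> PB-PA -> PA-TNC structure (added example)."""
import struct

# Field layouts and code points follow RFC 5793 (PB-TNC) and RFC 5792 (PA-TNC); vendor ID 0 is IETF.
PB_VERSION, PA_VERSION = 2, 1
PB_BATCH_CDATA = 1          # PB-TNC batch type CDATA (client data)
PB_MSG_PA = 1               # PB-TNC message type PB-PA (carries one PA-TNC message)
PA_SUBTYPE_OS = 1           # PA subtype Operating System
PA_ATTR_PRODUCT_INFO = 2
PA_ATTR_NUMERIC_VERSION = 3
NOSKIP = 0x80               # flag: the receiver must not silently skip this message or attribute


def pa_attribute(attr_type, value, vendor=0):
    """PA-TNC attribute: Flags(1) | Vendor ID(3) | Type(4) | Length(4, includes the 12-byte header) | Value."""
    return bytes([NOSKIP]) + vendor.to_bytes(3, "big") + struct.pack("!II", attr_type, 12 + len(value)) + value


def pa_message(attrs, msg_id=1):
    """PA-TNC message: Version(1) | Reserved(3) | Message Identifier(4) | attributes."""
    return struct.pack("!B3xI", PA_VERSION, msg_id) + b"".join(attrs)


def pb_pa_message(pa_msg, subtype, collector_id=0, validator_id=0):
    """PB-PA body (Flags | PA Vendor ID | PA Subtype | Collector ID | Validator ID | PA-TNC message)
    wrapped in a PB-TNC message header (Flags | Vendor ID | Type | Length, length includes header)."""
    body = bytes([0]) + (0).to_bytes(3, "big") + struct.pack("!IHH", subtype, collector_id, validator_id) + pa_msg
    return bytes([NOSKIP]) + (0).to_bytes(3, "big") + struct.pack("!II", PB_MSG_PA, 12 + len(body)) + body


def pb_batch(messages, batch_type=PB_BATCH_CDATA, from_server=False):
    """PB-TNC batch: Version(1) | D flag + Batch Type(1) | Reserved(2) | Batch Length(4) | messages."""
    body = b"".join(messages)
    flags = (0x80 if from_server else 0) | (batch_type & 0x0F)
    return struct.pack("!BBHI", PB_VERSION, flags, 0, 8 + len(body)) + body


def decode_attribute(vendor, attr_type, value):
    """Decode the two IETF attribute types used on the slide; anything else is returned raw."""
    if vendor == 0 and attr_type == PA_ATTR_PRODUCT_INFO:
        # Product Vendor ID(3) | Product ID(2) | Product Name (UTF-8, to the end of the attribute)
        return ("product_info", int.from_bytes(value[:3], "big"), struct.unpack("!H", value[3:5])[0], value[5:].decode())
    if vendor == 0 and attr_type == PA_ATTR_NUMERIC_VERSION:
        if len(value) != 16:
            raise ValueError("Numeric Version attribute must be 16 bytes")
        return ("numeric_version",) + struct.unpack("!IIIHH", value)   # Major, Minor, Build, SP Major, SP Minor
    return ("unknown", vendor, attr_type, value)


def parse_pa(msg):
    """Parse a PA-TNC message, checking every attribute length against the enclosing message."""
    if len(msg) < 8 or msg[0] != PA_VERSION:
        raise ValueError("bad PA-TNC header")
    (msg_id,) = struct.unpack("!I", msg[4:8])
    attrs, off = [], 8
    while off < len(msg):
        if len(msg) - off < 12:
            raise ValueError("truncated PA-TNC attribute header")
        vendor = int.from_bytes(msg[off + 1:off + 4], "big")
        attr_type, length = struct.unpack("!II", msg[off + 4:off + 12])
        if length < 12 or off + length > len(msg):
            raise ValueError("PA-TNC attribute length escapes its message")
        attrs.append(decode_attribute(vendor, attr_type, msg[off + 12:off + length]))
        off += length
    return {"id": msg_id, "attributes": attrs}


def parse_batch(data):
    """Parse a PB-TNC batch, rejecting any inner length that does not fit its container."""
    if len(data) < 8:
        raise ValueError("short PB-TNC batch header")
    version, flags, _, batch_len = struct.unpack("!BBHI", data[:8])
    if version != PB_VERSION or batch_len != len(data):
        raise ValueError("bad PB-TNC batch header")
    batch, off = {"batch_type": flags & 0x0F, "messages": []}, 8
    while off < batch_len:
        if batch_len - off < 12:
            raise ValueError("truncated PB-TNC message header")
        vendor = int.from_bytes(data[off + 1:off + 4], "big")
        msg_type, length = struct.unpack("!II", data[off + 4:off + 12])
        if length < 12 or off + length > batch_len:
            raise ValueError("PB-TNC message length escapes its batch")
        body = data[off + 12:off + length]
        if (vendor, msg_type) == (0, PB_MSG_PA):
            if len(body) < 12:
                raise ValueError("short PB-PA message")
            subtype, collector_id, validator_id = struct.unpack("!IHH", body[4:12])
            batch["messages"].append({"subtype": subtype, "collector": collector_id,
                                      "validator": validator_id, "pa": parse_pa(body[12:])})
        elif data[off] & NOSKIP:
            raise ValueError("unsupported PB-TNC message marked NOSKIP")
        off += length
    return batch


def build_slide_batch():
    """The slide's batch: Product Info 'Windows XP' and Numeric Version 5.3 (vendor/product IDs constructed)."""
    product_info = (0).to_bytes(3, "big") + struct.pack("!H", 0) + b"Windows XP"
    attrs = [pa_attribute(PA_ATTR_PRODUCT_INFO, product_info),
             pa_attribute(PA_ATTR_NUMERIC_VERSION, struct.pack("!IIIHH", 5, 3, 0, 0, 0))]
    return pb_batch([pb_pa_message(pa_message(attrs), PA_SUBTYPE_OS)])


def rejects_overstated_length(batch):
    """Overstate the Numeric Version attribute's Length; a careful parser refuses instead of over-reading."""
    tampered = bytearray(batch)
    offset = 8 + 12 + 12 + 8 + (12 + 5 + len(b"Windows XP")) + 8   # Length field of the second attribute
    tampered[offset:offset + 4] = struct.pack("!I", 0xFFFF)
    try:
        parse_batch(bytes(tampered))
        return False
    except ValueError:
        return True
```

Every layer repeats the same pattern, a fixed header with a length that includes itself followed by a payload, so the parser checks each length against its own container before descending; a length that runs past the enclosing message is refused at that layer rather than being discovered, or not, two layers down.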

Page 35

SCAP Compliance Checks with NEA

Figure: the NEA reference model with SCAP-related messages. A SCAP Posture Collector on the NEA Client and a SCAP Posture Validator on the NEA Server exchange SCAP-related messages over the Posture Attribute (PA) protocol, carried by the Posture Broker (PB) protocol between the Posture Broker Client and Server and by the Posture Transport (PT) protocols between the Posture Transport Client and Server.

Page 36

CYBEX USAGE OF SCAP SPECIFICATIONS

Takeshi Takahashi

Page 37

CUSTOMER PERSPECTIVE

Stephen Whitlock, Boeing

Page 38

OPEN MIC DISCUSSION

Page 39

Juergen’s Questions

– What is the focus of SCAP?
  – A single device, or a collection of devices, or the network?
– What can the IETF learn from previous related efforts?
  – What has been successful and why?
  – What failed and why?
– To what extent is SCAP different from just more configuration and reporting?
– Does SCAP integrate into the idea of network-wide configuration?


Page 40

Questions for Discussion

– Interest in community to move forward?
  – Who here would like to work on the topic?
  – Who would be interested in editing drafts / reviewing them?
  – Who thinks IETF should have a working group in this area?
– Industry Demand for Security Automation
– Feasible approach?
– Side effects / overlaps?
– Commitment potential?
