Posture Assessment Through Posture Information Collection Discussion Scope
draft-waltermire-panic-scope-01
The information below is for an old version of the document.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | David Waltermire , Jessica Fitzgerald-McKay | ||
| Last updated | 2017-04-11 | ||
| Stream | (None) | ||
| Formats | plain text xml htmlized pdfized bibtex | ||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-waltermire-panic-scope-01
Internet Engineering Task Force D. Waltermire
Internet-Draft NIST
Intended status: Informational J. Fitzgerald-McKay
Expires: October 12, 2017 Department of Defense
April 10, 2017
Posture Assessment Through Posture Information Collection Discussion
Scope
draft-waltermire-panic-scope-01
Abstract
This document defines an intended discussion scope for the non-
working group posture assessment through network information
collection (PANIC) non-WG discussion list.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 12, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Waltermire & Fitzgerald-Expires October 12, 2017 [Page 1]
Internet-Draft PANIC Scope April 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Components . . . . . . . . . . . . . . . . . . . . . . . . . 2
4. PANIC Solution Requirements . . . . . . . . . . . . . . . . . 3
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 4
7. Normative References . . . . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
Network operators need to know what is connected to their
organization's networks so that they can properly manage those
endpoints. Endpoint management requires access to endpoint posture
information, including endpoint identity, the identity of software
installed on the endpoint, and the configuration of the endpoint.
This information can be collected from different classes of endpoints
over different protocols and using different data models. PANIC will
identify a standardized solution to collect posture information for
network devices, and allow that information to be shared with
authorized users and devices on the network supporting security
automation.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Components
The solution will consist of the following components:
Network Device: Endpoints such as routers, switches, firewalls.
Virtualized network functions are currently be considered in
scope.
Posture Server: Collects information from the network device.
Receives information via pushes, and requests information via
pulls.
Data Repository: Stores the information collected by the posture
server from the network device.
Waltermire & Fitzgerald-Expires October 12, 2017 [Page 2]
Internet-Draft PANIC Scope April 2017
PANIC components
------------
| Network |----------
| Device | |
------------ ------------
| Posture | ________
| Server |---/ \
------------ ------------ | Data |
| Network | | | Store |
| Device |---------- \________/
------------
Figure 1
4. PANIC Solution Requirements
The solution will meet the following requirements:
Data Push Functionality: Network devices will push information to a
designated location. Data pushes will be event driven. PANIC
will identify what data should be pushed from the network device,
and what events will trigger a push.
Data Pull Functionality: A Posture Server will pull information from
a network device. Data pulls will be driven by requests to the
server. PANIC will identify what data should be pulled from the
network device, and how requests for the server to pull will be
made.
Secure Transport of Data: Data between the network device and the
Posture Server will be protected in transit by a protocol that
provides authorization and authentication. PANIC will identify
the protocols that can be used for transport of posture
information.
Secure Storage of Data: Network device data reported to a posture
server will be stored in a data repository. This data can be used
to support numerous security functions on the network; therefore,
this repository should be accessible by (and only by) authorized
users and devices. PANIC will identify requirements for a
centralized data repository.
Information Requirements for Network Device Management: PANIC will
identify a minimal set of information necessary to manage network
devices and to support network security functions including
configuration and vulnerability management. Additional
Waltermire & Fitzgerald-Expires October 12, 2017 [Page 3]
Internet-Draft PANIC Scope April 2017
information may also be used through extension mechanisms
identified by PANIC.
Standardized Data Model: Network device data will be expressed in a
standardized data model that enables use and reuse of the data.
PANIC will identify available data models for the expression of
required information and the models used for a given exchange of
posture.
Note: Use of [RFC2119] text is omitted at this point. More
discussion is needed around these requirements.
5. IANA Considerations
This memo includes no request to IANA.
6. Security Considerations
The solution described by this document provides a mechanism to
gather network device posture into a centralized datastore.
Discussion is needed here about the need to protect such an
information collection from unauthorized access or disclosure.
Discussion is also needed here about privacy considerations around
how the endpoint devices are identified when posture is gathered.
7. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
Authors' Addresses
David Waltermire
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland 20877
USA
Email: david.waltermire@nist.gov
Waltermire & Fitzgerald-Expires October 12, 2017 [Page 4]
Internet-Draft PANIC Scope April 2017
Jessica Fitzgerald-McKay
Department of Defense
9800 Savage Road
Ft. Meade, Maryland
USA
Email: jmfitz2@nsa.gov
Waltermire & Fitzgerald-Expires October 12, 2017 [Page 5]