SACM L. Lorenzin, Ed.
Internet Draft C. Kahn
Intended status: Informational Juniper Networks
Expires: January 2015 S. Venema
The Boeing Company
S. Pope
Cisco Systems
H. Birkholz
Fraunhofer SIT
July 3, 2014
SACM Information Model Based On TNC
draft-lorenzin-sacm-tnc-information-model-00.txt
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on January 3, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Lorenzin, et al. Expires January 3, 2015 [Page 1]
Internet-Draft SACM Information Model Based On TNC July 2014
Abstract
This document defines an information model for aggregated
configuration and operational data, so that the data can be evaluated
to determine an organization's security posture.
Table of Contents
1. Introduction...................................................3
2. Security Automation with TNC IF-MAP............................4
2.1. What is Trusted Network Connect?..........................4
2.2. What is TNC IF-MAP?.......................................4
2.3. What is the TNC Information Model?........................5
3. SACM Information Model Derived from TNC........................5
3.1. Graph Model Based on IF-MAP...............................6
3.1.1. Background: Graph Models.............................6
3.1.2. Graph Model Overview.................................7
3.1.3. Identifiers..........................................7
3.1.4. Links................................................8
3.1.5. Metadata.............................................8
3.1.6. Provenance...........................................8
3.1.7. Extensibility........................................9
3.2. Elements of the SACM Information Model....................9
3.2.1. Components..........................................10
3.2.2. Objects.............................................10
3.3. Operations...............................................10
3.3.1. Generalized Workflow................................11
4. SACM Usage Scenario Example...................................11
4.1. Elements of the Posture Deviation Detection Scenario.....11
4.1.1. Components..........................................11
4.1.2. Objects.............................................12
4.1.2.1. Endpoint.......................................14
4.1.2.1.1. Endpoint Credential.......................14
4.1.2.1.2. Software Asset............................15
4.1.2.1.3. Non-Software Asset........................16
4.1.2.2. Internal Collection Task.......................16
4.1.2.3. User...........................................16
4.1.2.3.1. User Credential...........................16
4.1.2.4. Network Session................................16
4.1.2.4.1. Address...................................16
4.1.2.4.2. Authorizations............................17
4.1.2.5. Location.......................................17
4.1.2.6. External Collection Task.......................18
4.1.2.7. Posture Attribute or Event.....................18
4.1.2.7.1. Posture Attribute.........................19
4.1.2.7.2. Event.....................................19
Lorenzin, et al. Expires January 3, 2015 [Page 2]
Internet-Draft SACM Information Model Based On TNC July 2014
4.1.2.7.3. Difference between Attribute and Event....19
4.1.2.8. Evaluation Task................................19
4.1.2.9. Evaluation Result..............................20
4.1.2.10. Reporting Task................................20
4.1.2.11. Report........................................20
4.1.2.12. Policies......................................21
4.1.2.12.1. Internal Collection Policy...............21
4.1.2.12.2. External Collection Policy...............21
4.1.2.12.3. Evaluation Policy........................21
4.1.2.12.4. Retention Policy.........................21
4.1.2.12.5. Reporting Policy.........................21
4.1.2.13. Provenance of Information.....................22
4.2. Graph Model for Detection of Posture Deviation...........22
4.2.1. Identifiers.........................................22
4.2.2. Metadata............................................22
4.2.3. Relationships between Identifiers and Metadata......23
4.3. Workflow.................................................23
5. Security Considerations.......................................24
6. IANA Considerations...........................................24
7. Conclusion....................................................24
8. References....................................................24
8.1. Informative References...................................24
9. Acknowledgments...............................................27
Appendix A. Examples of TNC IF-MAP in Security Deployments.......28
1. Introduction
This document describes the Trusted Network Connect (TNC) Information
Model and proposes a SACM Information Model that builds on the TNC
standardized information model to serve the security automation use-
cases outlined by the IETF SACM workgroup.
The proposed SACM information model offers a loose coupling between
providers and consumers of security information. A provider can
relay what it observes or infers, without knowing which consumers
will use the information, or how they will use it. A consumer need
not know exactly which provider generated a piece of information, or
by what method.
At the same time, a consumer *can* know these things, if necessary.
As things evolve, a provider can relay supplemental information.
Some consumers will understand and benefit from the supplemental
information; other consumers will not understand and will disregard
it.
Lorenzin, et al. Expires January 3, 2015 [Page 3]
Internet-Draft SACM Information Model Based On TNC July 2014
The structure of each unit of information is extensible. The
arrangement of information units into a graph is also extensible; new
arrangements can be defined for new use cases.
2. Security Automation with TNC IF-MAP
2.1. What is Trusted Network Connect?
Trusted Network Connect (TNC) is a vendor-neutral open architecture
[1] and a set of open standards for network security developed by the
Trusted Computing Group (TCG). TNC standards integrate security
components across end user systems, servers, and network
infrastructure devices into an intelligent, responsive, coordinated
defense. TNC standards have been widely adopted by vendors and
customers; the TNC endpoint assessment protocols [2][3][4][5] were
used as the base for the IETF NEA RFCs [6][7][8][9].
Traditional information security architectures have separate silos
for endpoint security, network security, server security, physical
security, etc. The TNC architecture enables the integration and
categorization of security telemetry sources via the information
model contained in its Interface for Metadata Access Points (IF-MAP)
[10]. IF-MAP provides a query-able repository of security telemetry
that may be used for storage or retrieval of such data by multiple
types of security systems and endpoints on a vendor-neutral basis.
The information model underlying the IF-MAP repository covers,
directly or indirectly, all of the security information types
required to serve SACM use-cases.
2.2. What is TNC IF-MAP?
IF-MAP provides a standard client-server protocol for MAP clients to
exchange security-relevant information via database server known as
the Metadata Access Point or MAP. The data (known as "metadata")
stored in the MAP is XML data. Each piece of metadata is tagged with
a metadata type that indicates the meaning of the metadata and
identifies an XML schema for it. Due to the XML language, the set of
metadata types is easily extensible.
The MAP is a graph database, not a relational database. Metadata can
be associated with an identifier (e.g. the email address
"user@example.com") or with a link between two identifiers (e.g. the
link between MAC address 00:11:22:33:44:55 and IPv4 address
192.0.2.1) where the link defines an association (for example: a
relation or state) between the identifiers. These links between
pairs of identifiers create an ad hoc graph of relationships between
identifiers. The emergent structure of this graph reflects a
Lorenzin, et al. Expires January 3, 2015 [Page 4]
Internet-Draft SACM Information Model Based On TNC July 2014
continuously evolving knowledge base of security-related metadata
that is shared between various providers and consumers.
2.3. What is the TNC Information Model?
The TNC Information Model underlying IF-MAP relies on the graph
database architecture to enable a (potentially distributed) MAP
service to act as a shared clearinghouse for information that
infrastructure devices can act upon. The IF-MAP operations and
metadata schema specifications (TNC IF-MAP Binding for SOAP [10], TNC
IF-MAP Metadata for Network Security [11], and TNC IF-MAP Metadata
for ICS Security [12]) define an extensible set of identifiers and
data types.
Each IF-MAP client may interact with the IF-MAP graph data store
through three fundamental types of operation requests:
o Publish, which may create, modify, or delete metadata associated
with one or more identifiers and/or links in the graph
o Search, which retrieves a selected sub-graph according to a set of
search criteria
o Subscribe, which allows a client to manage a set of search
commands which asynchronously return selected sub-graphs when
changes to that sub-graph are made by other IF-MAP clients
The reader is invited to review the existing IF-MAP specification
[10] for more details on the above graph data store operation
requests and their associated arguments.
The current IF-MAP specification provides a SOAP [13] binding for the
above operations, as well as associated SOAP operations for managing
sessions, error handling, etc.
3. SACM Information Model Derived from TNC
The SACM Information Model based on TNC describes how security data
is structured, related, and accessed. Control of operations to
supply and/or access the data is architecturally distinct from the
structuring of the data in the information model. Authorization may
be applied by the Control Plane (as defined in the SACM Architecture
[16]) to requests for information from a consumer or requests for
publication from a provider, and may also be applied by a provider to
a direct request from a consumer.
Lorenzin, et al. Expires January 3, 2015 [Page 5]
Internet-Draft SACM Information Model Based On TNC July 2014
This architecture addresses data structure independently of the
access/transport of that data. This separation enables scalability,
customizability, and extensibility. Access to provide or consume
data is particularly suited to publish/subscribe/query data transport
and data access control models.
The primary function of this "SACM Information Model based on TNC"
proposal is to provide a framework that:
o Facilitates the definition of extensible data types that support
SACM's use cases
o Provides a structure for the defined data types to be exchanged
via a variety of data transport models
o Describes components used in data exchange, and the objects
exchanged
o Provides a graph database model that captures and organizes
evolving data and data relationships for multiple data publishers
o Provides access to the published data via publish, query, and
subscribe operations
o Leverages the knowledge and experience gained from incorporating
TNC IF-MAP into many disparate products that have to integrate and
share an information model in a scalable, extensible manner
3.1. Graph Model Based on IF-MAP
3.1.1. Background: Graph Models
Knowledge is often represented with graph-based formalisms. A common
formalism defines a graph as follows:
o A set of *vertices*
o A set of *edges*, each connecting two vertices (technically, an
edge is an ordered pair of vertices)
o A set of zero or more *properties* attached to each vertices and
edges; each property consists of a type and a optionally a value;
the type and the value are typically just strings
Lorenzin, et al. Expires January 3, 2015 [Page 6]
Internet-Draft SACM Information Model Based On TNC July 2014
+------------------+ +-----------------+
| Id: 1 | parent-of |Id: 2 |
| Given name: Sue | --------------> |Given name: Ann |
| Family name: Wong| |Family name: Wong|
+------------------+ +-----------------+
A VERTEX AN EDGE A VERTEX
Figure 1 - Knowledge represented by a graph
A pair of vertices connected by an edge is commonly referred to as a
triple that comprises subject, predicate and object. For example,
subject = Sue Wong, predicate = is-parent-of, object = Ann Wong. A
common language that uses this representation is the Resource
Description Framework (RDF) [14].
3.1.2. Graph Model Overview
The proposed model is a labeled graph: each vertex has a label.
A table of synonyms follows.
Graph Theory | Graph Databases | IF-MAP and This Internet Draft
---------------+-----------------+--------------------------------
Vertex or Node | Node | -
Label | - | Identifier
Edge | Edge | Link
- | Property | Metadata Item
In this I-D, identifiers and metadata have hierarchical structure.
The graphical aspect makes this model well suited to non-hierarchical
relationships, such as connectivity in a computer network.
Hierarchical properties allow this model to accommodate structures
such as YANG [15] data models.
3.1.3. Identifiers
Each identifier is an XML element. For extensibility, schemas use
xsd:anyAttribute and such.
Alternately, this model could be changed to use another hierarchical
notation, such as JSON.
Identifiers are unique: two different vertices cannot have equivalent
identifiers.
Lorenzin, et al. Expires January 3, 2015 [Page 7]
Internet-Draft SACM Information Model Based On TNC July 2014
An identifier has a type. There is a finite, but extensible, set of
identifier types. If the identifier is XML, the type is based on the
XML schema.
In IF-MAP, standard identifier types include IP address, MAC address,
identity, and overlay network. Additional identifier types will need
to be standardized for SACM use cases.
Any number of metadata items can be attached to an identifier.
Some identifiers, especially those relating to identity, address, and
location, require the ability to specify an administrative domain
(such as AD domain, L2 broadcast domain / L3 routing domain, or
geographic domain) in order to differentiate between instances with
the same name occurring in different realms.
3.1.4. Links
A link can be thought of as an ordered pair of identifiers.
Any number of metadata items can be attached to a link.
3.1.5. Metadata
A metadata item is the basic unit of information, and is attached to
an identifier or to a link.
A given metadata item is an XML document; it is generally quite
small. For extensibility, schemas use xsd:anyAttribute and such.
Alternately, this model could be changed to use another hierarchical
notation, such as JSON.
A metadata item has a type. There is a finite, but extensible, set
of metadata types. If the metadata item is XML, the type is based on
the XML schema. An example metadata type is
http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2#device-
characteristic.
TNC IF-MAP Metadata for Network Security [11] and TNC IF-MAP Metadata
for ICS Security [12] define many pertinent metadata types. More
will need to be standardized for SACM use cases.
3.1.6. Provenance
Provenance helps to protect the SACM ecosystem against a misled or
malicious provider.
Lorenzin, et al. Expires January 3, 2015 [Page 8]
Internet-Draft SACM Information Model Based On TNC July 2014
The provenance of a metadata item includes:
o The time when the item was produced
o The component that produced the item, including its software and
version
o The policies that governed the producing component, with versions
o The method used to produce the information (e.g., vulnerability
scan)
How provenance should be expressed is an open question. For
reference, in IF-MAP provenance of a metadata item is expressed
within the metadata item [11]. For example, there is a top-level XML
attribute called "timestamp".
It is critical that provenance be secure from tampering. How to
achieve that security is out of scope of this document.
3.1.7. Extensibility
Anyone can define an identifier type or a metadata type, by creating
an XML schema (or other specification). There is no need for a
central authority. Some deployments may exercise administrative
control over the permitted identifier types and metadata types;
others may leave components free rein.
A community of components can agree on and use new identifier and
metadata types, if the administrators allow it. This allows rapid
innovation. Intermediate software that conveys graph changes from
one component to another does not need changes. Components that do
not understand the new types do not need changes. Accordingly, a
consumer normally ignores metadata types and identifier types it does
not understand.
As a proof point for this agility, the original use cases for TNC IF-
MAP Binding for SOAP [10] were addressed in TNC IF-MAP Metadata for
Network Security [11]. Some years later an additional, major set of
use cases, TNC IF-MAP Metadata for ICS [12], were specified and
implemented.
3.2. Elements of the SACM Information Model
Two categories of elements appear in the SACM Information Model:
components (actors) and objects (what is acted upon).
Lorenzin, et al. Expires January 3, 2015 [Page 9]
Internet-Draft SACM Information Model Based On TNC July 2014
3.2.1. Components
The proposed SACM Information Model contains three components, as
defined in the SACM Architecture [16]: Posture Attribute Information
Provider, Posture Attribute Information Consumer, and Control Plane.
3.2.2. Objects
The proposed SACM Information Model contains several elements that
are objects of the architecture, including:
o Collection tasks, which may be internal (performed within the
endpoint itself) or external (performed outside of the endpoint,
such as by a hypervisor or remote sensor)
o Posture, in the form of posture attributes and evaluation results
o Additional information about the endpoint, such as a
representation of a software asset, endpoint identity, user
identity, address, location, and authorization constraining the
endpoint
o History, a compilation of previously collected information
3.3. Operations
Operations that may be carried out the proposed SACM Information
Model are:
o Publish data: Security information is made available in the
information model when a component publishes data to it.
o Subscribe to data: A component seeking to consume an on-going
stream of security information "subscribes" to such data from the
information model.
o Query: This operation enables a component to request a specific
set of security data regarding a specific asset (such as a
specific user endpoint).
The subscribe capability will allow SACM components to monitor for
selected security-related changes in the graph data store without
incurring the performance penalties associated with polling for such
changes.
Lorenzin, et al. Expires January 3, 2015 [Page 10]
Internet-Draft SACM Information Model Based On TNC July 2014
3.3.1. Generalized Workflow
The proposed SACM Information Model would be most commonly used with
a suitable transport protocol for collecting and distributing
security data across appropriate network platforms and endpoints.
The information model is transport agnostic and can be used with its
native transport provided by IF-MAP or by other data transport
protocols such as the recently proposed XMPP-Grid.
1. A Posture Assessment Information Consumer (Consumer) establishes
connectivity and authorization with the transport fabric.
2. A Posture Assessment Information Provider (Provider) with a source
of security data requests connection to the transport fabric.
3. Transport fabric authenticates and establishes authorized
privileges (e.g. privilege to publish and/or subscribe to security
data) for the requesting components.
4. Components may either publish security data, subscribe to security
data, query for security data, or any combination of these
operations.
Any component sharing information - either as Provider or Consumer -
may do so on a one-to-one, one-to-many and/or many-to-many meshed
basis.
4. SACM Usage Scenario Example
The following section illustrates the proposed SACM Information Model
as applied to SACM Usage Scenario 2.2.3, Detection of Posture
Deviations [17]. The following subsections describe the elements
(components and objects), graph model, and operations (sample
workflow) required to support the Detection of Posture Deviations
scenario.
4.1. Elements of the Posture Deviation Detection Scenario
4.1.1. Components
In this example, the components are instantiated as follows:
o The Posture Attribute Information Provider is an endpoint security
service which monitors the compliance state of the endpoint and
reports any deviations for the expected posture.
Lorenzin, et al. Expires January 3, 2015 [Page 11]
Internet-Draft SACM Information Model Based On TNC July 2014
o The Posture Attribute Information Consumer is an analytics engine
which absorbs information from around the network and generates a
"heat map" of which areas in the network are seeing unusually high
rates of posture deviations.
o The Control Plane is a security automation broker which receives
subscription requests from the analytics engine and authorizes
access to appropriate information from the endpoint security
service.
4.1.2. Objects
The Detection of Posture Deviations scenario involves multiple
objects interacting to accomplish the goals of the scenario. The
following figure illustrates those objects along with their major
communication paths.
................ ................ .................
: ENDPOINT : : NETWORK : : USER : +--------+
: : : SESSION : : : +--------+|
: +----------+: : +-------+ : : +----------+ : |Location|+
: +----------+|: : +-------+| : : +----------+| : +--------+
: |Credential|+: : |Address|+ : : |Credential|+ :
: +----------+ : : +-------+ : : +----------+ :
: : : : :...............:
: +--------+ : : +----------+ :
: +--------+| : : | AuthZ's | :
: |Software|| : : +----------+ :
: |Asset |+ : :..............:
: +--------+ : V
: : V
: +---------+ : +----------------+
: +---------+| : +----------------+|
: |Internal || : |External Collec-||
: |Collec- || : |tion Task (P) |+
: |tion || : +----------------+
: |Task (P) |+ : V
: +---------+ : V
:......V.......: V
V V
V V<<<<<<<<
V V +---------+
V V +---------+|
V +----------+ +--------+ +--------+ |Posture ||
V +----------+| +--------+| +--------+| |Assess- ||
Lorenzin, et al. Expires January 3, 2015 [Page 12]
Internet-Draft SACM Information Model Based On TNC July 2014
V |Posture ||>>| Eval ||>>| Eval ||>>|ment ||
V |Attribute || |Task (P)|+ |Result |+ |Infor- ||
>>>|/Event |+ +--------+ +--------+ |mation ||
+----------+ V |Requestor|+
V ___V__ +---------+
V / \ ^
V |\.____./| ^
>>>>>>>>>>>>>>>>>>>>>>>>|History |>>>>>>
|(P) |
\.____./
>>> A main information flow
(P) Policy is applied
Figure 2 - Objects and Information Flow
Figure 3 is a more detailed version of Figure 2. Many of the objects
in this figure could be represented as identifiers, and many of the
relationships could be represented as links.
+--------+_______________
____________|Location|*__________ |
| *+--------+* | |
| +----------+ | |
| _______|Credential|_______ | |
| | *+----------+* | | |
|* |* |* |* |
+--------+ +----------+ +---------+_______+----+ |
|Software|____| Endpoint |____| Network |* 0..1|User| |
|Asset |* 1| |1 *| Session | +----+ |
+--------+ | | | | |*
| | | |_________+-------+
| | | | 1..*|Address|
+----------+ +---------+ +-------+
|1 |1 |* 1|____+-------------+
V| | V| *|Authorization|
|* | |* +-------------+
+----------+ | +----------+
____|Internal | | |External |____ +----------+____
|> *|Collection| | |Collection|* <| |Evaluation|* <|
| |Task | | |Task | | |Task (P) | |
|1 +----------+ | +----------+ 1| +----------+ 1|
------------ |0..1 | 0..1| ------------ |1 ------------
|Internal | | | | |External | | |Evaluation|
|Collection| | | | |Collection| | |Policy |
Lorenzin, et al. Expires January 3, 2015 [Page 13]
Internet-Draft SACM Information Model Based On TNC July 2014
|Policy | V| | V| |Policy | V| ------------
------------ | | | ------------ |
| |* *| |*
| ===========_________________============
|______|Posture |1..* > *|Evaluation|
*|Attribute|______ ______|Result |
|/Event |* < | | > *============
=========== *| |* |*
*| ----------- |
| |Retention| |V
V| |Policy | |
| ----------- |*
|______________________+-------------+
_____*|Reporting |
| > *|Task |
|1 +-------------+
--------------- ^|1
|Reporting | |
|Policy | V|*
--------------- =========
|Report |
=========
----------------------------------------------------------
1 Multiplicity symbols > Direction of causation. For
0..1 found in UML 2 [18] < example, a collection policy
* class diagrams V affects a collection task.
1..* ^
*
----------------------------------------------------------
Figure 3 - Objects and Multiplicity
The following subsections elaborate upon the objects found in the two
figures.
4.1.2.1. Endpoint
See the definition in the SACM Terminology for Security Assessment
[19].
4.1.2.1.1. Endpoint Credential
An endpoint credential provides both identification and
authentication of the endpoint. For example, a credential may be an
X.509 certificate [20] and corresponding private key.
Lorenzin, et al. Expires January 3, 2015 [Page 14]
Internet-Draft SACM Information Model Based On TNC July 2014
Not all kinds of credentials are guaranteed to be unique.
4.1.2.1.2. Software Asset
An endpoint generally contains software assets.
"Asset" is defined in RFC4949 [21] as "a system resource that is (a)
required to be protected by an information system's security policy,
(b) intended to be protected by a countermeasure, or (c) required for
a system's mission."
A software asset is an asset in the form of software.
We extend the definition to include any software that may affect an
endpoint's posture. An examination of software assets needs to
consider both (a) software to be protected and (b) software that may
do harm. An inventory system may not know (a) from (b). It is
useful to define Software Asset as the union of (a) and (b).
General examples of Software Assets:
o An application
o A patch
o The operating system kernel
o A boot loader
o Firmware that controls a disk drive
o A piece of JavaScript found in a web page the user visits
Examples of harmful Software Assets:
o An entertainment app that contains malware
o A web page that contains malicious JavaScript
o A business application that shipped with a virus
A software asset may have a unique identifier, such as a SWID tag
(ISO/IEC 19770).
The configuration of a piece of software is regarded as part of the
Software Asset.
Lorenzin, et al. Expires January 3, 2015 [Page 15]
Internet-Draft SACM Information Model Based On TNC July 2014
4.1.2.1.3. Non-Software Asset
Hardware components in a system may also be considered as resources
that must be protected according to security policies. For example,
a USB port on a system may be disabled to prevent information flow
into our out of a particular system; this provides an additional
layer of protection that can complement software based protections.
Other such assets may include access to or modification of storage
media, hardware key stores, microphones and cameras. Like software
assets, we can consider these non-software assets both from the
perspective of (a) an asset that needs protection and (b) an asset
that can be compromised in some way to do harm.
4.1.2.2. Internal Collection Task
An endpoint may also contain one or more internal collection tasks.
An internal collection task is a collection task, as defined in the
SACM Terminology for Security Assessment [19], which collects posture
attributes, values, or events from inside the endpoint. In other
words, the posture attributes and events are self reported. They may
be subject to the lying endpoint problem.
Example: a NEA posture collector. [22]
4.1.2.3. User
4.1.2.3.1. User Credential
An endpoint is often - but not always - associated with one or more
users.
A user's credential provides both identification and authentication
of the user.
4.1.2.4. Network Session
An endpoint connected to a particular network has a network session,
and may have multiple network sessions connecting it to multiple
networks.
4.1.2.4.1. Address
A network session generally has one or more addresses. For example,
it may have a MAC address and an IP address.
Lorenzin, et al. Expires January 3, 2015 [Page 16]
Internet-Draft SACM Information Model Based On TNC July 2014
These addresses are not necessarily globally unique. Therefore, an
address may be qualified with a scope. For example:
o A MAC address may be qualified with its layer-2 broadcast domain.
o An IP address may be qualified with its IP routing domain.
Other kinds of addresses may find application.
4.1.2.4.2. Authorizations
Authorizations determine what the endpoint can do with its network
session. Examples include:
o A RADIUS VLAN assignment [23]
o A router or firewall access control list (ACL)
o An IF-MAP access-request constellation [11], which may determine
how a firewall treats the endpoint
4.1.2.5. Location
This is a logical or physical location. Location can be pertinent to
security posture. For example, some endpoints may need to stay in
protected areas to protect them.
Examples of location:
o The switch or access point to which the endpoint has authenticated
o The switch port where the endpoint is plugged in
o The location of the endpoint's IP address in the network topology
o The geographic location of the endpoint (typically self-reported)
o A user location, as reported by a physical access control system
More than one of these may pertain to an endpoint. Endpoint has a
many-to-many relationship with Location.
A collection task or other system may express location information as
posture attributes.
Lorenzin, et al. Expires January 3, 2015 [Page 17]
Internet-Draft SACM Information Model Based On TNC July 2014
4.1.2.6. External Collection Task
An external collection task is a collection task, as defined in the
SACM Terminology for Security Assessment [19], which observes
endpoints from outside.
Examples:
o A RADIUS server whereby an endpoint has logged onto the network
o A network profiling system, which discovers and classifies network
nodes
o A Network Intrusion Detection System (NIDS) sensor
o A vulnerability scanner
o A hypervisor that peeks into the endpoint, the endpoint being a
virtual machine
o A management system that configures and installs software on the
endpoint
4.1.2.7. Posture Attribute or Event
A Posture Attribute or Event is provided by an internal or external
collection task.
Although Figure 2 depicts a Posture Attribute or an Event as related
to a single Endpoint, the truth is more complex. It would be
convenient if every endpoint had a single unforgeable, visible
identifier, and every Posture Attribute could refer to that
identifier. In fact, a Posture Attribute refers to the endpoint by
some identifying attributes. Different Posture Attributes might
mention different identifying attributes.
For example, one Endpoint can sign on at different times with
different credentials; Posture Attributes may mention the credentials
in use at the time.
In short, an endpoint has many guises. There is a need to see
through the guises, to decide whether two Posture Attributes or
Events refer to the same endpoint. Perhaps Attribute Evaluation
tasks can address this need.
Lorenzin, et al. Expires January 3, 2015 [Page 18]
Internet-Draft SACM Information Model Based On TNC July 2014
4.1.2.7.1. Posture Attribute
See the definition in the SACM Terminology for Security Assessment
[19].
Examples:
o A NEA posture attribute (PA) [22]
o A YANG model [15]
o An IF-MAP device-characteristics metadata item [11]
4.1.2.7.2. Event
An event is also an output of an internal or external collection
task. Examples:
o A structured syslog message [24]
o IF-MAP event metadata [11]
o A NetFlow message [25]
4.1.2.7.3. Difference between Attribute and Event
"Attribute" and "event" are often used fairly interchangeably. A
clear distinction makes the words more useful.
An *attribute* tends to stay true until something causes a change.
In contrast, an *event* occurs at a moment in time.
For a nontechnical example, "closed" is an attribute of a door. A
closed door tends to stay closed until something opens it (a breeze,
a person, or a dog).
The door's opening or closing is an event.
Similarly, "Host firewall is enabled?" may be modeled as an endpoint
attribute. Enabling or disabling the host firewall may be modeled as
an event. An endpoint's crashing also may be modeled as an event.
4.1.2.8. Evaluation Task
See the definition in the SACM Terminology for Security Assessment
[19].
Lorenzin, et al. Expires January 3, 2015 [Page 19]
Internet-Draft SACM Information Model Based On TNC July 2014
Example: a NEA posture validator [22]
4.1.2.9. Evaluation Result
See the definition in the SACM Terminology for Security Assessment
[19].
Example: a NEA access recommendation [7]
As Figure 2 shows, an Evaluation Result derives from one or more
Posture Attributes and Events.
An Evaluation Task may be able to evaluate better if history is
available. This is a use case for retaining Posture Attributes and
Events for a time.
An Evaluation Result may be retained longer than the Posture
Attributes and Events from which it derives. (Figure 2 does not show
this.) In the limiting case, Posture Attributes and Events are not
retained. As soon as a Posture Attribute or an Event arrives, an
Evaluation Task produces an Evaluation Result.
4.1.2.10. Reporting Task
A reporting task makes reports based on:
o Posture Attributes,
o Events,
o Evaluation Results, and/or
o Other Reports (a weekly report may be created from daily reports)
It may summarize data continually, as the data arrives. It also may
summarize data in response to an ad hoc query.
4.1.2.11. Report
A Report summarizes:
o Posture Attributes,
o Events, and/or
o Evaluation Results
Lorenzin, et al. Expires January 3, 2015 [Page 20]
Internet-Draft SACM Information Model Based On TNC July 2014
A Report may routine or ad hoc.
Some reports may be machine readable. Machine readable summaries may
be consumable by automatic response systems (not part of SACM).
4.1.2.12. Policies
Policies are generally configurable by human administrators.
4.1.2.12.1. Internal Collection Policy
An internal collection task may need a policy to govern what it
collects and when.
4.1.2.12.2. External Collection Policy
An external collection task may need a policy to govern what it
collects and when.
4.1.2.12.3. Evaluation Policy
An Evaluation Task typically needs an Evaluation Policy to govern
what it considers to be a good or bad security posture.
4.1.2.12.4. Retention Policy
A SACM deployment may retain posture attributes, events, or
evaluation results for some time. Retention supports ad hoc
reporting and other use cases.
If information is retained, retention policies control what is
retained and for how long.
If two or more retention policies apply to a piece of information,
the policy calling for the longest retention should take precedence.
Retained information may be stored in a Configuration Management
Database (CMDB), for example.
4.1.2.12.5. Reporting Policy
A Reporting Task typically needs a Reporting Policy to govern the
reports it generates.
Lorenzin, et al. Expires January 3, 2015 [Page 21]
Internet-Draft SACM Information Model Based On TNC July 2014
4.1.2.13. Provenance of Information
Each Posture Attribute, Event, Evaluation Result, and Report needs to
be labeled with its provenance (see section 3.1.6).
4.2. Graph Model for Detection of Posture Deviation
The following subsections contain examples of identifiers and
metadata which would enable detection of posture deviation. These
lists are by no means exhaustive - many other types of metadata would
be enumerated in a data model that fully addressed this usage
scenario.
4.2.1. Identifiers
To represent the objects listed above, the set of identifiers might
include (but is not limited to):
o Identity - a device itself, or a user operating a device,
categorized by type of credential (e.g. username or X.509
certificate [20])
o Software asset
o Network session
o Address - categorized by type of address (e.g. MAC address, IP
address, Host Identity Protocol (HIP) Host Identity Tag (HIT)
[26], etc.)
o Task - categorized by type of task (e.g. internal collection task,
external collection task, evaluation task, or reporting task)
o Result - categorized by type of result (e.g. evaluation result or
report)
o Policy
4.2.2. Metadata
To characterize the objects listed above, the set of metadata types
might include (but is not limited to):
o Authorization metadata attached to an identity identifier, or to a
link between a network session identifier and an identity
identifier, or to a link between a network session identifier and
an address identifier.
Lorenzin, et al. Expires January 3, 2015 [Page 22]
Internet-Draft SACM Information Model Based On TNC July 2014
o Location metadata attached to a link between a network session
identifier and an address identifier.
o Event metadata attached to an address identifier or an identity
identifier of an endpoint, which would be made available to
interested parties at the time of publication, but not stored
long-term. For example, an internal collection task associated
with an endpoint security service might publish policy violation
event metadata attached to the identity identifier of an endpoint
when a user disables required security software to notify
consumers of the change in endpoint state.
o Posture attribute metadata attached to an identity identifier of
an endpoint. For example, an internal collection task associated
with an endpoint security service might publish posture attribute
metadata attached to the identity identifier of an endpoint when
required security software is not running to notify consumers of
the current state of the endpoint.
4.2.3. Relationships between Identifiers and Metadata
Interaction between multiple sets of identifiers and metadata lead to
some fairly common patterns, or "constellations", of metadata. For
example, an authenticated-session metadata constellation might
include a central network session with authorizations and location
attached, and links to a user identity, an endpoint identity, a MAC
address, an IP address, and the identity of the policy server that
authorized the session, for the duration of the network session.
These constellations may be independent of each other, or one
constellation may be connected to another. For example, an
authenticated-session metadata constellation may be created when a
user connects an endpoint to the network; separately, an endpoint-
posture metadata constellation may be created when an endpoint
security system and other collection tasks gather and publish posture
information related to an endpoint. These two constellations are not
necessarily connected to each other, but may be joined if the
component publishing the authenticated-session metadata constellation
is able to link the network session identifier to the identity
identifier of the endpoint.
4.3. Workflow
The workflow for exchange of information supporting detection of
posture deviation, using a standard publish/subscribe/query transport
model such as available with IF-MAP [10] or XMPP-Grid [27], is as
follows:
Lorenzin, et al. Expires January 3, 2015 [Page 23]
Internet-Draft SACM Information Model Based On TNC July 2014
5. The analytics engine (Posture Assessment Information Consumer)
establishes connectivity and authorization with the transport
fabric, and subscribes to updates on posture deviations.
6. The endpoint security service (Posture Assessment Information
Provider) requests connection to the transport fabric.
7. Transport fabric authenticates and establishes authorized
privileges (e.g. privilege to publish and/or subscribe to security
data) for the requesting components.
8. The endpoint security service evaluates the endpoint, detects
posture deviation, and publishes information on the posture
deviation.
9. The transport fabric notifies the analytics engine, based on its
subscription of the new posture deviation information.
Other components, such as access control policy servers or
remediation systems, may also consume the posture deviation
information provided by the endpoint security service.
5. Security Considerations
The TNC IF-MAP Binding for SOAP [10] and TNC IF-MAP Metadata for
Network Security [11] document security considerations for sharing
information via security automation. Most, and possibly all, of
these considerations also apply to information shared via this
proposed information model.
6. IANA Considerations
This memo includes no requests to IANA.
7. Conclusion
The proposed SACM Information Model is designed to ensure
adaptability for changing networking environments, as well as
interoperability with a variety of transport protocols.
8. References
8.1. Informative References
[1] Trusted Computing Group, "TNC Architecture", Specification
Version 1.5, May 2012.
Lorenzin, et al. Expires January 3, 2015 [Page 24]
Internet-Draft SACM Information Model Based On TNC July 2014
[2] Trusted Computing Group, "TNC IF-M: TLV Binding", Specification
Version 1.0, May 2014.
[3] Trusted Computing Group, "TNC IF-TNCCS: TLV Binding",
Specification Version 2.0, May 2014.
[4] Trusted Computing Group, "TNC IF-T: Protocol Bindings for
Tunneled EAP Methods", Specification Version 2.0, May 2014.
[5] Trusted Computing Group, "TNC IF-T: Binding to TLS",
Specification Version 2.0, February 2013.
[6] Sangster, P. and K. Narayan, "PA-TNC: A Posture Attribute
Protocol (PA) Compatible with TNC", RFC 5792, March 2010.
[7] Sahita, R., Hanna, S., Hurst, R., and K. Narayanan, "PB-TNC: A
Posture Broker (PB) Protocol Compatible with Trusted Network
Connect (TNC)", RFC 5793, March 2010.
[8] Cam-Winget, N. and P. Sangster, "PT-EAP: Posture Transport (PT)
Protocol For Extensible Authentication Protocol (EAP) Tunnel
Methods", RFC 7171, April 2014.
[9] Sangster, P., Cam-Winget, N., and J. Salowey, "PT-TLS: A TCP-
based Posture Transport (PT) Protocol", RFC 6876, February
2013.
[10] Trusted Computing Group, "TNC IF-MAP Binding for SOAP",
Specification Version 2.2, March 2014.
[11] Trusted Computing Group, "TNC IF-MAP Metadata for Network
Security", Specification Version 1.1, May 2012.
[12] Trusted Computing Group, "TNC IF-MAP Metadata for ICS
Security", Specification Version 1.0, May 2014.
[13] W3C, "SOAP Version 1.2" Part 1: Messaging Framework (Second
Edition), April 2007.
[14] W3C, "RDF W3C, "RDF 1.1 Concepts and Abstract Syntax", version
1.1, February 2014.
[15] Bjorklund, M. (Editor), "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
October 2010.
Lorenzin, et al. Expires January 3, 2015 [Page 25]
Internet-Draft SACM Information Model Based On TNC July 2014
[16] Cam-Winget, N., Ford, B., Lorenzin, L., McDonald, I., and A.
Woland, "Secure Automation and Continuous Monitoring (SACM)
Architecture", draft-camwinget-sacm-architecture-00 (work in
progress), June 2014.
[17] Waltermire, D., and D. Harrington, "Endpoint Security Posture
Assessment - Enterprise Use Cases", draft-ietf-sacm-use-cases-
07 (work in progress), April 2014.
[18] Object Management Group, "Unified Modeling Language TM (UML
(R))", Version 2.4.1, August 2011.
[19] Waltermire, D., Montville, A., Harrington, D., and N. Cam-
Winget, "Terminology for Security Assessment", draft-ietf-sacm-
terminology-04 (work in progress), May 2014.
[20] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley,
R., and W. Polk, "Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL) Profile", RFC
5280, May 2008.
[21] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949,
August 2007.
[22] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.
Tardo, "Network Endpoint Assessment (NEA): Overview and
Requirements", RFC 5209, June 2008.
[23] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
"IEEE 802.1X Remote Authentication Dial In User Service
(RADIUS) Usage Guidelines", RFC 3580, September 2003.
[24] Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.
[25] Claise, B., "Cisco Systems NetFlow Services Export Version 9",
RFC 3954, October 2004.
[26] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson,
"Host Identity Protocol", RFC 5201, April 2008.
[27] Salowey, J. (Ed.), Lorenzin, L., Kahn, C., Pope, S., Appala,
S., and N. Cam-Winget, "XMPP Protocol Extensions for Use in
SACM Information Transport", draft-salowey-sacm-xmpp-grid-00
(work in progress), July 2014.
Lorenzin, et al. Expires January 3, 2015 [Page 26]
Internet-Draft SACM Information Model Based On TNC July 2014
9. Acknowledgments
The authors would like to acknowledge the contributions, authoring,
and/or editing of the following people: Syam Appala, Nancy Cam-
Winget, Jessica Fitzgerald-McKay, Steve Hanna, and Aaron Woland.
This document was prepared using 2-Word-v2.0.template.dot.
Lorenzin, et al. Expires January 3, 2015 [Page 27]
Internet-Draft SACM Information Model Based On TNC July 2014
Appendix A. Examples of TNC IF-MAP in Security Deployments
IF-MAP has been continually enhanced by the Trusted Computing Group,
culminating in the most recent version, IF-MAP 2.2, published in
March 2014. Vendors have been shipping IF-MAP enabled products since
2008 to provide an ecosystem that supports standardized, dynamic
security data interexchange among a wide variety of networking and
security components. IF-MAP has focused on providing a standardized
information model that can be utilized for data interoperability
between vendors.
IF-MAP has been deployed most commonly for:
o Seamless remote and local access control, providing single sign-on
for either initial access to a network, or remote access to a
network, coordinated with access control enforcement deeper in the
network
o Integration of physical and logical access control, so user
location obtained from a badge access system can be used as input
into a network access policy decision
o Usage of IF-MAP as a point of coordination for industrial control
system security, for policy enforcement and certificate lifecycle
management
o Leveraging IP address mappings to MAC addresses from DHCP servers
to enable network-based enforcement for MAC authenticated devices
o Integration of detailed behavioral information from threat sensors
-- such as IPS, endpoint profiling / behavior monitoring, and
network leak detection systems -- into network access control
policy decisions
Additional use cases explored include:
o A content management database (CMDB) receives notification of a
new device on the network -- perhaps via notification that a DHCP
server has assigned an IP address to a new MAC address -- and
scans the new endpoint, then updates its data store.
o A security administrator modifies an existing security policy, or
adds a new policy, and various policy servers / sensors are
notified, triggering a re-evaluation of the network's endpoints.
Lorenzin, et al. Expires January 3, 2015 [Page 28]
Internet-Draft SACM Information Model Based On TNC July 2014
o An application server publishes a request for bandwidth for a
particular user based on the service the user is accessing;
network infrastructure components change QoS settings for those
traffic flows based on that request.
o An analysis system determines that there's an attack underway; in
addition to triggering a response, it notifies security
administrators of the attack taking place, populating a dashboard
with information to create a "heat map" of the attack.
Lorenzin, et al. Expires January 3, 2015 [Page 29]
Internet-Draft SACM Information Model Based On TNC July 2014
Authors' Addresses
Cliff Kahn
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886
USA
Email: cliffordk@juniper.net
Lisa Lorenzin
Juniper Networks, Inc.
3614 Laurel Creek Way
Durham, NC 27712
USA
Email: llorenzin@juniper.net
Steven Venema
The Boeing Company
PO Box 3707, MC 4C-77
Seattle, WA 98124-2207
Email: steven.c.venema@boeing.com
Scott Pope
Cisco Systems
5400 Meadows Road
Suite 300
Lake Oswego, OR 97035
USA
Email: scottp@cisco.com
Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
64295 Darmstadt
Germany
Email: henk.birkholz@sit.fraunhofer.de
Lorenzin, et al. Expires January 3, 2015 [Page 30]