Posture Assessment Through Posture Information Collection Discussion Scope
draft-waltermire-panic-scope-01

Abstract

This document defines an intended discussion scope for the non-working group posture assessment through network information collection (PANIC) non-WG discussion list.

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

Network operators need to know what is connected to their organization's networks so that they can properly manage those endpoints. Endpoint management requires access to endpoint posture information, including endpoint identity, the identity of software installed on the endpoint, and the configuration of the endpoint. This information can be collected from different classes of endpoints over different protocols and using different data models. PANIC will identify a standardized solution to collect posture information for network devices, and allow that information to be shared with authorized users and devices on the network supporting security automation.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. Components

PANIC components

------------            
| Network  |----------
|  Device  |         |          
------------   ------------        
               | Posture  |    ________
               |  Server  |---/        \
------------   ------------   |  Data  |                
| Network  |         |        | Store  |
|  Device  |----------        \________/
------------

Figure 1

4. PANIC Solution Requirements

The solution will meet the following requirements:

Data Push Functionality:: Network devices will push information to a designated location. Data pushes will be event driven. PANIC will identify what data should be pushed from the network device, and what events will trigger a push.
Data Pull Functionality:: A Posture Server will pull information from a network device. Data pulls will be driven by requests to the server. PANIC will identify what data should be pulled from the network device, and how requests for the server to pull will be made.
Secure Transport of Data:: Data between the network device and the Posture Server will be protected in transit by a protocol that provides authorization and authentication. PANIC will identify the protocols that can be used for transport of posture information.
Secure Storage of Data:: Network device data reported to a posture server will be stored in a data repository. This data can be used to support numerous security functions on the network; therefore, this repository should be accessible by (and only by) authorized users and devices. PANIC will identify requirements for a centralized data repository.
Information Requirements for Network Device Management:: PANIC will identify a minimal set of information necessary to manage network devices and to support network security functions including configuration and vulnerability management. Additional information may also be used through extension mechanisms identified by PANIC.
Standardized Data Model:: Network device data will be expressed in a standardized data model that enables use and reuse of the data. PANIC will identify available data models for the expression of required information and the models used for a given exchange of posture.

Note: Use of [RFC2119] text is omitted at this point. More discussion is needed around these requirements.

5. IANA Considerations

This memo includes no request to IANA.

6. Security Considerations

The solution described by this document provides a mechanism to gather network device posture into a centralized datastore. Discussion is needed here about the need to protect such an information collection from unauthorized access or disclosure. Discussion is also needed here about privacy considerations around how the endpoint devices are identified when posture is gathered.

7. Normative References

[RFC2119]

Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

Authors' Addresses

David Waltermire National Institute of Standards and Technology 100 Bureau Drive Gaithersburg, Maryland 20877 USA EMail: david.waltermire@nist.gov

Jessica Fitzgerald-McKay Department of Defense 9800 Savage Road Ft. Meade, Maryland USA EMail: jmfitz2@nsa.gov