Internet Engineering Task Force (IETF) N. Cam-Winget
Request for Comments: 8248 Cisco Systems
Category: Informational L. Lorenzin
ISSN: 2070-1721 Pulse Secure
September 2017
Internet Engineering Task Force (IETF) N. Cam-Winget
Request for Comments: 8248 Cisco Systems
Category: Informational L. Lorenzin
ISSN: 2070-1721 Pulse Secure
September 2017
Security Automation and Continuous Monitoring (SACM) Requirements
安全自动化和连续监控(SACM)要求
Abstract
摘要
This document defines the scope and set of requirements for the Security Automation and Continuous Monitoring (SACM) architecture, data model, and transfer protocols. The requirements and scope are based on the agreed-upon use cases described in RFC 7632.
本文件定义了安全自动化和连续监控(SACM)体系结构、数据模型和传输协议的范围和要求集。需求和范围基于RFC 7632中描述的商定用例。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8248.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8248.
Copyright Notice
版权公告
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2017 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Requirements for SACM . . . . . . . . . . . . . . . . . . 4
2.2. Requirements for the Architecture . . . . . . . . . . . . 7
2.3. Requirements for the Information Model . . . . . . . . . 9
2.4. Requirements for the Data Model . . . . . . . . . . . . . 10
2.5. Requirements for Data Model Operations . . . . . . . . . 12
2.6. Requirements for SACM Transfer Protocols . . . . . . . . 14
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
4. Security Considerations . . . . . . . . . . . . . . . . . . . 15
4.1. Trust between Provider and Requestor . . . . . . . . . . 16
4.2. Privacy Considerations . . . . . . . . . . . . . . . . . 17
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Normative References . . . . . . . . . . . . . . . . . . 18
5.2. Informative References . . . . . . . . . . . . . . . . . 18
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Requirements for SACM . . . . . . . . . . . . . . . . . . 4
2.2. Requirements for the Architecture . . . . . . . . . . . . 7
2.3. Requirements for the Information Model . . . . . . . . . 9
2.4. Requirements for the Data Model . . . . . . . . . . . . . 10
2.5. Requirements for Data Model Operations . . . . . . . . . 12
2.6. Requirements for SACM Transfer Protocols . . . . . . . . 14
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
4. Security Considerations . . . . . . . . . . . . . . . . . . . 15
4.1. Trust between Provider and Requestor . . . . . . . . . . 16
4.2. Privacy Considerations . . . . . . . . . . . . . . . . . 17
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Normative References . . . . . . . . . . . . . . . . . . 18
5.2. Informative References . . . . . . . . . . . . . . . . . 18
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
Today's environment of rapidly evolving security threats highlights the need to automate the sharing of security information (such as posture information) while protecting user information and the systems that store, process, and transmit this information. Security threats can be detected in a number of ways. The Security Automation and Continuous Monitoring (SACM) charter focuses on how to collect and share this information based on use cases that involve posture assessment of endpoints.
当今快速演变的安全威胁环境突出表明,需要自动共享安全信息(如姿态信息),同时保护用户信息以及存储、处理和传输这些信息的系统。可以通过多种方式检测安全威胁。安全自动化和持续监控(SACM)宪章关注如何根据涉及端点姿势评估的用例收集和共享这些信息。
Scalable and sustainable collection, expression, and evaluation of endpoint information is foundational to SACM's objectives. To secure and defend a network, one must reliably determine what devices are on the network, how those devices are configured from a hardware perspective, what software products are installed on those devices, and how those products are configured. We need to be able to determine, share, and use this information in a secure, timely, consistent, and automated manner to perform endpoint posture assessments.
端点信息的可扩展和可持续的收集、表达和评估是SACM目标的基础。为了保护网络安全,必须可靠地确定网络上有哪些设备,从硬件角度如何配置这些设备,在这些设备上安装了哪些软件产品,以及如何配置这些产品。我们需要能够以安全、及时、一致和自动化的方式确定、共享和使用这些信息,以执行终点姿势评估。
This document focuses on describing the requirements for facilitating the exchange of posture assessment information in the enterprise, in particular, for the use cases as exemplified in [RFC7632].
本文件重点描述了促进企业中姿势评估信息交换的要求,特别是[RFC7632]中举例说明的用例。
As proposals are evaluated for SACM standardization, the documents describing each proposal are expected to include a section that describes how the enumerated requirements are addressed.
在对SACM标准化的提案进行评估时,描述每个提案的文件应包括一节,描述如何满足列举的要求。
This document uses terminology defined in [TERMS].
本文件使用[术语]中定义的术语。
Use of each capitalized word within a sentence or phrase carries the following meaning during the SACM WG's protocol selection process:
在SACM工作组的协议选择过程中,在句子或短语中使用每个大写单词具有以下含义:
MUST - indicates an absolute requirement
必须-表示绝对要求
MUST NOT - indicates something absolutely prohibited
不得-表示绝对禁止的内容
SHOULD - indicates a strong recommendation of a desired result
应该-表示对预期结果的强烈建议
SHOULD NOT - indicates a strong recommendation against a result
不应该-表示强烈反对结果的建议
MAY - indicates a willingness to allow an optional outcome
可能-表示允许可选结果的意愿
When the words appear in lower case, their natural language meaning is used.
当单词以小写形式出现时,使用其自然语言含义。
This document defines requirements based on the SACM use cases described in [RFC7632]. This section describes the requirements used by SACM to assess and compare candidate data models, interfaces, and protocols. These requirements express characteristics or features that a candidate protocol, information model, or data model must be capable of offering to ensure security and interoperability.
本文件根据[RFC7632]中描述的SACM用例定义了需求。本节描述了SACM用于评估和比较候选数据模型、接口和协议的需求。这些需求表示候选协议、信息模型或数据模型必须能够提供的特征或特性,以确保安全性和互操作性。
Multiple data models, protocols, and transfers may be employed in a SACM environment. A SACM transfer protocol is one that runs on top of transport-layer protocols such as TCP/IP or internet-layer protocols such as HTTP, carries operations (requests/responses), and moves data.
在SACM环境中可以采用多种数据模型、协议和传输。SACM传输协议是运行在传输层协议(如TCP/IP)或互联网层协议(如HTTP)之上的传输协议,承载操作(请求/响应)并移动数据。
SACM will define an architecture and information model focused on addressing the needs for determining, sharing, and using posture information securely via posture information providers and posture information consumers. With the information model defining assets and attributes to facilitate the guidance, collection, and assessment of posture, tasks that should be considered include:
SACM将定义一个架构和信息模型,重点解决通过姿势信息提供者和姿势信息消费者安全确定、共享和使用姿势信息的需求。通过信息模型定义资产和属性,以便于指导、收集和评估姿势,应考虑的任务包括:
1. Asset Classification: Map the target endpoint and/or the assets on the target endpoints to asset classes. This enables
1. 资产分类:将目标端点和/或目标端点上的资产映射到资产类。这使得
identification of the attributes needed to exchange information pertaining to the target endpoint.
标识交换与目标端点有关的信息所需的属性。
2. Attribute Definition: Define the attributes desired to be collected from each target endpoint. For instance, organizations will want to know what software is installed and its critical security attributes such as patch level.
2. 属性定义:定义要从每个目标端点收集的属性。例如,组织将希望知道安装了什么软件及其关键安全属性,如补丁级别。
3. Policy Definition: This is where an organization can express its policy for acceptable or problematic values of an endpoint attribute. The expected values of an endpoint attribute are determined for later comparison against the actual endpoint attribute values during the evaluation process. Expected values may include both values that are good as well as values that represent problems, such as vulnerabilities. The organization can also specify the endpoint attributes that are to be present for a given target endpoint.
3. 策略定义:在这里,组织可以针对端点属性的可接受或有问题的值表达其策略。将确定端点属性的预期值,以便在评估过程中与实际端点属性值进行比较。预期值可能包括良好值和表示问题的值,如漏洞。组织还可以指定给定目标端点的端点属性。
4. Information Collection: Collect information (attribute values) from the target endpoint to populate the endpoint data.
4. 信息收集:从目标端点收集信息(属性值)以填充端点数据。
5. Endpoint Assessment: Evaluate the actual values of the endpoint attributes against those expressed in the policy. (An evaluation result may become additional endpoint data.)
5. 端点评估:根据策略中表示的端点属性值评估端点属性的实际值。(评估结果可能成为附加端点数据。)
6. Result Reporting: Report the results of the evaluation for use by other components. Examples of the use of a report would be additional evaluation, network enforcement, vulnerability detection, and license management.
6. 结果报告:报告评估结果,供其他组件使用。使用报告的示例包括附加评估、网络实施、漏洞检测和许可证管理。
Many deployment scenarios can be instantiated to address the above tasks and the use cases defined in [RFC7632]. To ensure interoperability, scalability, and flexibility in any of these deployments, the following requirements are defined for proposed SACM standards:
可以实例化许多部署场景,以解决上述任务和[RFC7632]中定义的用例。为确保这些部署中的互操作性、可扩展性和灵活性,为拟议的SACM标准定义了以下要求:
G-001 (Solution Extensibility): The information model, data models, protocols, and transfers defined by SACM MUST be designed to allow support for future extensions. SACM MUST allow for both standardized and proprietary extensions.
G-001(解决方案扩展性):SACM定义的信息模型、数据模型、协议和传输必须设计为支持未来的扩展。SACM必须允许标准化和专有扩展。
1. The information model and programmatic interfaces (see G-012 for one example) MUST support the ability to add new operations while maintaining backwards compatibility. SACM-defined transfer protocols MUST have extensibility to allow them to transfer operations that are defined in the future.
1. 信息模型和编程接口(例如,参见G-012)必须支持在保持向后兼容性的同时添加新操作的能力。SACM定义的传输协议必须具有可扩展性,以允许它们传输将来定义的操作。
2. The query language MUST allow for general inquiries as well as expression of specific attributes or relationships between attributes; the retrieval of specific information based on an event or on a continuous basis; and the ability to retrieve specific pieces of information, specific types or classes of information, or the entirety of available information.
2. 查询语言必须允许一般查询以及特定属性或属性之间关系的表达;基于事件或持续的基础上检索特定信息;以及检索特定信息片段、特定类型或类别的信息或全部可用信息的能力。
3. The information model MUST accommodate the interoperable addition of new data types and/or schemas.
3. 信息模型必须适应新数据类型和/或模式的互操作添加。
G-002 (Interoperability): The data models, protocols, and transports MUST be specified with enough details to ensure interoperability.
G-002(互操作性):必须详细说明数据模型、协议和传输,以确保互操作性。
G-003 (Scalability): SACM needs to support a broad set of deployment scenarios. The data models, protocols, and transports have to be scalable unless they are specifically defined to apply to a special-purpose scenario, such as constrained devices. A SACM transfer protocol standard SHOULD include a section on scalability considerations that addresses the number of endpoints and amount of information to which it can reasonably be expected to scale. Scalability must be addressed to support:
G-003(可伸缩性):SACM需要支持广泛的部署场景。数据模型、协议和传输必须是可伸缩的,除非它们被专门定义为应用于特殊用途场景,例如受约束的设备。SACM传输协议标准应包括一个关于可伸缩性考虑的部分,该部分解决了端点的数量和它可以合理地扩展到的信息量。必须解决可扩展性问题,以支持:
* Large messages: It is possible that the size of posture assessment information can vary from a single assessment that is small in size to a very large message or a very large set of assessments (up to multiple gigabytes in size).
* 大消息:姿势评估信息的大小可能会有所不同,从一个较小的评估到一个非常大的消息或一组非常大的评估(最大可达数GB)。
* Large number of messages per second: A deployment may involve many rapid or simultaneous events that require processing, generating many messages per second.
* 每秒大量消息:部署可能涉及许多需要处理的快速或同时发生的事件,每秒生成许多消息。
* Large number of providers and consumers: A deployment may consist of a very large number of endpoints requesting and/or producing posture assessment information.
* 大量提供者和使用者:部署可能包括大量端点,请求和/或生成姿势评估信息。
* Large number of target endpoints: A deployment may be managing information of a very large number of target endpoints.
* 大量目标端点:部署可能正在管理大量目标端点的信息。
G-004 (Versatility): The data model, protocols, and transports must be suitably specified to enable implementations to fit into different deployment models and scenarios, including considerations for implementations of data models and transports operating in constrained environments. Separate solutions may be necessary to meet the needs of specific deployment models and scenarios.
G-004(通用性):必须适当指定数据模型、协议和传输,以使实现适应不同的部署模型和场景,包括在受限环境中运行的数据模型和传输的实现注意事项。可能需要单独的解决方案来满足特定部署模型和场景的需要。
G-005 (Information Extensibility): Non-standard (implementation-specific) attributes MUST be supported. A method SHOULD be defined for preventing collisions from occurring in the naming of all
G-005(信息扩展性):必须支持非标准(特定于实现的)属性。应定义一种方法,以防止在命名所有对象时发生冲突
attributes independent of their source. For interoperability and scope boundary, the information model MUST define the mandatory set of attributes.
独立于其源的属性。对于互操作性和范围边界,信息模型必须定义必需的属性集。
G-006 (Data Protection): To protect the information being shared, SACM components MUST protect the integrity and confidentiality of data in transit (end to end) and data at rest (as information is stored in repositories). Mechanisms for this protection are unspecified but should include industry best practices. These mechanisms are required to be available (i.e., all data-handling components must support them) but are not required to be used in all cases.
G-006(数据保护):为了保护共享的信息,SACM组件必须保护传输数据(端到端)和静止数据(信息存储在存储库中)的完整性和机密性。这种保护机制尚未明确,但应包括行业最佳实践。这些机制需要可用(即,所有数据处理组件都必须支持它们),但并非所有情况下都需要使用。
G-007 (Data Partitioning): A method for partitioning data MUST be supported to accommodate considerations such as geographic, regulatory, operational requirements, overlay boundaries, and federation (where the data may be collected in multiple locations and either centralized or kept in the local region). Where replication of data is supported, it is required that methods exist to prevent update loops.
G-007(数据分区):必须支持对数据进行分区的方法,以适应地理、监管、运营要求、覆盖边界和联邦(其中数据可以在多个位置收集,或者集中或保存在本地区)等因素。在支持数据复制的情况下,需要存在防止更新循环的方法。
G-008 (Versioning and Backward Compatibility): Announcement and negotiation of versions, inclusive of existing capabilities (such as transfer protocols, data models, specific attributes within data models, standard attribute expression sets, etc.) MUST be supported. Negotiation for both versioning and capabilities is needed to accommodate future growth and ecosystems with mixed capabilities.
G-008(版本控制和向后兼容性):必须支持发布和协商版本,包括现有功能(如传输协议、数据模型、数据模型内的特定属性、标准属性表达式集等)。需要就版本控制和功能进行协商,以适应未来的增长和具有混合功能的生态系统。
G-009 (Information Discovery): There MUST be mechanisms for components to discover what information is available across the ecosystem (i.e., a method for cataloging data available in the ecosystem and advertising it to consumers), where to go to get a specific piece of that information (i.e., which provider has the information), and what schemas are in use for organizing the information. For example, a method can be provided by which a node can locate the advertised information so that consumers are not required to have a priori knowledge to find available information.
G-009(信息发现):组件必须有机制来发现整个生态系统中可用的信息(即,对生态系统中可用的数据进行编目并向消费者公布的方法),从何处获取特定的信息(即,哪个提供商拥有该信息),以及用于组织信息的模式。例如,可以提供一种方法,通过该方法,节点可以定位广告信息,使得消费者不需要先验知识来查找可用信息。
G-010 (Target Endpoint Discovery): SACM MUST define the means by which target endpoints may be discovered. The use case in Section 2.1.2 of [RFC7632] describes the need to discover endpoints and their composition.
G-010(目标端点发现):SACM必须定义发现目标端点的方法。[RFC7632]第2.1.2节中的用例描述了发现端点及其组成的需要。
G-011 (Push and Pull Access): Three methods of data access MUST be supported: a Pull model, a solicited Push model, and an unsolicited Push model. All of the methods of data access MUST support the ability for the initiator to filter the set of posture assessment information to be delivered. Additionally, the provider of the
G-011(推式和拉式访问):必须支持三种数据访问方法:拉式模型、请求式推式模型和非请求式推式模型。所有的数据访问方法都必须支持发起者过滤要传递的姿势评估信息集的能力。此外,服务的提供者
information MUST be able to filter the set of posture assessment information based on the permissions of the recipient. This requirement is driven by the use cases in Sections 2.1.3 and 2.1.4 of [RFC7632].
信息必须能够根据接收者的权限过滤姿势评估信息集。该要求由[RFC7632]第2.1.3节和第2.1.4节中的用例驱动。
G-012 (SACM Component Interface): The interfaces by which SACM components communicate to share endpoint posture information MUST be well defined. That is, the interface defines the data model, SACM transfer protocols, and network transfer protocols to enable SACM components to communicate.
G-012(SACM组件接口):必须明确定义SACM组件通信以共享端点姿态信息的接口。也就是说,接口定义了数据模型、SACM传输协议和网络传输协议,以使SACM组件能够通信。
G-013 (Endpoint Location and Network Topology): The SACM architecture and interfaces MUST allow for the target endpoint (network) location and network topology to be modeled and understood. Where appropriate, the data model and the interfaces SHOULD allow for discovery of the target endpoint location, network topology, or both.
G-013(端点位置和网络拓扑):SACM架构和接口必须允许对目标端点(网络)位置和网络拓扑进行建模和理解。在适当的情况下,数据模型和接口应允许发现目标端点位置、网络拓扑或两者。
G-014 (Target Endpoint Identity): The SACM architecture and interfaces MUST support the ability of components to provide attributes that can be used to compose an identity for a target endpoint. These identities MAY be composed of attributes from one or more SACM components.
G-014(目标端点标识):SACM体系结构和接口必须支持组件提供可用于构成目标端点标识的属性的能力。这些标识可能由一个或多个SACM组件的属性组成。
G-015 (Data Access Control): Methods of access control must be supported to accommodate considerations such as geographic, regulatory, operational, and federations. Entities accessing or publishing data MUST identify themselves and pass access policy.
G-015(数据访问控制):必须支持访问控制方法,以适应地理、监管、运营和联邦等方面的考虑。访问或发布数据的实体必须标识自己并通过访问策略。
Following are the requirements for the SACM architecture:
以下是SACM体系结构的要求:
ARCH-001 (Component Functions): At the simplest abstraction, the SACM architecture MUST represent the core components and interfaces needed to perform the production and consumption of posture assessment information.
ARCH-001(组件功能):在最简单的抽象中,SACM体系结构必须表示生成和使用姿势评估信息所需的核心组件和接口。
ARCH-002 (Scalability): The architectural components MUST account for a range of deployments, from very small sets of endpoints to very large deployments.
ARCH-002(可伸缩性):体系结构组件必须考虑一系列部署,从非常小的端点集到非常大的部署。
ARCH-003 (Flexibility): The architectural components MUST account for different deployment scenarios where the architectural components may be implemented, deployed, or used within a single application, service, or network, or may comprise a federated system.
ARCH-003(灵活性):体系结构组件必须考虑不同的部署场景,其中体系结构组件可以在单个应用程序、服务或网络中实现、部署或使用,也可以包含联邦系统。
ARCH-004 (Separation of Data and Management Functions): SACM MUST define both the configuration and management of the SACM data models and protocols used to transfer and share posture assessment information.
ARCH-004(数据和管理功能分离):SACM必须定义用于传输和共享姿势评估信息的SACM数据模型和协议的配置和管理。
ARCH-005 (Topology Flexibility): Both centralized and decentralized (peer-to-peer) information exchange MUST be supported. Centralized data exchange enables use of a common data format to bridge together data exchange between diverse systems and can leverage a virtual data store that centralizes and offloads all data access, storage, and maintenance to a dedicated resource. Decentralized data exchange enables simplicity of sharing data between relatively uniform systems and between small numbers of systems, especially within a single enterprise domain. The fact that a centralized or decentralized deployment is used SHOULD be invisible to a consumer. However, there may be cases where the producer chooses to include that information due to consumer preference.
ARCH-005(拓扑灵活性):必须支持集中式和分散式(对等)信息交换。集中式数据交换允许使用通用数据格式来连接不同系统之间的数据交换,并可以利用虚拟数据存储,将所有数据访问、存储和维护集中并卸载到专用资源。分散的数据交换使得在相对统一的系统之间和少量系统之间共享数据变得简单,特别是在单个企业域内。使用集中式或分散式部署的事实对于使用者来说应该是不可见的。然而,在某些情况下,由于消费者的偏好,生产商可能会选择包含该信息。
ARCH-006 (Capability Negotiation): Announcement and negotiation of functional capabilities (such as authentication protocols, authorization schemes, data models, transfer protocols, etc.) MUST be supported, enabling a SACM component to make inquiries about the capabilities of other components in the SACM ecosystem.
ARCH-006(能力协商):必须支持功能能力(如认证协议、授权方案、数据模型、传输协议等)的宣布和协商,使SACM组件能够查询SACM生态系统中其他组件的能力。
ARCH-007 (Role-Based Authorization): The SACM architecture MUST be capable of effecting role-based authorization. Distinction of endpoints capable of and authorized to provide or consume information is required to address appropriate access controls.
ARCH-007(基于角色的授权):SACM体系结构必须能够实现基于角色的授权。需要区分能够并有权提供或使用信息的端点,以解决适当的访问控制问题。
ARCH-008 (Context-Based Authorization): The SACM architecture MUST be capable of effecting context-based authorization. Different policies (e.g., business, regulatory, etc.) might specify what data may be exposed to, or shared by, consumers based on one or more attributes of the consumer. The policy might specify that consumers are required to share specific information either back to the system or to administrators.
ARCH-008(基于上下文的授权):SACM体系结构必须能够实现基于上下文的授权。不同的策略(例如,业务、监管等)可能会根据消费者的一个或多个属性指定哪些数据可能向消费者公开或由消费者共享。策略可能会指定要求使用者将特定信息共享回系统或管理员。
ARCH-009 (Time Synchronization): Actions or decisions based on time-sensitive data (such as user logon/logoff, endpoint connection/ disconnection, endpoint behavior events, etc.) are all predicated on a synchronized understanding of time. The SACM architecture MUST provide a mechanism for all components to synchronize time. A mechanism for detecting and reporting time discrepancies SHOULD be provided by the architecture and reflected in the information model.
ARCH-009(时间同步):基于时间敏感数据(如用户登录/注销、端点连接/断开、端点行为事件等)的操作或决策都基于对时间的同步理解。SACM体系结构必须为所有组件提供同步时间的机制。架构应提供检测和报告时间差异的机制,并反映在信息模型中。
The SACM information model represents the abstracted representation for posture assessment information to be communicated. SACM data models must adhere to and comply with the SACM information model. The requirements for the SACM information model include:
SACM信息模型表示要传达的姿势评估信息的抽象表示。SACM数据模型必须遵守SACM信息模型。SACM信息模型的要求包括:
IM-001 (Extensible Attribute Vocabulary): The information model MUST define a minimum set of attributes for communicating posture information, to ensure interoperability between data models. (Individual data models may define attributes beyond the mandatory-to-implement minimum set.) The attributes should be defined with a clear mechanism for extensibility to enable data models to adhere to SACM's required attributes as well as allow for their own extensions. The attribute vocabulary should be defined with a clear mechanism for extensibility to enable future versions of the information model to be interoperably expanded with new attributes.
IM-001(可扩展属性词汇表):信息模型必须定义用于传达姿势信息的最小属性集,以确保数据模型之间的互操作性。(单个数据模型可以定义超出强制实现最小集的属性。)应使用明确的可扩展性机制定义属性,以使数据模型能够遵守SACM所需的属性,并允许其自身的扩展。属性词汇表应定义为具有明确的可扩展性机制,以使信息模型的未来版本能够使用新属性进行互操作扩展。
IM-002 (Posture Data Publication): The information model MUST allow for the data to be provided by a SACM component either solicited or unsolicited. No aspect of the information model should be dependent upon or assume a Push or Pull model of publication.
IM-002(姿态数据发布):信息模型必须允许SACM组件提供请求或非请求的数据。信息模型的任何方面都不应依赖于或假定发布的推式或拉式模型。
IM-003 (Data Model Negotiation): SACM's information model MUST allow support for different data models, data model versions, and different versions of the operations on the data models and transfer protocols. The SACM information model MUST include the ability to discover and negotiate the use of a particular data model or any data model.
IM-003(数据模型协商):SACM的信息模型必须允许支持不同的数据模型、数据模型版本以及数据模型和传输协议上操作的不同版本。SACM信息模型必须包括发现和协商使用特定数据模型或任何数据模型的能力。
IM-004 (Data Model Identification): The information model MUST provide a means to uniquely identify each data model. The identifier MUST contain both an identifier of the data model and a version indicator for the data model. The identifiers SHOULD be decomposable so that a customer can query for any version of a specific data model and compare returned values for older or newer than a desired version.
IM-004(数据模型标识):信息模型必须提供唯一标识每个数据模型的方法。标识符必须同时包含数据模型的标识符和数据模型的版本指示器。标识符应该是可分解的,以便客户可以查询特定数据模型的任何版本,并比较返回的值是否比所需版本旧或新。
IM-005 (Data Lifetime Management): The information model MUST provide a means to allow data models to include data lifetime management. The information model must identify attributes that can allow data models to, at minimum, identify the data's origination time and expected time of next update or data longevity (how long the data should be assumed to still be valid).
IM-005(数据生命周期管理):信息模型必须提供允许数据模型包括数据生命周期管理的方法。信息模型必须确定一些属性,这些属性允许数据模型至少确定数据的起始时间和下一次更新的预期时间或数据寿命(假定数据仍然有效的时间)。
IM-006 (Singularity and Modularity): The SACM information model MUST be singular (i.e., there is only one information model, not multiple alternative information models from which to choose) and MAY be
IM-006(单一性和模块性):SACM信息模型必须是单一的(即,只有一个信息模型,没有多个可供选择的替代信息模型),并且可以
modular (a conjunction of several subcomponents) for ease of maintenance and extension. For example, endpoint identification could be an independent subcomponent of the information model, to simplify updating of endpoint identification attributes.
模块化(多个子组件的组合),便于维护和扩展。例如,端点标识可以是信息模型的独立子组件,以简化端点标识属性的更新。
The SACM information model represents an abstraction for "what" information can be communicated and "how" it is to be represented and shared. It is expected that as applications may produce posture assessment information, they may share it using a specific data model. Similarly, applications consuming or requesting posture assessment information may require that it be based on a specific data model. Thus, while there may exist different data models and schemas, they should adhere to the SACM information model and meet the requirements defined in this section.
SACM信息模型表示“什么”信息可以交流以及“如何”表示和共享的抽象。由于应用程序可能会生成姿势评估信息,因此可以使用特定的数据模型共享这些信息。类似地,使用或请求姿势评估信息的应用程序可能要求它基于特定的数据模型。因此,虽然可能存在不同的数据模型和模式,但它们应遵循SACM信息模型并满足本节中定义的要求。
The specific requirements for candidate data models include:
候选数据模型的具体要求包括:
DM-001 (Element Association): A SACM information model consists of a set of SACM information model elements. A SACM data model MUST be derived from the SACM information model. A SACM data model consists of a set of SACM data model elements. In this derivation, a SACM data model element MAY map to one or more SACM information model elements. In addition, a SACM data model MAY include additional data model elements that are not associated with any SACM information model elements.
DM-001(元素关联):SACM信息模型由一组SACM信息模型元素组成。SACM数据模型必须从SACM信息模型派生。SACM数据模型由一组SACM数据模型元素组成。在此推导中,SACM数据模型元素可以映射到一个或多个SACM信息模型元素。此外,SACM数据模型可包括与任何SACM信息模型元素不关联的附加数据模型元素。
DM-002 (Data Model Structure): The data model can be structured either as one single module or separated into modules and submodules that allow for references between them. The data model structure MAY reflect structure in the information model but does not need to. For example, the data model might use one module to define endpoints, and that module might reference other modules that describe the various assets associated with the endpoint. Constraints and interfaces might further be defined to resolve or tolerate ambiguity in the references (e.g., the same IP address used in two separate networks).
DM-002(数据模型结构):数据模型可以作为单个模块进行结构设计,也可以分为模块和子模块,以便在模块和子模块之间进行引用。数据模型结构可以反映信息模型中的结构,但不需要。例如,数据模型可能使用一个模块来定义端点,该模块可能引用描述与端点关联的各种资产的其他模块。可以进一步定义约束和接口,以解决或容忍引用中的歧义(例如,两个独立网络中使用的相同IP地址)。
DM-003 (Search Flexibility): The search interfaces and actions MUST include the ability to start a search anywhere within a data model structure and the ability to search based on patterns ("wildcard searches") as well as specific data elements.
DM-003(搜索灵活性):搜索接口和操作必须包括在数据模型结构中的任何位置启动搜索的能力,以及基于模式(“通配符搜索”)和特定数据元素进行搜索的能力。
DM-004 (Full vs. Partial Updates): The data model SHOULD include the ability to allow providers of data to provide the data as a whole or when updates occur. For example, a consumer can request a full update on initial engagement, then request to receive deltas
DM-004(完全更新与部分更新):数据模型应包括允许数据提供者提供整体数据或在更新发生时提供数据的能力。例如,消费者可以请求初始约定的完整更新,然后请求接收增量
(updates containing only the changes since the last update) on an ongoing basis as new data is generated.
(仅包含自上次更新以来的更改的更新)在生成新数据时持续更新。
DM-005 (Loose Coupling): The data model SHOULD allow for a loose coupling between the provider and the consumer, such that the consumer can request information without being required to request it from a specific provider, and a provider can publish information without having a specific consumer targeted to receive it.
DM-005(松耦合):数据模型应允许提供商和消费者之间的松耦合,这样消费者可以请求信息,而无需向特定提供商请求信息,提供商可以发布信息,而无需特定消费者接收信息。
DM-006 (Data Cardinality): The data model MUST describe their constraints (e.g., cardinality). As posture information and the tasks for collection, aggregation, or evaluation could comprise one or more attributes, interfaces and actions MUST allow and account for such cardinality and for conditional, optional, or mandatory attributes.
DM-006(数据基数):数据模型必须描述其约束(例如基数)。由于姿势信息和用于收集、聚合或评估的任务可能包含一个或多个属性,因此接口和操作必须允许并考虑此类基数以及条件、可选或强制性属性。
DM-007 (Data Model Negotiation): The interfaces and actions in the data model MUST include capability negotiation to enable discovery of supported and available data types and schemas.
DM-007(数据模型协商):数据模型中的接口和操作必须包括能力协商,以便能够发现支持的和可用的数据类型和模式。
DM-008 (Data Origin): The data model MUST include the ability for consumers to identify the data origin (provider that collected the data).
DM-008(数据来源):数据模型必须包括消费者识别数据来源(收集数据的提供者)的能力。
DM-009 (Origination Time): The data model SHOULD allow the provider to include the information's origination time.
DM-009(起始时间):数据模型应允许提供者包括信息的起始时间。
DM-010 (Data Generation): The data model MUST allow the provider to include attributes defining how the data was generated (e.g., self-reported, reported by aggregator, scan result, etc.).
DM-010(数据生成):数据模型必须允许提供者包含定义数据生成方式的属性(例如,自报告、聚合器报告、扫描结果等)。
DM-011 (Data Source): The data model MUST allow the provider to include attributes identifying the data source (target endpoint from which the data was collected), e.g., hostname, domain (DNS) name, or application name.
DM-011(数据源):数据模型必须允许提供程序包含标识数据源(从中收集数据的目标端点)的属性,例如主机名、域(DNS)名称或应用程序名称。
DM-012 (Data Updates): The data model SHOULD allow the provider to include attributes defining whether the information provided is a delta, partial, or full set of information.
DM-012(数据更新):数据模型应允许提供者包括定义所提供信息是增量、部分还是完整信息集的属性。
DM-013 (Multiple Collectors): The data model MUST support the collection of attributes by a variety of collectors, including internal collectors, external collectors with an authenticated relationship with the endpoint, and external collectors based on network and other observers.
DM-013(多个采集器):数据模型必须支持各种采集器的属性收集,包括内部采集器、与端点具有身份验证关系的外部采集器以及基于网络和其他观察者的外部采集器。
DM-014 (Attribute Extensibility): All of the use cases in Section 2 of [RFC7632] describe the need for an attribute dictionary. With
DM-014(属性扩展性):[RFC7632]第2节中的所有用例都描述了对属性字典的需求。具有
SACM's scope focused on posture assessment, the data model attribute collection and aggregation MUST have a well-understood set of attributes inclusive of their meaning or usage intent. The data model MUST include all attributes defined in the information model and MAY include additional attributes beyond those found in the information model. Additional attributes MUST be defined in accordance with the extensibility framework provided in the information model (see IM-001).
SACM的范围集中于姿势评估,数据模型属性收集和聚合必须具有一组充分理解的属性,包括其含义或使用意图。数据模型必须包括信息模型中定义的所有属性,并且可能包括信息模型中定义属性之外的其他属性。必须根据信息模型中提供的扩展性框架定义附加属性(见IM-001)。
DM-015 (Solicited vs. Unsolicited Updates): The data model MUST enable a provider to publish data either solicited (in response to a request from a consumer) or unsolicited (as new data is generated, without a request required). For example, an external collector can publish data in response to a request by a consumer for information about an endpoint, or it can publish data as it observes new information about an endpoint, without any specific consumer request triggering the publication; a compliance-server provider may publish endpoint posture information in response to a request from a consumer (solicited), or it may publish posture information driven by a change in the posture of the endpoint (unsolicited).
DM-015(请求更新与非请求更新):数据模型必须使提供商能够发布请求(响应消费者请求)或非请求(生成新数据时,无需请求)的数据。例如,外部收集器可以响应消费者对端点信息的请求而发布数据,也可以在观察到关于端点的新信息时发布数据,而无需任何特定消费者请求触发发布;合规性服务器提供商可以发布端点姿态信息以响应消费者的请求(请求),或者发布由端点姿态变化驱动的姿态信息(未请求)。
DM-016 (Transfer Agnostic): The data model MUST be transfer agnostic, to allow for the data operations to leverage the most appropriate SACM transfer protocol.
DM-016(传输不可知):数据模型必须是传输不可知的,以允许数据操作利用最合适的SACM传输协议。
Posture information data adhering to a data model must also provide interfaces that include operations for access and production of the data. Operations requirements are distinct from transfer requirements in that operations requirements are requirements on the application performing requests and responses, whereas transfer requirements are requirements on the transfer protocol carrying the requests and responses. The specific requirements for such operations include:
依附于数据模型的姿态信息数据还必须提供包括数据访问和生成操作的接口。操作需求不同于传输需求,因为操作需求是对执行请求和响应的应用程序的需求,而传输需求是对承载请求和响应的传输协议的需求。此类操作的具体要求包括:
OP-001 (Time Synchronization): Request and response operations MUST be timestamped, and published information SHOULD capture time of publication. Actions or decisions based on time-sensitive data (such as user logon/logoff, endpoint connection/disconnection, endpoint behavior events, etc.) are all predicated on a synchronized understanding of time. A method for detecting and reporting time discrepancies SHOULD be provided.
OP-001(时间同步):请求和响应操作必须有时间戳,发布的信息应捕获发布的时间。基于时间敏感数据(如用户登录/注销、端点连接/断开、端点行为事件等)的操作或决策都基于对时间的同步理解。应提供检测和报告时间差异的方法。
OP-002 (Collection Abstraction): Collection is the act of a SACM component gathering data from a target endpoint. The request for a data item MUST include enough information to properly identify the item to collect, but the request shall not be a command to directly
OP-002(收集抽象):收集是SACM组件从目标端点收集数据的行为。数据项请求必须包含足够的信息,以正确识别要收集的数据项,但该请求不应是直接发送的命令
execute nor be directly applied as arguments to a command. The purpose of this requirement is primarily to reduce the potential attack vectors but has the additional benefit of abstracting the request for collection from the collection method, thereby allowing more flexibility in how collection is implemented.
execute或execute不能作为参数直接应用于命令。此需求的目的主要是减少潜在的攻击向量,但还有一个额外的好处,即从收集方法中抽象收集请求,从而在如何实现收集方面具有更大的灵活性。
OP-003 (Collection Composition): A collection request MAY be composed of multiple collection requests (which yield collected values). The desire for multiple values MUST be expressed as part of the collection request, so that the aggregation can be resolved at the point of collection without having to interact with the requestor. This requirement should not be interpreted as preventing a collector from providing attributes that were not part of the original request.
OP-003(集合组合):一个集合请求可以由多个集合请求组成(产生集合值)。对多个值的需求必须表示为收集请求的一部分,以便可以在收集点解析聚合,而无需与请求者交互。此要求不应解释为阻止收集器提供不属于原始请求的属性。
OP-004 (Attribute-Based Query): A query operation is the act of requesting data from a provider. Query operations SHOULD be based on a set of attributes. Query operations MUST support both a query for specific attributes and a query for all attributes. The use case in Section 2.1.2 of [RFC7632] describes the need for the data model to support a query operation based on a set of attributes to facilitate collection of information such as posture assessment, inventory (of endpoints or endpoint components), and configuration checklist.
OP-004(基于属性的查询):查询操作是向提供者请求数据的行为。查询操作应基于一组属性。查询操作必须同时支持对特定属性的查询和对所有属性的查询。[RFC7632]第2.1.2节中的用例描述了数据模型需要支持基于一组属性的查询操作,以便于收集信息,如姿势评估、库存(端点或端点组件)和配置检查表。
OP-005 (Information-Based Query with Filtering): The query operation MUST support filtering. The use case in Section 2.1.3 of [RFC7632] describes the need for the data model to support the means for the information to be collected through a query mechanism. Furthermore, the query operation requires filtering capabilities to allow for only a subset of information to be retrieved. The query operation MAY be a synchronous request or asynchronous request.
OP-005(带过滤的基于信息的查询):查询操作必须支持过滤。[RFC7632]第2.1.3节中的用例描述了数据模型需要支持通过查询机制收集信息的方法。此外,查询操作需要过滤功能,以便仅检索信息的子集。查询操作可以是同步请求或异步请求。
OP-006 (Operation Scalability): The operation resulting from a query operation MUST be able to handle the return and receipt of large amounts of data. The use case in Section 2.1.4 of [RFC7632] describe the need for the data model to support scalability. For example, the query operation may result in a very large set of attributes as well as a large set of targets.
OP-006(操作可伸缩性):查询操作产生的操作必须能够处理大量数据的返回和接收。[RFC7632]第2.1.4节中的用例描述了数据模型支持可伸缩性的需求。例如,查询操作可能会产生一组非常大的属性以及一组很大的目标。
OP-007 (Data Abstraction): The data model MUST allow a SACM component to communicate what data was used to construct the target endpoint's identity, so that other SACM components can determine whether they are constructing an equivalent target endpoint (and its identity) and whether they have confidence in that identity. SACM components SHOULD have interfaces defined to transmit this data directly or to refer to where the information can be retrieved.
OP-007(数据抽象):数据模型必须允许SACM组件传达用于构建目标端点标识的数据,以便其他SACM组件可以确定它们是否正在构建等效的目标端点(及其标识),以及它们是否对该标识有信心。SACM组件应定义接口,以直接传输此数据或引用可检索信息的位置。
OP-008 (Provider Restriction): Request operations MUST include the ability to restrict the data to be provided by a specific provider or a provider with specific characteristics. Response operations MUST include the ability to identify the provider that supplied the response. For example, a SACM consumer should be able to request that all of the data come from a specific provider by identity (e.g., Provider A) or from a provider that is in a specific location (e.g., in the Boston office).
OP-008(提供者限制):请求操作必须包括限制特定提供者或具有特定特征的提供者提供的数据的能力。响应操作必须包括识别提供响应的提供程序的能力。例如,SACM消费者应能够通过身份请求所有数据来自特定提供商(例如,提供商a)或来自特定位置(例如,波士顿办事处)的提供商。
The term "SACM transfer protocol" is intended to be distinguished from underlying transport- and internet-layer protocols such as TCP/ IP or operating at an application-layer protocol such as HTTP. The SACM transfer protocol is focused on moving data and performing necessary access control operations; it is agnostic to the data model operations.
术语“SACM传输协议”旨在区别于底层传输层和互联网层协议(如TCP/IP)或在应用层协议(如HTTP)上运行的协议。SACM传输协议侧重于移动数据和执行必要的访问控制操作;它与数据模型操作无关。
The requirements for SACM transfer protocols include:
SACM传输协议的要求包括:
T-001 (Multiple Transfer Protocol Support): SACM transfer protocols will vary depending on the deployment model that relies on different transfer-layer requirements, different device capabilities, and system configurations dealing with connectivity. For example, where posture attributes may be collected directly from an endpoint using the Network Endpoint Assessment (NEA) model [RFC5209], different transports may be defined to collect them using Posture Transport Protocol for Extensible Authentication Protocol Tunnel Methods (PT-EAP) [RFC7171] or Posture Transport Protocol over TLS (PT-TLS) [RFC6876], depending on the deployment scenario.
T-001(多传输协议支持):SACM传输协议因部署模型而异,部署模型依赖于不同的传输层要求、不同的设备功能和处理连接的系统配置。例如,在可使用网络端点评估(NEA)模型[RFC5209]直接从端点收集姿势属性的情况下,可定义不同的传输,以使用可扩展认证协议隧道方法(PT-EAP)[RFC7171]的姿势传输协议或TLS上的姿势传输协议(PT-TLS)收集姿势属性[RFC6876],具体取决于部署场景。
T-002 (Data Integrity): SACM transfer protocols MUST be able to ensure data integrity for data in transit.
T-002(数据完整性):SACM传输协议必须能够确保传输中数据的完整性。
T-003 (Data Confidentiality): SACM transfer protocols MUST be able to support data confidentiality. SACM transfer protocols MUST ensure data protection for data in transit (e.g., by encryption) to provide confidentiality, integrity, and robustness against protocol-based attacks. Note that while the transfer MUST be able to support data confidentiality, implementations MAY provide a configuration option that enables and disables confidentiality in deployments. Protection for data at rest is not in scope for transfer protocols. Data protection MAY be used for both privacy and non-privacy scenarios.
T-003(数据机密性):SACM传输协议必须能够支持数据机密性。SACM传输协议必须确保对传输中的数据进行数据保护(例如,通过加密),以提供机密性、完整性和针对基于协议的攻击的鲁棒性。请注意,虽然传输必须能够支持数据机密性,但实现可能会提供一个配置选项,用于启用和禁用部署中的机密性。对静态数据的保护不在传输协议的范围内。数据保护可用于隐私和非隐私场景。
T-004 (Transfer Protection): SACM transfer protocols MUST be capable of supporting mutual authentication and replay protection.
T-004(传输保护):SACM传输协议必须能够支持相互认证和重播保护。
T-005 (Transfer Reliability): SACM transfer protocols MUST provide reliable delivery of data. This includes the ability to perform fragmentation and reassembly and to detect replays. The SACM transfer may take advantage of reliability features in the network transport; however, the network transport may be unreliable (e.g., UDP), in which case the SACM transfer running over the unreliable network transport is responsible for ensuring reliability (i.e., by provisions such as confirmations and retransmits).
T-005(传输可靠性):SACM传输协议必须提供可靠的数据传输。这包括执行碎片和重新组装以及检测重播的能力。SACM传输可利用网络传输中的可靠性特征;然而,网络传输可能不可靠(例如,UDP),在这种情况下,通过不可靠网络传输运行的SACM传输负责确保可靠性(即,通过诸如确认和重传之类的规定)。
T-006 (Transfer-Layer Requirements): Each SACM transfer protocol MUST clearly specify the transport-layer requirements it needs to operate correctly. Examples of items that may need to be specified include connectivity requirements, replay requirements, data link encryption requirements, and/or channel-binding requirements. These requirements are needed in order for deployments to be done correctly.
T-006(传输层要求):每个SACM传输协议必须明确规定正确运行所需的传输层要求。可能需要指定的项目示例包括连接要求、重播要求、数据链路加密要求和/或通道绑定要求。这些要求是正确完成部署所必需的。
T-007 (Transfer Protocol Adoption): SACM SHOULD, where reasonably possible, leverage and use existing IETF transfer protocols versus defining new ones.
T-007(传输协议采用):SACM应在合理可能的情况下,利用和使用现有的IETF传输协议,而不是定义新的传输协议。
This document does not require any IANA actions.
本文件不要求IANA采取任何行动。
This document defines the requirements for SACM. As such, it is expected that several data models, protocols, and transfer protocols may be defined or reused from already-existing standards.
本文件定义了SACM的要求。因此,可以从现有标准中定义或重用多个数据模型、协议和传输协议。
To address security and privacy considerations, the data model, protocols, and transports must consider authorization based on consumer function and privileges, to only allow authorized consumers and providers to access specific information being requested or published.
为了解决安全性和隐私考虑,数据模型、协议和传输必须考虑基于消费者功能和权限的授权,以便只允许授权的消费者和提供者访问被请求或发布的特定信息。
To enable federation across multiple entities (such as across organizational or geographic boundaries), authorization must also extend to infrastructure elements themselves, such as central controllers, brokers, and data repositories.
要实现跨多个实体(如跨组织或地理边界)的联合,授权还必须扩展到基础结构元素本身,如中央控制器、代理和数据存储库。
In addition, authorization needs to extend to specific information or resources available in the environment. In other words, authorization is based on the subject (the information requestor), the provider (the information responder), the object (the endpoint the information is being requested on), and the attribute (what piece
此外,授权需要扩展到环境中可用的特定信息或资源。换句话说,授权基于主体(信息请求者)、提供者(信息响应者)、对象(请求信息的端点)和属性(哪一部分)
of data is being requested). The method by which this authorization is applied is unspecified.
(正在请求数据)。未指定应用此授权的方法。
SACM's charter focuses on the workflow orchestration and the sharing of posture information for improving the efficacy of security applications such as compliance, configuration, assurance, and other threat and vulnerability reporting and remediation systems. While the goal is to facilitate the flow of information securely, it is important to note that participating endpoints may not be cooperative or trustworthy.
SACM的章程侧重于工作流协调和态势信息共享,以提高安全应用程序(如合规性、配置、保证和其他威胁和漏洞报告及补救系统)的效率。虽然目标是安全地促进信息流,但需要注意的是,参与的端点可能不合作或不可信。
The information given from the provider to a requestor may come with different levels of trustworthiness given the different potential deployment scenarios and compromise at the provider, the requesting consumer, or devices that are involved in the transfer between the provider and requestor. This section will describe the different considerations that may reduce the level of trustworthiness of the information provided.
鉴于提供者、请求消费者或涉及提供者和请求者之间传输的设备的不同潜在部署场景和危害,提供者向请求者提供的信息可能具有不同的可信度。本节将描述可能降低所提供信息可信度的不同注意事项。
In the information transfer flow, it is possible that some of the devices may serve as proxies or brokers and, as such, may be able to observe the communications flowing between an information provider and requestor. Without appropriate protections, it is possible for these proxies and brokers to inject and affect man-in-the-middle attacks.
在信息传输流中,一些设备可能用作代理或代理,并且因此可能能够观察信息提供者和请求者之间的通信流。如果没有适当的保护,这些代理和代理就有可能注入并影响中间人攻击。
In general, it is common to distrust the network service provider, unless the full hop-by-hop communications process flow is well understood. As such, the posture information provider should protect the posture information data it provides as well as the transfer it uses. Similarly, while there may be providers whose goal is to openly share its information, there may also be providers whose policy is to grant access to certain posture information based on its business or regulatory policy. In those situations, a provider may require full authentication and authorization of the requestor (or set of requestors) and share only the authorized information to the authenticated and authorized requestors.
通常,不信任网络服务提供商是很常见的,除非完全理解逐跳通信流程。因此,姿势信息提供者应保护其提供的姿势信息数据及其使用的传输。类似地,虽然可能有供应商的目标是公开共享其信息,但也可能有供应商的政策是根据其业务或监管政策授予对某些姿态信息的访问权。在这些情况下,提供者可能需要请求者(或一组请求者)的完全身份验证和授权,并且只向经过身份验证和授权的请求者共享授权信息。
Beyond distrusting the network service provider, a requestor must also take into account that the information received from the provider may have been communicated through an undetermined network communications system. That is, the posture information may have traversed through many devices before reaching the requestor. SACM specifications should provide the means for verifying data origin and data integrity and, at minimum, provide endpoint authentication and transfer integrity.
除了不信任网络服务提供商之外,请求者还必须考虑到从提供商处收到的信息可能是通过未确定的网络通信系统进行通信的。也就是说,姿势信息在到达请求者之前可能已经穿过许多设备。SACM规范应提供验证数据来源和数据完整性的方法,并至少提供端点身份验证和传输完整性。
A requestor may require data freshness indications, both knowledge of data origination as well as time of publication, so that it can make more informed decisions about the relevance of the data based on its currency and/or age.
请求者可能需要数据新鲜度指示,包括数据来源知识和发布时间,以便能够根据数据的货币和/或年龄对数据的相关性做出更明智的决定。
It is also important to note that endpoint assessment reports, especially as they may be provided by the target endpoint, may pose untrustworthy information. The considerations for this are described in Section 8 of [RFC5209].
还需要注意的是,终点评估报告,特别是目标终点可能提供的报告,可能会造成不可信的信息。[RFC5209]第8节描述了这方面的注意事项。
The trustworthiness of the posture information given by the provider to one or many requestors is dependent on several considerations. Some of these include the requestor requiring:
提供者提供给一个或多个请求者的姿势信息的可信度取决于几个因素。其中包括请求者要求:
o Full disclosure of the network topology path to the provider(s).
o 向提供商完全公开网络拓扑路径。
o Direct (peer-to-peer) communication with the provider.
o 与提供商直接(对等)通信。
o Authentication and authorization of the provider.
o 提供程序的身份验证和授权。
o Either or both confidentiality and integrity at the transfer layer.
o 传输层的机密性和完整性。
o Either or both confidentiality and integrity at the data layer.
o 数据层的机密性和完整性。
SACM information may contain sensitive information about the target endpoint as well as revealing identity information of the producer or consumer of such information. Similarly, as part of the SACM discovery mechanism, the capabilities and roles (e.g., SACM components enabled) advertised by the endpoint may be construed as private information.
SACM信息可能包含有关目标端点的敏感信息以及此类信息的生产者或消费者的身份信息。类似地,作为SACM发现机制的一部分,由端点通告的功能和角色(例如,启用的SACM组件)可以被解释为私有信息。
In addition to identity and SACM capabilities information disclosure, the use of timestamps (or other attributes that can be used as identifiers) could be further used to determine a target endpoint or user's behavioral patterns. Such attributes may also be deemed sensitive and may require further protection or obfuscation to meet privacy concerns. That is, there may be applications as well as business and regulatory practices that require that aspects of such information be hidden from any parties that do not need to know it.
除了身份和SACM能力信息公开之外,时间戳(或可用作标识符的其他属性)的使用还可进一步用于确定目标端点或用户的行为模式。此类属性也可能被视为敏感属性,可能需要进一步保护或混淆,以满足隐私问题。也就是说,可能有应用程序以及业务和监管实践要求对不需要知道这些信息的任何方隐藏这些信息的各个方面。
Data confidentiality can provide some level of privacy but may fall short where unnecessary data is still transmitted. In those cases, filtering requirements at the data model such as OP-005 must be applied to ensure that such data is not disclosed. [RFC6973]
数据保密性可以提供一定程度的隐私,但在仍传输不必要数据的情况下,可能会达不到这一要求。在这些情况下,必须应用数据模型(如OP-005)的过滤要求,以确保不披露此类数据。[RFC6973]
provides guidelines that SACM protocols, information models, and data models should follow.
提供SACM协议、信息模型和数据模型应遵循的准则。
[RFC7632] Waltermire, D. and D. Harrington, "Endpoint Security Posture Assessment: Enterprise Use Cases", RFC 7632, DOI 10.17487/RFC7632, September 2015, <https://www.rfc-editor.org/info/rfc7632>.
[RFC7632]Waltermire,D.和D.Harrington,“端点安全态势评估:企业用例”,RFC 7632,DOI 10.17487/RFC7632,2015年9月<https://www.rfc-editor.org/info/rfc7632>.
[RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J. Tardo, "Network Endpoint Assessment (NEA): Overview and Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008, <https://www.rfc-editor.org/info/rfc5209>.
[RFC5209]Sangster,P.,Khosravi,H.,Mani,M.,Narayan,K.,和J.Tardo,“网络端点评估(NEA):概述和要求”,RFC 5209,DOI 10.17487/RFC5209,2008年6月<https://www.rfc-editor.org/info/rfc5209>.
[RFC6876] Sangster, P., Cam-Winget, N., and J. Salowey, "A Posture Transport Protocol over TLS (PT-TLS)", RFC 6876, DOI 10.17487/RFC6876, February 2013, <https://www.rfc-editor.org/info/rfc6876>.
[RFC6876]Sangster,P.,Cam Winget,N.,和J.Salowey,“TLS上的姿态传输协议(PT-TLS)”,RFC 6876,DOI 10.17487/RFC6876,2013年2月<https://www.rfc-editor.org/info/rfc6876>.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, <https://www.rfc-editor.org/info/rfc6973>.
[RFC6973]Cooper,A.,Tschofenig,H.,Aboba,B.,Peterson,J.,Morris,J.,Hansen,M.,和R.Smith,“互联网协议的隐私考虑”,RFC 6973,DOI 10.17487/RFC6973,2013年7月<https://www.rfc-editor.org/info/rfc6973>.
[RFC7171] Cam-Winget, N. and P. Sangster, "PT-EAP: Posture Transport (PT) Protocol for Extensible Authentication Protocol (EAP) Tunnel Methods", RFC 7171, DOI 10.17487/RFC7171, May 2014, <https://www.rfc-editor.org/info/rfc7171>.
[RFC7171]Cam Winget,N.和P.Sangster,“PT-EAP:可扩展认证协议(EAP)隧道方法的姿态传输(PT)协议”,RFC 7171,DOI 10.17487/RFC7171,2014年5月<https://www.rfc-editor.org/info/rfc7171>.
[TERMS] Birkholz, H., Lu, J., Strassner, J., and N. Cam-Winget, "Security Automation and Continuous Monitoring (SACM) Terminology", Work in Progress, draft-ietf-sacm-terminology-13, July 2017.
[术语]Birkholz,H.,Lu,J.,Strassner,J.,和N.Cam Winget,“安全自动化和连续监控(SACM)术语”,正在进行的工作,草案-ietf-SACM-Terminology-132017年7月。
Acknowledgments
致谢
The authors would like to thank Barbara Fraser, Jim Bieda, and Adam Montville for reviewing and contributing to this document. In addition, we recognize valuable comments and suggestions made by Jim Schaad and Chris Inacio.
作者要感谢Barbara Fraser、Jim Bieda和Adam Montville对本文件的审阅和贡献。此外,我们感谢Jim Schaad和Chris Inacio提出的宝贵意见和建议。
Authors' Addresses
作者地址
Nancy Cam-Winget Cisco Systems 3550 Cisco Way San Jose, CA 95134 United States of America
美国加利福尼亚州圣何塞市思科路3550号南希·坎·威吉思科系统公司,邮编:95134
Email: ncamwing@cisco.com
Email: ncamwing@cisco.com
Lisa Lorenzin Pulse Secure 2700 Zanker Rd., Suite 200 San Jose, CA 95134 United States of America
美国加利福尼亚州圣何塞市赞克路2700号Lisa Lorenzin Pulse Secure 200室,邮编95134
Email: llorenzin-ietf@1000plus.com
Email: llorenzin-ietf@1000plus.com