RID IETF Draft Update

Similar documents
RID IETF Draft Update

Extended INCident Handling Working Group (INCH)

Secure Communications on VoIP Networks

NGN: Carriers and Vendors Must Take Security Seriously

Our brief history. Management and security. Traceback by traffic pattern. R&D on Traceback technology and the derivatives

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

Privacy and Security in Smart Grids

The State of Standardization Efforts to support Data Exchange in the Security Domain

Overview. SSL Cryptography Overview CHAPTER 1

HP Instant Support Enterprise Edition (ISEE) Security overview

Security+ SY0-501 Study Guide Table of Contents

GARNET. Graphical Attack graph and Reachability Network Evaluation Tool* Leevar Williams, Richard Lippmann, Kyle Ingols. MIT Lincoln Laboratory

Network Security Policy

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

Network Security and Cryptography. 2 September Marking Scheme

INFORMATION EXCHANGE GATEWAYS: REFERENCE ARCHITECTURE

ISO INTERNATIONAL STANDARD. Road vehicles Extended data link security. Véhicules routiers Sécurité étendue de liaison de données

October 4, 2000 Expires in six months. SMTP Service Extension for Secure SMTP over TLS. Status of this Memo

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

This presentation covers Gen Z s Security capabilities.

ASEAN e-authentication Workshop Balwinder Sahota

PROGRAMMING Kyriacou E. Frederick University Cyprus. Network communication examples

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Direct, DirectTrust, and FHIR: A Value Proposition

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Introduction and Statement of the Problem

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

Forum XWall and Oracle Application Server 10g

National Identity Exchange Federation. Terminology Reference. Version 1.0

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

PIDX PIP Specification. P11: Send Field Ticket. Version 1.0

Networking interview questions

GOING WHERE NO WAFS HAVE GONE BEFORE

Network Security and Cryptography. December Sample Exam Marking Scheme

Visualizing Attack Graphs, Reachability, and Trust Relationships with NAVIGATOR*

Grid Security Incident Handling and Response Guide

Implementing Cisco Network Security (IINS) 3.0

Top-Down Network Design

Configuring BIG-IP ASM v12.1 Application Security Manager

Security Architecture

Connected Health Principles

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

Firewall Policy. Prepared By Document Version Phone Number Kevin Kuhn Version /

Virtual Private Network

SFT User Manual C:D. Secure File Transfer with Connect:Direct. Document date: 15 November 2016 Classification: Open Version: 4.0

MILE Implementation Report. Chris Inacio, Carnegie Mellon University Daisuke Miyamoto, The University of Tokyo

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

IT443 Network Security Administration Spring Gabriel Ghinita University of Massachusetts at Boston

Service Description Safecom Customer Connection Version 3.5

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

CERTIFICATE POLICY CIGNA PKI Certificates

Implementing Secure Socket Layer

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Security Assertions Markup Language (SAML)

Stratusphere. Security Overview

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

Send and Receive Exchange Use Case Test Methods

Layered Architecture

Real-time DDoS Defense: A collaborative Approach at Internet Scale

CPSC 467: Cryptography and Computer Security

Service Managed Gateway TM. Configuring IPSec VPN

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

APPENDIX F THE TCP/IP PROTOCOL ARCHITECTURE

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Web Services, ebxml and XML Security

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

Lesson 13 Securing Web Services (WS-Security, SAML)

CSC Network Security

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

Transport Level Security

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

Vol. 1 Technical RFP No. QTA0015THA

SC27 WG4 Mission. Security controls and services

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

An Operational Perspective on BGP Security. Geoff Huston February 2005

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

eidas Interoperability Architecture Version November 2015

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Implementation Guide for Delivery Notification in Direct

Autokey Version 2 Specification

A Blockchain-based Architecture for Collaborative DDoS Mitigation with Smart Contracts

COSC 301 Network Management

Lecture 12 Page 1. Lecture 12 Page 3

Network Security. Thierry Sans

PIDX PIP Specification. P22: Send Invoice Response. Version 1.0

The Identity Web An Overview of XNS and the OASIS XRI TC

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Understanding Cisco Cybersecurity Fundamentals

Electronic Commerce Working Group report

Mobile ad hoc networks Various problems and some solutions

Network Control, Con t

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

INFORMATION ASSURANCE DIRECTORATE

Lecture 13 Page 1. Lecture 13 Page 3

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETCONF Design and Implementation of a Prototype

Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.

Transcription:

RID IETF Draft Update Kathleen M. Moriarty INCH Working Group 5 August 2004 This work was sponsored by the Air Force under Air Force Contract Number F19628-00-C-0002. "Opinions, interpretations, conclusions, and recommendations are those of the author and are not necessarily endorsed by the United States Government." RID-INCH-1

RID Updates Purpose RID and INCH Messaging Format for RID Define Extensions to IODEF Model New Extension for Policy Communication Mechanism for RID Documents Security Considerations RID-INCH-2

Real-time Inter-network Defense (RID) Trace Security Incidents to the Source Stop or Mitigate the Effects of an Attack or Security Incident Facilitate Communications between Network Providers Integrate with existing and future network components Systems to trace traffic across a network Intrusion Detection Systems NetFlow, Hash Based IP Traceback, IP Marking, etc. Network devices such as routers and firewalls Provide secure means to communicate RID messages Consortiums agree upon use and abuse guidelines Consortiums provide a key exchange method Trusted PKI, certificate repository, cross certifications RID-INCH-3

RID and INCH RID is used to communicate security incident handling information between CSIRTs or NPs RID carries much of the same data as an IODEF document RID requires a few additional data elements Communication and proper transport of messages is in the RID specification RID is now reformatted to use the IODEF specification Packet based format to IODEF document RID message types XML IODEF document with RID extensions SOAP Wrapper Message Type distinguished in SOAP wrapper and RIDPolicy RID-INCH-4

SOAP Wrapper Input SOAP Wrapper for Messages One way communication, but the conversation is specified by the application RID messages require responses in the form of authorization status and source found messages SOAP header carries information needed by RID systems during a relay request SOAP body does not need to be parsed Transport would be left for other specification SOAP would be a wrapper and another protocol would be used for transport Practical - SSH Other options HTTPS, BEEP, SNMP, etc. Are there any SOAP experts that can review the document? RID-INCH-5

RID Extensions to IODEF AdditionalData Class from IODEF used to define Extensions IPPacket Class Allows hex packets to be stored in the RID message in a format that will be expected by the recipient of a RID message Multiple packets may be sent in a single message NPPath Class Purpose is to identify the path of the trace and to avoid loops TraceStatus Class Method for providing approval status from upstream peer after a trace request is made RIDPolicy Method to determine via RID messages if trace should be continued between NPs Policy negotiations for RID messages Reliability of the trace type requested Some NPs may have multiple choices for traceback Method needed to decide which of several methods should be used by the percentage from the originator of request Level of trace required RID systems need to reference the IODEF expectation class to determine how fast of a trace mechanism should be used The start time and end time can be used to determine if a fast method of tracing or a slow and more detailed trace mechanism can be used RID-INCH-6

RID Policy RID Policy New extension to ensure that policy information is transferred between participating RID peers Policy information in RID to prevent policy related issues from relying on the transport mechanism for enforcement Message type is specified here and should also be in the SOAP wrapper RIDPolicy Information Extension to define the type of trace IODEF Method and Impact class information should be considered for the type of traffic requested for trace and the success of an attack Explicit statement for the type of trace requested in case it does not fit into the category of attack traffic and can be linked to a CVE or other identifier Message Type Message Destination and Node address Identifies where the traffic may have policy issues Client to NP NP to client Within a consortium Between peers Between consortiums Across national boundaries Purpose is to try to prevent abuse of the system Address security, confidentiality, and privacy concerns listed in the draft New extension created to address issues raised at IETF-59 RID-INCH-7

Communicating RID Messages SOAP Messaging Wrapper and XML Security Method to transport messages Policy negotiated in RID message and not wrapper Provide integrity, authentication, authorization XML digital signature, encryption, and public key infrastructure Encryption of RID for privacy and security reasons should be via XML encryption and not through the security provided by a wrapper or higher level protocol Added a section to outline all of the encryption and digital signature options that are also in various parts of the document for clarity Public Key Infrastructure Provided by consortiums linking network providers for RID messaging Message Types Trace Request Trace Authorization Source Found Relay Request RID Systems Must Track the Requests by Incident Number Packet Contents Completion Status RID-INCH-8

Security Considerations Consortiums Agreements between entities involved in RID peering Provide a secure key exchange repository/system (PKI) Peering agreements and policies between consortiums and across national boundaries or jurisdictions Policy enforced through RID messages by stating level and type of trace System use guidelines Privacy considerations Abuse policies Use policies may vary across national network or consortium boundaries Automated method to allow enforcement of use agreements RID server security policies Network based access controls Hardened systems Communication security considerations for the exchange of RID messages and the underlying protocols RID-INCH-9

Summary Updates from the previous version Extended the AdditionalData Class to accommodate the needs of RID messaging and RIDPolicy Extended information on system use and privacy considerations RID message types RID message destination and Node information PKI at the core of the security model, but provided by a consortium Summary of XML Digital Signature and Encryption applications Topology examples to address implementers questions XML Schema for RID extensions Near Future Updates will include More information on XML Security Separate document for SOAP wrapper and transport May include additional examples of other message types Any suggested revisions or clarifications http://www.ietf.org/internet-drafts/draft-ietf-inch-rid-00.txt Plan to generalize document for IODEF purposes, any input would be appreciated! RID-INCH-10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback