draft-haynes-sacm-ecp-00.txt vs. draft-haynes-sacm-ecp-01.txt

SACM                                                        D. Haynes
Internet-Draft                                  The MITRE Corporation
Intended status: Standards Track                  J. Fitzgerald-McKay
Expires: September 8, 2016 (-00)                Department of Defense
         March 11, 2017 (-01)                             L. Lorenzin
                                                         Pulse Secure
                                                  March 7, 2016 (-00)
                                              September 7, 2016 (-01)

                      Endpoint Compliance Profile
             draft-haynes-sacm-ecp-00 / draft-haynes-sacm-ecp-01
Abstract

   This document specifies the Endpoint Compliance Profile, a high-level
   specification that describes a specific combination and application
   of NEA and TNC protocols and interfaces designed to support ongoing
   assessment of endpoint posture and the controlled exposure of
   collected posture information to appropriate security applications.
   This document is a subset of the Trusted Computing Group's Endpoint
   Compliance Profile Version 1.0 specification.
   skipping to change at page 1, line 39

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 8, 2016 (-00) /
   March 11, 2017 (-01).

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Preventative Posture Assessments . . . . . . . . . . . .   4
     1.2.  Standardized Schema  . . . . . . . . . . . . . . . . . .   5 (-00: 4)
     1.3.  Secure Standardized Protocols  . . . . . . . . . . . . .   5
     1.4.  Keywords . . . . . . . . . . . . . . . . . . . . . . . .   6
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   6
   3.  Endpoint Compliance Profile  . . . . . . . . . . . . . . . .   7
     3.1.  Posture Assessments  . . . . . . . . . . . . . . . . . .   7
     3.2.  Data Storage . . . . . . . . . . . . . . . . . . . . . .   7
     3.3.  Follow-up Actions  . . . . . . . . . . . . . . . . . . .   8
   4.  Background . . . . . . . . . . . . . . . . . . . . . . . . .   8
     4.1.  Purpose of the Endpoint Compliance Profile . . . . . . .   8
     4.2.  Supported Use Cases  . . . . . . . . . . . . . . . . . .   8

   skipping to change at page 3, line 20

       11.2.1.  Endpoint Attacks . . . . . . . . . . . . . . . . .  30
       11.2.2.  Network Attacks  . . . . . . . . . . . . . . . . .  30
       11.2.3.  Server Attacks . . . . . . . . . . . . . . . . . .  30
       11.2.4.  Repository Attacks . . . . . . . . . . . . . . . .  31
     11.3.  Countermeasures  . . . . . . . . . . . . . . . . . . .  31
       11.3.1.  Countermeasures for Endpoint Attacks . . . . . . .  31
       11.3.2.  Countermeasures for Network Attacks  . . . . . . .  32
       11.3.3.  Countermeasures for Server Attacks . . . . . . . .  32
       11.3.4.  Countermeasures for Repository Attacks . . . . . .  33
   12.  Privacy Considerations  . . . . . . . . . . . . . . . . . .  34
   13.  Change Log (-01 only; in -00, Section 13 is References)  .  34
     13.1.  -00 to -01 . . . . . . . . . . . . . . . . . . . . . .  34
   14.  References (-00: Section 13)  . . . . . . . . . . . . . . .  34
     14.1.  Informative References (-00: Section 13.1) . . . . . .  34
     14.2.  Normative References (-00: Section 13.2, page 34)  . .  35
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  36 (-00: 35)
1.  Introduction

   The IETF NEA WG has defined an open architecture for network
   security, including standard protocols for endpoint posture
   assessment.  The Endpoint Compliance Profile (ECP) builds on the NEA
   protocols, along with complementary interfaces from the Trusted
   Network Communications (TNC) WG of the Trusted Computing Group [TNC],
   to determine the posture of any type of endpoint on a network,
   including user endpoints, servers, and infrastructure.  The first
   skipping to change at page 34, line 21

   A possible exception may be the concerns a user may have when
   attempting to connect a personal endpoint (such as a phone or mobile
   endpoint) to an enterprise network.  The user may not want to share
   certain details, such as an endpoint identifier or SWID tags, with
   the enterprise.  The user can configure their NEAC to reject requests
   for this information; however, it is possible that the enterprise
   policy will not allow the user's endpoint to connect to the network
   without providing the requested data.
13.  Change Log (-01 only)

13.1.  -00 to -01

   There are no textual changes associated with this revision.  This
   revision simply reflects a resubmission of the document so that it
   remains in active status.

14.  References (-00: Section 13)

14.1.  Informative References (-00: Section 13.1)
   [DSD]      http://www.dsd.gov.au/publications/csocprotect/
              top_4_mitigations.htm, "Top 4 Mitigation Strategies to
              Protect Your ICT System", November 2012.

   [IEEE-802-1ar]
              Institute of Electrical and Electronics Engineers, "IEEE
              802.1ar", December 2009.

   [RFC5209]  Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.

   skipping to change at page 34, line 45 (-00) / page 35, line 5 (-01)

              Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008,
              <http://www.rfc-editor.org/info/rfc5209>.

   [SANS]     http://www.sans.org/critical-security-controls/, "CIS
              Critical Security Controls".

   [TNC]      Trusted Computing Group, "TCG Trusted Network Connect TNC
              Architecture for Interoperability, Version 1.5", February
              2012.

14.2.  Normative References (-00: Section 13.2)

   [I-D.ietf-sacm-terminology]
              Waltermire, D., Montville, A., Harrington, D., and N. Cam-
              Winget, "Terminology for Security Assessment", draft-ietf-
              sacm-terminology-05 (work in progress), August 2014.

   [IF-IMC]   Trusted Computing Group, "TCG Trusted Network Connect TNC
              IF-IMC, Version 1.3", February 2013.

   [IF-IMV]   Trusted Computing Group, "TCG Trusted Network Connect TNC
   End of changes.  9 change blocks.
   12 lines changed or deleted; 22 lines changed or added.

   This html diff was produced by rfcdiff 1.45.  The latest version is
   available from http://tools.ietf.org/tools/rfcdiff/