draft-haynes-sacm-ecp-01.txt   draft-haynes-sacm-ecp-02.txt 
SACM D. Haynes SACM D. Haynes
Internet-Draft The MITRE Corporation Internet-Draft The MITRE Corporation
Intended status: Standards Track J. Fitzgerald-McKay Intended status: Standards Track J. Fitzgerald-McKay
Expires: March 11, 2017 Department of Defense Expires: September 10, 2017 Department of Defense
L. Lorenzin L. Lorenzin
Pulse Secure Pulse Secure
September 7, 2016 March 9, 2017
Endpoint Compliance Profile Endpoint Compliance Profile
draft-haynes-sacm-ecp-01 draft-haynes-sacm-ecp-02
Abstract Abstract
This document specifies the Endpoint Compliance Profile, a high-level This document specifies the Endpoint Compliance Profile, a high-level
specification that describes a specific combination and application specification that describes a specific combination and application
of NEA and TNC protocols and interfaces specifically designed to of NEA and TNC protocols and interfaces specifically designed to
support ongoing assessment of endpoint posture and the controlled support ongoing assessment of endpoint posture and the controlled
exposure of collected posture information to appropriate security exposure of collected posture information to appropriate security
applications. This document is a subset of the Trusted Computing applications. This document is a subset of the Trusted Computing
Group's Endpoint Compliance Profile Version 1.0 specification. Group's Endpoint Compliance Profile Version 1.0 specification.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 11, 2017. This Internet-Draft will expire on September 10, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 25 skipping to change at page 2, line 25
1.3. Secure Standardized Protocols . . . . . . . . . . . . . . 5 1.3. Secure Standardized Protocols . . . . . . . . . . . . . . 5
1.4. Keywords . . . . . . . . . . . . . . . . . . . . . . . . 6 1.4. Keywords . . . . . . . . . . . . . . . . . . . . . . . . 6
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Endpoint Compliance Profile . . . . . . . . . . . . . . . . . 7 3. Endpoint Compliance Profile . . . . . . . . . . . . . . . . . 7
3.1. Posture Assessments . . . . . . . . . . . . . . . . . . . 7 3.1. Posture Assessments . . . . . . . . . . . . . . . . . . . 7
3.2. Data Storage . . . . . . . . . . . . . . . . . . . . . . 7 3.2. Data Storage . . . . . . . . . . . . . . . . . . . . . . 7
3.3. Follow-up Actions . . . . . . . . . . . . . . . . . . . . 8 3.3. Follow-up Actions . . . . . . . . . . . . . . . . . . . . 8
4. Background . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Background . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.1. Purpose of the Endpoint Compliance Profile . . . . . . . 8 4.1. Purpose of the Endpoint Compliance Profile . . . . . . . 8
4.2. Supported Use Cases . . . . . . . . . . . . . . . . . . . 8 4.2. Supported Use Cases . . . . . . . . . . . . . . . . . . . 8
4.2.1. Connected-and-Compliant . . . . . . . . . . . . . . . 8 4.2.1. Connected and Compliant . . . . . . . . . . . . . . . 8
4.2.2. Exposing Data to the Network . . . . . . . . . . . . 10 4.2.2. Exposing Data to the Network . . . . . . . . . . . . 10
4.2.2.1. Asset Management . . . . . . . . . . . . . . . . 12 4.2.2.1. Asset Management . . . . . . . . . . . . . . . . 12
4.2.2.2. Vulnerability Searches . . . . . . . . . . . . . 12 4.2.2.2. Vulnerability Searches . . . . . . . . . . . . . 12
4.2.2.3. Threat Detection and Analysis . . . . . . . . . . 12 4.2.2.3. Threat Detection and Analysis . . . . . . . . . . 12
4.2.3. Non-supported Use Cases . . . . . . . . . . . . . . . 12 4.2.3. Non-supported Use Cases . . . . . . . . . . . . . . . 12
4.2.4. Profile Requirements . . . . . . . . . . . . . . . . 13 4.2.4. Profile Requirements . . . . . . . . . . . . . . . . 13
4.2.5. Assumptions . . . . . . . . . . . . . . . . . . . . . 14 4.2.5. Assumptions . . . . . . . . . . . . . . . . . . . . . 14
5. Endpoint Compliance Requirements . . . . . . . . . . . . . . 16 5. Endpoint Compliance Requirements . . . . . . . . . . . . . . 16
5.1. Endpoint Pre-Provisioning . . . . . . . . . . . . . . . . 17 5.1. Endpoint Pre-Provisioning . . . . . . . . . . . . . . . . 17
5.1.1. SWID Tags . . . . . . . . . . . . . . . . . . . . . . 17 5.1.1. SWID Tags . . . . . . . . . . . . . . . . . . . . . . 17
5.1.2. Endpoint Identity and Machine Certificate . . . . . . 17 5.1.2. Endpoint Identity and Machine Certificate . . . . . . 17
5.2. Posture Validators and Posture Collectors . . . . . . . . 17 5.2. Posture Validators and Posture Collectors . . . . . . . . 17
5.2.1. SWID-Posture-Collectors-and-Posture-Validators . . . 18 5.2.1. SWID Posture Collectors and Posture Validators . . . 18
5.2.1.1. The-SWID-Posture-Collector . . . . . . . . . . . 18 5.2.1.1. The SWID Posture Collector . . . . . . . . . . . 18
5.2.1.2. The SWID Posture Validator . . . . . . . . . . . 18 5.2.1.2. The SWID Posture Validator . . . . . . . . . . . 18
5.3. NEA Client (NEAC) and NEA Server (NEAS) . . . . . . . . . 19 5.3. NEA Client (NEAC) and NEA Server (NEAS) . . . . . . . . . 19
5.3.1. NEAC . . . . . . . . . . . . . . . . . . . . . . . . 19 5.3.1. NEAC . . . . . . . . . . . . . . . . . . . . . . . . 19
5.3.2. NEAS . . . . . . . . . . . . . . . . . . . . . . . . 19 5.3.2. NEAS . . . . . . . . . . . . . . . . . . . . . . . . 19
5.4. Repository . . . . . . . . . . . . . . . . . . . . . . . 19 5.4. Repository . . . . . . . . . . . . . . . . . . . . . . . 19
6. Posture Transport Client (PTC) and Posture Transport Server 6. Posture Transport Client (PTC) and Posture Transport Server
(PTS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 (PTS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7. Administrative Interface and API . . . . . . . . . . . . . . 20 7. Administrative Interface and API . . . . . . . . . . . . . . 20
8. Endpoint Compliance Profile Examples . . . . . . . . . . . . 21 8. Endpoint Compliance Profile Examples . . . . . . . . . . . . 21
8.1. Continuous Posture Assessment of an Endpoint . . . . . . 21 8.1. Continuous Posture Assessment of an Endpoint . . . . . . 21
skipping to change at page 3, line 22 skipping to change at page 3, line 22
11.2.3. Server Attacks . . . . . . . . . . . . . . . . . . . 30 11.2.3. Server Attacks . . . . . . . . . . . . . . . . . . . 30
11.2.4. Repository Attacks . . . . . . . . . . . . . . . . . 31 11.2.4. Repository Attacks . . . . . . . . . . . . . . . . . 31
11.3. Countermeasures . . . . . . . . . . . . . . . . . . . . 31 11.3. Countermeasures . . . . . . . . . . . . . . . . . . . . 31
11.3.1. Countermeasures for Endpoint Attacks . . . . . . . . 31 11.3.1. Countermeasures for Endpoint Attacks . . . . . . . . 31
11.3.2. Countermeasures for Network Attacks . . . . . . . . 32 11.3.2. Countermeasures for Network Attacks . . . . . . . . 32
11.3.3. Countermeasures for Server Attacks . . . . . . . . . 32 11.3.3. Countermeasures for Server Attacks . . . . . . . . . 32
11.3.4. Countermeasures for Repository Attacks . . . . . . . 33 11.3.4. Countermeasures for Repository Attacks . . . . . . . 33
12. Privacy-Considerations . . . . . . . . . . . . . . . . . . . 34 12. Privacy-Considerations . . . . . . . . . . . . . . . . . . . 34
13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 34 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 34
13.1. -00 to -01 . . . . . . . . . . . . . . . . . . . . . . . 34 13.1. -00 to -01 . . . . . . . . . . . . . . . . . . . . . . . 34
13.2. -01 to -02 . . . . . . . . . . . . . . . . . . . . . . . 34
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 34
14.1. Informative References . . . . . . . . . . . . . . . . . 34 14.1. Informative References . . . . . . . . . . . . . . . . . 34
14.2. Normative References . . . . . . . . . . . . . . . . . . 35 14.2. Normative References . . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36
1. Introduction 1. Introduction
The IETF NEA WG has defined an open architecture for network The IETF NEA WG has defined an open architecture for network
security, including standard protocols for endpoint posture security, including standard protocols for endpoint posture
assessment. The Endpoint Compliance Profile (ECP) builds on the NEA assessment. The Endpoint Compliance Profile (ECP) builds on the NEA
skipping to change at page 6, line 14 skipping to change at page 6, line 14
Endpoint Server Endpoint Server
+---------------+ +---------------+ +---------------+ +---------------+
| | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | SWID | | | | SWID | | | | SWID | | | | SWID | |
| | Posture | | | | Posture | | | | Posture | | | | Posture | |
| | Collector | | | | Validator | | | | Collector | | | | Validator | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | | | | | | | | | | |
| | PC-TNC | | | IF-IMV | Repository | | IF-IMC | | | IF-IMV | Repository
| | | | | | +--------+ | | | | | | +--------+
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | PB Client | | | | PB Server | |---->| | | | PB Client | | | | PB Server | |---->| |
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | | | | | | | | | | | | | | |
| | | | | | +--------+ | | | | | | +--------+
| | | | | | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | PT Client | |<------>| | PT Server | | | | PT Client | |<------>| | PT Server | |
| +-----------+ | PT-TLS | +-----------+ | | +-----------+ | PT-TLS | +-----------+ |
skipping to change at page 8, line 44 skipping to change at page 8, line 44
[SWID]. Future versions of the Endpoint Compliance Profile could [SWID]. Future versions of the Endpoint Compliance Profile could
describe how additional types of posture information can be collected describe how additional types of posture information can be collected
and communicated in a standardized way. and communicated in a standardized way.
4.2. Supported Use Cases 4.2. Supported Use Cases
The Endpoint Compliance Profile focuses on the posture assessment of The Endpoint Compliance Profile focuses on the posture assessment of
enterprise endpoints on enterprise networks. Use cases supported by enterprise endpoints on enterprise networks. Use cases supported by
the Endpoint Compliance Profile 1.0 are as follows: the Endpoint Compliance Profile 1.0 are as follows:
4.2.1. Connected-and-Compliant 4.2.1. Connected and Compliant
A network-connected endpoint sends posture information using standard A network-connected endpoint sends posture information using standard
schemas such as SWID over NEA protocols. schemas such as SWID over NEA protocols.
Endpoint Server Endpoint Server
+-------------------+ +---------------+ +-------------------+ +---------------+
| | | | | | | |
| +-------+ | | +-----------+ | | +-------+ | | +-----------+ |
| | SWIDs | | | | SWID | | | | SWIDs | | | | SWID | |
| +-------+ | | | Posture | | | +-------+ | | | Posture | |
| | | | | Validator | | | | | | | Validator | |
| | | | +-----------+ | | | | | +-----------+ |
| | +-----------+ | | | | | | +-----------+ | | | |
| +->| SWID | | | | | | +->| SWID | | | | |
| | Posture | | | | | | | Posture | | | | |
| | Collector | | | | | | | Collector | | | | |
| +-----------+ | | | | | +-----------+ | | | |
| | | | | | | | | | | |
| | PC-TNC | | | IF-IMV | Repository | | IF-IMC | | | IF-IMV | Repository
| | | | | | +--------+ | | | | | | +--------+
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | PB Client | | | | PB Server | |---->| | | | PB Client | | | | PB Server | |---->| |
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | | | | | | | | | | | | | | |
| +----------+ | | | | | +--------+ | +----------+ | | | | | +--------+
| | Endpoint | | | | | | | | Endpoint | | | | | |
| | ID | | | | | | | | ID | | | | | |
| +----------+ | | | | | | +----------+ | | | | |
| | | | | | | | | | | | | |
skipping to change at page 11, line 23 skipping to change at page 11, line 23
| | SWIDs | | | | SWID | | | | SWIDs | | | | SWID | |
| +-------+ | | | Posture | | | +-------+ | | | Posture | |
| | | | | Validator | | | | | | | Validator | |
| | | | +-----------+ | | | | | +-----------+ |
| | +-----------+ | | | | | | +-----------+ | | | |
| +->| SWID | | | | | | +->| SWID | | | | |
| | Posture | | | | | | | Posture | | | | |
| | Collector | | | | | | | Collector | | | | |
| +-----------+ | | | | | +-----------+ | | | |
| | | | | | | | | | | |
| | PC-TNC | | | IF-IMV | Repository | | IF-IMC | | | IF-IMV | Repository
| | | | | | +--------+ | | | | | | +--------+
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | PB Client | | | | PB Server | |---->| | | | PB Client | | | | PB Server | |---->| |
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | | | | | | | | | | | | | | |
| +----------+ | | | | | +--------+ | +----------+ | | | | | +--------+
| | Endpoint | | | | | | | | Endpoint | | | | | |
| | ID | | | | | | | | ID | | | | | |
| +----------+ | | | | | | +----------+ | | | | |
| | | | | | | | | | | | | |
skipping to change at page 17, line 50 skipping to change at page 17, line 50
[IEEE-802-1ar], if present on the endpoint. The enterprise SHOULD [IEEE-802-1ar], if present on the endpoint. The enterprise SHOULD
stand up a certificate root authority; install its root certificate stand up a certificate root authority; install its root certificate
on endpoints and on the server; and provision the endpoints and the on endpoints and on the server; and provision the endpoints and the
server with machine certificates. The endpoint MAY authenticate to server with machine certificates. The endpoint MAY authenticate to
the server using a combination of the machine account and password; the server using a combination of the machine account and password;
however, this is less secure and not recommended. however, this is less secure and not recommended.
5.2. Posture Validators and Posture Collectors 5.2. Posture Validators and Posture Collectors
Any PC used in an Endpoint Compliance Profile solution MUST be Any PC used in an Endpoint Compliance Profile solution MUST be
conformant with PC-TNC; an Internet-Draft, under development, that is conformant with [IF-IMC]; an Internet-Draft, under development, that
a subset of the TCG TNC Integrity Measurement Collector interface is a subset of the TCG TNC Integrity Measurement Collector interface
[IF-IMC] and will be submitted in the near future. Any Posture [IF-IMC] and will be submitted in the near future. Any Posture
Validator used in an Endpoint Compliance Profile solution MUST be Validator used in an Endpoint Compliance Profile solution MUST be
conformant with [IF-IMV]. conformant with [IF-IMV].
5.2.1. SWID-Posture-Collectors-and-Posture-Validators 5.2.1. SWID Posture Collectors and Posture Validators
5.2.1.1. The-SWID-Posture-Collector 5.2.1.1. The SWID Posture Collector
For the Endpoint Compliance Profile, the SWID Posture Collector MUST For the Endpoint Compliance Profile, the SWID Posture Collector MUST
be conformant with [SWID-Message-for-PA-TNC], which includes be conformant with [I-D.ietf-sacm-nea-swid-patnc], which includes
requirements for: requirements for:
1. Collecting SWID tags from the SWID directory 1. Collecting SWID tags from the SWID directory
2. Monitoring the SWID directory for changes 2. Monitoring the SWID directory for changes
3. Initiating a session with the server to report changes to the 3. Initiating a session with the server to report changes to the
directory directory
4. Maintaining a list of changes to the SWID directory when updates 4. Maintaining a list of changes to the SWID directory when updates
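Review bot: The rewritten first sentence of Section 5.2 is now self-referential: it requires every PC to be conformant with [IF-IMC] and then describes [IF-IMC] as "an Internet-Draft, under development, that is a subset of the TCG TNC Integrity Measurement Collector interface [IF-IMC]". The global PC-TNC to IF-IMC replacement kept the clause that described PC-TNC as a forthcoming subset of IF-IMC, so the citation and its description now name two different documents under one label. Either cut the clause so the sentence reads "Any PC used in an Endpoint Compliance Profile solution MUST be conformant with [IF-IMC]." or keep the description and cite the subset draft once it exists. Separately, in 5.1.2 "The endpoint MAY authenticate to the server using a combination of the machine account and password; however, this is less secure and not recommended" pairs a permissive keyword with advice against the practice; "SHOULD NOT" with the stated exception matches RFC 2119 usage better.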
skipping to change at page 18, line 38 skipping to change at page 18, line 38
6. Responding to a query from the SWID Posture Validator as to 6. Responding to a query from the SWID Posture Validator as to
whether all updates have been sent whether all updates have been sent
The SWID Posture Collector is not responsible for detecting that the The SWID Posture Collector is not responsible for detecting that the
SWID directory was not updated when an application was either SWID directory was not updated when an application was either
installed or uninstalled. installed or uninstalled.
5.2.1.2. The SWID Posture Validator 5.2.1.2. The SWID Posture Validator
Conformance to [SWID-Message-for-PA-TNC] enables the SWID Posture Conformance to [I-D.ietf-sacm-nea-swid-patnc] enables the SWID
Validator to: Posture Validator to:
1. Send messages to the SWID Posture Collector (at the behest of the 1. Send messages to the SWID Posture Collector (at the behest of the
administrator at the server console) requesting updates for SWID administrator at the server console) requesting updates for SWID
tags located on endpoint tags located on endpoint
2. Ask the SWID Posture Collector whether all updates to the SWID 2. Ask the SWID Posture Collector whether all updates to the SWID
directory located at the server have been sent directory located at the server have been sent
3. Compare an endpoint's SWID posture information to policy, and 3. Compare an endpoint's SWID posture information to policy, and
make a recommendation to the NEAS about the endpoint make a recommendation to the NEAS about the endpoint
skipping to change at page 19, line 34 skipping to change at page 19, line 34
2. notify the SWID Posture Collector if no PT-TLS session with the 2. notify the SWID Posture Collector if no PT-TLS session with the
server can be created; server can be created;
3. notify the SWID Posture Collector when a PT-TLS session is 3. notify the SWID Posture Collector when a PT-TLS session is
established; and established; and
4. receive information from the PCs, forward this information to the 4. receive information from the PCs, forward this information to the
server via the PTC. server via the PTC.
The NEAC MUST also conform to PC-TNC to enable communications with The NEAC MUST also conform to [IF-IMC] to enable communications with
the SWID Posture Collector. the SWID Posture Collector.
5.3.2. NEAS 5.3.2. NEAS
The NEAS MUST conform to all requirements in the [RFC5793] and The NEAS MUST conform to all requirements in the [RFC5793] and
[IF-IMV] specifications. Conformance to [IF-IMV] enables the NEAS to [IF-IMV] specifications. Conformance to [IF-IMV] enables the NEAS to
obtain endpoint identity information from the PTS, and pass this obtain endpoint identity information from the PTS, and pass this
information to any IMVs on the server. information to any IMVs on the server.
5.4. Repository 5.4. Repository
skipping to change at page 21, line 33 skipping to change at page 21, line 33
Endpoint Server Endpoint Server
+---------------+ +---------------+ +---------------+ +---------------+
| | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | SWID | | | | SWID | | | | SWID | | | | SWID | |
| | Posture | | | | Posture | | | | Posture | | | | Posture | |
| | Collector | | | | Validator | | | | Collector | | | | Validator | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | | | | | | | | | | |
| | PC-TNC | | | IF-IMV | | | IF-IMC | | | IF-IMV |
| | | | | | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | PB Client | | | | PB Server | | | | PB Client | | | | PB Server | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | PT Client | |<------>| | PT Server | | | | PT Client | |<------>| | PT Server | |
| +-----------+ | PT-TLS | +-----------+ | | +-----------+ | PT-TLS | +-----------+ |
skipping to change at page 22, line 24 skipping to change at page 22, line 24
Endpoint Server Endpoint Server
+---------------+ +---------------+ +---------------+ +---------------+
| | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | SWID | | | | SWID | | | | SWID | | | | SWID | |
| | Posture | | | | Posture | | | | Posture | | | | Posture | |
| | Collector | | | | Validator | | | | Collector | | | | Validator | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | | SWID Message | | | | | | SWID Message | | |
| | PC-TNC | for PA-TNC | | IF-IMV | | | IF-IMC | for PA-TNC | | IF-IMV |
| | | | | | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | PB Client | | | | PB Server | | | | PB Client | | | | PB Server | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | | | | | | | | | | |
| | | PB-TNC {SWID | | | | | | PB-TNC {SWID | | |
| | | Message for | | | | | | Message for | | |
| | | PA-TNC | | | | | | PA-TNC} | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | PT Client | |<-------------->| | PT Server | | | | PT Client | |<-------------->| | PT Server | |
| +-----------+ | PT-TLS {PB-TNC | +-----------+ | | +-----------+ | PT-TLS {PB-TNC | +-----------+ |
| | {SWID Message | | | | {SWID Message | |
+---------------+ for PA-TNC}} +---------------+ +---------------+ for PA-TNC}} +---------------+
Figure 5: Compliance Protocol Encapsulation Figure 5: Compliance Protocol Encapsulation
The SWID Posture Validator stores the new tag information in the The SWID Posture Validator stores the new tag information in the
repository. If the tag indicates that the endpoint is compliant to repository. If the tag indicates that the endpoint is compliant to
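Review bot: Figure 5 still labels the payload "SWID Message for PA-TNC" at the IF-IMC/IF-IMV, PB-TNC and PT-TLS layers, while the normative citation for that message format is now [I-D.ietf-sacm-nea-swid-patnc], titled "Software Inventory Message and Attributes (SWIMA) for PA-TNC". Rename the figure labels, or add a sentence stating that "SWID Message for PA-TNC" refers to the SWIMA draft, so a reader can match the encapsulation diagram to the reference. Nit in the following paragraph: "compliant to" should read "compliant with".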
skipping to change at page 23, line 14 skipping to change at page 23, line 14
Endpoint Server Endpoint Server
+---------------+ +---------------+ +---------------+ +---------------+
| | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | SWID | | | | SWID |-|-+ | | SWID | | | | SWID |-|-+
| | Posture | | | | Posture | | | | | Posture | | | | Posture | | |
| | Collector | | | | Validator | | | | | Collector | | | | Validator | | |
| +-----------+ | | +-----------+ | | | +-----------+ | | +-----------+ | |
| | | | | | | Repository | | | | | | | Repository
| | PC-TNC | | | IF-IMV | | +--------+ | | IF-IMC | | | IF-IMV | | +--------+
| | | | | | | | | | | | | | | | | |
| +-----------+ | | +-----------+ | | | | | +-----------+ | | +-----------+ | | | |
| | PB Client | | | | PB Server | | +---->| | | | PB Client | | | | PB Server | | +---->| |
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | | | | | +--------+ | | | | | | +--------+
| | | | | | | | | | | |
| | | | | | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | PT Client | |<------>| | PT Server | | | | PT Client | |<------>| | PT Server | |
| +-----------+ | PT-TLS | +-----------+ | | +-----------+ | PT-TLS | +-----------+ |
skipping to change at page 24, line 17 skipping to change at page 24, line 17
+-->| +-->|
Endpoint Server | / \ Endpoint Server | / \
+---------------+ +---------------+ | +---------------+ +---------------+ |
| | | | | | | | | |
| +-----------+ | | +-----------+ | | | +-----------+ | | +-----------+ | |
| | SWID | | | | SWID |-|-+ | | SWID | | | | SWID |-|-+
| | Posture | | | | Posture | | | | Posture | | | | Posture | |
| | Collector | | | | Validator | | | | Collector | | | | Validator | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | | | | | Repository | | | | | | Repository
| | PC-TNC | | | IF-IMV | +--------+ | | IF-IMC | | | IF-IMV | +--------+
| | | | | | | | | | | | | | | |
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | PB Client | | | | PB Server | | | | | | PB Client | | | | PB Server | | | |
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | | | | | +--------+ | | | | | | +--------+
| | | | | | | | | | | |
| | | | | | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | PT Client | |<------>| | PT Server | | | | PT Client | |<------>| | PT Server | |
| +-----------+ | PT-TLS | +-----------+ | | +-----------+ | PT-TLS | +-----------+ |
skipping to change at page 25, line 17 skipping to change at page 25, line 17
+-->| +-->|
Endpoint Server | / \ Endpoint Server | / \
+---------------+ +---------------+ | +---------------+ +---------------+ |
| | | | | | | | | |
| +-----------+ | | +-----------+ | | | +-----------+ | | +-----------+ | |
| | SWID | | | | SWID |-|-+ | | SWID | | | | SWID |-|-+
| | Posture | | | | Posture | | | | Posture | | | | Posture | |
| | Collector | | | | Validator | | | | Collector | | | | Validator | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | | | | | Repository | | | | | | Repository
| | PC-TNC | | | IF-IMV | +--------+ | | IF-IMC | | | IF-IMV | +--------+
| | | | | | | | | | | | | | | |
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | PB Client | | | | PB Server | |------>| | | | PB Client | | | | PB Server | |------>| |
| +-----------+ | | +-----------+ | | | | +-----------+ | | +-----------+ | | |
| | | | | | +--------+ | | | | | | +--------+
| | | | | | | | | | | |
| | | | | | | | | | | |
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | PT Client | |<------>| | PT Server | | | | PT Client | |<------>| | PT Server | |
| +-----------+ | PT-TLS | +-----------+ | | +-----------+ | PT-TLS | +-----------+ |
skipping to change at page 27, line 11 skipping to change at page 27, line 11
| Emily Doll | U.S. Government | | Emily Doll | U.S. Government |
| | | | | |
| Jessica Fitzgerald- | U.S. Government | | Jessica Fitzgerald- | U.S. Government |
| McKay | | | McKay | |
| | | | | |
| Mary Lessels | U.S. Government | | Mary Lessels | U.S. Government |
| | | | | |
| Chris Salter | U.S. Government | | Chris Salter | U.S. Government |
+-----------------------+-------------------------------------------+ +-----------------------+-------------------------------------------+
Table 1: Members of the TNC that Contributed to the Document Table 1: Members of the TNC Work Group that Contributed to the
Document
10. IANA Considerations 10. IANA Considerations
This document does not define any new IANA registries. However, this This document does not define any new IANA registries. However, this
document does reference other documents that do define IANA document does reference other documents that do define IANA
registries. As a result, the IANA Considerations section of the registries. As a result, the IANA Considerations section of the
referenced documents should be consulted. referenced documents should be consulted.
11. Security Considerations 11. Security Considerations
skipping to change at page 29, line 47 skipping to change at page 29, line 47
services. services.
11.2. Threat Model 11.2. Threat Model
This section lists the attacks that can be mounted on an Endpoint This section lists the attacks that can be mounted on an Endpoint
Compliance Profile environment. The following section (Section 11.3) Compliance Profile environment. The following section (Section 11.3)
describes countermeasures. describes countermeasures.
Because the Endpoint Compliance Profile describes a specific use case Because the Endpoint Compliance Profile describes a specific use case
for NEA components, many security considerations for these components for NEA components, many security considerations for these components
are addressed in more detail in the technical specifications: [SWID- are addressed in more detail in the technical specifications:
Message-for-PA-TNC], PC-TNC, [RFC5793], [Server-Discovery], [I-D.ietf-sacm-nea-swid-patnc], [IF-IMC], [RFC5793],
[RFC6876], [IF-IMV]. [Server-Discovery], [RFC6876], [IF-IMV].
11.2.1. Endpoint Attacks 11.2.1. Endpoint Attacks
While the Endpoint Compliance Profile provides substantial While the Endpoint Compliance Profile provides substantial
improvements in endpoint security as described in Section 11.1, a improvements in endpoint security as described in Section 11.1, a
certain percentage of endpoints will always get compromised. For certain percentage of endpoints will always get compromised. For
this reason, all parties must regard data coming from endpoints as this reason, all parties must regard data coming from endpoints as
potentially unreliable or even malicious. An analogy can be drawn potentially unreliable or even malicious. An analogy can be drawn
with human testimony in an investigation or trial. Human testimony with human testimony in an investigation or trial. Human testimony
is essential but must be regarded with suspicion. is essential but must be regarded with suspicion.
skipping to change at page 34, line 29 skipping to change at page 34, line 29
without providing the requested data. without providing the requested data.
13. Change Log 13. Change Log
13.1. -00 to -01 13.1. -00 to -01
There are no textual changes associated with this revision. This There are no textual changes associated with this revision. This
revision simply reflects a resubmission of the document so that it revision simply reflects a resubmission of the document so that it
remains in active status. remains in active status.
13.2. -01 to -02
Added references to the Software Inventory Message and Attributes
(SWIMA) for PA-TNC I-D.
Replaced references to PC-TNC with IF-IMC.
Removed erroneous hyphens from a couple of section titles.
Made a few minor editorial changes.
14. References 14. References
14.1. Informative References 14.1. Informative References
[DSD] http://www.dsd.gov.au/publications/csocprotect/ [DSD] http://www.dsd.gov.au/publications/csocprotect/
top_4_mitigations.htm, "Top 4 Mitigation Strategies to top_4_mitigations.htm, "Top 4 Mitigation Strategies to
Protect Your ICT System", November 2012. Protect Your ICT System", November 2012.
[IEEE-802-1ar] [IEEE-802-1ar]
Institute of Electrical and Electronics Engineers, "IEEE Institute of Electrical and Electronics Engineers, "IEEE
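Review bot: The change log entry "Removed erroneous hyphens from a couple of section titles" is incomplete: the table of contents still lists "12. Privacy-Considerations" with the same kind of stray hyphen that was removed from 4.2.1, 5.2.1 and 5.2.1.1. Suggest "12. Privacy Considerations" in the table of contents and the matching body heading.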
skipping to change at page 35, line 7 skipping to change at page 35, line 19
[SANS] http://www.sans.org/critical-security-controls/, "CIS [SANS] http://www.sans.org/critical-security-controls/, "CIS
Critical Security Controls". Critical Security Controls".
[TNC] Trusted Computing Group, "TCG Trusted Network Connect TNC [TNC] Trusted Computing Group, "TCG Trusted Network Connect TNC
Architecture for Interoperability, Version 1.5", February Architecture for Interoperability, Version 1.5", February
2012. 2012.
14.2. Normative References 14.2. Normative References
[I-D.ietf-sacm-nea-swid-patnc]
Schmidt, C., Haynes, D., Coffin, C., and J. Fitzgerald-
McKay, "Software Inventory Message and Attributes (SWIMA)
for PA-TNC", draft-ietf-sacm-nea-swid-patnc-00 (work in
progress), January 2017.
[I-D.ietf-sacm-terminology] [I-D.ietf-sacm-terminology]
Waltermire, D., Montville, A., Harrington, D., and N. Cam- Waltermire, D., Montville, A., Harrington, D., and N. Cam-
Winget, "Terminology for Security Assessment", draft-ietf- Winget, "Terminology for Security Assessment", draft-ietf-
sacm-terminology-05 (work in progress), August 2014. sacm-terminology-05 (work in progress), August 2014.
[IF-IMC] Trusted Computing Group, "TCG Trusted Network Connect TNC [IF-IMC] Trusted Computing Group, "TCG Trusted Network Connect TNC
IF-IMC, Version 1.3", February 2013. IF-IMC, Version 1.3", February 2013.
[IF-IMV] Trusted Computing Group, "TCG Trusted Network Connect TNC [IF-IMV] Trusted Computing Group, "TCG Trusted Network Connect TNC
IF-IMV, Version 1.4", December 2014. IF-IMV, Version 1.4", December 2014.
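Review bot: The newly added [I-D.ietf-sacm-nea-swid-patnc] is listed under Normative References while pointing at draft-ietf-sacm-nea-swid-patnc-00 (work in progress); because Sections 5.2.1.1 and 5.2.1.2 make conformance to it a MUST, this profile cannot advance ahead of that draft, which the authors should plan for. In the same list, [I-D.ietf-sacm-terminology] still cites draft-ietf-sacm-terminology-05 from August 2014 in a March 2017 document; check whether a newer revision should be cited.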