rfcdiff: draft-ietf-mile-implementreport-01.txt (November 20, 2014; expiring May 24, 2015) against draft-ietf-mile-implementreport-02.txt (May 1, 2015)

MILE                                                          C. Inacio
Internet-Draft                                                      CMU
Intended status: Informational                              D. Miyamoto
Expires: November 2, 2015                                        UTokyo
                                                            May 1, 2015

                      MILE Implementation Report
                 draft-ietf-mile-implementreport-02
Abstract

   This document is a collection of implementation reports from vendors,
   consortiums, and researchers who have implemented one or more of the
   standards published from the IETF INCident Handling (INCH) and
   Management Incident Lightweight Exchange (MILE) working groups.
Status of This Memo

skipping to change at page 1, line 34

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 2, 2015.
Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 15

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Consortiums and Information Sharing and Analysis Centers
       (ISACs) . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Anti-Phishing Working Group . . . . . . . . . . . . . . .   3
     2.2.  Advanced Cyber Defence Centre (ACDC)  . . . . . . . . . .   3
   3.  Open Source Implementations . . . . . . . . . . . . . . . . .   3
     3.1.  EMC/RSA RID Agent . . . . . . . . . . . . . . . . . . . .   3
     3.2.  NICT IODEF-SCI implementation . . . . . . . . . . . . . .   4
     3.3.  n6  . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Vendor Implementations  . . . . . . . . . . . . . . . . . . .   5
     4.1.  Deep Secure . . . . . . . . . . . . . . . . . . . . . . .   5
     4.2.  IncMan Suite, DFLabs  . . . . . . . . . . . . . . . . . .   5
     4.3.  Surevine Proof of Concept . . . . . . . . . . . . . . . .   7
     4.4.  MANTIS Cyber-Intelligence Management Framework  . . . . .   7
   5.  Vendors with Planned Support  . . . . . . . . . . . . . . . .   7
     5.1.  Threat Central, HP  . . . . . . . . . . . . . . . . . . .   8
   6.  Other Implementations . . . . . . . . . . . . . . . . . . . .   8
     6.1.  Collaborative Incident Management System  . . . . . . . .   8
   7.  Implementation Guide  . . . . . . . . . . . . . . . . . . . .   9
     7.1.  Code Generators . . . . . . . . . . . . . . . . . . . . .   9
     7.2.  iodeflib  . . . . . . . . . . . . . . . . . . . . . . . .  10
     7.3.  iodefpm . . . . . . . . . . . . . . . . . . . . . . . . .  10
     7.4.  Usability . . . . . . . . . . . . . . . . . . . . . . . .  11
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  11
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   10. Security Considerations . . . . . . . . . . . . . . . . . . .  12
   11. Informative References  . . . . . . . . . . . . . . . . . . .  12
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  13
1.  Introduction

   This document is a collection of implementation reports from vendors
   and researchers who have implemented one or more of the standards
   published from the INCH and MILE working groups.  The standards
   include:

   o  Incident Object Description Exchange Format (IODEF) v1, RFC5070,

   o  Incident Object Description Exchange Format (IODEF) v2,
      RFC5070-bis,

   o  Extensions to the IODEF-Document Class for Reporting Phishing,
      RFC5901

   o  Sharing Transaction Fraud Data, RFC5941

   o  IODEF-extension for Structured Cybersecurity Information, RFCXXXX

   o  Real-time Inter-network Defense (RID), RFC6545

   o  Transport of Real-time Inter-network Defense (RID) Messages over
      HTTP/TLS, RFC6546.

   o  Incident Object Description Exchange Format (IODEF) Extension for
      Structured Cybersecurity Information, RFC7203

   The implementation reports included in this document have been
   provided by the team or product responsible for the implementations
   of the mentioned RFCs.  Additional submissions are welcome and should
   be sent to the draft editor.  A more complete list of
   implementations, including open source efforts and vendor products,
   can also be found at the following location:

   http://siis.realmv6.org/implementations/
2.  Consortiums and Information Sharing and Analysis Centers (ISACs)

skipping to change at page 4, line 34

   been released under an MIT license and development will continue
   here.

   Note that users use this software on their own responsibility.

   Available Online:
   https://github.com/TakeshiTakahashi/IODEF-SCI
3.3. n6
n6 is a platform for processing security-related information,
developed by NASK, CERT Polska. Its API provides a common and
unified way of representing data across the different sources that
participate in knowledge management.
n6 exposes a REST-ful API over HTTPS with mandatory authentication
via TLS client certificates, to ensure confidential and trustworthy
communications. Moreover, it uses an event-based data model for
representation of all types of security information.
Each event is represented as a JSON object with a set of mandatory
and optional attributes. It also supports alternative output data
formats for keeping compatibility with existing systems - IODEF and
CSV - although they lack some of the attributes that may be present
in the native JSON format.
Available Online:
https://github.com/CERT-Polska/n6sdk
4.  Vendor Implementations

4.1.  Deep Secure

   Deep-Secure Guards are built to protect a trusted domain from:

   o  releasing sensitive data that does not meet the organisational
      security policy

   o  applications receiving badly constructed or malicious data which
skipping to change at page 9, line 8

   to exchange information between each other concerning actions taken
   in the handling of a particular incident, thus creating a sort of
   common action log, as well as requesting/tasking others to provide
   information or perform a specified action and correlating received
   responses to the original request or tasking.  In addition, a specific
   "profile" was developed to identify a subset of the IODEF classes
   that would be used during the exercise, in an attempt to channel all
   users into a common usage pattern of the otherwise flexible IODEF
   standard.
7.  Implementation Guide

   This section shares tips for the development of IODEF-capable
   systems.

7.1.  Code Generators

   For implementing IODEF-capable systems, it is feasible to employ code
   generators for XML Schema Document (XSD).  The generators are used to
   save development costs since they automatically create useful
   libraries for accessing XML attributes, composing messages, and/or
   validating XML objects.  The XSD of IODEFv1 was defined in section 8
   of RFC 5070, and is available at http://www.iana.org/assignments/xml-
   registry/schema/iodef-1.0.xsd.

   However, there still remained some problems.  Due to the complexity
   of the IODEF XSD, some code generators could not generate code from
   the XSD file.  The tested code generators were as follows.

   o  XML::Pastor [XSD:Perl] (Perl)

   o  RXSD [XSD:Ruby] (Ruby)

   o  PyXB [XSD:Python] (Python)

   o  JAXB [XSD:Java] (Java)

   o  CodeSynthesis XSD [XSD:Cxx] (C++)
skipping to change at page 10, line 23

   5.1 of [RFC5070], it is an extension technique to add new
   enumerated values to an attribute, and has a prefix of "ext-",
   e.g., ext-value, ext-category, ext-type, and so on.

   According to their language specifications, many programming
   languages prohibit the '-' symbol in class names.  The code
   generators must therefore replace or remove '-' when building the
   libraries.  They should keep a name mapping that restores '-' when
   outputting XML that conforms to the IODEF XSD.
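   As an added illustration of the '-' mapping just described (not code
   from this draft or from any of the generators listed above): a small
   Python name registry that maps IODEF XML names to legal identifiers
   and back, applied to the NodeRole attributes category and ext-category
   from RFC 5070.  The NodeRole helpers are a hypothetical stand-in for a
   generated binding, and the value "webmail" is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF v1 namespace, RFC 5070


class NameMap:
    """Two-way table between IODEF XML names (which may contain '-') and
    identifiers legal in generated code; the reverse lookup restores '-'."""

    def __init__(self):
        self._xml_to_id, self._id_to_xml = {}, {}

    def ident(self, xml_name):
        """Identifier for an XML name, registered once; collisions get a suffix."""
        if xml_name in self._xml_to_id:
            return self._xml_to_id[xml_name]
        cand = re.sub(r"[^0-9A-Za-z_]", "_", xml_name)
        if cand[0].isdigit():
            cand = "_" + cand
        base, n = cand, 1
        while cand in self._id_to_xml:  # e.g. 'ext-type' seen after 'ext_type'
            n += 1
            cand = f"{base}_{n}"
        self._xml_to_id[xml_name], self._id_to_xml[cand] = cand, xml_name
        return cand

    def xml_name(self, ident):
        """Original XML name for an identifier, hyphens restored."""
        return self._id_to_xml[ident]


# Attribute names of the NodeRole class in the RFC 5070 schema, registered up
# front the way a generator would while building the library.
NAMES = NameMap()
for _n in ("category", "ext-category"):
    NAMES.ident(_n)


def node_role_to_xml(attrs):
    """attrs is keyed by identifier (ext_category); the XML gets ext-category."""
    el = ET.Element(f"{{{IODEF_NS}}}NodeRole")
    for ident, value in attrs.items():
        el.set(NAMES.xml_name(ident), value)
    return ET.tostring(el, encoding="unicode")


def node_role_from_xml(xml):
    """Inverse of node_role_to_xml: parse back into identifier-keyed attrs."""
    return {NAMES.ident(k): v for k, v in ET.fromstring(xml).attrib.items()}


def webmail_role():
    # RFC 5070 section 5.1 style: category="ext-value" with the private value
    # carried in ext-category ("webmail" is a constructed sample value)
    return {"category": "ext-value", "ext_category": "webmail"}
```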
7.2.  iodeflib

   iodeflib is an open source implementation written in Python.  It
   provides a simple but powerful API to create, parse and edit IODEF
   documents.  It was designed to keep its interface as simple as
   possible, whereas generated libraries tend to inherit the complexity
   of the IODEF XSD.  Beyond the interface, iodeflib hides some
   unnecessarily nested structures of the IODEF schema and adds more
   convenient shortcuts.

   This tool is available through the following link:
   http://www.decalage.info/python/iodeflib

7.3.  iodefpm

   IODEF.pm is an open source implementation written in Perl.  It also
   provides a simple interface for creating and parsing IODEF documents,
   in order to facilitate the translation of a key-value based format to
   the IODEF representation.  The module contains a generic XML DTD
   parser and includes a simplified node-based representation of the
   IODEF DTD.  It can hence easily be upgraded or extended to support
   new XML nodes or other DTDs.

   This tool is available through the following link:
   http://search.cpan.org/~saxjazman/

7.4.  Usability
   Here are some tips to avoid problems.

   o  IODEF has a category attribute for the NodeRole class.  Though
      various categories are described, they are not enough.  For
      example, in the case of web mail servers, you should choose either
      "www" or "mail".  One suggestion is selecting "mail" as the
      category attribute and adding "www" in another attribute.

   o  The numbering of Incident ID needs to be considered.  Otherwise,
End of changes.  17 change blocks.  42 lines changed or deleted, 79 lines changed or added.
This html diff was produced by rfcdiff 1.42.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/