Diff of draft-ietf-mile-implementreport-02.txt against draft-ietf-mile-implementreport-03.txt

MILE                                                          C. Inacio
Internet-Draft                                                      CMU
Intended status: Informational                              D. Miyamoto
Expires: November 2, 2015 (-02) / November 18, 2015 (-03)        UTokyo
                                 May 1, 2015 (-02) / May 17, 2015 (-03)

                       MILE Implementation Report
       draft-ietf-mile-implementreport-02 / draft-ietf-mile-implementreport-03
Abstract

This document is a collection of implementation reports from vendors,
consortiums, and researchers who have implemented one or more of the
standards published from the IETF INCident Handling (INCH) and
Management Incident Lightweight Exchange (MILE) working groups.

Status of This Memo
(skipping to change at page 1, line 34)

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on November 2, 2015 (-02) /
November 18, 2015 (-03).

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
(skipping to change at page 2, line 21)

[Table of contents in -02]

2.2. Advanced Cyber Defence Centre (ACDC) . . . . . . . . . . 3
3. Open Source Implementations . . . . . . . . . . . . . . . . . 3
3.1. EMC/RSA RID Agent . . . . . . . . . . . . . . . . . . . . 3
3.2. NICT IODEF-SCI implementation . . . . . . . . . . . . . . 4
3.3. n6 . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Vendor Implementations . . . . . . . . . . . . . . . . . . . 5
4.1. Deep Secure . . . . . . . . . . . . . . . . . . . . . . . 5
4.2. IncMan Suite, DFLabs . . . . . . . . . . . . . . . . . . 5
4.3. Surevine Proof of Concept . . . . . . . . . . . . . . . . 7
4.4. MANTIS Cyber-Intelligence Management Framework . . . . . 7
5. Vendors with Planned Support . . . . . . . . . . . . . . . . 7
5.1. Threat Central, HP . . . . . . . . . . . . . . . . . . . 8
6. Other Implementations . . . . . . . . . . . . . . . . . . . . 8
6.1. Collaborative Incident Management System . . . . . . . . 8
7. Implementation Guide . . . . . . . . . . . . . . . . . . . . 9
7.1. Code Generators . . . . . . . . . . . . . . . . . . . . . 9
7.2. iodeflib . . . . . . . . . . . . . . . . . . . . . . . . 10
7.3. iodefpm . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.4. Usability . . . . . . . . . . . . . . . . . . . . . . . . 11
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
10. Security Considerations . . . . . . . . . . . . . . . . . . . 12
11. Informative References . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13

[Table of contents in -03]

2.2. Advanced Cyber Defence Centre (ACDC) . . . . . . . . . . 3
3. Open Source Implementations . . . . . . . . . . . . . . . . . 3
3.1. EMC/RSA RID Agent . . . . . . . . . . . . . . . . . . . . 3
3.2. NICT IODEF-SCI implementation . . . . . . . . . . . . . . 4
3.3. n6 . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Vendor Implementations . . . . . . . . . . . . . . . . . . . 5
4.1. Deep Secure . . . . . . . . . . . . . . . . . . . . . . . 5
4.2. IncMan Suite, DFLabs . . . . . . . . . . . . . . . . . . 5
4.3. Surevine Proof of Concept . . . . . . . . . . . . . . . . 7
4.4. MANTIS Cyber-Intelligence Management Framework . . . . . 7
5. Vendors with Planned Support . . . . . . . . . . . . . . . . 8
5.1. Threat Central, HP . . . . . . . . . . . . . . . . . . . 8
6. Other Implementations . . . . . . . . . . . . . . . . . . . . 8
6.1. Collaborative Incident Management System . . . . . . . . 8
6.2. Automated Incident Reporting - AirCERT . . . . . . . . . 9
6.3. US Department of Energy CyberFed . . . . . . . . . . . . 9
6.4. TrendMicro Sharing System . . . . . . . . . . . . . . . . 10
7. Implementation Guide . . . . . . . . . . . . . . . . . . . . 10
7.1. Code Generators . . . . . . . . . . . . . . . . . . . . . 10
7.2. iodeflib . . . . . . . . . . . . . . . . . . . . . . . . 11
7.3. iodefpm . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.4. Usability . . . . . . . . . . . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
10. Security Considerations . . . . . . . . . . . . . . . . . . . 13
11. Informative References . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction

This document is a collection of implementation reports from vendors
and researchers who have implemented one or more of the standards
published from the INCH and MILE working groups. The standards
include:

o Incident Object Description Exchange Format (IODEF) v1, RFC5070,
(skipping to change at page 9, line 8 in -02 / page 9, line 10 in -03)

to exchange information between each other concerning actions taken
in the handling of a particular incident, thus creating a sort of
common action log, as well as requesting/tasking others to provide
information or perform specified actions and correlating received
responses to the original request or tasking. In addition, a specific
"profile" was developed to identify a subset of the IODEF classes
that would be used during the exercise, in an attempt to channel all
users into a common usage pattern of the otherwise flexible IODEF
standard.
6.2. Automated Incident Reporting - AirCERT
AirCERT was implemented by the CERT Coordination Center (CERT/CC) in
the CERT division of Carnegie Mellon's Software Engineering
Institute. AirCERT was designed to be an Internet-scalable
distributed system for sharing security event data. The AirCERT
system was designed to be an automated collector of flow and IDS
alerts. AirCERT would collect that information into a relational
database and be able to share reporting using IODEF and IDMEF.
AirCERT additionally used SNML to exchange information about the
network. AirCERT was implemented in a combination of C and Perl
modules and included periodic graphing capabilities leveraging
RRDTool.

AirCERT was intended for large-scale distributed deployment and,
eventually, the ability to sanitize data to be shared across
administrative domains. The architecture was designed to allow
collection of data on a per-site basis and to allow each site to
create data sharing based on its own particular trust relationships.
6.3. US Department of Energy CyberFed
The CyberFed system was implemented and deployed by Argonne National
Laboratory to automate the detection of and response to attack
activity against Department of Energy (DoE) computer networks.
CyberFed automates the collection of network alerting activity from
various perimeter network defenses and logs those events into its
database. CyberFed then automatically converts that information into
blocking information transmitted to all participants. The original
implementation used IODEF messages wrapped in an XML extension to
manage a large array of indicators. The CyberFed system was not
designed to describe a particular incident as much as to describe a
set of current network blocking indicators that can be generated and
deployed machine-to-machine.

CyberFed is primarily implemented in Perl. Included as part of the
CyberFed system are scripts which interact with a large number of
firewalls, IDS/IPS devices, DNS systems, and proxies, and which
implement both the automated collection of events and the automated
deployment of blocking.

Currently CyberFed supports multiple exchange formats including IODEF
and STIX. OpenIOC is also a potential exchange format that DoE is
considering.
6.4. TrendMicro Sharing System
More information to come.
7. Implementation Guide

This section aims at sharing tips for the development of
IODEF-capable systems.

7.1. Code Generators

For implementing IODEF-capable systems, it is feasible to employ code
generators for XML Schema Documents (XSD). The generators are used to
save development costs since they automatically create useful
libraries for accessing XML attributes, composing messages, and/or
validating XML objects. The IODEF XSD was defined in section 8 of
RFC 5070, and is available at http://www.iana.org/assignments/xml-
registry/schema/iodef-1.0.xsd.

However, some problems remain. Due to the complexity of the IODEF
XSD, some code generators could not generate code from the XSD file.
The tested code generators were as follows.
o XML::Pastor [XSD:Perl] (Perl)
o RXSD [XSD:Ruby] (Ruby)
o PyXB [XSD:Python] (Python)
o JAXB [XSD:Java] (Java)
o CodeSynthesis XSD [XSD:Cxx] (C++)
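The following is an added example, not code from this report or from any of the generators or implementations it lists. It shows, in plain Python with only the standard library, the kind of accessor and composer library a code generator would produce for the IODEF v1 schema: it reads the fields a receiving system keys on (Incident purpose, IncidentID and its issuing name, ReportTime, Impact types, source addresses), composes a minimal IODEF-Document in the element order RFC 5070 prescribes, and rejects documents missing the attributes and children RFC 5070 marks as required. The sample document, its CSIRT name, incident ID and address are constructed placeholders; the example does not validate against the full iodef-1.0.xsd.

```python
"""Hand-written accessor/composer for IODEF v1 (RFC 5070) documents.
Added example (not from this report or any implementation it lists),
standing in for the accessor library an XSD code generator would emit.
Standard library only, so it runs offline; it checks the structural
requirements it relies on but does not validate against the full XSD."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # namespace defined in RFC 5070
NS = {"iodef": IODEF_NS}

# Constructed sample document; the CSIRT, ID and address are placeholders.
SAMPLE_IODEF = """<IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">EXAMPLE-0001</IncidentID>
    <ReportTime>2015-05-17T10:00:00+00:00</ReportTime>
    <Description>Constructed sample: scanning seen at the perimeter</Description>
    <Assessment>
      <Impact type="recon" completion="failed"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <EventData>
      <Flow>
        <System category="source">
          <Node>
            <Address category="ipv4-addr">192.0.2.10</Address>
          </Node>
        </System>
      </Flow>
    </EventData>
  </Incident>
</IODEF-Document>
"""

REQUIRED_CHILDREN = ("IncidentID", "ReportTime", "Assessment", "Contact")  # RFC 5070
SOURCE_ADDR_PATH = ("iodef:EventData/iodef:Flow/iodef:System[@category='source']"
                    "/iodef:Node/iodef:Address")


def parse_incidents(xml_text):
    """Return one dict per Incident with the fields a receiver keys on.
    Raises ValueError when the RFC 5070 structure relied on is missing."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{IODEF_NS}}}IODEF-Document":
        raise ValueError(f"not an IODEF 1.0 document: {root.tag}")
    incidents = []
    for inc in root.findall("iodef:Incident", NS):
        purpose = inc.get("purpose")  # required attribute of Incident
        if purpose is None:
            raise ValueError("Incident lacks required 'purpose' attribute")
        for child in REQUIRED_CHILDREN:
            if inc.find(f"iodef:{child}", NS) is None:
                raise ValueError(f"Incident lacks required <{child}>")
        iid = inc.find("iodef:IncidentID", NS)
        incidents.append({
            "purpose": purpose,
            "id": (iid.text or "").strip(),
            "id_name": iid.get("name"),  # required: CSIRT that issued the ID
            "report_time": inc.findtext("iodef:ReportTime", namespaces=NS),
            "impact_types": [i.get("type") for i in
                             inc.findall("iodef:Assessment/iodef:Impact", NS)],
            "source_addresses": [a.text.strip() for a in
                                 inc.findall(SOURCE_ADDR_PATH, NS) if a.text],
        })
    return incidents


def is_well_formed_incident(xml_text):
    """True when parse_incidents accepts the document and finds an Incident."""
    try:
        return bool(parse_incidents(xml_text))
    except (ValueError, ET.ParseError):
        return False


def _sub(parent, tag, text=None, **attrs):
    """Append a namespaced child element (helper for the composer)."""
    el = ET.SubElement(parent, f"{{{IODEF_NS}}}{tag}", attrs)
    if text is not None:
        el.text = text
    return el


def build_document(incident_id, id_name, report_time, purpose, impact_type,
                   contact_name, description=None):
    """Compose a minimal IODEF-Document; children follow the RFC 5070
    schema sequence (IncidentID, ReportTime, Description, Assessment, Contact)."""
    ET.register_namespace("", IODEF_NS)  # serialise with a default namespace
    root = ET.Element(f"{{{IODEF_NS}}}IODEF-Document",
                      {"version": "1.00", "lang": "en"})
    inc = _sub(root, "Incident", purpose=purpose)
    _sub(inc, "IncidentID", incident_id, name=id_name)
    _sub(inc, "ReportTime", report_time)
    if description:
        _sub(inc, "Description", description)
    _sub(_sub(inc, "Assessment"), "Impact", type=impact_type)
    _sub(_sub(inc, "Contact", role="creator", type="organization"),
         "ContactName", contact_name)
    return ET.tostring(root, encoding="unicode")
```

Calling `parse_incidents(SAMPLE_IODEF)` yields one record with purpose "reporting", ID "EXAMPLE-0001" issued by "csirt.example.com", impact type "recon" and source address "192.0.2.10"; `build_document(...)` produces a document that `parse_incidents` round-trips. A generated binding adds full schema validation on top of this, which is exactly the step that fails when a generator cannot consume the IODEF XSD.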
(skipping to change at page 12, line 32 in -02 / page 13, line 32 in -03)

"Sharing Transaction Fraud Data", RFC 5941, August 2010.

[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
6545, April 2012.

[RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546, April
2012.

[XSD:CS] Microsoft, "XML Schema Definition Tool (Xsd.exe)",
<http://www.microsoft.com/> (-03; -02 pointed at
<http://www.codesynthesis.com/>).

[XSD:Cxx] CodeSynthesis, "XSD - XML Data Binding for C++",
<http://www.codesynthesis.com/>.

[XSD:Java] Project Kenai, "JAXB Reference Implementation",
<https://jaxb.java.net/>.

[XSD:Perl] Ulsoy, A., "XML::Pastor",
End of changes. 9 change blocks. 21 lines changed or deleted, 72 lines changed or added.

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/