SACM Working Group                                             X. Zhuang
Internet Draft                                                     M. Qi
                                                                  J. Zhu
Intended status: Informational                              China Mobile
Expires: August 8, 2014                                     Feb. 8, 2014

                     Telecommunication Requirement
                      draft-zhuang-sacm-telereq-00

Abstract

   This memo documents additional use cases based on the endpoint
   security posture assessment - enterprise use cases. From all the use
   cases, we can derive common functional capabilities and requirements
   to guide the development of standards for security posture
   assessment of telecommunication and enterprise equipment.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on August 8, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Table of Contents

   1. Introduction
   2. Conventions used in this document
   3. Problem Statement
      3.1. Background of telecommunication device use cases
      3.2. Problem statement
   4. New use cases for telecommunication equipment
      4.1. Security policy baseline setting
      4.2. Security posture remediation
   5. Security Considerations
   6. IANA Considerations
   7. Conclusions
   8. References
      8.1. Normative References
      8.2. Informative References

1. Introduction

   SACM will create an automated tool for security assessment of
   network devices in the enterprise scenario. In another scenario, a
   telecommunication operator has plenty of network devices that need
   to be assessed automatically. Based on telecommunication operators'
   operational experience, this document proposes new security use
   cases to cover telecommunication devices. These use cases can also
   apply to enterprise equipment.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

   In this document, these words will appear with that interpretation
   only when in ALL CAPS. Lower case uses of these words are not to be
   interpreted as carrying RFC-2119 significance.

3. Problem Statement

3.1. Background of telecommunication device use cases

   Because of the large amount of telecommunication equipment, manually
   checking the compliance of the equipment during the operation and
   maintenance phase is a lot of work. Moreover, negligence by
   operation and maintenance personnel may lead to wrong configuration,
   with consequences such as device system paralysis, abnormal
   operation of the network and so on. Therefore, telecommunication
   equipment also needs an automated tool.

3.2. Problem statement

   Although the SACM use cases address only enterprise endpoints, the
   vast majority of them can be applied to telecommunication networks.
   The following problems exist for the security assessment of
   telecommunication network equipment:

   1. Lack of security posture assessment baseline setting. That is, it
      is necessary to set an acceptable security policy or security
      posture assessment baseline before collecting and assessing
      security posture; it is also necessary to assess the integrity
      and feasibility.

   2. Lack of a process for when the equipment security policy does not
      meet the security posture; it needs remediation and the
      triggering of a new assessment.

4. New use cases for telecommunication equipment

4.1. Security policy baseline setting

   This use case describes the process of setting the security policy
   baseline of telecommunication equipment.

   This use case can be initiated by a variety of triggers including:

   1. The initial deployment of the telecommunication equipment in the
      operator's network.

   2. A network event (e.g. network architecture evolution).

   The building blocks of this use case are:

   o  Security policy baseline input: When manufacturers sell
      equipment, they provide a security baseline to help operators
      understand the security status of the device, and also provide
      security operational guidance for the equipment that indicates
      how to configure the device's security posture. The industry has
      some relevant standards.

   o  General security policy baseline setting: Based on the security
      policy baseline input and their own business experience,
      operators set a common security policy baseline, including the
      administrator's password length, the effective time and so on.

   o  Specific security policy baseline setting: Operators set the
      security policy baseline for devices according to their specific
      features and deployment environment.

4.2. Security posture remediation

   This use case describes the process of remedying security posture
   when the posture evaluation result does not comply with the
   operator's security policy.

   The building blocks of this use case are:

   o  Unmatched security posture identification: The purpose of
      unmatched security posture identification is to determine the
      target of posture remediation.

   o  Security posture remediation: The operator's maintenance staff
      process the unmatched security posture. After remediation, a new
      assessment process can be triggered manually or automatically.

5. Security Considerations

   TBD

6. IANA Considerations

   There are no IANA considerations associated with this memo.

7. Conclusions

   TBD

8. References

8.1. Normative References

8.2. Informative References

Authors' Addresses

   Xiaojun Zhuang
   China Mobile
   Unit 2, 32 Xuanwumenxi Ave,
   Xicheng District,
   Beijing 100053, China
   Email: zhuangxiaojun@chinamobile.com

   Minpeng Qi
   China Mobile
   Unit 2, 32 Xuanwumenxi Ave,
   Xicheng District,
   Beijing 100053, China
   Email: qiminpeng@chinamobile.com

   Judy Zhu
   China Mobile
   Unit 2, 32 Xuanwumenxi Ave,
   Xicheng District,
   Beijing 100053, China
   Email: Zhuhongru@chinamobile.com
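
Added example

   The following sketch is an added illustration and is not part of
   the original draft or of any SACM specification. It shows the
   baseline layering of Section 4.1 and the identify, remediate and
   re-assess loop of Section 4.2. The attribute names, rule values,
   device types and the override order are assumptions.

```python
import operator

# Comparison operators a baseline rule may use (assumed rule format).
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

# Section 4.1 building blocks; all attribute names and values are hypothetical.
VENDOR_INPUT = {"admin_password_min_length": (">=", 8),
                "telnet_enabled": ("==", False)}
GENERAL_BASELINE = {"admin_password_min_length": (">=", 12),
                    "password_valid_days": ("<=", 90)}
SPECIFIC_BASELINES = {"core-router": {"password_valid_days": ("<=", 30)}}

def build_baseline(device_type):
    """Layer vendor input, the general baseline, then device-specific rules.

    Later layers override earlier ones (an assumption of this sketch)."""
    baseline = dict(VENDOR_INPUT)
    baseline.update(GENERAL_BASELINE)
    baseline.update(SPECIFIC_BASELINES.get(device_type, {}))
    return baseline

def assess(posture, baseline):
    """Unmatched posture identification (Section 4.2).

    Returns {attribute: (collected value, rule)}. An attribute that was not
    collected counts as unmatched rather than being silently skipped."""
    unmatched = {}
    for attr, (op, required) in sorted(baseline.items()):
        if op not in OPS:
            raise ValueError(f"unknown comparison {op!r} for {attr}")
        value = posture.get(attr)
        if value is None or not OPS[op](value, required):
            unmatched[attr] = (value, f"{op} {required}")
    return unmatched

def remediate_and_reassess(posture, baseline, fixes):
    """Apply the maintenance staff's fixes, then trigger a new assessment."""
    remediated = {**posture, **fixes}
    return remediated, assess(remediated, baseline)

# Constructed sample: posture collected from a hypothetical device.
COLLECTED = {"admin_password_min_length": 10,
             "password_valid_days": 60,
             "telnet_enabled": False}

if __name__ == "__main__":
    rules = build_baseline("core-router")
    print("unmatched:", assess(COLLECTED, rules))
    fixed, remaining = remediate_and_reassess(
        COLLECTED, rules, {"admin_password_min_length": 12})
    print("after partial remediation:", remaining)
```

   The same collected posture passes the password validity rule under
   the general baseline but fails it under the stricter device-specific
   one, which is why the baseline has to be fixed before assessment.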