Hi Linda,

One more thing regarding how a policy/rule is to be enforced. We see two 
distinct requirements:


1. Static security posture --> The security admin determines what 
security policies need to be enforced in their network based on their business 
needs (access policies such as who can access what) and/or regulatory 
compliance (HIPAA, FISA). These policies usually stay in the network unless 
manually removed. In my experience, the majority of security policies fall under 
this category.

2. Dynamic security posture --> Some of the policies may be created but 
not always enforced. A security admin may want to increase or decrease its 
security posture based on an event. The event could be time-based or 
threat-based. For example, a policy is enforced only during the weekend or a 
policy is enforced only when a DDoS event is detected.

I don’t have any name for the first one, but the second one is ECA (Event Condition 
Action). We wanted to take both of them for interfaces to be meaningful in the real 
security world. I hope this clarifies our thinking. We can add a section in our 
draft to put similar text there if you think that would be helpful.

Thanks & Regards,
Rakesh
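
The two enforcement modes described in the message above, sketched as an added example (not part of the thread or of the I2NSF drafts): static policies are always in force, while ECA policies are in force only while their event condition holds. All class names, policy names, actions and the event label are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, FrozenSet, List, Optional, Tuple

# Hypothetical model for illustration only; none of these names come from
# the I2NSF drafts discussed in this thread.

@dataclass(frozen=True)
class Context:
    now: datetime                                  # evaluation time
    active_events: FrozenSet[str] = frozenset()    # constructed event labels

@dataclass(frozen=True)
class Policy:
    name: str
    action: str
    # None => static posture: enforced until manually removed.
    # Otherwise the event/condition part of an ECA rule.
    trigger: Optional[Callable[[Context], bool]] = None

def is_weekend(ctx: Context) -> bool:
    return ctx.now.weekday() >= 5                  # Saturday=5, Sunday=6

def ddos_detected(ctx: Context) -> bool:
    return "ddos-detected" in ctx.active_events

POLICIES = [
    Policy("hr-db-access", "permit group=hr to hr-db, deny others"),
    Policy("weekend-lockdown", "deny remote-admin", trigger=is_weekend),
    Policy("ddos-rate-limit", "rate-limit inbound web", trigger=ddos_detected),
]

def enforced(policies: List[Policy], ctx: Context) -> List[str]:
    """Names of the policies in force for this context."""
    return [p.name for p in policies if p.trigger is None or p.trigger(ctx)]

def posture_changes(policies: List[Policy], before: Context,
                    after: Context) -> Tuple[List[str], List[str]]:
    """(activated, deactivated) policy names between two contexts,
    i.e. the posture change an admin would want logged and audited."""
    old, new = set(enforced(policies, before)), set(enforced(policies, after))
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    tuesday = Context(datetime(2016, 11, 1, 12, 0))
    saturday_attack = Context(datetime(2016, 11, 5, 12, 0),
                              frozenset({"ddos-detected"}))
    print(enforced(POLICIES, tuesday))
    print(posture_changes(POLICIES, tuesday, saturday_attack))
```
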


From: I2nsf <i2nsf-boun...@ietf.org> on behalf of Rakesh Kumar 
<rkku...@juniper.net>
Date: Tuesday, November 1, 2016 at 11:56 AM
To: Linda Dunbar <linda.dun...@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: Adrian Farrel <afar...@juniper.net>
Subject: Re: [I2nsf] Will you provide more details on the Rules' Information 
model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Hi Linda,

Thanks a lot for the review.

One of the biggest challenges in the security world today is that it is too 
complex, with each vendor having their own set of features and functionality 
exposed in a very proprietary manner. We have to simplify this with the I2NSF 
client-facing interface so that a security admin can express their business 
needs without having to worry about the complexity.

It is very important that security requirements be expressed by the security admin 
with simple rules. But it is easier said than done; this is one of the most 
complex problems: how to make rules simple but at the same time able to 
capture a wide variety of use-cases in different environments.

The work done so far in this draft is just the beginning and we should 
brainstorm and see how to make it more complete. I will look at the link you have 
sent and see how to leverage from there. Even if we develop very generic rules, 
we still need to define some basic constructs which would be used to build a 
policy. We have taken a step in that direction, but this is just a start and 
work will continue with ideas from folks in this WG.


Regards,
Rakesh

From: Linda Dunbar <linda.dun...@huawei.com>
Date: Tuesday, November 1, 2016 at 10:55 AM
To: Rakesh Kumar <rkku...@juniper.net>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: Adrian Farrel <afar...@juniper.net>
Subject: RE: [I2nsf] Will you provide more details on the Rules' Information 
model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Rakesh,

By the way, the I2NSF framework has specified the use of ECA (Event Condition 
Action) to describe “Rules”.
https://datatracker.ietf.org/doc/draft-xibassnez-i2nsf-capability/ has the 
detailed description of the “Rules” information model.

Is there any issue with utilizing that information model?

Thanks,
Linda

From: I2nsf [mailto:i2nsf-boun...@ietf.org] On Behalf Of Linda Dunbar
Sent: November 1, 2016 12:10
To: Rakesh Kumar <rkku...@juniper.net>; i2nsf@ietf.org
Cc: Adrian Farrel <afar...@juniper.net>
Subject: [I2nsf] Will you provide more details on the Rules' Information model 
in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Rakesh,

Thank you very much for contributing the draft. Just curious, the current IM 
for Rules doesn't have many details:



Will you add more in a future revision?

Linda Dunbar

-----Original Message-----
From: I2nsf [mailto:i2nsf-boun...@ietf.org] On Behalf Of Rakesh Kumar
Sent: October 31, 2016 12:14
To: i2nsf@ietf.org
Cc: Adrian Farrel <afar...@juniper.net>; Linda Dunbar <linda.dun...@huawei.com>
Subject: [I2nsf] FW: New Version Notification for 
draft-kumar-i2nsf-client-facing-interface-im-00.txt

We posted a new draft that captures an information model for the client-facing 
interfaces based on “draft-ietf-i2nsf-client-facing-interface-req”.
This is an initial version; we plan to update this as we evolve based on new 
requirements and information.


Thanks & Regards,
Rakesh and other co-authors.


On 10/31/16, 10:08 AM, "internet-dra...@ietf.org" <internet-dra...@ietf.org> wrote:


    A new version of I-D, draft-kumar-i2nsf-client-facing-interface-im-00.txt
    has been successfully submitted by Rakesh Kumar and posted to the
    IETF repository.

    Name:               draft-kumar-i2nsf-client-facing-interface-im
    Revision:           00
    Title:              Information model for Client-Facing Interface to Security Controller
    Document date:      2016-10-31
    Group:              Individual Submission
    Pages:              17
    URL:                https://www.ietf.org/internet-drafts/draft-kumar-i2nsf-client-facing-interface-im-00.txt
    Status:             https://datatracker.ietf.org/doc/draft-kumar-i2nsf-client-facing-interface-im/
    Htmlized:           https://tools.ietf.org/html/draft-kumar-i2nsf-client-facing-interface-im-00


    Abstract:
       This document defines information model for the client-facing
       interface to security controller based on the requirements identified
       in the [I-D.kumar-i2nsf-client-facing-interface-req].  The
       information model defines various managed objects and the
       relationship among these objects needed to build the client
       interfaces.




    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.

    The IETF Secretariat



_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf

