This document outlines refined requirements for CSIRT incident report databases, based on a review of RFC 3067 and presented at IETF-55 in Atlanta, November 2002. Key points are clear and unambiguous semantics for data exchange across regional and national boundaries, a structured format, and extensibility of incident reports. It stresses integrity, authenticity, and globally unique identification of reports and their components. It also requires that the communication mechanism have no effect on the integrity or authenticity of the data, and calls for guidelines for uniform incident description and for internationalization and localization support.
INCH Requirements
Glenn Mansfield Keeni, Cyber Solutions Inc (glenn@cysols.com)
Hiroyuki Ohno, WIDE Project (hohno@wide.ad.jp)
IETF-55, Atlanta, November 2002
Based on a review of:
- RFC 3067
- CERT processes
- IDWG requirements
Operational Model (diagram): CSIRT, Incident Report Database, Other CSIRTs.
Operational Model-2 (diagram): CSIRT, Incident Report Database, Other CSIRTs, with flows labelled Alerts, Reports, Statistics.
Incident Report Handling Requirements: Changes from RFC 3067
Alerts versus Incident Reports (two-column comparison; row headings reconstructed from the slide):

                 Alerts                  Incident Reports
Produced by      Sensor                  Human
Form             Cryptic (codes etc.)    Descriptive
Contents         -                       May contain Alerts
Consumed by      Manager                 Manager & Humans
Handling         Standard-based app.     Standard ?
Intent of the IR Data Model
- controlled exchange and sharing
- clear and unambiguous semantics, even across regional/national boundaries (as far as possible)
- well-defined syntax (at least for parts of it)
- enable categorization and statistical analysis
- ensure integrity and authenticity
Requirements:
- General
- Format
- Communication
- Contents
- Process
IR Format Requirements:
- Internationalization and localization
- Structured
- Well-defined semantics for the components
- Unambiguous time references, reducible to a common reference (e.g. UTC)
- Record of development over time (history)
- Access control (who is allowed to access what), per component and per user
- Globally unique identification (for the IR)
- Extensibility
IR Communication Requirements:
- The exchange mechanism must have no effect on the integrity or authenticity of a report
IR Content Requirements:
- Various facets of the entities involved, not only network-related information
- Various naming rules for the entities
- Globally unique identifiers (for components)
- Classification scheme (enumerated); several classifications may apply
- Originator, Owner, Contacts, History, References to advisories
- Description of the incident
IR Content Requirements (continued):
- Multiple versions (in different languages), with an indication of "original" vs "translated copies"
- IDMEF alerts
- Logs, dumps
- Additional references/pointers
- Impact (guidelines for uniform description)
- Actions taken
- Authenticity and integrity verification information
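The following is an added example, not the INCH WG's data model or the IODEF schema, showing how several of the format and content requirements above can be made concrete in one record: a globally unique report identifier, time references reduced to UTC, an enumerated classification, multiple-language descriptions flagged as original vs translated, an extensibility hook, a history component, and integrity/authenticity verification carried inside the report rather than by the transport. All field names, the HMAC-based sealing, the classification values and the sample report are assumptions made for the example.

```python
"""Illustrative CSIRT incident-report record (added example; field names,
sealing scheme and sample data are assumptions, not the INCH/IODEF model)."""
from __future__ import annotations

import copy
import hashlib
import hmac
import json
import uuid
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed pre-shared key standing in for a real signature mechanism.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed enumerated classification scheme (assumption).
CLASSIFICATION = {"scan", "compromise", "dos", "malware", "other"}


def reducible_time(ts: datetime) -> str:
    """Require a zone-aware timestamp and reduce it to UTC, so CSIRTs in
    different regions read the same instant. Naive timestamps are rejected."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("naive timestamp is ambiguous across regions")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def globally_unique_id(issuer_domain: str) -> str:
    """Issuing CSIRT's domain plus a random UUID: unique without coordination."""
    return f"{issuer_domain}#{uuid.uuid4()}"


@dataclass
class Description:
    lang: str
    text: str
    original: bool  # exactly one description per report is the original


@dataclass
class IncidentReport:
    report_id: str
    originator: str
    detect_time: str                      # UTC strings from reducible_time()
    report_time: str
    classification: str                   # one value from CLASSIFICATION
    descriptions: list[Description]
    history: list[dict] = field(default_factory=list)  # development over time
    extensions: dict = field(default_factory=dict)     # extensibility hook

    def __post_init__(self) -> None:
        if self.classification not in CLASSIFICATION:
            raise ValueError(f"unknown classification {self.classification!r}")
        if sum(d.original for d in self.descriptions) != 1:
            raise ValueError("exactly one description must be marked original")

    def canonical_bytes(self) -> bytes:
        """Canonical JSON (sorted keys, no whitespace) so sender and receiver
        MAC identical bytes however the report was transported."""
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":"),
                          ensure_ascii=False).encode("utf-8")

    def seal(self, key: bytes) -> str:
        return hmac.new(key, self.canonical_bytes(), hashlib.sha256).hexdigest()

    def verify(self, key: bytes, tag: str) -> bool:
        return hmac.compare_digest(self.seal(key), tag)


def add_translation(report: IncidentReport, lang: str, text: str) -> None:
    """Translated copies are added as non-original components."""
    report.descriptions.append(Description(lang=lang, text=text, original=False))


def build_sample_report() -> IncidentReport:
    """Constructed sample: a scan detected and reported from Japan (UTC+9)."""
    jst = timezone(timedelta(hours=9))
    reported = reducible_time(datetime(2002, 11, 18, 17, 0, tzinfo=jst))
    return IncidentReport(
        report_id=globally_unique_id("csirt.example.jp"),
        originator="csirt.example.jp",
        detect_time=reducible_time(datetime(2002, 11, 18, 9, 30, tzinfo=jst)),
        report_time=reported,
        classification="scan",
        descriptions=[Description("ja", "ポートスキャンを検知", original=True)],
        history=[{"time": reported, "action": "report created"}],
        extensions={"x-idmef-alert-count": 3},
    )


def exchange_demo() -> dict:
    """Originator seals; receiver verifies; a copy altered in transit fails;
    a translation breaks the original seal and must be re-sealed."""
    report = build_sample_report()
    tag = report.seal(SHARED_KEY)

    tampered = copy.deepcopy(report)
    tampered.classification = "other"          # altered in transit

    translated = copy.deepcopy(report)
    add_translation(translated, "en", "Port scan detected")

    return {
        "detect_time": report.detect_time,
        "id_prefix_ok": report.report_id.startswith("csirt.example.jp#"),
        "original_verifies": report.verify(SHARED_KEY, tag),
        "tampered_verifies": tampered.verify(SHARED_KEY, tag),
        "translation_keeps_original_seal": translated.verify(SHARED_KEY, tag),
        "translation_resealed_verifies":
            translated.verify(SHARED_KEY, translated.seal(SHARED_KEY)),
        "originals_after_translation": sum(d.original for d in translated.descriptions),
    }


if __name__ == "__main__":
    print(json.dumps(exchange_demo(), indent=2))
```

The detect time entered as 09:30 JST comes out as 2002-11-18T00:30:00Z, so two CSIRTs comparing reports agree on the instant without knowing each other's local zone. The translation case shows why "original vs translated" has to be an explicit component: appending a translation changes the canonical bytes, so the receiving CSIRT cannot pass on the originator's seal unchanged and must seal the translated copy itself.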
IR Process Requirements:
- Must be deployed real soon!