[Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements
Ponds-White, Trev
trevolip at amazon.com
Tue Feb 6 21:49:45 UTC 2024
Do we think that is already sufficiently taken care of by #5 (System crashes, hardware failures, and other anomalies;) on the security events list then? Or does it need to be specifically repeated for this item?
From: Tim Hollebeek <tim.hollebeek at digicert.com>
Sent: Tuesday, February 6, 2024 10:08 AM
To: Ponds-White, Trev <trevolip at amazon.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Christophe Bonjean <christophe.bonjean at globalsign.com>
Subject: RE: [EXTERNAL] [Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements
There are a number of attack scenarios that cause network devices to crash/restart either as part of the attack, or as a consequence of the fallout from an attack. So paying attention to if some of your network hardware and software crashes unexpectedly and/or becomes significantly less stable can be a useful signal.
That’s at least the historical reason for including this sort of monitoring, I’ll ask Bindi if it still makes sense to be watching for that sort of stuff today.
-Tim
From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> On Behalf Of Ponds-White, Trev via Servercert-wg
Sent: Tuesday, February 6, 2024 12:59 PM
To: Christophe Bonjean <christophe.bonjean at globalsign.com<mailto:christophe.bonjean at globalsign.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: Re: [Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements
I had the same thought about firewall rules vs configuration changes being duplicative. I also agree about the dubious value of “hardware failures, software crashes, and system restarts”. I left it in since it was there but I was kind of struggling to figure out the purpose of some of that information. I assume its there for the purpose of understanding the impact and duration of an unexpected outage of your boundary protections? I don’t think that list really gets you that but it might be a piece of the picture for some, but not all, environments.
From: Christophe Bonjean <christophe.bonjean at globalsign.com<mailto:christophe.bonjean at globalsign.com>>
Sent: Tuesday, February 6, 2024 5:39 AM
To: Ponds-White, Trev <trevolip at amazon.com<mailto:trevolip at amazon.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: RE: [EXTERNAL] [Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements
I agree with Trev’s perspective.
A few comments:
* Firewall rules are a separate item, but aren’t firewall rules covered by configuration changes? Should we merge it?
* What’s the purpose of “hardware failures, software crashes, and system restarts”? System restarts I could see how it’s relevant for audit logging purposes, but not sure what the additional value is of logging hardware failures and software crashes.
Christophe
From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> On Behalf Of Ponds-White, Trev via Servercert-wg
Sent: Tuesday, February 6, 2024 3:08 AM
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com<mailto:martijn.katerbarg at sectigo.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>; Clint Wilson <clintw at apple.com<mailto:clintw at apple.com>>
Subject: Re: [Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements
I think “router and firewall activities” are solutions that don’t identify the problem we are trying to solve. Ultimately we want to know that the CA systems are segregated and protected. In this section we are specifying the required logs the CAs should have that allow them to monitor this and investigate if issues occur. I think it would be better to change this something like
“Network boundary controls (firewall, switch, router, gateway, or other network control device or system) activities. Relevant activities to log include configuration changes, firmware updates, and access control modifications. As well as system events and errors, including hardware failures, software crashes, and system restarts.”
This also better aligns with NetSec 1.f “Configure each network boundary control (firewall, switch, router, gateway, or other network control device or system) with rules that support only the services, protocols, ports, and communications that the CA has identified as necessary to its operations;”
From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> On Behalf Of Martijn Katerbarg via Servercert-wg
Sent: Monday, February 5, 2024 12:52 PM
To: Clint Wilson <clintw at apple.com<mailto:clintw at apple.com>>; ServerCert CA/BF <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: RE: [EXTERNAL] [Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
Hi Clint,
Thanks for the feedback!
1. I’m not sure the wording "Router and firewall activities" is considered an unspecified term, and leaves the exact definition and scope up to the CA, however” is necessary or even really helpful. I think it would be clearer to introduce Section 5.4.1.1 with something like “Logging of router and firewall activities necessary to meet the requirements of Section 5.4.1, Subsection 3.6 MUST at a minimum include:”
I’d agree, this makes sense to update.
* I’m not sold on the “Subsection” part, but I don’t recall if we have good semantics established for referencing the numbered paragraphs/sections under a Section heading.
This was more a design decision, since Section 5.4.1 is already a lengthy section with a lot of information. Personally I feel creating the subsection make it easier to follow through. I’m open to changing if more people feel this should be addressed.
1. I think the entire section including and under "Logging of router and firewall activities SHOULD NOT include:” should be removed.
Based on the reasoning provided, I agree that it doesn’t really add anything extra to the requirements.
1. The concluding sentence "CAs are encouraged to recommend additional MUST and SHOULD NOT requirements through an email to questions at cabforum.org<mailto:questions at cabforum.org>, for future discussion within the appropriate Working Group.” stands out as I think it’s the only such “encouragement” in the BRs. I don’t think that makes it bad or that it should be removed, but I’m also not sure how valuable it is to the BRs as a policy. I admit that may be because I view this encouragement as fundamental to membership and participation in the CA/B Forum at all — every member, regardless of type, should feel welcome and encouraged to recommend changes to any of the CA/B Forum documents. But we don’t say that anywhere, so maybe this is a good start?
I took this approach from the CSWG, which used it during the switch to hardware-based keys. I’m not sure it was ever utilized however.
If there’s strong opinions on removing this, I don’t have a problem with that.
I’ll leave the comments open for a bit, before I make the above changes, in case there is more feedback.
Regards,
Martijn
From: Clint Wilson <clintw at apple.com<mailto:clintw at apple.com>>
Date: Saturday, 3 February 2024 at 01:13
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com<mailto:martijn.katerbarg at sectigo.com>>, ServerCert CA/BF <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: Re: [Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements
Hi Martijn,
Thanks for sending this out for discussion. Just a few comments at this point:
1. I’m not sure the wording "Router and firewall activities" is considered an unspecified term, and leaves the exact definition and scope up to the CA, however” is necessary or even really helpful. I think it would be clearer to introduce Section 5.4.1.1 with something like “Logging of router and firewall activities necessary to meet the requirements of Section 5.4.1, Subsection 3.6 MUST at a minimum include:”
* I’m not sold on the “Subsection” part, but I don’t recall if we have good semantics established for referencing the numbered paragraphs/sections under a Section heading.
1. I think the entire section including and under "Logging of router and firewall activities SHOULD NOT include:” should be removed.
* The first item listed seems overly broad (arguably, imo, even covering the “inbound and outbound” connections of the second item) and so making it a SHOULD NOT seems too strong a recommendation.
* The second item seems counterintuitive and difficult to implement correctly+consistently. It could be read as something like “don’t log unless you know you’re being exploited”, which doesn’t sound like a recommendation we should be making (especially in the context of post-incident data analysis).
* Neither of these recommendations seems necessary to accomplish the goals of additional clarity and specificity of what MUST be logged.
1. The concluding sentence "CAs are encouraged to recommend additional MUST and SHOULD NOT requirements through an email to questions at cabforum.org<mailto:questions at cabforum.org>, for future discussion within the appropriate Working Group.” stands out as I think it’s the only such “encouragement” in the BRs. I don’t think that makes it bad or that it should be removed, but I’m also not sure how valuable it is to the BRs as a policy. I admit that may be because I view this encouragement as fundamental to membership and participation in the CA/B Forum at all — every member, regardless of type, should feel welcome and encouraged to recommend changes to any of the CA/B Forum documents. But we don’t say that anywhere, so maybe this is a good start?
Cheers!
-Clint
On Jan 29, 2024, at 10:30 AM, Martijn Katerbarg via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:
Summary:
This ballot aims to clarify what data needs to be logged as part of the "Firewall and router activities" logging requirement in the Baseline Requirements.
This ballot is proposed by Martijn Katerbarg (Sectigo) and endorsed by Daniel Jeffery (Fastly) and Ben Wilson (Mozilla).
--- Motion Begins ---
This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Reuqirements"), based on Version 2.0.2.
MODIFY the Baseline Requirements as specified in the following Redline: https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...807675c91c8500157b0ffd58ab3a40b0b17075e5<https://url.avanan.click/v2/___https:/github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...807675c91c8500157b0ffd58ab3a40b0b17075e5___.YXAzOmRpZ2ljZXJ0OmE6bzpkZDMwYTE1OTM3NTE0N2FmZTg5YjA4MWU1ODY4MTcyNTo2OmM3N2E6YjkwMzgyMzVlN2MwNTA3NDZiMGY0ZTMxOTllODlkMmRkNWE0MzJhYTFjYTk2Njg1Y2JiNGZiZjIwODBjNzU3YzpoOkY>
--- Motion Ends ---
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days)
1. Start time: 2024-01-29 18:30:00 UTC
2. End time: not before 2024-02-05 18:30:00 UTC
Vote for approval (7 days)
1. Start time: TBD
2. End time: TBD
_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>
https://lists.cabforum.org/mailman/listinfo/servercert-wg<https://url.avanan.click/v2/___https:/lists.cabforum.org/mailman/listinfo/servercert-wg___.YXAzOmRpZ2ljZXJ0OmE6bzpkZDMwYTE1OTM3NTE0N2FmZTg5YjA4MWU1ODY4MTcyNTo2OmM3MTc6M2Q2YTM5NDYxNjVhNDM1NGNkMmZhN2RmOGFkMjJhYzhkMjM2ODQ2M2VjYzgyN2ZhMDQyZjcxNGNjZTM0ZDIwYTpoOkY>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240206/0f01d1be/attachment-0001.html>
More information about the Servercert-wg
mailing list