Title: INCH Requirements

INCH Requirements
Glenn Mansfield Keeni, Cyber Solutions Inc (glenn_at_cysols.com)
Hiroyuki Ohno, WIDE Project (hohno_at_wide.ad.jp)
IETF-55 Atlanta, November 2002

Based on a review of
  - RFC3067
  - CERT processes
  - IDWG requirements

Operational Model

Operational Model-2

Incident Report Handling Requirements: changes from RFC3067
  (diagram labels: Alerts, Incident Reports)

Intent of the IR Data Model
  - controlled exchange and sharing
  - clear and unambiguous semantics, even across regional/national boundaries (as far as possible)
  - well defined syntax (at least for parts of it)
  - enable categorization and statistical analysis
  - ensure integrity and authenticity

Requirements
  - General
  - Format
  - Communication
  - Contents
  - Process
IR Format Requirements
  - Internationalization, localization
  - Structured
  - Well defined semantics for the components
  - Unambiguous and reducible time references
  - Record of time development
  - Access control (who has to access what): different components, users
  - Globally unique identification (for the IR)
  - Extensibility

IR Communication Requirements
  - Must have no effect on integrity, authenticity

IR Content Requirements
  - Various facets of the entities involved
  - Not only network related information
  - Various naming rules for the entities
  - Globally unique identifier (components)
  - Classification scheme (enumerated)
  - Several classifications
  - Originator, Owner, Contacts, History, reference to advisories
  - Description of the incident

IR Content Requirements (continued)
  - Multiple versions (in different languages)
  - Indication of original vs translated copies
  - IDMEF Alerts, Logs, Dumps
  - Additional references/pointers
  - Impact (guidelines for uniform description)
  - Actions taken
  - Authenticity, Integrity verification info
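The format requirements (unambiguous, reducible time references; record of time development; globally unique identification) and the content requirements (enumerated classification; original vs translated copies; integrity and authenticity verification info) carried into one small record model. This is an added Python illustration, not IODEF or any INCH working group code; the classification values, the originator-prefixed identifier scheme and the HMAC key are constructed assumptions.

```python
import hmac
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-in for the enumerated classification scheme the slides call for.
CLASSIFICATIONS = {"scan", "dos", "malware", "intrusion", "other"}

def utc_timestamp(ts: str) -> str:
    """Reduce an ISO 8601 time with an explicit offset to one unambiguous UTC form."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:  # a zone-less time cannot be compared across regions
        raise ValueError(f"ambiguous time reference (no zone): {ts}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def new_report(originator, classification, lang, text, detect_time):
    """Build a report with a globally unique id, enumerated class and original text."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {classification}")
    return {
        "id": f"{originator}#{uuid.uuid4()}",  # originator prefix + UUID (assumed scheme)
        "originator": originator,
        "classification": classification,
        "detect_time": utc_timestamp(detect_time),
        "descriptions": [{"lang": lang, "text": text, "original": True}],
        "history": [],  # record of time development, appended by add_history()
    }

def add_history(report, action, when):
    """Append one dated step to the report's history, in reduced UTC form."""
    report["history"].append({"time": utc_timestamp(when), "action": action})

def add_translation(report, lang, text):
    """Translated copies sit beside the original and are marked as not original."""
    report["descriptions"].append({"lang": lang, "text": text, "original": False})

def canonical(report) -> bytes:
    """Canonical bytes covered by the MAC: every field except the MAC itself."""
    body = {k: v for k, v in report.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(report, key: bytes):
    """Attach an HMAC-SHA256 so a recipient can verify integrity and origin."""
    report["mac"] = hmac.new(key, canonical(report), "sha256").hexdigest()

def verify(report, key: bytes) -> bool:
    """True only if the report is unmodified since seal() with the same key."""
    expected = hmac.new(key, canonical(report), "sha256").hexdigest()
    return hmac.compare_digest(report.get("mac", ""), expected)
```

A shared-key MAC only demonstrates the integrity check; a deployed format would carry a signature and certificate chain so the recipient can verify the originator without a pre-shared secret.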
IR Process Requirements
  - Must be deployed real soon!