Security Automation and Continuous Monitoring (SACM)                Q. Lin
Internet-Draft                                                      L. Xia
Intended status: Standards Track                                    Huawei
Expires: January 3, 2019                                       H. Birkholz
                                                            Fraunhofer SIT
                                                              July 2, 2018


    The Data Model of Network Infrastructure Device Management Plane
                           Security Baseline
               draft-lin-sacm-nid-mp-security-baseline-03

Abstract

   This document provides a security baseline for the network
   infrastructure device management plane, represented as a YANG data
   model.  The corresponding values of this YANG data model can be
   transported between Security Automation and Continuous Monitoring
   (SACM) components and used for network infrastructure device
   security evaluation.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 3, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Tree Diagrams
   5.  Data Model Structure
     5.1.  Administrator Management Security
       5.1.1.  Administrator Security Policy
       5.1.2.  Administrator Login Security
       5.1.3.  AAA
       5.1.4.  Administrator Access Statistics
     5.2.  System Management Security
       5.2.1.  SNMP Management Security
       5.2.2.  NETCONF Management Security
       5.2.3.  Port Management Security
     5.3.  Log Security
     5.4.  File Security
   6.  Network Infrastructure Device Security Baseline YANG Module
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.
   Authors' Addresses

1.  Introduction

   Besides user devices and servers, network infrastructure devices such
   as routers, switches, and firewalls are crucial to enterprise network
   security.  The security baseline defined in this document is a
   minimal set of security controls that are essential to provide
   network security.  The security posture of network devices can then
   be assessed by comparing the applied security controls with the
   security baseline and with organization-specific security controls.

   Network devices typically operate in three planes: the management
   plane, the control plane, and the data plane.  All three planes
   should be protected and monitored to secure the network.  This
   document focuses on the security baseline for the network device
   management plane.  The management plane provides configuration and
   monitoring services to the network administrator or device owner.
   Unauthorized access, insecure access channels, and weak cryptographic
   algorithms are common security issues that undermine management plane
   security.  A number of security best practices have been proposed to
   deal with these issues, such as disabling unused services and ports,
   discarding insecure access channels, and enforcing strong user
   authentication and authorization.  In this document, we provide a
   minimal set of security controls that are expected to be widely
   applicable to common network devices.  To conduct security posture
   assessment, the values of these security controls as applied on
   network devices are then compared with the reference values defined
   by an organization or a third party.  For interoperability and
   extensibility, additional security controls can be specified by
   organizations or provided by specific vendors.

   A YANG data model is used in this document to describe the security
   baseline for the network device management plane.
   [I-D.birkholz-sacm-yang-content] defines a method to construct the
   YANG data model scheme for the security posture assessment of a
   network device by brokering YANG push telemetry via SACM statements.
   In this document, we follow the same approach to define the YANG
   output for network device security posture based on
   [I-D.ietf-sacm-information-model].

   Besides the management plane security baseline, the security
   baselines for the control plane, data plane, and infrastructure layer
   of network infrastructure devices are described in
   [I-D.dong-sacm-nid-cp-security-baseline],
   [I-D.xia-sacm-nid-dp-security-baseline] and
   [I-D.dong-sacm-nid-infra-security-baseline] respectively.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terms defined in [RFC6020].

4.  Tree Diagrams

   The tree diagram notation defined in [RFC8340] is used to represent
   the YANG data model of network device management plane security.
   The meaning of the symbols used in the tree diagrams and the syntax
   are as follows:

   o  A module is identified by "module:" followed by the module name.
      The top-level data nodes defined in the module are offset by 2
      spaces.  Submodules are represented in the same fashion as
      modules, but are identified by "submodule:" followed by the
      (sub)module name.

   o  Groupings are offset by 2 spaces and identified by the keyword
      "grouping" followed by the name of the grouping and a colon (":")
      character.

   o  Each node in the tree is prefaced with "+--".  Schema nodes that
      are children of another node are offset from the parent by 3
      spaces.

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" means state data (read-only), "x" is used to
      mark rpcs and actions, "w" denotes the input parameters to rpcs
      and actions, and "u" indicates the use of a predefined grouping.

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a "list" or "leaf-
      list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

   o  Curly brackets and a question mark "{...}?" are combined to
      represent the features that a node depends on.

5.  Data Model Structure

   This document focuses on network infrastructure device management
   plane security, including the security of administrator management,
   system management protocols, system ports, logs, and the local file
   system.  Both the security configuration and the runtime state of
   security controls are taken into consideration.  Four submodules are
   illustrated in the following sections to represent the security
   baseline for:

   o  Administrator management security

   o  System management protocol security and port management security

   o  Log security

   o  Local file system security

   There exists a multitude of YANG models for network devices and
   network protocols.  For management plane security, several RFCs and
   drafts have defined some related parts, but an overall data model of
   management plane security is still missing.  Moreover, the related
   data models may only cover part of the security functions.  Besides
   defining new submodules and groupings, the following sections also
   reuse existing YANG modules and provide additional attributes or
   groupings for the missing parts.  Appendix A provides a summary of
   existing YANG modules and their relationship to the security baseline
   defined in this document.

5.1.  Administrator Management Security

   The "admin-management-security" submodule is divided into four parts:

   submodule: admin-management-security
     +--rw admin-management-security
        +--rw admin-security-policy
        +--rw admin-login-security
        +--rw aaa-security
        +--ro admin-access-statistics

5.1.1.  Administrator Security Policy

   In order to provide basic protection of administrator accounts,
   security controls on account properties and passwords should be
   applied.  The commonly applied security controls include limiting the
   length of the account name, checking that passwords comply with the
   complexity policy, forbidding the use of certain strings in
   passwords, blocking accounts after several failed logins, etc.  The
   following data model illustrates these kinds of security controls.
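   The controls just listed are the kind of values that Section 1 says
   an assessor compares against organization reference values.  As an
   added example (not part of the draft), the Python below evaluates a
   constructed instance of the admin-security-policy subtree against
   constructed reference values, and applies the login-failed-limit
   semantics (failed-times within period, blocked for reactive-time) to
   a list of failure times.  Node names are the draft's; the time unit
   is an assumption, since the draft types those leaves as uint64
   without naming one.

```python
"""Posture check for the admin-security-policy controls.

Added example, not part of the draft: the device data and reference
values are constructed; node names follow the admin-security-policy
subtree.  Times for login-failed-limit are integers in one unspecified
unit (an assumption: the draft types these leaves as uint64, no unit).
"""

# Constructed instance data, as a device might report it (JSON-like).
DEVICE = {
    "account-security-policy": {
        "security-policy": True,
        "account-aging-period": 180,
        "account-name-minlen": 3,
    },
    "pwd-security-policy": {
        "expire-days": 365,
        "prompt-days": 7,
        "change-check": True,
        "complexity-check": False,
        "history-pwd-num": 2,
        "pwd-minlen": 6,
    },
    "forbidden-word-rules": {"forbidden-word-rule": []},
    "login-failed-limit": {"failed-times": 5, "period": 5, "reactive-time": 5},
}

# Constructed organization reference values: node path -> (check, ref).
# "eq": reported == ref; "min": reported >= ref; "max": reported <= ref;
# "nonempty": a list that must hold at least one entry.
BASELINE = {
    "account-security-policy/security-policy": ("eq", True),
    "account-security-policy/account-name-minlen": ("min", 4),
    "pwd-security-policy/expire-days": ("max", 90),
    "pwd-security-policy/complexity-check": ("eq", True),
    "pwd-security-policy/history-pwd-num": ("min", 5),
    "pwd-security-policy/pwd-minlen": ("min", 8),
    "forbidden-word-rules/forbidden-word-rule": ("nonempty", None),
    "login-failed-limit/failed-times": ("max", 5),
    "login-failed-limit/reactive-time": ("min", 5),
}


def lookup(tree, path):
    """Resolve a slash-separated node path in instance data; None if absent."""
    node = tree
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def satisfies(value, check, ref):
    """True if a reported value meets one reference check."""
    if value is None:
        return False  # a control the device does not report is a finding
    if check == "eq":
        return value == ref
    if check == "min":
        return value >= ref
    if check == "max":
        return value <= ref
    if check == "nonempty":
        return len(value) > 0
    raise ValueError("unknown check: %s" % check)


def assess(device, baseline):
    """Compare reported values with the baseline; return one
    (path, reported, check, ref) tuple per missing or non-compliant control."""
    return [(path, lookup(device, path), check, ref)
            for path, (check, ref) in baseline.items()
            if not satisfies(lookup(device, path), check, ref)]


def account_blocked(failure_times, policy, now):
    """Apply login-failed-limit: blocked when failed-times failures fall
    within one period, until reactive-time after the triggering failure."""
    limit, period = policy["failed-times"], policy["period"]
    reactive = policy["reactive-time"]
    if limit < 1:
        return False
    times = sorted(t for t in failure_times if t <= now)
    for i in range(limit - 1, len(times)):
        trigger = times[i]  # the failure that completed a run of `limit`
        if trigger - times[i - limit + 1] <= period and now < trigger + reactive:
            return True
    return False


if __name__ == "__main__":
    for finding in assess(DEVICE, BASELINE):
        print("non-compliant: %s reported=%r (%s %r)" % finding)
    print(account_blocked([0, 1, 2, 3, 4], DEVICE["login-failed-limit"], 6))
```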
   +--rw admin-security-policy
      +--rw account-security-policy
      |  +--rw security-policy          boolean
      |  +--rw account-aging-period     uint64
      |  +--rw account-name-minlen      uint64
      +--rw pwd-security-policy
      |  +--rw expire-days              uint64
      |  +--rw prompt-days              uint64
      |  +--rw change-check             boolean
      |  +--rw complexity-check         boolean
      |  +--rw history-pwd-num          uint64
      |  +--rw pwd-minlen               uint64
      +--rw forbidden-word-rules
      |  +--rw forbidden-word-rule* [forbidden-word]
      |     +--rw forbidden-word        string
      +--rw login-failed-limit
         +--rw failed-times             uint64
         +--rw period                   uint64
         +--rw reactive-time            uint64

5.1.2.  Administrator Login Security

   Network infrastructure devices can typically be managed through a
   command line interface (CLI) or a web user interface.  The web user
   interface provides basic maintenance and management functions.
   Sometimes an administrator still needs to use the CLI to implement
   complex or fine-grained management.  If insecure access channels have
   to be used, several security controls should be enforced.

   +--rw admin-login-security
      +--rw console
      |  +--rw auth-mode                   auth-mode-type
      |  +--rw privilege-level             uint8
      +--rw vtys
      |  +--rw vty* [vty-number]
      |     +--rw vty-number               uint8
      |     +--rw auth-mode                auth-mode-type
      |     +--rw privilege-level          uint8
      |     +--rw acl-name-list*           string
      |     +--rw ip-block-enable          boolean
      |     +--rw ip-block-limit {ip-block-config}?
      |        +--rw failed-times          uint64
      |        +--rw period                uint64
      |        +--rw reactive-time         uint64
      +--rw telnet
      |  +--rw telnet-ipv4-enable          boolean
      |  +--rw telnet-ipv4-server-port?    inet:port-number
      |  +--rw telnet-ipv6-enable          boolean
      |  +--rw telnet-ipv6-server-port?    inet:port-number
      |  +--rw telnet-server-interface?    string
      |  +--rw acl-name-list*              string
      |  +--rw ip-block-enable             boolean
      |  +--rw ip-block-limit {ip-block-config}?
      |     +--rw failed-times             uint64
      |     +--rw period                   uint64
      |     +--rw reactive-time            uint64
      +--rw ssh
      |  +--rw ssh-enable                  boolean
      |  +--u ssh-server-grouping [I-D.ietf-netconf-ssh-client-server]
      |  +--u ssh-security-hardening
      +--rw web {web-interface}?
         +--rw auth-mode                   auth-mode-type
         +--rw privilege-level             uint8
         +--rw http-server-interface?      string
         +--rw https-ipv4-enable           boolean
         +--rw https-ipv6-enable           boolean
         +--rw https-source-port?          inet:port-number
         +--rw https-timeout?              uint32
         +--rw ip-block-enable             boolean
         +--rw ip-block-limit {ip-block-config}?
         |  +--rw failed-times             uint64
         |  +--rw period                   uint64
         |  +--rw reactive-time            uint64
         +--u tls-server-grouping
               [I-D.ietf-netconf-tls-client-server]

   In the above structure, several groupings are used.

   o  When an administrator logs in to a device through an SSH-based
      service, e.g., STelnet, the device acts as an SSH server.  Thus,
      the grouping "ssh-server-grouping" defined in
      [I-D.ietf-netconf-ssh-client-server] is used.  This grouping only
      covers SSH-specific configuration; transport-level configuration
      such as which ports to listen on is not included.  Thus,
      configuration related to security hardening of the SSH server,
      for example the port number and the rekey interval, is added as
      the grouping "ssh-security-hardening" in this document.

   o  When an administrator logs in to a device through the web
      interface, the device acts as a web server.  Thus, the grouping
      "tls-server-grouping" defined in
      [I-D.ietf-netconf-tls-client-server] is used.  This grouping also
      covers only TLS-specific configuration; additional security
      configuration nodes are provided in this document to augment it.

   The structure of the grouping "ssh-security-hardening":

   grouping ssh-security-hardening:
     +--rw ssh-security-hardening
        +--rw ssh-server-port?               inet:port-number
        +--rw ssh-rekey-interval?            uint32
        +--rw ssh-timeout?                   uint32
        +--rw ssh-retry-times?               uint32
        +--rw ssh-compatible-ssh1x-enable    boolean
        +--rw ssh-server-interface?          string
        +--rw ip-block-enable                boolean
        +--rw ip-block-limit {ip-block-config}?
           +--rw failed-times                uint64
           +--rw period                      uint64
           +--rw reactive-time               uint64

5.1.3.  AAA

   Authentication, Authorization, and Accounting (AAA) provides user
   management for network devices.  RADIUS (Remote Authentication Dial
   In User Service) and TACACS+ (Terminal Access Controller Access
   Control System) are the commonly used AAA mechanisms.  In order to
   implement AAA, network devices act as AAA clients that communicate
   with AAA servers.  [RFC7317] defines a YANG module for a client to
   configure the RADIUS authentication server information.  In this
   document, the authentication, authorization and accounting schemes,
   as well as the AAA server lists, are all included.

   +--rw aaa-security
      +--rw authentication-scheme* [authen-scheme-name]
      |  +--rw authen-scheme-name        string
      |  +--rw authen-mode*              aaa-authen-mode
      |  +--rw authen-type?              radius-authen-type
      |  +--rw authen-fail-policy        boolean
      +--rw authorization-scheme* [author-scheme-name]
      |  +--rw author-scheme-name        string
      |  +--rw author-mode*              aaa-author-mode
      |  +--rw cmd-author-mode*          aaa-cmd-author-mode
      +--rw accounting-scheme* [account-scheme-name]
      |  +--rw account-scheme-name       string
      |  +--rw account-mode              aaa-account-mode
      +--rw radius-security
      |  +--rw radius-authen-servers* [address]
      |  |  +--rw address                inet:host
      |  |  +--rw port                   inet:port-number
      |  +--rw radius-author-servers* [address]
      |  |  +--rw address                inet:host
      |  |  +--rw port                   inet:port-number
      |  +--rw radius-account-servers* [address]
      |     +--rw address                inet:host
      |     +--rw port                   inet:port-number
      +--rw tacacs-security
         +--rw tacacs-authen-servers* [address]
         |  +--rw address                inet:host
         |  +--rw port                   inet:port-number
         +--rw tacacs-author-servers* [address]
         |  +--rw address                inet:host
         |  +--rw port                   inet:port-number
         +--rw tacacs-account-servers* [address]
            +--rw address                inet:host
            +--rw port                   inet:port-number

5.1.4.  Administrator Access Statistics

   The statistics of the currently online administrators, the failed
   login attempts and the blocked addresses are useful for the
   monitoring of network infrastructure devices.  The structure is as
   follows:

   +--ro admin-access-statistics
      +--ro total-online-users         uint32
      +--ro online-admin-list {display-online-info}?
      |  +--ro online-users* [account-name]
      |     +--ro account-name         string
      |     +--ro ip-address           inet:ip-address-no-zone
      |     +--ro mac-address          yang:mac-address
      +--ro ip-block-list
         +--ro blocked-ip* [ip-address]
            +--ro ip-address           inet:ip-address-no-zone
            +--ro vpn-instance         string
            +--ro state                ip-block-state-type
            +--ro authen-fail-account  uint32

5.2.  System Management Security

   The "system-management-security" submodule is divided into three
   parts:

   submodule: system-management-security
     +--rw system-management-security
        +--rw snmp-security
        +--rw netconf-security
        +--rw port-management-security

5.2.1.  SNMP Management Security

   Simple Network Management Protocol (SNMP) is a network management
   standard used to monitor network devices.  Three SNMP versions are
   available: SNMPv1, SNMPv2c, and SNMPv3.  [RFC7407] defines the
   community-based security model for SNMPv1 and SNMPv2c, and the view-
   based access control model and user-based security model for SNMPv3.
   The following module reuses the subtrees defined in [RFC7407] for
   SNMP security configuration, and only supplements ACL configuration
   for VACM groups.

   +--rw snmp-security [RFC7407]
      +--rw target* [name]
      |  ...
      +--rw target-params* [name]
      |  ...
      +--rw community* [index]
      |  ...
      +--rw vacm
      |  +--rw group* [name]
      |     +--rw name                snmp:group-name
      |     +--rw access* [context security-model security-level]
      |     |  ...
      |     +--rw acl-name-list*      string
      +--rw usm
         ...

5.2.2.  NETCONF Management Security

   The NETCONF server model defined in
   [I-D.ietf-netconf-netconf-client-server] supports both the SSH and
   TLS transport protocols.  To apply more security controls to
   NETCONF-based operations, authorization rules can be used to control
   which operations can be performed and which resources can be
   accessed.

   +--rw netconf-security
      +--rw listen {listen}?   [I-D.ietf-netconf-netconf-client-server]
      |  ...
      +--rw call-home {call-home}?
      |        [I-D.ietf-netconf-netconf-client-server]
      |  ...
      +--rw netconf-authorization?
         +--rw task-group-rules* [task-group-name]
         |  +--rw task-group-name        string
         |  +--rw task-group-rule* [rule-name]
         |     +--rw rule-name           string
         |     +--rw rule-type           identityref
         +--rw user-group-rules* [user-group-name]
            +--rw user-group-name        string
            +--rw user-group-rule* [rule-name]
               +--rw rule-name           string
               +--rw rule-type           identityref

5.2.3.  Port Management Security

   Since unused services and ports should be disabled, the current
   status (open or shut down) of the ports available on a network
   device can be retrieved and compared with the communication matrix
   to check the device's security posture.

   +--rw port-management-security
      +--rw port-list* [port-number]
         +--rw port-number     inet:port-number
         +--rw port-status     boolean

5.3.  Log Security

   To monitor the running status of network devices and to diagnose
   faults or attacks on them, the activities of network administrators,
   the operations conducted on devices, and security notifications of
   abnormal events need to be recorded in logs.  Besides, a policy
   should be defined to deal with log overflow.  Log records can be
   output to the console, stored locally, or sent to a remote Syslog
   server.  The "log-mode" subtree defined below reuses the security
   configuration for remote log transfer in
   [I-D.ietf-netmod-syslog-model], and adds access control for locally
   stored log files.

   submodule: log-security
     +--rw log-security
        +--rw alert-notification
        |  +--rw login-fail-threshold        uint8
        |  +--rw system-abnormal             boolean
        |  +--rw attack                      boolean
        |  +--rw log-overflow-lost           boolean
        +--rw (log-overflow-action)
        |  +--:(rewrite-when-overflow)       boolean
        |  |  +--ro rewrite-numbers          uint16
        |  +--:(discard-new-logs)            boolean
        |     +--ro discard-numbers          uint16
        +--rw (log-mode)
           +--:(file) {file-action}?
           |  +--rw user-level-for-read      uint8
           |  +--rw user-level-for-delete    uint8
           +--:(remote) {remote-action}?
                   [I-D.ietf-netmod-syslog-model]
              +--rw destination* [name]
                 +--rw name                  string
                 +--rw (transport)
                 |  ...
                 +--rw signing! {signed-messages}?
                    ...

5.4.  File Security

   Patches, packages, configuration files, and password files are
   critical system files for network infrastructure devices.  To
   protect them, only administrators with certain security privilege
   levels are allowed to access or operate on these files.  For file
   transfer security, secure protocols should be used.  If an insecure
   protocol has to be used, security hardening needs to be implemented.

   +--rw file-security
      +--rw role-based-access-control     boolean
      +--rw ftp-transfer
      |  +--rw ftp-enable                 boolean
      |  +--rw ftp-server-port            inet:port-number
      |  +--rw ip-block-enable            boolean
      |  +--rw ip-block-limit {ip-block-config}?
      |     +--rw failed-times            uint64
      |     +--rw period                  uint64
      |     +--rw reactive-time           uint64
      +--rw sftp-transfer
      |  +--rw sftp-enable                boolean
      |  +--rw sftp-server-port           inet:port-number
      |  +--u ssh-server-grouping
      |        [I-D.ietf-netconf-ssh-client-server]
      |  +--u ssh-security-hardening
      +--rw scp-transfer
      |  +--rw scp-enable                 boolean
      |  +--rw scp-server-port            inet:port-number
      |  +--u ssh-server-grouping
      |        [I-D.ietf-netconf-ssh-client-server]
      |  +--u ssh-security-hardening
      +--rw ftps-transfer
         +--rw ftps-enable                boolean
         +--rw ftps-server-port           inet:port-number
         +--u tls-server-grouping
               [I-D.ietf-netconf-tls-client-server]
         +--rw ip-block-enable            boolean
         +--rw ip-block-limit {ip-block-config}?
            +--rw failed-times            uint64
            +--rw period                  uint64
            +--rw reactive-time           uint64

6.  Network Infrastructure Device Security Baseline YANG Module

   file "ietf-management-plane-security@2018-06-29.yang"
   module ietf-management-plane-security {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-management-plane-security";
     prefix mp-sec;

     import ietf-inet-types {
       prefix inet;
       reference "RFC 6991 - Common YANG Data Types.";
     }
     import ietf-yang-types {
       prefix yang;
       reference "RFC 6991 - Common YANG Data Types.";
     }

     import ietf-tls-server {
       prefix tlss;
       reference "draft-ietf-netconf-tls-client-server";
     }

     import ietf-ssh-server {
       prefix sshs;
       reference "draft-ietf-netconf-ssh-client-server";
     }

     organization
       "IETF SACM (Security Automation and Continuous Monitoring)
        Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines groupings that are used by the
        ietf-management-plane-security YANG module.  Their usage is not
        limited to ietf-management-plane-security and they can be used
        anywhere as applicable.";

     revision 2018-06-29 {
       description "Initial version.";
       reference "draft-lin-sacm-nid-mp-security-baseline-03";
     }

     /*
      * features
      */
     feature web-interface {
       description
         "The network device supports a web interface for the
          administrator to manage it.";
     }

     feature ip-block-config {
       description
         "Whether the network device supports the configuration of the
          IP block function.";
     }
     feature display-online-info {
       description
         "Whether the device supports providing a list of online
          administrators.";
     }

     /*
      * typedefs
      */
     typedef auth-mode-type {
       type enumeration {
         enum "none" {
           description "Authentication mode: none.";
         }
         enum "password" {
           description "Authentication mode: password.";
         }
         enum "aaa" {
           description "Authentication mode: aaa.";
         }
       }
       description
         "The authentication mode of the console and vty interfaces.";
     }

     typedef aaa-authen-mode {
       type enumeration {
         enum "invalid" {
           description "Invalid authentication mode.";
         }
         enum "local" {
           description "Local authentication mode.";
         }
         enum "tacacs" {
           description "TACACS authentication mode.";
         }
         enum "radius" {
           description "RADIUS authentication mode.";
         }
         enum "none" {
           description
             "In this mode, users can pass without authentication.";
         }
         enum "radius-proxy" {
           description "RADIUS proxy authentication mode.";
         }
       }
       description "Different types of authentication modes.";
     }

     typedef radius-authen-type {
       type enumeration {
         enum "pap" {
           description "PAP authentication.";
         }
         enum "chap" {
           description "CHAP authentication.";
         }
       }
       description
         "Different authentication types of RADIUS authentication.";
     }

     typedef aaa-author-mode {
       type enumeration {
         enum "invalid" {
           description "Invalid authorization mode.";
         }
         enum "local" {
           description "Local authorization mode.";
         }
         enum "tacacs" {
           description "TACACS authorization mode.";
         }
         enum "if-authenticated" {
           description
             "If-authenticated mode: if users pass the authentication
              and the authentication is not in this mode, it indicates
              that the user authorization is passed.  Otherwise, the
              authorization is not passed.";
         }
         enum "none" {
           description "Users can pass without authorization.";
         }
       }
       description "Different types of AAA authorization modes.";
     }

     typedef aaa-cmd-author-mode {
       type enumeration {
         enum "invalid" {
           description "Invalid command line authorization mode.";
         }
         enum "local" {
           description "Local command line authorization mode.";
         }
         enum "tacacs" {
           description "Specifies that the TACACS mode is applied.";
         }
       }
       description
         "Different types of command line authorization modes.";
     }

     typedef aaa-account-mode {
       type enumeration {
         enum "invalid" {
           description "Invalid accounting mode.";
         }
         enum "radius" {
           description "RADIUS accounting mode.";
         }
         enum "tacacs" {
           description "TACACS accounting mode.";
         }
         enum "none" {
           description "In this mode, users are not accounted.";
         }
       }
       description "Different types of accounting modes.";
     }

     typedef ip-block-state-type {
       type enumeration {
         enum "authenfail" {
           description "Authentication failed state.";
         }
         enum "blocked" {
           description "Blocked state.";
         }
       }
       description "The status of a login-failed IP address.";
     }

     /*
      * groupings
      */
     grouping ssh-security-hardening {
       leaf ssh-server-port {
         type inet:port-number;
         description "The port number of the SSH server.";
       }
       leaf ssh-rekey-interval {
         type uint32;
         description
           "The interval for updating the key pair of the SSH server.";
       }
       leaf ssh-timeout {
         type uint32;
         description "The authentication timeout period of SSH.";
       }
       leaf ssh-retry-times {
         type uint32;
         description "The authentication retry times.";
       }
       leaf ssh-compatible-ssh1x-enable {
         type boolean;
         description
           "The status of the version-compatible function on the SSH
            server: enabled, disabled.";
       }
       leaf ssh-server-interface {
         type string;
         description "The source interface of the SSH server.";
       }
       leaf ip-block-enable {
         type boolean;
         description
           "The status of the IP block function: enabled, or disabled.";
       }
       container ip-block-limit {
         if-feature ip-block-config;
         leaf failed-times {
           type uint64;
           description "The failed times in a certain period.";
         }
         leaf period {
           type uint64;
           description
             "The certain period in which the failed times are
              counted.";
         }
         leaf reactive-time {
           type uint64;
           description
             "The reactive time after which the address is not
              blocked.";
         }
         description
           "If the login from an address failed several times in a
            certain period, this address will be blocked for a certain
            time range.";
       }
       description
         "A set of SSH configuration status to enhance security.";
     }

     /*
      * admin-security-policy
      */
     container admin-security-policy {
       container account-sec-policy {
         leaf security-policy {
           type boolean;
           description
             "The status of the account security policy: enabled, or
              disabled.";
         }
         leaf account-aging-period {
           type uint64;
           description "The aging period of an administrator.";
         }
         leaf account-name-minlen {
           type uint64;
           description
             "The minimum length of an administrator account name.";
         }
         description
           "Get configuration data about the administrator account
            security policy.";
       }
       container pwd-sec-policy {
         leaf expire-days {
           type uint64;
           description "The password validity period.";
         }
         leaf prompt-days {
           type uint64;
           description
             "The period for advance warning before the password
              expires.";
         }
         leaf change-check {
           type boolean;
           description
             "The status of mandatory password change when a password
              is used for the first time: enabled, or disabled.";
         }
         leaf complexity-check {
           type boolean;
           description
             "The status of the password complexity check: enabled, or
              disabled.";
         }
         leaf history-pwd-num {
           type uint64;
           description
             "The newly configured password should not be the same as
              this many past passwords.";
         }
         leaf pwd-minlen {
           type uint64;
           description "The minimum length of a password.";
         }
         description
           "Get configuration data about the password security policy.";
       }
       container forbidden-word-rules {
         list forbidden-word-rule {
           key "forbidden-word";
           leaf forbidden-word {
             type string;
             description "A forbidden word in passwords.";
           }
           description
             "A list of forbidden words that are not allowed to be used
              in passwords.";
         }
         description "Password blacklist.";
       }
       container login-failed-limit {
         leaf failed-times {
           type uint64;
           description "The failed times in a certain period.";
         }
         leaf period {
           type uint64;
           description
             "The certain period in which the failed times are
              counted.";
         }
         leaf reactive-time {
           type uint64;
           description
             "The reactive time after which the account is not
              blocked.";
         }
         description
           "If an account login failed several times in a certain
            period, this account will be blocked for a certain time
            range.";
       }
       description
         "Get configuration data about the administrator security
          policy.";
     }

     /*
      * admin-login-security
      */
     grouping admin-login-security {
       container console {
         leaf auth-mode {
           type auth-mode-type;
           description
             "The authentication mode used when an administrator logs
              in through the console interface: none, password, AAA.";
         }
         leaf privilege-level {
           type uint8;
           description "User privilege level.";
         }
         description
           "Status of security controls for the console interface.";
       }
       container vtys {
         list vty {
           key "vty-number";
           leaf vty-number {
             type uint8;
             description "The number of the vty interface.";
           }
           leaf auth-mode {
             type auth-mode-type;
             description
               "The authentication mode used when an administrator
                logs in through the vty interface: none, password,
                AAA.";
           }
           leaf privilege-level {
             type uint8;
             description "User privilege level.";
           }
           leaf-list acl-name-list {
             type string;
             description "The name of the ACL.";
           }
           leaf ip-block-enable {
             type boolean;
             description
               "The status of the IP block function: enabled, or
                disabled.";
           }
           container ip-block-limit {
             if-feature ip-block-config;
             leaf failed-times {
               type uint64;
               description "The failed times in a certain period.";
             }
             leaf period {
               type uint64;
               description
                 "The certain period in which the failed times are
                  counted.";
             }
             leaf reactive-time {
               type uint64;
               description
                 "The reactive time after which the address is not
                  blocked.";
             }
             description
               "If the login from an address failed several times in a
                certain period, this address will be blocked for a
certain time range."; 921 } 922 description "A list of vty interface configuration status."; 923 } 924 description "Configuration status of security contorls for vty interface."; 925 } 926 container telnet { 927 leaf telnet-ipv4-enable { 928 type boolean; 929 description "The status of ipv4 telnet server: enabled, or disabled."; 930 } 931 leaf telnet-ipv4-server-port { 932 type inet:port-number; 933 description "The port number of ipv4 telnet server."; 934 } 935 leaf telnet-ipv6-enable { 936 type boolean; 937 description "The status of ipv6 telnet server: enabled, or disabled."; 938 } 939 leaf telnet-ipv6-server-port { 940 type inet:port-number; 941 description "The port number of ipv6 telnet server."; 942 } 943 leaf telnet-server-interface { 944 type string; 945 description "The source interface of telnet server."; 946 } 947 leaf-list acl-name-list { 948 type string; 949 description "The name of the acl."; 950 } 951 leaf ip-block-enable { 952 type boolean; 953 description "Whether the ip block function is enabled: enabled, disabled."; 954 } 955 container ip-block-limit { 956 if-feature ip-block-config; 957 leaf failed-times { 958 type uint64; 959 description "The failed times in a certain perid."; 960 } 961 leaf peroid { 962 type uint64; 963 description "The certain period in which the failed times are counted."; 964 } 965 leaf reactive-time { 966 type uint64; 967 description "The reactive time after which the address is not blocked."; 968 } 969 description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range."; 970 } 971 description "Configuration status of security contorls for telnet login."; 972 } 973 container ssh { 974 leaf ssh-enable { 975 type boolean; 976 description "The status of SSH server: enabled, or disabled."; 977 } 978 uses sshs:ssh-server-grouping; 979 uses ssh-security-hardening; 980 description "Configuration status of security contorls for SSH login."; 981 } 982 container 
web { 983 if-feature web-interface; 984 uses tlss:tls-server-grouping; 985 leaf auth-mode { 986 type auth-mode-type; 987 description "The authentication mode used when administrator login through web interface: none, password, AAA."; 988 } 989 leaf privilege-level { 990 type uint8; 991 description "User privilege level."; 992 } 993 leaf http-server-interface { 994 type string; 995 description "The source interface of web server."; 996 } 997 leaf https-ipv4-enable { 998 type boolean; 999 description "The status of ipv4 https server: enabled, disabled."; 1000 } 1001 leaf https-ipv6-enable { 1002 type boolean; 1003 description "The status of ipv6 https server: enabled, disabled."; 1004 } 1005 leaf https-source-port { 1006 type inet:port-number; 1007 description "The port number of web server."; 1008 } 1009 leaf https-timeout { 1010 type uint32; 1011 description "The authentication timeout period of https."; 1012 } 1013 leaf ip-block-enable { 1014 type boolean; 1015 description "The status of ip block function: enabled, or disabled."; 1016 } 1017 container ip-block-limit { 1018 if-feature ip-block-config; 1019 leaf failed-times { 1020 type uint64; 1021 description "The failed times in a certain perid."; 1022 } 1023 leaf peroid { 1024 type uint64; 1025 description "The certain period in which the failed times are counted."; 1026 } 1027 leaf reactive-time { 1028 type uint64; 1029 description "The reactive time after which the address is not blocked."; 1030 } 1031 description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range."; 1032 } 1033 description "If the network device supports web interface. 
The configuration status of the web server."; 1034 } 1035 description "Configuration status of different types of login interfaces."; 1036 } 1038 container aaa-security { 1039 list authentication-scheme { 1040 key "authen-scheme-name"; 1041 leaf authen-scheme-name { 1042 type string; 1043 description "The name of the authentication scheme."; 1044 } 1045 leaf-list authen-mode { 1046 type aaa-authen-mode; 1047 description "A list of authentication modes with different preference level. The second, third, and the following authentication mode is used only when the first authentication mode does not respond."; 1048 } 1049 leaf authen-type { 1050 type radius-authen-type; 1051 description "Authentication type of RADIUS: PAP, CHAP."; 1052 } 1053 leaf authen-fail-policy { 1054 type boolean; 1055 description "The policy to be adopted after user authentication fail: force the user to be offline, allow user login to a domain with access control."; 1056 } 1057 description "Authentication scheme list."; 1058 } 1059 list authorization-scheme { 1060 key "author-scheme-name"; 1061 leaf author-scheme-name { 1062 type string; 1063 description "The name of the authorization scheme."; 1064 } 1065 leaf-list auhtor-mode { 1066 type aaa-author-mode; 1067 description "A list of authorization modes with different preference level. The second, third, and the following authorization mode is used only when the first authorization mode does not respond."; 1068 } 1069 leaf-list cmd-auhtor-mode { 1070 type aaa-cmd-author-mode; 1071 description "A list of command line authorization modes with different preference level. 
The second, third, and the following command line authorization mode is used only when the first command line authorization mode does not respond."; 1072 } 1073 description "Authorization scheme list."; 1074 } 1075 list accounting-scheme { 1076 key "account-scheme-name"; 1077 leaf account-scheme-name { 1078 type string; 1079 description "The name of the accounting scheme."; 1080 } 1081 leaf account-mode { 1082 type aaa-account-mode; 1083 description "Accounting mode."; 1084 } 1085 description "Accounting scheme list."; 1086 } 1087 container radius-security { 1088 list radius-authen-servers { 1089 key "address"; 1090 leaf address { 1091 type inet:host; 1092 description "The ip address of the authentication server."; 1093 } 1094 leaf port { 1095 type inet:port-number; 1096 description "The port number of the authentication server."; 1098 } 1099 description "A list of RADIUS authentication servers"; 1100 } 1101 list radius-author-servers { 1102 key "address"; 1103 leaf address { 1104 type inet:host; 1105 description "The ip address of the authorization server."; 1106 } 1107 leaf port { 1108 type inet:port-number; 1109 description "The port number of the authorization server."; 1110 } 1111 description "A list of RADIUS authorization servers"; 1112 } 1113 list radius-account-servers { 1114 key "address"; 1115 leaf address { 1116 type inet:host; 1117 description "The ip address of the accounting server."; 1118 } 1119 leaf port { 1120 type inet:port-number; 1121 description "The port number of the accounting server."; 1122 } 1123 description "A list of RADIUS accounting servers"; 1124 } 1125 description "RADIUS authentication servers, authorization servers and accounting servers."; 1126 } 1127 container tacacs-security { 1128 list tacacs-authen-servers { 1129 key "address"; 1130 leaf address { 1131 type inet:host; 1132 description "The ip address of the authentication server."; 1133 } 1134 leaf port { 1135 type inet:port-number; 1136 description "The port number of the 
authentication server."; 1137 } 1138 description "A list of TACACS+ and TACACS+ compatible authentication servers"; 1139 } 1140 list tacacs-author-servers { 1141 key "address"; 1142 leaf address { 1143 type inet:host; 1144 description "The ip address of the authorization server."; 1145 } 1146 leaf port { 1147 type inet:port-number; 1148 description "The port number of the authorization server."; 1149 } 1150 description "A list of TACACS+ and TACACS+ compatible authorization servers"; 1151 } 1152 list tacacs-account-servers { 1153 key "address"; 1154 leaf address { 1155 type inet:host; 1156 description "The ip address of the accounting server."; 1157 } 1158 leaf port { 1159 type inet:port-number; 1160 description "The port number of the accounting server."; 1161 } 1162 description "A list of TACACS+ and TACACS+ compatible accounting servers"; 1163 } 1164 description "TACACS+ and TACACS+ compatible authentication servers, authorization servers, and accounting servers."; 1165 } 1166 description "Configuration status of AAA."; 1167 } 1169 container admin-access-statistics { 1170 config false; 1171 leaf total-online-users { 1172 type uint32; 1173 config false; 1174 description "The number of administrators that are current online."; 1175 } 1176 container online-admin-list { 1177 if-feature display-online-info; 1178 config false; 1179 list online-users { 1180 key "account-name"; 1181 leaf account-name { 1182 type string; 1183 config false; 1184 description "The account name of the online account."; 1185 } 1186 leaf ip-address { 1187 type inet:ip-address-no-zone; 1188 config false; 1189 description "The ip address of the online account."; 1190 } 1191 leaf mac-address { 1192 type yang:mac-address; 1193 config false; 1194 description "The MAC address of the online account."; 1195 } 1196 description "Online adminstrator list."; 1197 } 1198 description "If the device supports providing information of online administrators, a list of account details are provided."; 1199 } 1200 
description "online administrator lists, ip addresses authentication failure or blocked ip addresses. "; 1201 } 1202 } 1204 7. Acknowledgements 1206 8. IANA Considerations 1208 This document requires no IANA actions. 1210 9. Security Considerations 1212 Secure transport should be used to retrieve the current status of 1213 management plane security baseline. 1215 10. References 1217 10.1. Normative References 1219 [I-D.birkholz-sacm-yang-content] 1220 Birkholz, H. and N. Cam-Winget, "YANG subscribed 1221 notifications via SACM Statements", draft-birkholz-sacm- 1222 yang-content-01 (work in progress), January 2018. 1224 [I-D.dong-sacm-nid-cp-security-baseline] 1225 Dong, Y. and L. Xia, "The Data Model of Network 1226 Infrastructure Device Control Plane Security Baseline", 1227 draft-dong-sacm-nid-cp-security-baseline-00 (work in 1228 progress), September 2017. 1230 [I-D.dong-sacm-nid-infra-security-baseline] 1231 Dong, Y. and L. Xia, "The Data Model of Network 1232 Infrastructure Device Infrastructure Layer Security 1233 Baseline", draft-dong-sacm-nid-infra-security-baseline-01 1234 (work in progress), May 2018. 1236 [I-D.ietf-netconf-netconf-client-server] 1237 Watsen, K. and G. Wu, "NETCONF Client and Server Models", 1238 draft-ietf-netconf-netconf-client-server-06 (work in 1239 progress), June 2018. 1241 [I-D.ietf-netconf-ssh-client-server] 1242 Watsen, K. and G. Wu, "YANG Groupings for SSH Clients and 1243 SSH Servers", draft-ietf-netconf-ssh-client-server-06 1244 (work in progress), June 2018. 1246 [I-D.ietf-netconf-tls-client-server] 1247 Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and 1248 TLS Servers", draft-ietf-netconf-tls-client-server-06 1249 (work in progress), June 2018. 1251 [I-D.ietf-netmod-acl-model] 1252 Jethanandani, M., Huang, L., Agarwal, S., and D. Blair, 1253 "Network Access Control List (ACL) YANG Data Model", 1254 draft-ietf-netmod-acl-model-19 (work in progress), April 1255 2018. 1257 [I-D.ietf-netmod-syslog-model] 1258 Wildes, C. 
and K. Koushik, "A YANG Data Model for Syslog 1259 Configuration", draft-ietf-netmod-syslog-model-26 (work in 1260 progress), March 2018. 1262 [I-D.ietf-sacm-information-model] 1263 Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus, 1264 M., Haynes, D., and H. Birkholz, "SACM Information Model", 1265 draft-ietf-sacm-information-model-10 (work in progress), 1266 April 2017. 1268 [I-D.xia-sacm-nid-dp-security-baseline] 1269 Xia, L. and G. Zheng, "The Data Model of Network 1270 Infrastructure Device Data Plane Security Baseline", 1271 draft-xia-sacm-nid-dp-security-baseline-02 (work in 1272 progress), June 2018. 1274 [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for 1275 System Management", RFC 7317, DOI 10.17487/RFC7317, August 1276 2014, . 1278 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for 1279 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407, 1280 December 2014, . 1282 10.2. Informative References 1284 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1285 Requirement Levels", BCP 14, RFC 2119, 1286 DOI 10.17487/RFC2119, March 1997, 1287 . 1289 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 1290 the Network Configuration Protocol (NETCONF)", RFC 6020, 1291 DOI 10.17487/RFC6020, October 2010, 1292 . 1294 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 1295 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 1296 . 1298 Appendix A. 1300 The following is the whole structure of the YANG tree diagram for 1301 network infrastructure device management plane. The existed RFCs and 1302 drafts that related this document are listed at the right side. 
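   As an added worked example (not part of this draft or its YANG
   module), the following Python script shows how a SACM evaluator could
   score a device's reported management-plane state against a baseline
   expressed over this module's nodes, treating an unreported leaf as a
   finding in its own right.  The JSON instance, the thresholds, and the
   auth-mode-type enum identifiers "password" and "aaa" are assumptions
   made for illustration.

```python
import json

# Constructed sample instance (not from the draft), shaped after the module's
# admin-security-policy and admin-login-security nodes; the auth-mode-type
# enum identifiers "password" and "aaa" are assumed.
SAMPLE_INSTANCE = json.loads("""{
  "admin-security-policy": {
    "account-sec-policy": {"security-policy": true, "account-name-minlen": 6},
    "pwd-sec-policy": {"expire-days": 0, "change-check": true, "complexity-check": false,
                       "history-pwd-num": 5, "pwd-minlen": 6}},
  "admin-login-security": {
    "vtys": {"vty": [{"vty-number": 0, "auth-mode": "password", "privilege-level": 15},
                     {"vty-number": 1, "auth-mode": "aaa", "privilege-level": 3,
                      "acl-name-list": ["MGMT-ACL"]}]},
    "telnet": {"telnet-ipv4-enable": true, "telnet-ipv4-server-port": 23, "telnet-ipv6-enable": false},
    "ssh": {"ssh-enable": true, "ssh-compatible-ssh1x-enable": true, "ssh-retry-times": 3,
            "ip-block-enable": true, "ip-block-limit": {"failed-times": 6, "peroid": 5, "reactive-time": 5}}}
}""")

def get(node, path):
    """Walk a slash-separated path of YANG node names; None if absent."""
    for name in path.split("/"):
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
    return node

# Illustrative baseline rules (assumed thresholds, not taken from the draft):
# (path, predicate the reported value must satisfy, finding text)
RULES = [
    ("admin-login-security/telnet/telnet-ipv4-enable", lambda v: v is False,
     "IPv4 telnet server enabled (cleartext management)"),
    ("admin-login-security/ssh/ssh-enable", lambda v: v is True, "SSH server disabled"),
    ("admin-login-security/ssh/ssh-compatible-ssh1x-enable", lambda v: v is False,
     "SSH 1.x compatibility enabled"),
    ("admin-login-security/ssh/ssh-rekey-interval", lambda v: v > 0, "no SSH rekeying"),
    ("admin-login-security/ssh/ip-block-enable", lambda v: v is True, "SSH IP block off"),
    ("admin-login-security/ssh/ip-block-limit/failed-times", lambda v: v <= 5,
     "SSH IP block tolerates more than 5 failed logins"),
    ("admin-security-policy/pwd-sec-policy/complexity-check", lambda v: v is True,
     "password complexity check disabled"),
    ("admin-security-policy/pwd-sec-policy/pwd-minlen", lambda v: v >= 8,
     "password minimum length below 8"),
    ("admin-security-policy/pwd-sec-policy/expire-days", lambda v: 1 <= v <= 90,
     "password validity period outside 1..90 days"),
]

def evaluate(instance):
    """Return findings; a leaf the device did not report is itself a finding."""
    findings = []
    for path, ok, text in RULES:
        value = get(instance, path)
        if value is None:
            findings.append(f"{path}: not reported")
        elif not ok(value):
            findings.append(f"{path}: {text}")
    # Per-vty checks: each vty should use AAA and be restricted by an ACL.
    for vty in get(instance, "admin-login-security/vtys/vty") or []:
        n = vty.get("vty-number")
        if vty.get("auth-mode") != "aaa":
            findings.append(f"vty {n}: login not using AAA")
        if not vty.get("acl-name-list"):
            findings.append(f"vty {n}: no ACL restricts management access")
    return findings
```

   Running evaluate(SAMPLE_INSTANCE) yields nine findings for the sample,
   including the unreported ssh-rekey-interval leaf and both vty 0 issues.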
   module: nid-management-plane-security
     +--rw admin-management-security
     |  +--rw admin-security-policy
     |  +--rw admin-login-security      [I-D.ietf-netconf-ssh-client-server]
     |                                  [I-D.ietf-netconf-tls-client-server]
     |  +--rw aaa-security              [RFC7317]
     |  +--rw admin-access-statistics
     +--rw system-management-security
     |  +--rw snmp-security             [RFC7407]
     |  +--rw netconf-security          [I-D.ietf-netconf-netconf-client-server]
     |  +--rw port-management-security
     +--rw log-security
     |  +--rw alert-notification
     |  +--rw log-overflow-action
     |  +--rw log-mode                  [I-D.ietf-netmod-syslog-model]
     +--rw file-security                [I-D.ietf-netconf-ssh-client-server]
                                        [I-D.ietf-netconf-tls-client-server]

   Draft [I-D.ietf-netconf-tls-client-server] and draft
   [I-D.ietf-netconf-ssh-client-server] focus on YANG models for TLS-
   specific configuration and SSH-specific configuration respectively.
   The transport-level configuration, such as what ports to listen on or
   connect to, is not included.  Draft
   [I-D.ietf-netconf-netconf-client-server] defines a NETCONF YANG model
   based on the data models defined in the above two documents.

   [RFC7317] defines a YANG data model for system management of a device
   containing a NETCONF server.  It summarizes data modules for NETCONF
   user authentication and defines a YANG module for the client to
   configure the RADIUS authentication server information.  Three
   methods are defined for user authentication: public key for local
   users over SSH, password for local users over any secure transport,
   and password for RADIUS users over any secure transport.

   [RFC7407] defines a YANG model for SNMP configuration, including a
   community-based security module for SNMPv1 and SNMPv2c, as well as a
   view-based access control module and a user-based security module for
   SNMPv3.

   Draft [I-D.ietf-netmod-syslog-model] defines a YANG model for Syslog
   configuration, including TLS-based transport security and syslog
   message signing.

Authors' Addresses

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   Email: linqiushi@huawei.com

   Liang Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu 210012
   China

   Email: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt 64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de