[CCE-WORKING-GROUP-LIST] Windows Vista/7 Firewall Settings?
Mann, Dave
Folks,

The CCE team needs your input on a set of proposed CCEs for Windows Vista/7 Firewall settings.  

QUESTION:  Should CCEs be assigned on a "per rule" basis (fewer CCEs but a lot of parameters) or on a "per setting" basis (lots of CCEs, each with a traditionally small number of parameters)?

Windows Vista and 7 Firewall contains a large number of predefined Firewall rules.  When you edit a rule (Properties),  the UI presents you with 7 tabs, such as: General, Programs and Services, Computer and several others.  On each tab, there are several sub-dialog boxes with somewhat traditional Microsoft style settings.

By and large, CCEs are assigned at the lowest level of human comprehensibility.  As a practical matter, this generally means that CCEs have only a single parameter (with a range of values).   This isn't always true, but it's generally true for nearly all CCEs.  This sits at the core of CCE's 5th content decision, "Issue Decomposition":

http://cce.mitre.org/lists/cce_list_editorialpolicies.html#cd5

Applying this rule in a manner that is traditional for other Windows CCEs would lead us to assign Windows Firewall rules on a "per setting" basis.  The implication of this would be that for any single firewall rule, there would be something on the order of 12-15 different CCEs, each with a single parameter.

A counter-argument might be made that it is more natural in the security model for the Windows Firewall product to think in terms of rules and to admit that to be fully specified a single rule has 12-15 parameters.

So, this is the question.    Assign CCEs on a per-rule basis?  Or on a per-setting basis?

We would like very much to make a decision in as timely a manner as possible, so please weigh in.


-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:[hidden email] | cell:781.424.6003
==================================================================
Re: [CCE-WORKING-GROUP-LIST] Windows Vista/7 Firewall Settings?

Adam Montville
From a human's perspective, CCE per-rule sounds better.  But does that
make sense from an automation perspective?  It might not make a difference
if every configuration within a rule is parameterized.

If we create a CCE per-setting and not per-rule, then how do we represent
a single rule?  If I'm authoring a policy, I'm going to want to reference
a rule and say "set it with the following parameters," so it seems that
the per-rule method might be well aligned with the human perspective, but not
be a hindrance on automation capability.

I think either way would work, but at this point I'm preferring the
per-rule CCE with multiple parameters.

Regards,

Adam W. Montville | Compliance and Security Architect


Direct: 503 276-7661
Mobile: 360 471-7815

TRIPWIRE | Take CONTROL
http://www.tripwire.com




On 5/9/11 1:07 PM, "Mann, Dave" <[hidden email]> wrote:

>Folks,
>
>The CCE team needs your input on a set of proposed CCEs for Windows
>Vista/7 Firewall settings.
>
>QUESTION:  Should CCEs be assigned on a "per rule" basis (fewer CCEs but
>a lot of parameters) or on a "per setting" basis (lots of CCEs, each with
>a traditionally small number of parameters)?
>
>Windows Vista and 7 Firewall contains a large number of predefined
>Firewall rules.  When you edit a rule (Properties),  the UI presents you
>with 7 tabs, such as: General, Programs and Services, Computer and
>several others.  On each tab, there are several sub-dialog boxes with
>somewhat traditional Microsoft style settings.
>
>By and large, CCEs are assigned at the lowest level of human
>comprehensibility.  As a practical matter, this generally means that CCEs
>have only a single parameter (with a range of values).   This is always
>true, but it's generally true for nearly all CCEs.  This sits at the core
>of CCE's 5th content decision, "Issue Decomposition"
>
>http://cce.mitre.org/lists/cce_list_editorialpolicies.html#cd5
>
>Applying this rule in a manner that is traditional for other Windows CCEs
>would lead us to assign Windows Firewall rules on a "per setting" basis.
>The implication of this would be that for any single firewall rule, there
>would be something on the order of 12-15 different CCEs, each with a
>single parameter.
>
>A counter-argument might be made that it is more natural in the security
>model for the Windows Firewall product to think in terms of rules and to
>admit that to be fully specified a single rule has 12-15 parameters.
>
>So, this is the question.    Assign CCEs on a per-rule basis?  Or on a
>per-setting basis?
>
>We would like very much to make a decision in as timely a manner as
>possible, so please weigh in.
>
>
>-Dave
>==================================================================
>David Mann | Principal Infosec Scientist | The MITRE Corporation
>------------------------------------------------------------------
>e-mail:[hidden email] | cell:781.424.6003
>==================================================================
>
Re: [CCE-WORKING-GROUP-LIST] Windows Vista/7 Firewall Settings?

Mann, Dave
Adam (and others),

We think there are really 3 alternatives, not 2 as we first posted.

1) Assign CCEs on a per rule basis.
2) Assign CCEs on a sub-setting basis.
3) DON'T ISSUE CCEs FOR FIREWALL RULES!!

Regarding the decision between 1) and 2), we should note that CCEs are assigned to other large-cardinality sets of system objects that are shipped as defaults and that can be created by the system.  Files, directories and users are such examples.  In these situations, we typically assign CCEs to important system objects that frequently get discussed in security guides.  Permissions for \Win32 would be an example.    In these cases, we have in the past typically assigned the CCE to the system object, and not to individual sub-settings.  Instead, we've treated those sub-settings as parameters, even when the number of parameters grew, as it did when XP file permissions offered more granular control than in Windows 2000.   This argues for applying CCEs to each rule.

On the other hand, in many Windows security policy settings, we occasionally find sub-settings that are only available when a parent setting is first enabled.  In those cases, we've assigned CCEs to both the "parent" and the "child" settings.  (parent and child is somewhat misleading here).

Regarding the 3rd option, that of not issuing CCEs at all...  It is not unreasonable to assume that more enumerative endpoint management capabilities are going to become prebundled as parts of operating systems.  Do we want CCEs for every enumerated item within those capabilities?  Or only when they are configurable, which might allow for CCEs for firewall rules but not, say, anti-virus signatures?  What happens if/when IDS capabilities get folded into the OS?  A CCE for each precanned and configurable IDS rule?

Thoughts?

-Dave


>-----Original Message-----
>From: Adam Montville [mailto:[hidden email]]
>Sent: Friday, May 13, 2011 9:24 AM
>To: Mann, Dave; cce-working-group-list
>Subject: Re: [CCE-WORKING-GROUP-LIST] Windows Vista/7 Firewall Settings?
Re: [CCE-WORKING-GROUP-LIST] Windows Vista/7 Firewall Settings?

Adam Montville
>
>Regarding the 3rd option, that of not issuing CCEs at all...  It is not
>unreasonable to assume that more enumerative end point management
>capabilities are going to become prebundled as parts of operating
>systems. Do we want CCEs for every enumerated item within those
>capabilities?  Or only when they are configurable, which might allow for
>CCEs for firewall rules but not, say, anti-virus signature.  What happens
>if/when IDS capabilities get folded into the OS.  A CCE for each
>precanned and configurable IDS rule?

What catches my eye here is your IDS question.  This is not unlike the
firewall, and shines a light on the platform vs. configuration discussion.
I believe there is a line to be drawn somewhere.  I don't like the idea
of a CCE for every AV signature or even for every IDS rule.  It seems most
reasonable to apply CCE where configuration is applicable, which, as you
mention, might permit CCE IDs for firewall rules, but not for AV
signatures.  I would initially view IDS as AV and not issue CCEs for every
signature.