FW: ARF 0.41

Wolfkiel, Joseph

All -- just some feedback on progress with ARF and ASR.  We’ve been building out tools and capabilities to use the standards in DoD and I’ve reached the point where we can share some of the use cases for ARF and ASR. 


In the attached zip, you’ll find 4 files.  The file “Three Device winxp FDCC Results from SCC.zip” is the output, in XCCDF Results, from the GOTS tool “SCAP Compliance Checker” after running WinXP FDCC against 3 VMs.  Using the raw XCCDF results, you get three files that, taken together, are over 2.4MB in size.


By just converting to ARF, as seen in “Three Device winxp FDCC Results after Stylesheet Conversion to ARF.zip”, and eliminating the excess baggage from XCCDF (such as sending a copy of the benchmark with every XCCDF Results file), we get a set of files that are 330KB, taken together.


Then, converting to ASR with detailed device records, as seen in “Three Device Detailed WinXP FDCC Results with Groupings in ASR.asr.zip”, you get the compliance results for all three devices in a single file that is 259k – and scales as a function of one line per rule/per device by sacrificing some detail, but allowing for groupings by organization, location, region, and MAC level – which isn’t supported by XCCDF.


Using ASR with counts only, as seen in “Three Device Summary WinXP FDCC Results with Groupings.asr.xml”, you get a file, 136KB, that provides high-level decision maker reports of compliance with FDCC, with groupings that scales flat – i.e. the file will always stay the same size, regardless of how many devices are reported with only the counts changing.


My thought is to use ARF to communicate between sensors on a common LAN – on the assumption that bandwidth is more or less unlimited.  For transmission of detailed compliance over the WAN, we can use ASR with device records.  For reporting of compliance at the DoD Enterprise and Federal levels, we can use ASR with counts only.


Also note, from the file sizes, how well compression works on all the files.  I’m thinking any enterprise use of any SCAP standard for reporting should assume compression using GZIP (supported as part of TCP/IP) or other compression function to be required and supported.



Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700



Attachment: FDCC Scalability Demo Files.zip (451K)