OVAL for Inter-networking Devices
Security Automation Developer Days
July 12, 2012

Project Martini




Luis Nuñez – Apex Assurance Group
David Solin – jOVAL
Chandrashekhar Basavanna – SecPod
OVAL for Inter-networking Devices
The OVAL specification currently supports a diverse set of platforms: Windows and a variety of UNIX operating systems are covered, but only one inter-networking platform. Inter-networking devices are the routers and switches that connect the Internet. Currently Cisco is the only vendor and platform represented in the area of inter-networking devices. In this session we propose a new platform to be supported by the OVAL specification. The session will cover the new schema, content and tool (jOVALdi) associated with the new platform, and will compare similarities between the Cisco IOS schema and the new platform schema.




2                                    www.apexassurance.com      © 2012 Apex Assurance Group
jOVAL, SecPod, Apex Assurance
• Collaboration with alignment of interests.
• Apex Assurance – Juniper is a good customer of Apex. This was a worthwhile effort to get Juniper on the SCAP map and also to contribute to the community.
• jOVAL – Natural to further extend the tool to other networking platforms.
• SecPod – Further expand content capabilities.
• We encourage others to collaborate on common interests.




Project Martini Goals
• Get Juniper Junos supported in OVAL
• Proof of concept
• “rough consensus and running code”
    – Tool – jOVAL (jovaldi, Xpert)
    – Content – OVAL, XCCDF, CCE, CPE
    – Junos OVAL schema
• Acceptance of the prototype concept into an official OVAL release
• Think big but keep it simple




Current list of platforms supported on OVAL
(figure: the supported platforms, with the candidate platform marked)




Ingredients to making this work
• Specification support for Junos within OVAL
• Content – STIG, SCAP (OVAL, CPE, CCE, XCCDF)
    – SCAP 1.2 data streams
• Tool – jOVAL
    – Xpert
    – jovaldi




Juniper Junos OVAL Schema
(figure: the Junos definition schema and the Junos system characteristics schema)




OVAL tests (Inter-networking devices)




DISA Network Infrastructure STIG
• Cisco IOS specific checklists (XCCDF)
• Juniper Junos specific checklists (XCCDF)




Juniper Junos Content – SCAP 1.2 data stream
• sp-junos-cce-xccdf.xml
• sp-junos-cce-oval.xml
• sp-junos-cpe-oval.xml
• sp-junos-cpe-dictionary.xml
(figure: Junos at the centre, surrounded by the OVAL, CCE, XCCDF and CPE components)


DISA STIG NET0400 test
• STIG ID NET0400 – Interior routing protocols are not authenticated
• Sample Junos CCE
• Junos command line interface (CLI) output
• Curly brace CLI example
[edit protocols ospf]
ospf {
    area 0.0.0.0 {
        interface em0.0 {
            authentication {
                md5 1 key "$9$FYPx3tOylMWxdWLkPfQCAxNdV4Z.PQz6Az3vLXN2g69AtIcWLN";
            }
        }
    }
}

• set CLI example
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "$9$FYPx3tOylMWxdWLkPfQCAxNdV4Z.PQz6Az3vLXN2g69AtIcWLN"

DISA STIG NET0340 test
• STIG ID NET0340 – Login banner is non-existent or not DOD approved
• Sample Junos CCE
• Simple check
• Variable
• Junos command line interface (CLI) output
• set CLI example
set system login message "test banner page"
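The two STIG items above (NET0400 and NET0340) are both answerable from the device configuration, and the slides show the same OSPF setting in both the curly-brace and the set forms. The following is an added example, not code from the slides, jOVAL or SecPod: it flattens a curly-brace Junos configuration into set statements (the form the second slide shows) and then evaluates both checks over it. The sample configuration, interface names, banner text and the obfuscated key value are constructed for the example; the PASS/FAIL/NOT_APPLICABLE labels are this example's own convention, not jOVAL output.

```python
"""Added example (not code from the slides, jOVAL or SecPod): flatten a Junos
curly-brace configuration into set statements and evaluate NET0400 (OSPF
interfaces must be authenticated) and NET0340 (an approved login banner
must exist) over the result."""
import re
from typing import Dict, List

# Constructed sample configuration; interface names, banner text and the key
# value are made up for this example (the key is a placeholder, not a secret).
SAMPLE_CONFIG = """
system {
    login {
        message "test banner page";
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface em0.0 {
                authentication {
                    md5 1 key "$9$PLACEHOLDER-OBFUSCATED-KEY";
                }
            }
            interface ge-0/0/1.0;
        }
    }
}
"""


def to_set_statements(config: str) -> List[str]:
    """Flatten curly-brace Junos syntax into the equivalent 'set ...' lines.

    Each line ending in '{' pushes a path element, each '}' pops one, and any
    other line is a leaf emitted with its full path. Comments are skipped.
    """
    stack: List[str] = []
    out: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        else:
            out.append("set " + " ".join(stack + [line.rstrip(";")]))
    return out


OSPF_IFACE = re.compile(r"^set protocols ospf area (\S+) interface (\S+)(?: (.*))?$")
LOGIN_MESSAGE = re.compile(r'^set system login message "(.*)"$')


def check_net0400(statements: List[str]) -> Dict[str, bool]:
    """Map each OSPF interface ("area/interface") to whether an authentication
    statement exists for it; a bare 'interface X' line alone means none."""
    seen: Dict[str, bool] = {}
    for s in statements:
        m = OSPF_IFACE.match(s)
        if not m:
            continue
        area, iface, rest = m.groups()
        key = f"{area}/{iface}"
        authenticated = rest is not None and rest.startswith("authentication ")
        seen[key] = seen.get(key, False) or authenticated
    return seen


def check_net0340(statements: List[str], approved_text: str) -> bool:
    """True only if a login message exists and equals the approved banner."""
    for s in statements:
        m = LOGIN_MESSAGE.match(s)
        if m:
            return m.group(1) == approved_text
    return False


def evaluate(config: str, approved_text: str) -> Dict[str, str]:
    """Roll the two checks up into STIG-style results for the configuration."""
    stmts = to_set_statements(config)
    ospf = check_net0400(stmts)
    if not ospf:
        net0400 = "NOT_APPLICABLE"  # no OSPF interfaces configured at all
    else:
        net0400 = "PASS" if all(ospf.values()) else "FAIL"
    net0340 = "PASS" if check_net0340(stmts, approved_text) else "FAIL"
    return {"NET0400": net0400, "NET0340": net0340}


if __name__ == "__main__":
    for line in to_set_statements(SAMPLE_CONFIG):
        print(line)
    print(evaluate(SAMPLE_CONFIG, "test banner page"))
```

On the sample, NET0400 fails because ge-0/0/1.0 participates in OSPF without an authentication statement even though em0.0 is authenticated; this is the per-interface granularity an OVAL object for this check would also need, rather than a single "is MD5 configured anywhere" test.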




demo
(figure: SCAP content – XCCDF, OVAL, CCE/CPE – flows into the tool; the tool assesses Junos either remotely or offline and produces results)




Demo Content
• OVAL Junos schema
• OVAL definition
• XCCDF – based on DISA STIG
• CPE
• CCE




Challenges and Lessons Learned
• Lack of inter-networking vendors' participation in the specifications
• The focus of the specifications on Windows and Linux operating systems; slow adoption on other platforms
• Incentives to adopt




Thanks
Reference
• www.apexassurance.com
• www.joval.org
    – Tool download http://joval.org/download/mitre
• www.secpod.com
    – Content download http://scaprepo.com/
• Junos STIG reference
    – http://www.c3isecurity.com/home/junos-hardening




Xpert output transcript
(slide annotations: the -d argument names the SCAP 1.2 data stream, -p the XCCDF profile, and -plugin/-config the plugin options for remote and offline capabilities)
>xpert -d defsp-junos-netconf-datastream-1.1.xml -p xccdf_org.secpod_profile_stig_junos -plugin remote -config remote-junos.properties -l 1
----------------------------------------------------
XPERT by jOVAL.org
XCCDF Processing Engine and Reporting Tool
Version: 5.10.1.1_Dev
Build date: Fri Jun 22 11:57:19 CDT 2012
Copyright (C) 2012 - jOVAL.org

Plugin: jOVALRemotePlugin by jOVAL.org(TM)
Version: 5.10.1.1_Dev
Copyright (C) 2011, 2012 - jOVAL.org
----------------------------------------------------


Xpert output transcript (continued)
Start time: Tue Jun 26 13:07:38 EDT 2012
Loading defsp-junos-netconf-datastream-1.1.xml
Selected stream scap_org.secpod_datastream_sp-junos-netconf-datastream.zip
Selected benchmark scap_org.secpod_comp_sp-junos-cce-netconf-xccdf.xml
Setting org.joval.ssh.system.SshSession: conn.timeout=3000 [org.joval.intf.ssh.system.ISshSession]
Setting org.joval.ssh.system.SshSession: conn.retries=3 [org.joval.intf.ssh.system.ISshSession]
Setting org.joval.ssh.system.SshSession: attach.log=false [org.joval.intf.ssh.system.ISshSession]
Setting org.joval.ssh.system.SshSession: exec.retries=1 [org.joval.intf.ssh.system.ISshSession]
Setting org.joval.ssh.system.SshSession: debug=false [org.joval.intf.system.IBaseSession]
Setting org.joval.ssh.system.SshSession: read.timeout.small=15000 [org.joval.intf.system.IBaseSession]
Setting org.joval.ssh.system.SshSession: read.timeout.large=900000 [org.joval.intf.system.IBaseSession]
Setting org.joval.ssh.system.SshSession: read.timeout.medium=120000 [org.joval.intf.system.IBaseSession]
Setting org.joval.ssh.system.SshSession: read.timeout.xl=3600000 [org.joval.intf.system.IBaseSession]
Credential set for 172.16.177.25
Auth: Banner Page
Xpert output transcript (continued)
Established SSH connection to host 172.16.177.25
Starting process: pwd
Starting process: show version
(slide annotation: Junos CLI “show version details”)
Setting org.joval.os.juniper.system.JunosSession: debug=false [org.joval.intf.system.IBaseSession]
Setting org.joval.os.juniper.system.JunosSession: read.timeout.small=15000 [org.joval.intf.system.IBaseSession]
Setting org.joval.os.juniper.system.JunosSession: read.timeout.large=900000 [org.joval.intf.system.IBaseSession]
Setting org.joval.os.juniper.system.JunosSession: read.timeout.medium=120000 [org.joval.intf.system.IBaseSession]
Setting org.joval.os.juniper.system.JunosSession: read.timeout.xl=3600000 [org.joval.intf.system.IBaseSession]
Credential set for 172.16.177.25




Xpert output transcript (continued)
There are 4 rules to process for the selected profile
Starting process: request support information
Determining system applicability...
(slide annotation: CPE check)
Evaluating definition oval:org.secpod.devel.oval:def:10
Evaluating oval:org.secpod.devel.oval:def:10
Evaluating test oval:org.secpod.devel.oval:tst:10
Scanning object oval:org.secpod.devel.oval:obj:10
Scanning object oval:org.secpod.devel.oval:obj:10
NETCONF session ID: 1441
(slide annotation: NETCONF session)
Passed def oval:org.secpod.devel.oval:def:10
The target system is applicable to the specified XCCDF




Xpert output transcript (continued)
(slide annotation: OVAL checks)
Creating engine for href sp-junos-cce-netconf-oval.xml
Evaluating OVAL rules
Beginning scan
Evaluating definitions
Evaluating definition oval:org.secpod.devel.oval:def:303
Evaluating oval:org.secpod.devel.oval:def:303
Evaluating definition oval:org.secpod.devel.oval:def:10
Evaluating oval:org.secpod.devel.oval:def:10
Evaluating test oval:org.secpod.devel.oval:tst:10
Scanning object oval:org.secpod.devel.oval:obj:10
Scanning object oval:org.secpod.devel.oval:obj:10
Evaluating test oval:org.secpod.devel.oval:tst:303
Scanning object oval:org.secpod.devel.oval:obj:303
Scanning object oval:org.secpod.devel.oval:obj:303
Evaluating definition oval:org.secpod.devel.oval:def:302
Evaluating oval:org.secpod.devel.oval:def:302
Evaluating test oval:org.secpod.devel.oval:tst:302
Scanning object oval:org.secpod.devel.oval:obj:302
Scanning object oval:org.secpod.devel.oval:obj:302
Evaluating definition oval:org.secpod.devel.oval:def:301
Evaluating oval:org.secpod.devel.oval:def:301
Evaluating test oval:org.secpod.devel.oval:tst:301
Scanning object oval:org.secpod.devel.oval:obj:301
Scanning object oval:org.secpod.devel.oval:obj:301
Evaluating definition oval:org.secpod.devel.oval:def:300
Evaluating oval:org.secpod.devel.oval:def:300
Evaluating test oval:org.secpod.devel.oval:tst:300
Scanning object oval:org.secpod.devel.oval:obj:300
Scanning object oval:org.secpod.devel.oval:obj:300
Scan complete

Xpert output transcript (continued)
Completed evaluating definitions
Evaluating SCE rules
(slide annotation: Script Check Engine)
SSH disconnecting from host 172.16.177.25
xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1001: FAIL
xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1002: FAIL
xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1003: FAIL
xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1004: PASS
XCCDF processing complete.
Saving report: .xccdf-results.xml
Transforming to HTML report: xccdf-result.html
Finished processing XCCDF bundle
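The transcript above shows the three stages Xpert runs through: an applicability (CPE) definition is evaluated first, then the OVAL definitions referenced by the benchmark's rules are scanned, and finally each XCCDF rule is reported as PASS or FAIL. The following added example, which is not jOVAL's implementation, models that flow with the XCCDF 1.2 and OVAL 5 namespaces: it resolves each selected rule's check-content-ref to an OVAL definition id, applies the XCCDF mapping of OVAL results (true to pass, false to fail, and so on), and marks every rule notapplicable when the applicability definition does not hold. The benchmark fragment, the OVAL results document, and all ids in it (oval:org.example:def:10/300/301, the xccdf_org.example_ rule ids) are constructed for this example and are not the SecPod content on the slides.

```python
"""Added example (not jOVAL's code): derive XCCDF rule results from OVAL
definition results, with an applicability gate, over constructed XML."""
import xml.etree.ElementTree as ET
from typing import Dict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"

# Constructed two-rule benchmark fragment; ids are made up for this example.
BENCHMARK_XML = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_junos">
  <Rule id="xccdf_org.example_rule_net0400" selected="true">
    <check system="{OVAL_DEF_NS}">
      <check-content-ref href="junos-oval.xml" name="oval:org.example:def:300"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_net0340" selected="true">
    <check system="{OVAL_DEF_NS}">
      <check-content-ref href="junos-oval.xml" name="oval:org.example:def:301"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_unselected" selected="false"/>
</Benchmark>
"""

# Constructed OVAL results: def:10 plays the applicability (CPE) definition.
OVAL_RESULTS_XML = f"""
<oval_results xmlns="{OVAL_RES_NS}">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:org.example:def:10" result="true"/>
        <definition definition_id="oval:org.example:def:300" result="false"/>
        <definition definition_id="oval:org.example:def:301" result="true"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

# XCCDF mapping of OVAL definition results onto rule results.
OVAL_TO_XCCDF = {
    "true": "pass",
    "false": "fail",
    "error": "error",
    "unknown": "unknown",
    "not applicable": "notapplicable",
    "not evaluated": "notchecked",
}


def load_oval_results(xml_text: str) -> Dict[str, str]:
    """Collect definition_id -> result from an OVAL results document."""
    root = ET.fromstring(xml_text)
    return {d.get("definition_id"): d.get("result")
            for d in root.iter(f"{{{OVAL_RES_NS}}}definition")}


def rule_results(benchmark_xml: str, oval_results: Dict[str, str]) -> Dict[str, str]:
    """Resolve each selected rule's check-content-ref and map its OVAL result."""
    root = ET.fromstring(benchmark_xml)
    out: Dict[str, str] = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        if rule.get("selected") != "true":
            continue  # unselected rules are not evaluated in the profile
        ref = rule.find(f"{{{XCCDF_NS}}}check/{{{XCCDF_NS}}}check-content-ref")
        if ref is None:
            out[rule.get("id")] = "notchecked"  # nothing to run for this rule
            continue
        oval_result = oval_results.get(ref.get("name"), "unknown")
        out[rule.get("id")] = OVAL_TO_XCCDF.get(oval_result, "unknown")
    return out


def evaluate_benchmark(benchmark_xml: str, oval_results: Dict[str, str],
                       applicability_def: str) -> Dict[str, str]:
    """Gate the rule results on the applicability definition, as the
    'Determining system applicability' step does before any rule is scanned."""
    if oval_results.get(applicability_def) != "true":
        root = ET.fromstring(benchmark_xml)
        return {r.get("id"): "notapplicable"
                for r in root.iter(f"{{{XCCDF_NS}}}Rule") if r.get("selected") == "true"}
    return rule_results(benchmark_xml, oval_results)


if __name__ == "__main__":
    results = load_oval_results(OVAL_RESULTS_XML)
    for rule_id, verdict in evaluate_benchmark(
            BENCHMARK_XML, results, "oval:org.example:def:10").items():
        print(f"{rule_id}: {verdict.upper()}")
```

The applicability gate matters for a network device: if the CPE definition for the platform fails, a result of fail for every rule would be misleading, so the rules are reported notapplicable rather than scanned.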



Junos OVAL vulnerability results




Xpert Junos STIG XCCDF results




Network Infrastructure STIG Topology




Lack of support for Inter-networking devices
• OVAL board members: tool vendors, OS vendors, others
• No incentives?
• Is there demand for OVAL on routers and switches? Yes





More Related Content

What's hot

Challenge for GlassFish Builpack
Challenge for GlassFish BuilpackChallenge for GlassFish Builpack
Challenge for GlassFish BuilpackKenji Kazumura
 
Using OSGi to Build Better Software
Using OSGi to Build Better SoftwareUsing OSGi to Build Better Software
Using OSGi to Build Better Softwareyocaba
 
Hangs, Slowdowns, Starvation—Oh My! A Deep Dive into the Life of a Java Threa...
Hangs, Slowdowns, Starvation—Oh My! A Deep Dive into the Life of a Java Threa...Hangs, Slowdowns, Starvation—Oh My! A Deep Dive into the Life of a Java Threa...
Hangs, Slowdowns, Starvation—Oh My! A Deep Dive into the Life of a Java Threa...David Buck
 
Escape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud ServiceEscape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud ServiceRobert Munteanu
 
Testbench Linter: Automated Rule Checker Framework for Testbenches
Testbench Linter: Automated Rule Checker Framework for TestbenchesTestbench Linter: Automated Rule Checker Framework for Testbenches
Testbench Linter: Automated Rule Checker Framework for TestbenchesDVClub
 
Opti x osn 7500 product description
Opti x osn 7500 product description Opti x osn 7500 product description
Opti x osn 7500 product description naserdodo
 
How to Choose a JDK
How to Choose a JDKHow to Choose a JDK
How to Choose a JDKSimon Ritter
 
Skyfire log files100411
Skyfire log files100411Skyfire log files100411
Skyfire log files100411navaidkhan
 
OSGi-enabled Java EE Applications using GlassFish
OSGi-enabled Java EE Applications using GlassFishOSGi-enabled Java EE Applications using GlassFish
OSGi-enabled Java EE Applications using GlassFishArun Gupta
 
What's cool in the new and updated OSGi Specs (EclipseCon 2014)
What's cool in the new and updated OSGi Specs (EclipseCon 2014)What's cool in the new and updated OSGi Specs (EclipseCon 2014)
What's cool in the new and updated OSGi Specs (EclipseCon 2014)David Bosschaert
 
Jakarta EE 最前線 - Jakarta EEの現在、ロードマップなど
Jakarta EE 最前線 - Jakarta EEの現在、ロードマップなどJakarta EE 最前線 - Jakarta EEの現在、ロードマップなど
Jakarta EE 最前線 - Jakarta EEの現在、ロードマップなどオラクルエンジニア通信
 
Spring Performance Gains
Spring Performance GainsSpring Performance Gains
Spring Performance GainsVMware Tanzu
 
O Mundo Oracle e o Que Há de Novo no Java
O Mundo Oracle e o Que Há de Novo no JavaO Mundo Oracle e o Que Há de Novo no Java
O Mundo Oracle e o Que Há de Novo no JavaBruno Borges
 
A Groovy Kind of Java (San Francisco Java User Group)
A Groovy Kind of Java (San Francisco Java User Group)A Groovy Kind of Java (San Francisco Java User Group)
A Groovy Kind of Java (San Francisco Java User Group)Nati Shalom
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Arun Gupta
 
HTML5 Websockets and Java - Arun Gupta
HTML5 Websockets and Java - Arun GuptaHTML5 Websockets and Java - Arun Gupta
HTML5 Websockets and Java - Arun GuptaJAX London
 
Java Concurrency, A(nother) Peek Under the Hood [Code One 2019]
Java Concurrency, A(nother) Peek Under the Hood [Code One 2019]Java Concurrency, A(nother) Peek Under the Hood [Code One 2019]
Java Concurrency, A(nother) Peek Under the Hood [Code One 2019]David Buck
 
DPTF - Dataflow Programming Tools Framework
DPTF - Dataflow Programming Tools FrameworkDPTF - Dataflow Programming Tools Framework
DPTF - Dataflow Programming Tools Frameworkfliordache
 

What's hot (19)

Challenge for GlassFish Builpack
Challenge for GlassFish BuilpackChallenge for GlassFish Builpack
Challenge for GlassFish Builpack
 
Using OSGi to Build Better Software
Using OSGi to Build Better SoftwareUsing OSGi to Build Better Software
Using OSGi to Build Better Software
 
Hangs, Slowdowns, Starvation—Oh My! A Deep Dive into the Life of a Java Threa...
Hangs, Slowdowns, Starvation—Oh My! A Deep Dive into the Life of a Java Threa...Hangs, Slowdowns, Starvation—Oh My! A Deep Dive into the Life of a Java Threa...
Hangs, Slowdowns, Starvation—Oh My! A Deep Dive into the Life of a Java Threa...
 
Escape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud ServiceEscape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud Service
 
Testbench Linter: Automated Rule Checker Framework for Testbenches
Testbench Linter: Automated Rule Checker Framework for TestbenchesTestbench Linter: Automated Rule Checker Framework for Testbenches
Testbench Linter: Automated Rule Checker Framework for Testbenches
 
Opti x osn 7500 product description
Opti x osn 7500 product description Opti x osn 7500 product description
Opti x osn 7500 product description
 
How to Choose a JDK
How to Choose a JDKHow to Choose a JDK
How to Choose a JDK
 
Skyfire log files100411
Skyfire log files100411Skyfire log files100411
Skyfire log files100411
 
OSGi-enabled Java EE Applications using GlassFish
OSGi-enabled Java EE Applications using GlassFishOSGi-enabled Java EE Applications using GlassFish
OSGi-enabled Java EE Applications using GlassFish
 
What's cool in the new and updated OSGi Specs (EclipseCon 2014)
What's cool in the new and updated OSGi Specs (EclipseCon 2014)What's cool in the new and updated OSGi Specs (EclipseCon 2014)
What's cool in the new and updated OSGi Specs (EclipseCon 2014)
 
Jakarta EE 最前線 - Jakarta EEの現在、ロードマップなど
Jakarta EE 最前線 - Jakarta EEの現在、ロードマップなどJakarta EE 最前線 - Jakarta EEの現在、ロードマップなど
Jakarta EE 最前線 - Jakarta EEの現在、ロードマップなど
 
Spring Performance Gains
Spring Performance GainsSpring Performance Gains
Spring Performance Gains
 
O Mundo Oracle e o Que Há de Novo no Java
O Mundo Oracle e o Que Há de Novo no JavaO Mundo Oracle e o Que Há de Novo no Java
O Mundo Oracle e o Que Há de Novo no Java
 
A Groovy Kind of Java (San Francisco Java User Group)
A Groovy Kind of Java (San Francisco Java User Group)A Groovy Kind of Java (San Francisco Java User Group)
A Groovy Kind of Java (San Francisco Java User Group)
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
 
HTML5 Websockets and Java - Arun Gupta
HTML5 Websockets and Java - Arun GuptaHTML5 Websockets and Java - Arun Gupta
HTML5 Websockets and Java - Arun Gupta
 
Java Concurrency, A(nother) Peek Under the Hood [Code One 2019]
Java Concurrency, A(nother) Peek Under the Hood [Code One 2019]Java Concurrency, A(nother) Peek Under the Hood [Code One 2019]
Java Concurrency, A(nother) Peek Under the Hood [Code One 2019]
 
OSGi for mere mortals
OSGi for mere mortalsOSGi for mere mortals
OSGi for mere mortals
 
DPTF - Dataflow Programming Tools Framework
DPTF - Dataflow Programming Tools FrameworkDPTF - Dataflow Programming Tools Framework
DPTF - Dataflow Programming Tools Framework
 

Similar to Oval Internetworking Devices

SCAP and NETCONF
SCAP and NETCONFSCAP and NETCONF
SCAP and NETCONFc3i
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...Cisco DevNet
 
OpenDaylight SDN Controller - Introduction
OpenDaylight SDN Controller - IntroductionOpenDaylight SDN Controller - Introduction
OpenDaylight SDN Controller - IntroductionEueung Mulyana
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)Jooho Lee
 
Ebs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session  feb 13 2013---Presented by OracleEbs performance tuning session  feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleAkash Pramanik
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Alexandre (Shura) Iline
 
Using Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at SplunkUsing Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at SplunkDocker, Inc.
 
"Quantum" Performance Effects
"Quantum" Performance Effects"Quantum" Performance Effects
"Quantum" Performance EffectsSergey Kuksenko
 
Fine-grained fault tolerance using device checkpoints
Fine-grained fault tolerance using device checkpointsFine-grained fault tolerance using device checkpoints
Fine-grained fault tolerance using device checkpointsasimkadav
 
OpenStack & OpenDaylight Hands-on Lab
OpenStack & OpenDaylight Hands-on LabOpenStack & OpenDaylight Hands-on Lab
OpenStack & OpenDaylight Hands-on LabMichelle Holley
 
GlassFish in Production Environments
GlassFish in Production EnvironmentsGlassFish in Production Environments
GlassFish in Production EnvironmentsBruno Borges
 
Using ScaleIO in an OpenStack Environment
Using ScaleIO in an OpenStack EnvironmentUsing ScaleIO in an OpenStack Environment
Using ScaleIO in an OpenStack EnvironmentJason Sturgeon
 
Daneyon Hansen - Intro to OpenStack - Feb13 OpenStack Denver Meetup
Daneyon Hansen - Intro to OpenStack - Feb13 OpenStack Denver MeetupDaneyon Hansen - Intro to OpenStack - Feb13 OpenStack Denver Meetup
Daneyon Hansen - Intro to OpenStack - Feb13 OpenStack Denver MeetupShannon McFarland
 
Oracle Solaris 11.1 New Features
Oracle Solaris 11.1 New FeaturesOracle Solaris 11.1 New Features
Oracle Solaris 11.1 New FeaturesOrgad Kimchi
 
DEVNET-1006 Getting Started with OpenDayLight
DEVNET-1006	Getting Started with OpenDayLightDEVNET-1006	Getting Started with OpenDayLight
DEVNET-1006 Getting Started with OpenDayLightCisco DevNet
 
The Enhanced Cisco Container Platform
The Enhanced Cisco Container PlatformThe Enhanced Cisco Container Platform
The Enhanced Cisco Container PlatformRobb Boyd
 
COBWEB: Towards an Optimised Interoperability Framework for Citizen Science
COBWEB: Towards an Optimised Interoperability Framework for Citizen ScienceCOBWEB: Towards an Optimised Interoperability Framework for Citizen Science
COBWEB: Towards an Optimised Interoperability Framework for Citizen ScienceCOBWEB Project
 

Similar to Oval Internetworking Devices (20)

SCAP and NETCONF
SCAP and NETCONFSCAP and NETCONF
SCAP and NETCONF
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
 
OpenDaylight SDN Controller - Introduction
OpenDaylight SDN Controller - IntroductionOpenDaylight SDN Controller - Introduction
OpenDaylight SDN Controller - Introduction
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
Hybrid Applications
Hybrid ApplicationsHybrid Applications
Hybrid Applications
 
Ebs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session  feb 13 2013---Presented by OracleEbs performance tuning session  feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by Oracle
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
 
Using Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at SplunkUsing Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at Splunk
 
"Quantum" Performance Effects
"Quantum" Performance Effects"Quantum" Performance Effects
"Quantum" Performance Effects
 
Fine-grained fault tolerance using device checkpoints
Fine-grained fault tolerance using device checkpointsFine-grained fault tolerance using device checkpoints
Fine-grained fault tolerance using device checkpoints
 
OpenStack & OpenDaylight Hands-on Lab
OpenStack & OpenDaylight Hands-on LabOpenStack & OpenDaylight Hands-on Lab
OpenStack & OpenDaylight Hands-on Lab
 
GlassFish in Production Environments
GlassFish in Production EnvironmentsGlassFish in Production Environments
GlassFish in Production Environments
 
Maximizing Oracle RAC Uptime
Maximizing Oracle RAC UptimeMaximizing Oracle RAC Uptime
Maximizing Oracle RAC Uptime
 
Using ScaleIO in an OpenStack Environment
Using ScaleIO in an OpenStack EnvironmentUsing ScaleIO in an OpenStack Environment
Using ScaleIO in an OpenStack Environment
 
New em12c kscope
New em12c kscopeNew em12c kscope
New em12c kscope
 
Daneyon Hansen - Intro to OpenStack - Feb13 OpenStack Denver Meetup
Daneyon Hansen - Intro to OpenStack - Feb13 OpenStack Denver MeetupDaneyon Hansen - Intro to OpenStack - Feb13 OpenStack Denver Meetup
Daneyon Hansen - Intro to OpenStack - Feb13 OpenStack Denver Meetup
 
Oracle Solaris 11.1 New Features
Oracle Solaris 11.1 New FeaturesOracle Solaris 11.1 New Features
Oracle Solaris 11.1 New Features
 
DEVNET-1006 Getting Started with OpenDayLight
DEVNET-1006	Getting Started with OpenDayLightDEVNET-1006	Getting Started with OpenDayLight
DEVNET-1006 Getting Started with OpenDayLight
 
The Enhanced Cisco Container Platform
The Enhanced Cisco Container PlatformThe Enhanced Cisco Container Platform
The Enhanced Cisco Container Platform
 
COBWEB: Towards an Optimised Interoperability Framework for Citizen Science
COBWEB: Towards an Optimised Interoperability Framework for Citizen ScienceCOBWEB: Towards an Optimised Interoperability Framework for Citizen Science
COBWEB: Towards an Optimised Interoperability Framework for Citizen Science
 

Oval Internetworking Devices

  • 1. OVAL for Inter-networking Devices Security Automation Developer Days July 12, 2012 Project Martini Luis Nuñez – Apex Assurance Group David Solin - jOVAL Chandrashekhar Basavanna - SecPod
  • 2. OVAL for Inter-networking Devices The OVAL specification currently supports a diverse set of platforms. We see Windows and a variety of UNIX operating systems supported of which there is only one Inter-networking platform. Inter- networking devices are routers and switches that connect the Internet. Currently Cisco is only vendor and platform that is represented in the area of inter-networking devices. In this session we propose a new platform to be supported by the OVAL specification. The session will cover new schema, content and tool (jOVALdi) associated with the new platform. The session will also compare similarities between the Cisco IOS schema and the new platform schema. 2 www.apexassurance.com © 2012 Apex Assurance Group
  • 3. jOVAL SecPod Apex Assurance  Collaboration with alignment of interests.  Apex Assurance – Juniper is a good customer to Apex. This was a worth while effort to get Juniper on the SCAP map and also contribute to the community.  jOVAL – Natural to further extend the tool to other networking platforms.  SecPod – Further expand in content capabilities.  We encourage others to collaborate on common interests. 3 www.apexassurance.com © 2012 Apex Assurance Group
  • 4. Project Martini Goals  Get Juniper Junos supported in OVAL  Proof of concept  “rough consensus and running code” – Tool – jOVAL(jovaldi, Xpert) – Content OVAL, XCCDF, CCE, CPE – Junos OVAL schema  Acceptance of prototype concept into official OVAL release  Think big but keep it simple 4 www.apexassurance.com © 2012 Apex Assurance Group
  • 5. Current list platforms supported on OVAL Candidate Platform 5 www.apexassurance.com © 2012 Apex Assurance Group
  • 6. Ingredients to making this work  Specification support for Junos within OVAL  Content – STIG, SCAP (OVAL, CPE, CCE, XCCDF) – SCAP 1.2 data streams  Tool – jOVAL – Xpert – Jovaldi 6 www.apexassurance.com © 2012 Apex Assurance Group
  • 7. Juniper Junos OVAL Schema Junos definition schema Junos system characteristics 7 www.apexassurance.com © 2012 Apex Assurance Group
  • 8. OVAL tests (Inter-networking devices) 8 www.apexassurance.com © 2012 Apex Assurance Group
  • 9. DISA Network Infrastructure STIG  Cisco IOS specific checklists (XCCDF)  Juniper Junos specific checklists (XCCDF) 9 www.apexassurance.com © 2012 Apex Assurance Group
  • 10. Juniper Junos Content – SCAP 1.2 data stream • sp- junos-cce-xccdf.xml • sp-junos-cce-oval.xml • sp-junos-cpe-oval.xml • sp-junos-cpe-dictionary.xml OVAL CCE Junos XCCDF CPE 10 www.apexassurance.com © 2012 Apex Assurance Group
  • 11. DISA STIG NET0400 test  STIG ID NET0400 – Interior routing protocols are not authenticated  Sample Junos CCE  Junos command line interface (CLI) output  Curly brace CLI example [edit protocols ospf] ospf { area 0.0.0.0 { interface em0.0 { authentication { md5 1 key "$9$FYPx3tOylMWxdWLkPfQCAxNdV4Z.PQz6Az3vLXN2g69AtIcWLN”; } } } }  set CLI example set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "$9$FYPx3tOylMWxdWLkPfQCAxNdV4Z.PQz6Az3vLXN2g69AtIcWLN" 11 www.apexassurance.com © 2012 Apex Assurance Group
  • 12. DISA STIG NET0340 test  STIG ID NET0340 – Login banner is non-existent or not DOD approved  Sample Junos CCE  Simple check  Variable  Junos command line interface (CLI) output  set CLI example set system login message “test banner page” 12 www.apexassurance.com © 2012 Apex Assurance Group
  • 13. demo XCCDF OVAL CCE/CPE SCAP CONTENT TOOL Results Junos Remote Offline 13 www.apexassurance.com © 2012 Apex Assurance Group
  • 14. Demo Content  OVAL JunOS schema  OVAL definition  XCCDF – based on DISA STIG  CPE  CCE 14 www.apexassurance.com © 2012 Apex Assurance Group
  • 15. Challenges and Lessons Learned  Lack of inter-networking vendors participation in the specifications  The focus of the specifications on Windows and Linux Operating Systems. Slow adoption to other platforms.  Incentives to adopt 15 www.apexassurance.com © 2012 Apex Assurance Group
  • 16. Thanks Reference  www.apexassurance.com  www.joval.org – Tool download http://joval.org/download/mitre  www.secpod.com – Content download http://scaprepo.com/  Junos STIG reference – http://www.c3isecurity.com/home/junos-hardening 16 www.apexassurance.com © 2012 Apex Assurance Group
17. Xpert output transcript
(Slide callouts point out the SCAP 1.2 data stream, the XCCDF profile, and the plugin options for remote and offline capabilities in the command line.)
    >xpert -d defsp-junos-netconf-datastream-1.1.xml -p xccdf_org.secpod_profile_stig_junos -plugin remote -config remote-junos.properties -l 1
    ----------------------------------------------------
    XPERT by jOVAL.org
    XCCDF Processing Engine and Reporting Tool
    Version: 5.10.1.1_Dev
    Build date: Fri Jun 22 11:57:19 CDT 2012
    Copyright (C) 2012 - jOVAL.org
    Plugin: jOVALRemotePlugin by jOVAL.org(TM)
    Version: 5.10.1.1_Dev
    Copyright (C) 2011, 2012 - jOVAL.org
    ----------------------------------------------------
18. Xpert output transcript (continued)
    Start time: Tue Jun 26 13:07:38 EDT 2012
    Loading defsp-junos-netconf-datastream-1.1.xml
    Selected stream scap_org.secpod_datastream_sp-junos-netconf-datastream.zip
    Selected benchmark scap_org.secpod_comp_sp-junos-cce-netconf-xccdf.xml
    Setting org.joval.ssh.system.SshSession: conn.timeout=3000 [org.joval.intf.ssh.system.ISshSession]
    Setting org.joval.ssh.system.SshSession: conn.retries=3 [org.joval.intf.ssh.system.ISshSession]
    Setting org.joval.ssh.system.SshSession: attach.log=false [org.joval.intf.ssh.system.ISshSession]
    Setting org.joval.ssh.system.SshSession: exec.retries=1 [org.joval.intf.ssh.system.ISshSession]
    Setting org.joval.ssh.system.SshSession: debug=false [org.joval.intf.system.IBaseSession]
    Setting org.joval.ssh.system.SshSession: read.timeout.small=15000 [org.joval.intf.system.IBaseSession]
    Setting org.joval.ssh.system.SshSession: read.timeout.large=900000 [org.joval.intf.system.IBaseSession]
    Setting org.joval.ssh.system.SshSession: read.timeout.medium=120000 [org.joval.intf.system.IBaseSession]
    Setting org.joval.ssh.system.SshSession: read.timeout.xl=3600000 [org.joval.intf.system.IBaseSession]
    Credential set for 172.16.177.25
(Slide callout: Auth: Banner Page)
19. Xpert output transcript (continued)
    Established SSH connection to host 172.16.177.25
    Starting process: pwd
    Starting process: show version
(Slide callout: Junos CLI "show version details")
    Setting org.joval.os.juniper.system.JunosSession: debug=false [org.joval.intf.system.IBaseSession]
    Setting org.joval.os.juniper.system.JunosSession: read.timeout.small=15000 [org.joval.intf.system.IBaseSession]
    Setting org.joval.os.juniper.system.JunosSession: read.timeout.large=900000 [org.joval.intf.system.IBaseSession]
    Setting org.joval.os.juniper.system.JunosSession: read.timeout.medium=120000 [org.joval.intf.system.IBaseSession]
    Setting org.joval.os.juniper.system.JunosSession: read.timeout.xl=3600000 [org.joval.intf.system.IBaseSession]
    Credential set for 172.16.177.25
20. Xpert output transcript (continued)
    There are 4 rules to process for the selected profile
    Starting process: request support information
    Determining system applicability...
(Slide callout: CPE check)
    Evaluating definition oval:org.secpod.devel.oval:def:10
    Evaluating oval:org.secpod.devel.oval:def:10
    Evaluating test oval:org.secpod.devel.oval:tst:10
    Scanning object oval:org.secpod.devel.oval:obj:10
    Scanning object oval:org.secpod.devel.oval:obj:10
    NETCONF session ID: 1441
(Slide callout: NETCONF session)
    Passed def oval:org.secpod.devel.oval:def:10
    The target system is applicable to the specified XCCDF
21. Xpert output transcript (continued)
(The slide shows this portion in two columns with an "OVAL checks" callout; it is collapsed here into one listing.)
    Creating engine for href sp-junos-cce-netconf-oval.xml
    Evaluating OVAL rules
    Beginning scan
    Evaluating definitions
    Evaluating definition oval:org.secpod.devel.oval:def:303
    Evaluating oval:org.secpod.devel.oval:def:303
    Evaluating test oval:org.secpod.devel.oval:tst:303
    Scanning object oval:org.secpod.devel.oval:obj:303
    Scanning object oval:org.secpod.devel.oval:obj:303
    Evaluating definition oval:org.secpod.devel.oval:def:302
    Evaluating oval:org.secpod.devel.oval:def:302
    Evaluating test oval:org.secpod.devel.oval:tst:302
    Scanning object oval:org.secpod.devel.oval:obj:302
    Scanning object oval:org.secpod.devel.oval:obj:302
    Evaluating definition oval:org.secpod.devel.oval:def:301
    Evaluating oval:org.secpod.devel.oval:def:301
    Evaluating test oval:org.secpod.devel.oval:tst:301
    Scanning object oval:org.secpod.devel.oval:obj:301
    Scanning object oval:org.secpod.devel.oval:obj:301
    Evaluating definition oval:org.secpod.devel.oval:def:300
    Evaluating oval:org.secpod.devel.oval:def:300
    Evaluating test oval:org.secpod.devel.oval:tst:300
    Scanning object oval:org.secpod.devel.oval:obj:300
    Scanning object oval:org.secpod.devel.oval:obj:300
    Evaluating definition oval:org.secpod.devel.oval:def:10
    Evaluating oval:org.secpod.devel.oval:def:10
    Evaluating test oval:org.secpod.devel.oval:tst:10
    Scanning object oval:org.secpod.devel.oval:obj:10
    Scanning object oval:org.secpod.devel.oval:obj:10
    Scan complete
22. Xpert output transcript (continued)
    Completed evaluating definitions
    Evaluating SCE rules
(Slide callout: Script Check Engine)
    SSH disconnecting from host 172.16.177.25
    xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1001: FAIL
    xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1002: FAIL
    xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1003: FAIL
    xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1004: PASS
    XCCDF processing complete.
    Saving report: .xccdf-results.xml
    Transforming to HTML report: xccdf-result.html
    Finished processing XCCDF bundle
23. Junos OVAL vulnerability results (screenshot)

24. Xpert Junos STIG XCCDF results (screenshot)

25. Network Infrastructure STIG Topology (diagram)
26. Lack of support for Inter-networking devices
 OVAL board members: tool vendors, OS vendors, others
 No incentives?
 Is there demand for OVAL on routers and switches? Yes

Editor's Notes

  1. Discussion of the platforms currently supported in OVAL and the security automation specifications.
  2. General formula for getting a new platform supported.
  3. Quick overview of the DISA Network Infrastructure STIG. Decompose the various checklists that make up the STIG. Emphasis on the various roles inter-networking devices play on the network.
  4. Discussion of the Junos content and the SCAP 1.2 data stream format.