13:59:24 <LukeHinds> #startmeeting Security Group June 3rd
13:59:24 <collabot> Meeting started Wed Jun  3 13:59:24 2015 UTC.  The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:59:24 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:59:24 <collabot> The meeting name has been set to 'security_group_june_3rd'
13:59:51 <LukeHinds> ok, we might be a little light on numbers today, juan is on holiday, as is marcin I believe
13:59:57 <MikeCamel> Hi, Luke.  Mike here: just trying to get Kapil in.
14:00:02 <LukeHinds> Hi Mike!
14:00:09 <kapil> hello Mike and Luke
14:00:10 <MikeCamel> And Kapil's here, as well!
14:00:16 <LukeHinds> I will get the agenda stuff out the way
14:00:21 <LukeHinds> hi kapil
14:00:30 <kapil> Ashutosh said he would be joining
14:00:36 <LukeHinds> good! thanks
14:00:49 <LukeHinds> #topic last meetings minutes
14:00:54 <LukeHinds> #link https://wiki.opnfv.org/meetings/security/27052015
14:01:35 <LukeHinds> #info main action points were to get kapil and ashutosh in to discuss SEC008 mapping to inspector.
14:01:45 <LukeHinds> #info luke to contact ODL
14:02:00 <LukeHinds> #info define work tasks for inspector
14:02:11 <LukeHinds> #agenda bashing
14:02:16 <LukeHinds> #undo
14:02:16 <collabot> Removing item from minutes: <MeetBot.ircmeeting.items.Info object at 0x1cd9750>
14:02:23 <LukeHinds> #topic agenda bashing
14:02:38 <LukeHinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:03:21 <LukeHinds> Inspector, OSVM, ETSI Wiki page filling and Project Mapping (SEC-8)
14:03:36 <LukeHinds> #info LukeHinds: did anyone want to add to the agenda?
14:04:27 <LukeHinds> going, going, going....
14:04:35 <LukeHinds> #agree agenda
14:04:48 <LukeHinds> #topic OSVM
14:05:21 <LukeHinds> #info quick one here, I am back in touch with Aric to finalise this (they were busy with the release) and hope to present the whole process to the TSC
14:06:00 <LukeHinds> #topic Inspector (and possibly ETSI mapping)
14:06:52 <LukeHinds> #info I had an action to contact the ODL. Next week David Jorm and Colin Dixon of ODL will join us to discuss Inspector and how that would work in a collaborative effort with opendaylight
14:07:05 <LukeHinds> #info David Jorm started the security group there
14:07:56 <LukeHinds> #info Colin Dixon is the TSC chair on opendaylight
14:08:17 <LukeHinds> so we have a good audience to pitch the benefits of inspector
14:08:56 <LukeHinds> #info ari and juan had to call off listing work items for inspector this week, as juan is on leave.
14:09:10 <LukeHinds> I think he returns this week, so he will be there for next week
14:09:58 <LukeHinds> So now I think we can start to discuss SEC008 and how it relates to inspector
14:10:08 <LukeHinds> and the overall mapping effort.
14:10:09 <kapil> is ashutosh on?
14:10:47 <LukeHinds> not sure he is. I have given him a few lessons on how to connect to web based irc, but he is finding it challenging
14:10:55 <kapil> ok - I can start to discuss highlights of SEC008 and we can see how it can work with Inspector
14:11:15 <LukeHinds> sounds good
14:11:21 <kapil> he helped me yesterday to do a Trial run...Maybe, he got busy
14:11:28 <LukeHinds> ashutosh is out of the office, so it might be that
14:11:36 <LukeHinds> hey there we go
14:11:38 <LukeHinds> right on cue
14:11:42 <kapil> SEC008 is an ETSI NFV SEC project which kicked off in Jan'15
14:12:26 <kapil> goal is to define network security functions for monitoring virtual networks
14:12:34 <kapil> ashutosh please feel free to jump in
14:13:26 <kapil> we called it Monitoring, others call it orchestration, some call it Management - we found in last meeting that the arch and flows we have developed there are similar to what others have been thinking about
14:13:30 <ashutosh> Yes Kapil, I had the VPN issues as I was describing yesterday, VPN does not allow to get to IRC
14:14:11 <ashutosh> SEC 008 takes a comprehensive approach to security monitoring with different deployment scenarios
14:14:41 <kapil> vEPC, Network Malware are some use cases
14:15:02 <LukeHinds> so network monitoring?
14:15:26 <ashutosh> Thus, it takes a pragmatic approach in terms of what is available, what are the challenges for security monitoring in different scenarios
14:15:42 <kapil> we have defined requirements for Security Monitoring, incl. active and passive monitoring of networks, securely bootstrapping agents, arch. and flows for provisioning
14:15:57 <ashutosh> It could include vEPC, vIMS and also enterprise networks also
14:16:41 <MikeCamel> One question is whether this is more relevant to Moon, but I don't know enough about either Moon or Inspector to be sure, which is why I suggested inviting Ashutosh and Kapil.
14:16:47 <ashutosh> We also describe things like API-based monitoring and how to include use cases where certain interfaces are not exposed etc.
14:17:01 <LukeHinds> I think it might have a foot in both mike
14:17:27 <kapil> we have Audit requirements as well
14:18:01 <ashutosh> I have briefly looked at Moon and Inspector and both will have com correlation with SEC 008, but need to look into it more thoroughly
14:18:03 <kapil> some security properties of integrity protection, non-repudiation and potentially confidentiality,
14:18:37 <kapil> we identify key points that can be used for developing audit trails
14:18:54 <kapil> definitely from the Security Controller
14:19:23 <kapil> In addition, from Security Agents/VNFs
14:19:40 <LukeHinds> so i think this will be the likely interplay here...
14:20:08 <kapil> so, be good to start putting together specific requirements for Inspector - for instance, which elements we want to track Audits and access to a secure Audit DB
14:20:27 <ashutosh> SEC 008 is still in the process of getting developed and there is room for additions including modifying the scope if needed, but both Moon and Inspector can certainly play a role in SEC 008
14:20:29 <kapil> we do describe Audit-DB as part of the overall system
14:20:39 <LukeHinds> moon would be the proj that would potentially implement the specs of SEC-008
14:20:53 <kapil> correct - Moon would implement SEC008
14:21:10 <LukeHinds> inspector would be the project to ensure upstreams produce the audit data needed to be compliant
14:21:41 <kapil> As ashutosh said, we barely started 5 months back, so lots of opportunity to contribute - welcome! :)
14:21:47 <LukeHinds> #link here is a good little overview of inspector that ari / juan just did https://etherpad.opnfv.org/p/inspector_preliminary
14:22:33 <LukeHinds> key points: *not* a monitoring solution, and *not* a new standard for audit
14:23:03 <ashutosh> We need to find a way to collaborate between Moon/Inspector and SEC 008 to keep them in sync
14:23:08 <kapil> totally agree with that
14:23:13 <LukeHinds> it's an effort to get others to produce the needed audit event meta data so that elements such as moon can process and act on those events
14:24:04 <LukeHinds> how I see this (which can be changed) is all would feed their requirements into inspector
14:24:17 <kapil> v good write up - are you considering security requirements for audits in inspector
14:24:20 <LukeHinds> inspector will then work with upstream projs to get the needed implemented
14:24:40 <LukeHinds> how do you mean kapil?
14:25:02 <kapil> well - depends on the purpose of the Audit
14:25:32 <kapil> and, the threat model based on system arch
14:26:21 <LukeHinds> I guess that is up to the projects in opnfv. there will be some standard initiatives that will seek to address current known concerns.
14:26:55 <LukeHinds> one example being keystone, which lacks security reporting
14:27:55 <LukeHinds> from there if moon, or dpacc has a need, they can raise that in inspector's jira and an approach is formulated and taken upstream
14:28:05 <kapil> a dumb question - are you considering logs and traces as part of Audit trails?
14:28:48 <rex_lee> not good idea
14:29:19 <ashutosh> How about API-based Pub/Sub?
14:29:47 <LukeHinds> CADF
14:30:28 <LukeHinds> how it's implemented needs to be discussed with the upstream project (I guess, I need juan / ari to comment here)
14:30:43 <LukeHinds> for example, I don't think we can say 'hey, implement snmp v3 now!'
14:30:59 <LukeHinds> but we can say, 'please report when a user accesses x, y, z'
14:31:04 <kapil> are there any implementations of CADF out there? or, will this be first?
14:31:13 <LukeHinds> ceilometer
14:31:23 <LukeHinds> i likely spelt that wrong :)
14:31:38 <LukeHinds> #link https://wiki.openstack.org/wiki/Ceilometer/blueprints/support-standard-audit-formats
14:33:40 <LukeHinds> keystone is already starting to use CADF as well
14:34:08 <LukeHinds> #link http://docs.openstack.org/developer/keystone/event_notifications.html
14:34:13 <LukeHinds> lower part of the page
14:34:33 <rex_lee> yes, it will filter service req
14:36:21 <LukeHinds> so the next steps will be Juan / Ari are going to define the work items for Inspector and get the tools set up (gerrit / jira) as the project only recently got approved.
14:37:10 <rex_lee> maybe we need some usecase
14:38:11 <LukeHinds> and then we start to collate a set of initial needs (which will be the use cases)
14:39:14 <LukeHinds> hi luigi, are you on any other opnfv projs or do you want to contribute, it's good to have you here and we can find something if you have a wish to work on this.
14:39:50 <LukeHinds> it's also fine if you just want to observe for now
14:40:28 <rex_lee> my pleasure
14:40:37 <LukeHinds> :)
14:41:10 <rex_lee> it is my first project
14:41:40 <LukeHinds> that's fine, please do keep coming here :0)
14:41:41 <ashutosh> What is the path forward for Moon and Inspector project, do we have a POC that we can see?
14:42:07 <ashutosh> And how do we align with SEC 008?
14:42:15 <ashutosh> in a mutual way
14:42:23 <LukeHinds> For Moon I am not sure, i think they have a date on their wiki. Inspector is not a solution, so no POC as such
14:42:25 <rex_lee> if u have work list, i am happy to pick up one
14:43:43 <LukeHinds> I think we first need to get inspector set up and see how requirements are entered and in what format. So that should happen over the next 2 weeks.
14:45:07 <LukeHinds> we then need to start to explore where inspector can help enact the needs of SEC-008 (or SEC-008 by proxy of opnfv projects)
14:45:41 <LukeHinds> I would encourage you guys to also put anything you can on the wiki
14:46:00 <LukeHinds> ofc, not confidential / non-public ETSI drafts
14:47:11 <LukeHinds> but anything which would be useful. We started with the problem statements, but it seems SEC-008 has substantially more areas that require lots of development
14:48:36 <LukeHinds> I put together the following rough wiki page #link https://wiki.opnfv.org/security/upstream/etsi
14:50:26 <LukeHinds> as an action point, I recommend you both think of audit events you would need to fulfill sec-008 and these can be entered into the project's jira to be assessed as to if they are possible in the current infra elements we have (being ODL, OpenStack)
14:51:19 <LukeHinds> but let's wait for the tools and work items to be defined, consider now a good opportunity to have visibility into this as it's just starting
14:53:22 <LukeHinds> #info Moon OPNFV Rel 2 timeframe: 2S 2015
14:53:57 <LukeHinds> ok, we are almost at the end now...does anyone have any other business?
14:53:57 <kapil> excellent...sounds good, Luke.  thx for the hard work..
14:54:12 <MikeCamel> thx, Luke.
14:54:19 <LukeHinds> my pleasure
14:54:57 <rex_lee> thx, luke
14:55:34 <LukeHinds> ok, we can call it a day, please all attend next week and welcome luigi.
14:55:49 <LukeHinds> minutes will go up later or tomorrow
14:55:52 <LukeHinds> #endmeeting