commoncriteria / sdn-controller

Protection Profile for Software Defined Networking Controllers
The Unlicense

Essential Security Requirements: MTD #10

Open erahn opened 8 months ago

erahn commented 8 months ago

This item does not feel well defined: "The SDN Controller shall provide a moving target defense mechanism (MTD) that protects the network from attacks by using dynamic network configuration."

I can imagine a number of features (VXLAN?) that would allow for this and would want to see this better defined as this is fleshed out.

heimannrj commented 7 months ago

NIST defines MTD as: "The concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity, and increase the costs of their probing and attack efforts."

Suggest rewording this statement to reflect that it is the concept of MTD that is important, not any given implementation of it, which is likely not going to be durable over the long term. Suggest:

"The SDN Controller shall incorporate concepts of moving target defense mechanisms (MTD) which can help defend the network controller from attacks by using controlled change management."

I would be reluctant to give examples here because there is the risk that they will become the de facto standard and this is not the intent.

hubertdcruze commented 7 months ago

Thank you for rephrasing and for your deep thought about it, which helped us to think differently. Appreciate it. Implementing the MTD can be a very beneficial strategy for enhanced security but on the other hand, implementing could be very complex. I have included a few other ways to express your thoughts. Would like to hear from others what they think about it.

"The SDN Controller should integrate moving target defense (MTD) strategies, assisting in protecting the network against attacks by applying managed change processes."

"The SDN Controller can be designed to employ moving target defense (MTD) techniques, which could be instrumental in shielding the network from potential attacks via systematic and controlled alterations in its configuration and operational environment"

"The SDN Controller may implement the principles of moving target defense (MTD) to enhance its security. By employing a strategy of controlled and deliberate changes, it aims to safeguard the network controller from adversarial actions"

"The SDN Controller can adopt moving target defense (MTD) methodologies. This approach will aid in fortifying the network controller against attacks through deliberate and regulated modification techniques"

"The SDN Controller can embrace moving target defense (MTD) tactics, effectively securing the network controller from cyber threats through the strategic implementation of change management protocols"

arubadean commented 7 months ago

The programmability aspects of SDN are the mechanism by which a moving target defense would be implemented. However, I don't believe that the SDN controller itself is the correct component to be making decisions of this nature. Other security components which interface with the SDN controller via the northbound API are the appropriate place, and that'd be outside the scope of the PP.

My major issues with this requirement are:

In summary, if we can make this extremely narrowly tailored and focus on the ability to support that policy, rather than having it be broadly worded in such a way that the SDN controller itself is fully responsible for this functionality, then it may be appropriate to leave it in, if and only if it's not a mandatory requirement. Otherwise, I'd want to remove this language. Failure to do so, in my opinion, will see a number of vendors forego this PP entirely if their product can be described in terms of an appliance that can be put through NDcPP, which would mean they miss out on the additional scrutiny of SDN-specific features like API security. That'd be counterproductive to the creation of an SDN-specific PP/module.

hubertdcruze commented 6 months ago

Comments from TC Meeting on Feb 8, 2024:

- Make the MTD an optional requirement
  - How will we keep pace with the evaluation activities
  - If this is deployed in an operational environment, this would be more disruptive than remedial
  - Not a necessary requirement bc the controller wouldn't be making the decision, just carrying out the action which is already a basic function

hubertdcruze commented 6 months ago

Thank you Dean for your detailed explanation. I agree with Dean. I also propose to remove MTD from ESR, for now.