IETF-61 OPSEC WG: Operational Security Capabilities for IP Network Infrastructure...
IETF-61 OPSEC WG
OPSEC WG
Operational Security Capabilities for IP Network Infrastructure
IETF #61
Note Well
Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF Contribution". Such statements include oral statements in IETF sessions, as well as written and electronic communications made at any time or place, which are addressed to:
– the IETF plenary session,
– any IETF working group or portion thereof,
– the IESG, or any member thereof on behalf of the IESG,
– the IAB or any member thereof on behalf of the IAB,
– any IETF mailing list, including the IETF list itself, any working group or design team list, or any other list functioning under IETF auspices,
– the RFC Editor or the Internet-Drafts function
All IETF Contributions are subject to the rules of RFC 3667 and RFC 3668.
Statements made outside of an IETF session, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not IETF Contributions in the context of this notice.
Please consult RFC 3667 for details.
Front Administrivia
• Note scribe.
• Jabber scribe (opsec) ietfxmpp.org
• When speaking:
  – Please identify yourself (for the scribes)
  – Don’t mumble
Agenda
1. Agenda bashing.
2. The Charter. [ Pat/Ross ]
   <http://www.ietf.org/html.charters/opsec-charter.html>
3. The Framework Doc. <draft-jones-opsec-framework-01.txt>
   * Overview (George)
   * Threats (Merike)
4. The Standards Survey Doc. <draft-lonvick-sec-efforts-01.txt>
5. The Survey of Service Provider Security Practices Doc. [ Merike ]
6. Go home.
Charter: Scope
• The working group will list capabilities appropriate for devices used in:
  * Internet Service Provider (ISP) Networks
  * Enterprise Networks
• The following areas are excluded:
  * Wireless devices
  * Small-Office-Home-Office (SOHO) devices
  * Security devices (firewalls, Intrusion Detection Systems, Authentication Servers)
  * End Hosts
• The plan is to have multiple small documents
Charter: Outputs
1. Framework Document
   • The plan, scope, etc
2. Current Practices Document
   – threats addressed,
   – current practices for addressing the threat,
   – protocols, tools and technologies extant at the time of writing
3. Individual Capability Documents
   • The detail for the various categories
4. Profile Documents
Profiles/Capabilities in Charter
• Profiles:
  – ISP Operational Security Capabilities Profile
  – Enterprise Operational Security Capabilities Profile
• Capabilities:
  – Packet Filtering
  – Event Logging
  – In-Band management
  – Out-of-Band management
  – Configuration and Management Interface
  – Authentication, Authorization and Accounting (AAA)
  – Documentation and Assurance
  – Miscellaneous
Charter-related issues
• There are a lot of documents
• The document tradeoff:
  – One really big one versus many tiny ones.
  – We need lots of editors
Framework Doc
• <draft-jones-opsec-framework-01.txt>
• Specified in charter
OPSEC Working Group Framework Document
George Jones [email protected]
November 9, 2004
Framework Overview
+ Framework defines docs, work, scope, threats, attacks, etc.
+ Standards Survey surveys related work (Chris)
+ Operator Practices Survey lists current practices (Merike)
+ Capability docs list capabilities to support current and future practices.
- Framework Changes in -01:
  + Attacks/Threat Model (Merike)
  + 1,$s/Requirements/Capabilities/g
- Framework Changes for -02 ?
  + Need to correlate charter and framework document lists.
  + Drop list of documents from framework ?
  + Need to clarify intended status of documents.
  + Reduce # of documents ?
Standards Efforts
• <draft-lonvick-sec-efforts-01.txt>
• Not currently a workgroup document
  – Should it be?
Survey of Current Practices
• <no-draft-yet>
• Specified in charter
Table of Contents
1. Introduction
2. Problem Statement
3. Device Access Security
  3.1 Threat Description
  3.2 Best Current Practice
    3.2.1 Logical access
    3.2.2 Console Access
    3.2.3 HTTP
    3.2.4 SNMP
4. Authentication / Authorization
  4.1 Threat Description
  4.2 Best Current Practice
    4.2.1 Device Access
    4.2.2 Routing
    4.2.3 MAC Address
5. Filtering
  5.1 Threat Description
  5.2 Best Current Practice
    5.2.1 General Inbound Traffic Filters
    5.2.2 General Outbound Traffic Filters
    5.2.3 Device Access Filters
    5.2.4 Route Filters
    5.2.5 MAC Address Filters
    5.2.6 DoS Mitigation Filtering
    5.2.7 SinkHole / Blackhole
    5.2.8 uRPF
6. Logging (accounting)
  6.1 Threat Description
  6.2 Best Current Practice
    6.2.1 What traffic is logged
    6.2.2 What fields are logged
    6.2.3 How long are logs kept
    6.2.4 Local buffer vs syslog (for backup info)
    6.2.5 Authentication from peer to peer of log files?
    6.2.6 Integrity check of log files?
    6.2.7 NTP source considerations
7. Device Integrity
  7.1 Threat Description
  7.2 Best Current Practice
    7.2.1 Device Image Upgrade
    7.2.2 Device Configuration
    7.2.3 Management/Logging Information
8. Specific Protocol/Service Concerns
  8.1 Threat Description
  8.2 Best Current Practice
    8.2.1 ICMP
    8.2.2 Generally Unused Services
9. Policy/Procedural Considerations
  9.1 Threat Description
  9.2 Best Current Practice
    9.2.1 Equipment Software Update
    9.2.2 Equipment Configuration Change
Discussion/Administrivia
• Time for Discussion
• Maillist:
  – General Discussion: [email protected]
  – To Subscribe: [email protected]
    In Body: subscribe
  – Archive: http://ops.ietf.org/lists/opsec/