First attempt at 'ISP' GRIP document
Hello all:
At our Memphis meeting I volunteered (with help from Don Stikvoort) to
put forward an outline for a GRIP document aimed at ISPs. Here it
is, just in time for everyone to read before the Munich meeting!
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7425 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+
GRIP document outline: Security and ISPs
Nevil Brownlee, The University of Auckland
1 Aug 97
This is a first try at a GRIP document aimed at providing
Guidelines on Security for ISPs. It doesn't attempt to set
expectations, merely to provide a short list of issues that
ISPs should consider, and that their users (customers) should
be aware of.
1) Does the ISP have a Security Incident Response Team (SIRT)?
If so, what services does it provide?
If not, where should users report security incidents?
Where/how can they find answers to their security-related
questions?
2) Usage Policy
Does the ISP have an Acceptable Use Policy (AUP) i.e. guidelines
as to what users may or may not do?
3) Response to improper behaviour
How will the ISP respond to formal reports of
- abuse, e.g. spamming? (Remember that abuse@somecomp.somedomain
is also the mailbox alias one should implement for this purpose,
according to the Common Mailbox Names RFC).
- apparent security incidents (e.g. probe attacks,
IP address spoofing)?
Does the ISP monitor their network for any 'unusual' activity
(e.g. do they run something like Argus)? Can the ISP detect
probe attacks to/from their customers?
Does the ISP provide any channel for informal reporting of
incidents (e.g. security@somecomp.somedomain)? If so, how will
they respond to such reports?
If improper behaviour is confirmed, how will the ISP react?
Does the ISP have spoofing filters? All ISPs should have at least
INPUT filters at all their customer attachments, meaning that none
of their customers is able to send out packets with originator
addresses outside their range. If all ISPs did this, the ISP
spoofing problem would become void.
4) Downstream Sites
Are downstream sites permitted (i.e. may a user have other sites
connected to the Internet via his/her network)? What guidelines
(or contractual arrangements) does the ISP have for this?
Does the ISP accept any responsibility for downstream sites?
Does the ISP permit loose source routing?
5) Software Status
Does the ISP keep up with security reports relating to both
system software? Are security patches to the ISP's system software
and user-accessible application programs installed as soon as
possible after they are announced?
Does the ISP check any software they may distribute to users
to ensure it is secure and virus-free?
----------------------------------------------
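An added illustration of the input filter described in section 3 of the outline (not part of the posted message): each customer attachment forwards a packet only if its originator address lies inside the prefixes assigned to that customer, including any downstream sites from section 4. The attachment names, prefixes (documentation ranges) and packets are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed table: customer attachment -> prefixes assigned to that
# customer. cust-b's second prefix stands for a downstream site it connects.
ATTACHMENTS = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["198.51.100.0/24", "203.0.113.64/26"],
}

def build_filters(attachments):
    """Parse the prefix strings once, per attachment."""
    return {name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in attachments.items()}

def permit(filters, attachment, src):
    """True only if src lies inside a prefix assigned to this attachment."""
    nets = filters.get(attachment)
    if nets is None:
        return False              # unknown attachment: fail closed
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False              # unparseable originator address
    return any(addr in net for net in nets)

def audit(filters, packets):
    """Split packets into forwarded ones and a per-attachment drop count."""
    forwarded, dropped = [], Counter()
    for attachment, src, dst in packets:
        if permit(filters, attachment, src):
            forwarded.append((attachment, src, dst))
        else:
            dropped[attachment] += 1
    return forwarded, dropped

# Constructed packets: (arriving attachment, originator, destination)
PACKETS = [
    ("cust-a", "192.0.2.10",   "198.51.100.5"),  # inside cust-a's range
    ("cust-a", "192.0.2.200",  "198.51.100.5"),  # outside the /25
    ("cust-a", "198.51.100.7", "203.0.113.70"),  # cust-b's address used by cust-a
    ("cust-b", "203.0.113.70", "192.0.2.10"),    # downstream site of cust-b
    ("cust-b", "203.0.113.10", "192.0.2.10"),    # outside the downstream /26
    ("cust-b", "not-an-ip",    "192.0.2.10"),    # malformed
]

if __name__ == "__main__":
    fwd, drops = audit(build_filters(ATTACHMENTS), PACKETS)
    print("forwarded:", fwd)
    print("dropped per attachment:", dict(drops))
```

The per-attachment drop counts are also a cheap signal for the monitoring question in section 3: a customer port that keeps hitting the filter is either misconfigured or originating spoofed traffic.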