[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: comments
Dan Hollis wrote:
2.3.12 Ability to Disable Directed Broadcasts
'These SHOULD be the default settings.'
s/SHOULD/MUST/
Change already made.
I've posted (and will contnue to post) updated copies of the draft
@ http://www.port111.com/opsec/ See the -00a draft and the
diffs.txt file.
If you give vendors leeway to make stupid defaults, they WILL choose the
stupid ones. History has conclusively proven this. Look at all the open
smtp relays, and open proxies out there.
Another way of saying that is "they have other priorities ($), and
something needs
to be done to help them adjust their priorities and spell out specific
security needs"
(I'm getting too good a weasel words for my own comort).
In all fairness, open SMTP relays were reasonable before spam got going.
Problem is, something that was reasonable became unreasonable.
But I hear your sentement....it is exactly why this document was created.
This RFC MUST be far more anal with defaults.
Make a pass and tell me where you think defaults need to change.
Basically, the opsec RFC should mandate that a device plugged into a
network with its default settings and no changes from defaults whatsoever
MUST NOT be able to be exploited or used for any known attack.
See how this (slightly reworded) requirment grabs you:
2.3.8 Ability to Withstand Well-Known Attacks and Exploits
! Requirement. The IP stack, operating system and default configuration
! of the device MUST be robust enough to withstand well-known
! attacks and exploits.
There doesnt seem to be anything regarding default passwords, which is a
known avenue of attack on many devices.
Does this do it for you ?
2.3.8 Ability to Withstand Well-Known Attacks and Exploits
! Requirement. The IP stack, operating system and default configuration
! of the device MUST be robust enough to withstand well-known
! attacks and exploits.
Thanks,
---George Jones