
Scope, Profiles



On Wed, 18 Jun 2003 ericb@digitaljunkyard.net wrote:

>  "dh" == Dan Hollis <goemon@anime.net> writes:
>
> dh> On Tue, 17 Jun 2003, Wang,Nai-Pin K. wrote:
> >> Are we really just focusing on critical server-class machines here? If
> >> so, we should probably replace "hosts" with "critical core servers".
>
> dh> How about "any device whose primary function is to forward packets"?
>
> I'd go one step further.  Perhaps "Any embedded network device"?  Or
> "Anything with an IP address that is not a general purpose host"?

DNS Servers ?  AAA/ACS/Authentication servers ?  Loghosts ?

It's pretty clear (to me anyhow) that we want those "hosts" to be
in scope.  You also mention in a following post that you want
some of the features listed here on things such as manageable
power strips, system controllers, etc.

This highlights the need for greater use of the "profiles" mechanism
defined in the document to enumerate lists of requirements appropriate
to certain classes of devices.   You want your power strips to
be manageable, you want them to meet basic IP stack requirements,
you probably don't want them to implement filtering of MPLS traffic
or provide extensive packet sampling or monitoring capabilities.
The requirements are a group of things on the shelf, the
profile is the shopping list for a particular class of device.

This approach needs to be made more explicit in the front matter,
(I'll do that), a pass needs to be made over the requirements
thinking about the MUSTs, etc., and attention needs to be paid
to the profiles (Merike is taking a pass at that).

So the basic question is scope.  It currently reads:

> 1.2 Scope
>
>   These requirements apply to devices that make up the network core
>   infrastructure (such as routers and switches) as well as other devices
>   that implement IP (e.g., cable modems, personal firewalls, hosts).

I propose changing to:

>   These requirements apply to devices that make up the network core
>   infrastructure (such as routers and switches) as well as other
>   network infrastructure devices that implement IP (e.g., cable
    ^^^^^^^^^^^^^^^^^^^^^^
>   modems, personal firewalls, special purpose hosts, etc.).
                                ^^^^^^^^^^^^^^^

This means that routers, switches, DNS/LOG/AAA servers, manageable
UPS systems, SOHO + CPE networking gear, etc. are in scope,
but web servers, end user systems, etc. are out of scope.

This is not to say that you can't define useful
profiles for out-of-scope systems (end user systems),
it just means we're not going to spend time enumerating
requirements for things like filesystem permissions,
screenlock timeouts, application security, etc.

Thoughts ?

---George Jones