
RE: Comments/suggestions on draft



Known attacks vs. well-known.
I believe George did a good job of defining this: Nessus modules, CERT, CIAC, and Bugtraq.

If anything, I would want to add known vulnerabilities from other products.
For example, the ping of death was originally a known vulnerability with Windows, but it affected
other IP stacks also. So just because your OS/network gear has not been listed
as being vulnerable to an attack doesn't eliminate the vendor from being
expected to test for it.


-----Original Message-----
From: George Jones
To: ericb@digitaljunkyard.net
Cc: opsec@ops.ietf.org
Sent: 6/19/2003 10:51 AM
Subject: Re: Comments/suggestions on draft

> dh> This would cover CPE routers, edge routers, and core routers. As it should
> dh> IMHO. I'm rather tired of customer routers being exploited at the slightest
> dh> puff of air due to stupid vendor defaults.
>
> That there is a whole new can of worms.  When Oulu released their SNMP
> happiness upon the world, we determined that something like 90% of our
> CPE was vulnerable.  But our contracts were written such that it was
> illegal for us to reconfigure or upgrade their code.  The CPE belonged
> to us, but was their responsibility.
>
> I don't think that ISP contract law is within the scope of this
> document,

No, but requiring that vendors produce/support devices that:

  2.3.8 Ability to Withstand Well-Known Attacks and Exploits

     Requirement. The device MUST have an IP stack and operating system
        that is robust enough to withstand well-known attacks and
        exploits.

> but somewhere in there is a pressing issue begging to be
> resolved.  There's a whole world of people out there that talk about
> "THE router", rather than "A router".  There's gotta be some way to
> help them keep things up to date.

This doc is asking that vendors provide technology that can be
operationally secured.   Deployment is a different, much more
social/messy problem.

---George