[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Ability to withstand well known attacks

To: opsec@ops.ietf.org
Subject: Ability to withstand well known attacks
From: George Jones <gmj@pobox.com>
Date: Tue, 22 Jul 2003 08:07:48 -0400 (EDT)
In-reply-to: <Pine.LNX.4.53.0307211133340.23603@mall.pulltheplug.com>
References: <3F1BF53F.5020408@thecouch.ncsc.mil><Pine.LNX.4.53.0307211133340.23603@mall.pulltheplug.com>
Reply-to: opsec@ops.ietf.org

> OPSEC BOF - Operation Security Requirements for
> IP Network Elements Session
>
> 17 July 2003, IETF #57, Vienna
>
> BS: (Bill Somerfeld, Sun) Vendors will have trouble
>     with 2.3.8.  No vendor could comply with
>     2.3.8, it is too hard as written.  GJ: admits that
>     2.3.8 needs work.  BS: it is also a moving target!

OK, this makes two vendors who strenuously objected to this
requirement.   I'd like feedback/discssion/suggested wording.

For the record, the requirement currently reads:

> 2.3.8 Ability to Withstand Well-Known Attacks and Exploits
>
>    Requirement. The device MUST have an IP stack and operating system
>       that is robust enough to withstand well-known attacks and
>       exploits. For the purpose of this document, well-known attacks and
>       exploits are defined as those that have been published by the
>       following:
>
>       *  Computer Emergency Response Team Coordination Center [CERT/CC]
>          Advisories
>
>       *  Common Vulnerabilities and Exposures [CVE] entries
>
>       *  Bugtraq [Bugtraq] postings
>
>       *  Standard Nessus [Nessus] Plugins
>
>       *  Vendor security bulletins for the device in question.

One of the first things I do with a new bit of equipment is take it
into the lab and hit it with nessus.  What this requirement is saying
is "if a vendor hands me piece of equipment to test/buy/deploy that
has well known vulnerabilities/exploits, I (as the
customer/operator/purchaser) will fail it until the know problems are
fixed".   I don't want to buy/use broken/breakable systems.

If I'm missing something please point it out.

I think last weeks little bug (http://www.cert.org/advisories/CA-2003-15.html)
and subsequent exploit (http://www.cert.org/advisories/CA-2003-17.html)
are people's exhibit #1 (no intention to pick on the particular
vendor).   If today, July 22, 2003, said vendor were to bring me a new
piece of equipment for evaluation/deployment, and I were to take it
into the lab and find that it were vulnerable to CA-2003-15, I would
tell said vendor to take their equipment back and take a hike....but
fortunately in this case, said vendor appears to acting very
responsibly and is all over fixing the problem/mitigating the risk.

I would even argue that a simple nessus (or ISS, or whatever) scan
could, today, be strongly considered to be a Best Current Practice.

So, help me out.  Show me where this is not reasonable and/or suggest
better wording.

---George

Follow-Ups:
- Re: Ability to withstand well known attacks
  - From: Dan Hollis <goemon@anime.net>
- Re: Ability to withstand well known attacks
  - From: Chris Lonvick <clonvick@cisco.com>
- Re: Ability to withstand well known attacks
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>
- Re: Ability to withstand well known attacks
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>

References:
- Prelimary BOF meeting notes
  - From: George Jones <gmj@pobox.com>

Prev by Date: Prelimary BOF meeting notes
Next by Date: Re: Ability to withstand well known attacks
Previous by thread: Prelimary BOF meeting notes
Next by thread: Re: Ability to withstand well known attacks
Index(es):
- Date
- Thread