
RE: Ability to withstand well known attacks



Excluding bandwidth floods and other resource depletion attacks, i.e. a denial of service attack that works by opening N+1 FTP sessions where your system can only support N FTP sessions. While that is an attack, as long as the system under attack does not crash or hang it has not "failed" this test.

At no point should we allow equipment through the test phase that has KNOWN high severity vulnerabilities as defined above.

Since Nessus (and other tools) do provide a level of severity, could we say only HIGH severity vulnerabilities cause a "failure"?

Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
(coffee != sleep) & (!coffee == sleep)
<SNIP>
 
> OK, this makes two vendors who strenuously objected to this
> requirement.   I'd like feedback/discussion/suggested wording.
> 
> For the record, the requirement currently reads:
> 
> > 2.3.8 Ability to Withstand Well-Known Attacks and Exploits
> >
> >    Requirement. The device MUST have an IP stack and 
> operating system
> >       that is robust enough to withstand well-known attacks and
> >       exploits. For the purpose of this document, 
> well-known attacks and
> >       exploits are defined as those that have been published by the
> >       following:
> >
> >       *  Computer Emergency Response Team Coordination 
> Center [CERT/CC]
> >          Advisories
> >
> >       *  Common Vulnerabilities and Exposures [CVE] entries
> >
> >       *  Bugtraq [Bugtraq] postings
> >
> >       *  Standard Nessus [Nessus] Plugins
> >
> >       *  Vendor security bulletins for the device in question.
> 
> One of the first things I do with a new bit of equipment is take it
> into the lab and hit it with nessus.  What this requirement is saying
> is "if a vendor hands me piece of equipment to test/buy/deploy that
> has well known vulnerabilities/exploits, I (as the
> customer/operator/purchaser) will fail it until the known problems are
> fixed".   I don't want to buy/use broken/breakable systems.
> 
> If I'm missing something please point it out.
> 
> I think last week's little bug 
> (http://www.cert.org/advisories/CA-2003-15.html)
> and subsequent exploit 
> (http://www.cert.org/advisories/CA-2003-17.html)
> are people's exhibit #1 (no intention to pick on the particular
> vendor).   If today, July 22, 2003, said vendor were to bring me a new
> piece of equipment for evaluation/deployment, and I were to take it
> into the lab and find that it were vulnerable to CA-2003-15, I would
> tell said vendor to take their equipment back and take a hike....but
> fortunately in this case, said vendor appears to be acting very
> responsibly and is all over fixing the problem/mitigating the risk.
> 
> I would even argue that a simple nessus (or ISS, or whatever) scan
> could, today, be strongly considered to be a Best Current Practice.
> 
> So, help me out.  Show me where this is not reasonable and/or suggest
> better wording.
> 
> ---George
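The acceptance rule discussed in this thread (scan the box, fail it on HIGH severity findings, but do not auto-fail resource-exhaustion DoS checks unless the device actually crashed or hung) can be turned into a mechanical gate over a scan report. The following is an added example for this thread, not code from the list or from Nessus. It assumes the `.nessus` v2 XML layout (ReportHost/ReportItem elements with a numeric severity 0-4, a pluginFamily attribute and optional `<cve>` children); Nessus in 2003 wrote NBE text reports, and this targets the later XML format. The family name "Denial of Service" and the sample report are assumptions/constructed data, as is the CVE-less "review" bucket for lower-severity findings that nevertheless reference a published entry.

```python
"""Acceptance gate over a Nessus .nessus (v2 XML) scan report.

Added example; not code from the thread or from Nessus. Assumes the .nessus
v2 format (ReportHost/ReportItem, severity 0-4, pluginFamily, optional <cve>
children). The sample report at the bottom is constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
FAIL_AT = 3                       # the thread's proposal: only High (or above) fails the box
DOS_FAMILY = "Denial of Service"  # assumed family name for resource-exhaustion checks


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    plugin_id: str
    name: str
    family: str
    severity: int
    cves: tuple


def parse_nessus(xml_text: str) -> list:
    """Flatten every ReportItem in the report into Finding records."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cves = tuple(c.text.strip() for c in item.findall("cve") if c.text)
            findings.append(Finding(
                host=host.get("name", "?"),
                port=f"{item.get('port')}/{item.get('protocol')}",
                plugin_id=item.get("pluginID", "?"),
                name=item.get("pluginName", ""),
                family=item.get("pluginFamily", ""),
                severity=int(item.get("severity", "0")),
                cves=cves,
            ))
    return findings


def evaluate(findings, fail_at: int = FAIL_AT) -> dict:
    """Apply the acceptance rule from the thread.

    severity >= fail_at  -> automatic FAIL, except DoS-family findings, which
                            go to 'confirm': a resource-exhaustion check only
                            fails the device if it crashed or hung, and the
                            report alone cannot tell us that.
    lower severity + CVE -> 'review': published, but below the failure bar.
    """
    failing, confirm, review = [], [], []
    for f in findings:
        if f.severity >= fail_at:
            (confirm if f.family == DOS_FAMILY else failing).append(f)
        elif f.cves:
            review.append(f)
    return {"verdict": "FAIL" if failing else "PASS",
            "failing": failing, "confirm": confirm, "review": review}


def format_report(result: dict) -> str:
    """Human-readable summary of the gate decision."""
    lines = [f"Verdict: {result['verdict']}"]
    for bucket in ("failing", "confirm", "review"):
        for f in result[bucket]:
            cves = ", ".join(f.cves) or "no CVE"
            lines.append(f"  [{bucket}] {f.host} {f.port} plugin {f.plugin_id} "
                         f"{SEVERITY_NAMES.get(f.severity, f.severity)}: {f.name} ({cves})")
    return "\n".join(lines)


# Constructed sample report: one device under evaluation, four findings.
# Plugin IDs, plugin names and CVE IDs here are placeholders, not real entries.
SAMPLE_REPORT = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="lab-eval">
  <ReportHost name="192.0.2.10">
   <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="3"
               pluginID="90001" pluginName="Telnet service overflow (constructed)"
               pluginFamily="Gain a shell remotely">
    <cve>CVE-0000-0001</cve>
   </ReportItem>
   <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="3"
               pluginID="90002" pluginName="FTP session exhaustion (constructed)"
               pluginFamily="Denial of Service">
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="90003" pluginName="Web server info leak (constructed)"
               pluginFamily="Web Servers">
    <cve>CVE-0000-0002</cve>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="90004" pluginName="SSH server type and version"
               pluginFamily="Service detection"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

if __name__ == "__main__":
    print(format_report(evaluate(parse_nessus(SAMPLE_REPORT))))
```

Run against the constructed report, the gate fails the device on the High-severity telnet finding, parks the FTP session-exhaustion finding under "confirm" (the tester decides whether the box crashed or hung during that check), and lists the Medium finding with a CVE reference for review without failing the device, which is the severity-threshold behaviour proposed above. Raising `fail_at` to 4 would let the same report pass, which is the knob the thread is arguing over.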