front matter/scope changes
I've made most of the structural changes discussed at the BOF,
reworked the scope, added a section (1.3 below) listing the "Goals of
Security", which gives the street-level view of what requirements are
intended to accomplish (Emir, you're welcome to try spinning this
section differently/more formally), I've split everything into
functional/documentation/assurance sections ("withstand well-known
attacks" has moved to "assurance", not functional)...I've gotten rid
of the "Non-Standard" and "Advanced" sections and dropped out things
that are clearly non-BCP (stealthing).
I'm aiming for -01 early next week. I still have to fold in Merike's
contribution to the profiles section and make another pass over the
BOF feedback. The entire work-in-progress can be seen at
http://www.port111.com/opsec/draft-jones-opsec-00a.txt
Please review the front matter changes, esp. the scope, and let me
know what you think. Also, if you see anything else you think
definitely needs to get added for -01/was missed, please yell
(Chris, the term "yell" here is used figuratively as a generic term
for all forms of communication, with email, either personal or to
the list being what I have primarily in mind).
Thanks,
---George
-------------------------------cut here------------------------------
None.                                                   G. Jones, Editor
Internet-Draft                                     The MITRE Corporation
Expires: January 29, 2004                                  July 31, 2003
Operational Security Requirements for IP Network Infrastructure
draft-jones-opsec-00a
.
.
.
Abstract
This document defines a list of operational security requirements for
the infrastructure of large IP networks (such as routers and switches).
.
.
.
Jones, Editor Expires January 29, 2004 [Page 4]
Internet-Draft Operational Security Requirements July 2003
1. Introduction
1.1 Goals
The goal of this document is to define a list of operational security
requirements for network infrastructure devices that implement
Internet Protocol (IP).
.
.
.
1.2 Scope
The primary scope of these requirements is intended to cover the
infrastructure of large IP networks (e.g. routers and switches).
Certain groups (or "profiles", see below) apply only in specific
situations (e.g. edge or core routers). The requirements listed in
the minimum profile are intended to apply to all managed
infrastructure devices.
General purpose hosts (including infrastructure hosts such as name/
time/log/aaa servers, etc.), unmanaged, or customer managed devices
(e.g. firewalls, Intrusion Detection System, dedicated VPN devices,
etc.) are explicitly out of scope. This means that while the
requirements in the minimum profile (and others) may apply,
additional requirements will not be added to account for their unique
needs.
While the examples given are written with IPv4 in mind, most of the
requirements are general enough to apply to IPv6.
1.3 Goals of Security
The purpose of security requirements in this document is to enable
network operators to ensure that:
o the network keeps passing legitimate customer traffic
(availability)
o traffic goes where it's supposed to go (availability)
o the network elements remain manageable (availability)
o only authorized users can manage network elements (authorization)
o there is record of all security related events (accountability)
o the network operator has the necessary tools to detect and respond
to illegitimate traffic
.
.
.
1.6 Format
The individual requirements are listed in one of the three sections
listed below.
o Section 2 lists functional requirements ... xxx
o Section 3 lists documentation requirements ... xxx
o Section 4 lists assurance requirements ... xxx