
SOHO/Profiles



Merike, I'm integrating the profile text/requirements that you
sent.  I've got some questions about the SOHO reqs, related to
current scope, etc.

First, I think *all* devices need at least the ability to filter
traffic directed *to* it, particularly devices that allow in-band
management.  See CA-2003-17 for justification.

Second, your current profile does not seem to anticipate any sort
of ongoing management (or even capability to do so).  I think,
given the current definition of scope, for a device to be covered
by these requirements, it would have to be at least potentially
manageable by the network operator.  This means, for instance,
that cable modems and other operator owned CPE[1] would be in-scope,
but joes-$49-firewall from circuits-R-Us, purchased and operated
by the customer, would be out of scope.

This is not to say that you can't define a profile out of the
existing requirements that is intended to be useful as guidance
for Joe's firewall, it simply means we're not going to add any
requirements for it.

If you want to define profiles for unmanageable (by the operator)
or customer managed devices, that's fine, just indicate clearly
in the intro text that that's what's being done.

I'm attaching a copy of prof.all.xml, which is the source for
set of profile requirements that has every currently defined
profile.  Simply change the intro paragraph text and edit out
all the sections/requirements that don't apply and send back to
me.

[1] I do have some question about including any CPE since physical
    access then becomes an issue.

Thanks,
---George
<!-- $Id: prof.min.xml,v 1.8 2003/06/27 00:53:03 george Exp $ -->

<section title="Minimum Requirements Profile">

<t>
The functionality listed here represents a bare minimum set of 
requirements which any managed networking infrastructure device should 
adhere to.  This includes all core and edge devices
which are part of an IP network (such as routers 
and switches).  Note that SOHO equipment (typically DSL 
modem/routers, cable modem/routers, etc.) and wireless networking 
infrastructure equipment have their own set of requirements and are 
not expected to adhere to this particular set of minimal requirements. 
</t>

<t>
The minimal requirements profile addresses functionality which will 
provide reasonable capabilities to manage the devices in the event of 
attacks, simplify troubleshooting, keep track of events which affect 
system integrity, help analyze causes of attacks, as well as provide 
administrators control over IP addresses and protocols to help mitigate 
the most common attacks and exploits. 
</t>

<section title="Functional Requirements" >

<section title="Device Management Requirements" >

<list style="symbols">
<t><xref target="Req.SecureManagement" format="title"/></t>
<t><xref target="Req.RemoteBackup" format="title"/></t>
<t><xref target="Req.RemoteRestore" format="title"/></t>
<t><xref target="Req.Slow" format="title"/></t>
<t><xref target="Req.Scripting" format="title"/></t>
<t><xref target="Req.LocalMgmt" format="title"/></t>
</list>
</section>

<section title="In-Band Management Requirements" >
<list style="symbols">
<t><xref target="Req.OpenEncryption" format="title"/></t>
<t><xref target="Req.StrongKeys" format="title"/></t>
<t><xref target="Req.ScalableKeyMgt" format="title"/></t>
</list>
</section>

<section title="Out-of-Band (OoB) Management Requirements" >
<list style="symbols">
<t><xref target="Req.OoBMgt" format="title"/></t>
<t><xref target="Req.Separation" format="title"/></t>
<t><xref target="Req.SeparationNotFiltering" format="title"/></t>
<t><xref target="Req.SeparationIPStacks" format="title"/></t>
</list>
</section>

<section title="User Interface Requirements">
<list style="symbols">
<t><xref target="Req.HumanConfig" format="title"/></t>
<t><xref target="Req.SanitizedConfigs" format="title"/></t>
<t><xref target="Req.VerboseConfig" format="title"/></t>
</list>
</section>

<section title="IP Stack Requirements">
<list style="symbols">
<t><xref target="Req.RFCCompliance" format="title"/></t>
<t><xref target="Req.ListServices" format="title"/></t>
<t><xref target="Req.DisableServices" format="title"/></t>
<t><xref target="Req.ControlBindings" format="title"/></t>
<t><xref target="Req.ControlSource" format="title"/></t>

<t><xref target="Req.AntiSpoof" format="title"/></t>
<t><xref target="Req.DisableOptions" format="title"/></t>
<t><xref target="Req.DisableDirectedBroadcasts" format="title"/></t>
<t><xref target="Req.DoSTrack" format="title"/></t>
<t><xref target="Req.TrafficMonitoring" format="title"/></t>
<t><xref target="Req.TrafficSampling" format="title"/></t>
</list>
</section>

<section title="Rate Limiting Requirements">
<list style="symbols">
<t><xref target="Req.RateLimiting" format="title"/></t>
<t><xref target="Req.RateStateful" format="title"/></t>
</list>
</section>

<section title="Basic Filtering Capabilities" >
<list style="symbols">
<t><xref target="Req.Filter" format="title"/></t>
<t><xref target="Req.FilterTo" format="title"/></t>
<t><xref target="Req.FilterThrough" format="title"/></t>
<t><xref target="Req.FilterUpdates" format="title"/></t>
<t><xref target="Req.FilterAction" format="title"/></t>
<t><xref target="Req.FilterLogActions" format="title"/></t>
<t><xref target="Req.FilterFast" format="title"/></t>
</list>
</section>

<!-- filter criteria -->
<section title="Packet Filtering Criteria" >
<list style="symbols">
<t><xref target="Req.FilterProtocol" format="title"/></t>
<t><xref target="Req.FilterAddresses" format="title"/></t>
<t><xref target="Req.FilterAnyHeader" format="title"/></t>
<t><xref target="Req.FilterInOrOut" format="title"/></t>
<t><xref target="Req.FilterL2MAC" format="title"/></t>
</list>
</section>

<section title="Packet Filtering Counter Requirements" >
<list style="symbols">
<t><xref target="Req.FilterCounters" format="title"/></t>
<t><xref target="Req.FilterCounterDisplay" format="title"/></t>
<t><xref target="Req.FilterCounterPerRule" format="title"/></t>
<t><xref target="Req.FilterCounterPerApplication" format="title"/></t>
<t><xref target="Req.FilterCounterReset" format="title"/></t>
<t><xref target="Req.FilterCountersAccurate" format="title"/></t>
</list>
</section>

<section title="Other Packet Filtering Requirements">
<list style="symbols">
<t><xref target="Req.FilterPerformance" format="title"/></t>
<t><xref target="Req.FilterLogGranularity" format="title"/></t>
</list>
</section>

<section title="Event Logging Requirements" >
<list style="symbols">
<t><xref target="Req.LogAll" format="title"/></t>
<t><xref target="Req.LogOpen" format="title"/></t>
<t><xref target="Req.LogRemote" format="title"/></t>
<t><xref target="Req.LogReliable" format="title"/></t>
<t><xref target="Req.LogControls" format="title"/></t>
<t><xref target="Req.LogLocal" format="title"/></t>
<t><xref target="Req.LogByClass" format="title"/></t>
<t><xref target="Req.LogClassifyEvents" format="title"/></t>
<t><xref target="Req.AccurateTime" format="title"/></t>
<t><xref target="Req.TimestampLogs" format="title"/></t>
<t><xref target="Req.LogsContainIP" format="title"/></t>
<t><xref target="Req.LogsNotTranslated" format="title"/></t>
</list>
</section>

<section title="Authentication, Authorization, and Accounting (AAA) Requirements" >
<list style="symbols">
<t><xref target="Req.AuthAllUsers" format="title"/></t>
<t><xref target="Req.AuthIndividualUsers" format="title"/></t>
<t><xref target="Req.AuthSimultaneousUsers" format="title"/></t>
<t><xref target="Req.AuthDisableAllAccounts" format="title"/></t>
<t><xref target="Req.AuthCentralized" format="title"/></t>
<t><xref target="Req.AuthLocal" format="title"/></t>
<t><xref target="Req.AuthOrder" format="title"/></t>
<t><xref target="Req.AuthNoPlaintext" format="title"/></t>
<t><xref target="Req.AuthD2D" format="title"/></t>

<!-- Authorization -->
<t><xref target="Req.AuthDefinePrivLevels" format="title"/></t>
<t><xref target="Req.AuthAssignLevels" format="title"/></t>
<t><xref target="Req.AuthDefaultPrivLevel" format="title"/></t>
<t><xref target="Req.AuthPrivLevelChange" format="title"/></t>

<!-- Accounting -->
<t><xref target="Req.AccouningRecords" format="title"/></t>

</list>
</section>

<section title="Layer 2 Requirements">
<list style="symbols">
<t><xref target="Req.FilterMPLS" format="title"/></t>
<t><xref target="Req.VLANIsolation" format="title"/></t>
<t><xref target="Req.L2DoS" format="title"/></t>
<t><xref target="Req.L3Dependencies" format="title"/></t>
</list>
</section>

</section>  <!-- Req.Functional -->

<section title="Documentation Requirements">

<list style="symbols">
<t><xref target="Req.DocServices" format="title"/></t>
<t><xref target="Req.ListProtocols" format="title"/></t>
<t><xref target="Req.DocumentProtocols" format="title"/></t>
<t><xref target="Req.StackOrigin" format="title"/></t>
<t><xref target="Req.OSOrigin" format="title"/></t>
<t><xref target="Req.LogCatalog" format="title"/></t>
</list>

</section> <!-- Req.Documentation -->

<section title="Assurance Requirements">
<list style="symbols">
<t><xref target="Req.WellKnowAttacks" format="title"/></t>
<t><xref target="Req.VendorResponsive" format="title"/></t>
</list>
</section> <!-- Req.Assurance -->

</section>

<!--
$Log: prof.min,v $
Revision 1.8  2003/06/27 00:53:03  george
Fixed minor breakages to Make/xml2rfc

Revision 1.7  2003/05/05 11:14:44  george
Fixed spelling

Revision 1.6  2003/04/22 12:11:44  george
Added requirement for simultaneous users

Revision 1.5  2003/04/22 11:31:23  george
Reviewed and rewrote authorization sections

Revision 1.4  2003/04/22 01:23:32  george
* Complete rework, simplification of AAA reqs

Revision 1.3  2003/04/21 12:20:54  george
* Changed AuthProtocol to AuthCentralized

Revision 1.2  2003/04/16 15:01:08  george
* Renamed "Implementation" sections "Examples"
* Changed "Encrypted Management Channels" to "Secure Management Channels"
  and added requirements WRT encryption.
* Cite ANSI draft on secure management where appropriate.

Revision 1.1.1.1  2003/04/11 23:32:20  george
Initial version split into separate source

-->
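The editing step George asks for above (start from the full profile source, replace the intro paragraph, and cut out the sections/requirements that don't apply) can be done mechanically on the xml2rfc layout shown in the attachment. The script below is an added example, not part of the original post or of the draft's own tooling; it works on a constructed, abridged sample in the same `<section>`/`<list>`/`<t><xref/></t>` shape, keeps only an allow-list of requirement targets (here the `Req.Filter`/`Req.FilterTo` pair George says every device needs), and drops any list or section left empty.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of prof.min.xml above (abridged), not the real file.
SAMPLE_PROFILE = """<section title="Minimum Requirements Profile">
<t>Intro paragraph to be replaced.</t>
<section title="Functional Requirements">
<section title="In-Band Management Requirements">
<list style="symbols">
<t><xref target="Req.OpenEncryption" format="title"/></t>
<t><xref target="Req.StrongKeys" format="title"/></t>
</list>
</section>
<section title="Basic Filtering Capabilities">
<list style="symbols">
<t><xref target="Req.Filter" format="title"/></t>
<t><xref target="Req.FilterTo" format="title"/></t>
<t><xref target="Req.FilterThrough" format="title"/></t>
</list>
</section>
</section>
</section>"""

def prune_profile(xml_text, keep, intro):
    """Return (pruned_xml, kept_targets): drop every <t><xref/></t> whose target
    is not in `keep`, drop <list>/<section> elements left with no requirement,
    and replace the top-level intro <t> with `intro`."""
    root = ET.fromstring(xml_text)
    kept = []

    def visit(node):
        for child in list(node):          # iterate over a copy: we remove children
            xref = child.find("xref")
            if child.tag == "t" and xref is not None:
                if xref.get("target") in keep:
                    kept.append(xref.get("target"))
                else:
                    node.remove(child)
            elif child.tag in ("list", "section"):
                visit(child)
                if child.find(".//xref") is None:   # nothing left inside it
                    node.remove(child)

    visit(root)
    intro_t = root.find("t")
    if intro_t is None:                  # profile had no intro paragraph
        intro_t = ET.Element("t")
        root.insert(0, intro_t)
    intro_t.text = intro
    return ET.tostring(root, encoding="unicode"), kept
```

Run `prune_profile(SAMPLE_PROFILE, {"Req.Filter", "Req.FilterTo"}, "Your intro text.")` and the In-Band section disappears entirely, while the Basic Filtering section survives with just the two kept requirements.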