SOHO/Profiles
Merike, I'm integrating the profile text/requirements that you
sent. I've got some questions about the SOHO reqs, related to
current scope, etc.
First, I think *all* devices need at least the ability to filter
traffic directed *to* it, particularly devices that allow in-band
management. See CA-2003-17 for justification.
Second, your current profile does not seem to anticipate any sort
of ongoing management (or even capability to do so). I think,
given the current definition of scope, for a device to be covered
by these requirements, it would have to be at least potentially
managable by the network operator. This means, for instance,
that cable modems and other operator owned CPE[1] would be in-scope,
but joes-$49-fireall from circuts-R-Us, purchased and operated
by the customer, would be out of scope.
This is not to say that you can't define a profile out of the
existing requirements that is intended to be useful as guidance
for joes firewall, it simply means we're not going to add any
requirements for it.
If you want to define profiles for unmanageable (by the operator)
or customer managed devices, that's fine, just indicate clearly
in the intro text that that's what's being done.
I'm attaching a copy of prof.all.xml, which is the source for
set of profile requirements that has every currently defined
profile. Simply change the intro paragraph text and edit out
all the sections/requirements that don't apply and send back to
me.
[1] I do have some question about including any CPE since physical
access then becomes an issue.
Thanks,
---George
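The first point in the message above, that every managed device must be able to filter traffic directed *to* itself (Req.FilterTo) separately from traffic forwarded *through* it (Req.FilterThrough), can be shown with a small policy model. This is an added example, not code from the draft or the OPSEC work; the device addresses, management prefix and interface name are constructed values, and an ingress anti-spoof check (Req.AntiSpoof) is included because the to-device rule's trust in a source prefix only holds when that prefix cannot arrive on other ports.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample values: the addresses this device owns and the prefix
# its management stations live on (hypothetical, not from the draft).
DEVICE_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "198.51.100.1")}
MGMT_NET = ipaddress.ip_network("192.0.2.0/28")
MGMT_IF = "eth0"

@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    src: ipaddress.IPv4Network = ipaddress.ip_network("0.0.0.0/0")
    proto: Optional[str] = None                   # None matches any protocol
    dport: Optional[int] = None                   # None matches any port
    log: bool = False                             # Req.FilterLogActions
    hits: int = 0                                 # Req.FilterCounterPerRule

# Policy for packets addressed *to* the device (Req.FilterTo): only SSH from
# the management prefix and ICMP are accepted; the rest is dropped and logged.
TO_DEVICE = [
    Rule("mgmt-ssh", "permit", MGMT_NET, "tcp", 22),
    Rule("icmp", "permit", proto="icmp"),
    Rule("deny-to-device", "deny", log=True),
]
# Policy for packets forwarded *through* the device (Req.FilterThrough).
THROUGH = [Rule("forward", "permit")]

def match(rule: Rule, pkt: dict) -> bool:
    return (ipaddress.ip_address(pkt["src"]) in rule.src
            and rule.proto in (None, pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))

def filter_packet(pkt: dict, log: list) -> str:
    """Return 'permit' or 'deny' for one packet, updating counters and the log."""
    src = ipaddress.ip_address(pkt["src"])
    # Ingress anti-spoofing (Req.AntiSpoof): a management source address is
    # only believable when it arrives on the management interface.
    if src in MGMT_NET and pkt["in_if"] != MGMT_IF:
        log.append(f"antispoof deny {pkt['src']} on {pkt['in_if']}")
        return "deny"
    policy = TO_DEVICE if ipaddress.ip_address(pkt["dst"]) in DEVICE_ADDRS else THROUGH
    for rule in policy:
        if match(rule, pkt):
            rule.hits += 1
            if rule.log:
                log.append(f"{rule.name} {rule.action} {pkt['src']}->{pkt['dst']}")
            return rule.action
    return "deny"   # implicit deny at the end of every policy
```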
<!-- $Id: prof.min.xml,v 1.8 2003/06/27 00:53:03 george Exp $ -->
<section title="Minimum Requirements Profile">
<t>
The functionality listed here represents a bare minimum set of
requirements which any managed networking infrastructure device should
adhere to. This includes all core and edge devices
which are part of an IP network (such as routers,
and switches). Note that SOHO equipment (typically DSL
modem/routers, cable modem/routers, etc) and wireless networking
infrastructure equipment have their own set of requirements and are
not expected to adhere to this particular set of minimal requirements.
</t>
<t>
The minimal requirements profile addresses functionality which will
provide reasonable capabilities to manage the devices in the event of
attacks, simplify troubleshooting, keep track of events which affect
system integrity, help analyze causes of attacks, as well as provide
administrators control over IP addresses and protocols to help mitigate
the most common attacks and exploits.
</t>
<section title="Functional Requirements" >
<section title="Device Management Requirements" >
<list style="symbols">
<t><xref target="Req.SecureManagement" format="title"/></t>
<t><xref target="Req.RemoteBackup" format="title"/></t>
<t><xref target="Req.RemoteRestore" format="title"/></t>
<t><xref target="Req.Slow" format="title"/></t>
<t><xref target="Req.Scripting" format="title"/></t>
<t><xref target="Req.LocalMgmt" format="title"/></t>
</list>
</section>
<section title="In-Band Management Requirements" >
<list style="symbols">
<t><xref target="Req.OpenEncryption" format="title"/></t>
<t><xref target="Req.StrongKeys" format="title"/></t>
<t><xref target="Req.ScalableKeyMgt" format="title"/></t>
</list>
</section>
<section title="Out-of-Band (OoB) Management Requirements" >
<list style="symbols">
<t><xref target="Req.OoBMgt" format="title"/></t>
<t><xref target="Req.Separation" format="title"/></t>
<t><xref target="Req.SeparationNotFiltering" format="title"/></t>
<t><xref target="Req.SeparationIPStacks" format="title"/></t>
</list>
</section>
<section title="User Interface Requirements">
<list style="symbols">
<t><xref target="Req.HumanConfig" format="title"/></t>
<t><xref target="Req.SanitizedConfigs" format="title"/></t>
<t><xref target="Req.VerboseConfig" format="title"/></t>
</list>
</section>
<section title="IP Stack Requirements">
<list style="symbols">
<t><xref target="Req.RFCCompliance" format="title"/></t>
<t><xref target="Req.ListServices" format="title"/></t>
<t><xref target="Req.DisableServices" format="title"/></t>
<t><xref target="Req.ControlBindings" format="title"/></t>
<t><xref target="Req.ControlSource" format="title"/></t>
<t><xref target="Req.AntiSpoof" format="title"/></t>
<t><xref target="Req.DisableOptions" format="title"/></t>
<t><xref target="Req.DisableDirectedBroadcasts" format="title"/></t>
<t><xref target="Req.DoSTrack" format="title"/></t>
<t><xref target="Req.TrafficMonitoring" format="title"/></t>
<t><xref target="Req.TrafficSampling" format="title"/></t>
</list>
</section>
<section title="Rate Limiting Requirements">
<list style="symbols">
<t><xref target="Req.RateLimiting" format="title"/></t>
<t><xref target="Req.RateStateful" format="title"/></t>
</list>
</section>
<section title="Basic Filtering Capabilities" >
<list style="symbols">
<t><xref target="Req.Filter" format="title"/></t>
<t><xref target="Req.FilterTo" format="title"/></t>
<t><xref target="Req.FilterThrough" format="title"/></t>
<t><xref target="Req.FilterUpdates" format="title"/></t>
<t><xref target="Req.FilterAction" format="title"/></t>
<t><xref target="Req.FilterLogActions" format="title"/></t>
<t><xref target="Req.FilterFast" format="title"/></t>
</list>
</section>
<!-- filter criteria -->
<section title="Packet Filtering Criteria" >
<list style="symbols">
<t><xref target="Req.FilterProtocol" format="title"/></t>
<t><xref target="Req.FilterAddresses" format="title"/></t>
<t><xref target="Req.FilterAnyHeader" format="title"/></t>
<t><xref target="Req.FilterInOrOut" format="title"/></t>
<t><xref target="Req.FilterL2MAC" format="title"/></t>
</list>
</section>
<section title="Packet Filtering Counter Requirements" >
<list style="symbols">
<t><xref target="Req.FilterCounters" format="title"/></t>
<t><xref target="Req.FilterCounterDisplay" format="title"/></t>
<t><xref target="Req.FilterCounterPerRule" format="title"/></t>
<t><xref target="Req.FilterCounterPerApplication" format="title"/></t>
<t><xref target="Req.FilterCounterReset" format="title"/></t>
<t><xref target="Req.FilterCountersAccurate" format="title"/></t>
</list>
</section>
<section title="Other Packet Filtering Requirements">
<list style="symbols">
<t><xref target="Req.FilterPerformance" format="title"/></t>
<t><xref target="Req.FilterLogGranularity" format="title"/></t>
</list>
</section>
<section title="Event Logging Requirements" >
<list style="symbols">
<t><xref target="Req.LogAll" format="title"/></t>
<t><xref target="Req.LogOpen" format="title"/></t>
<t><xref target="Req.LogRemote" format="title"/></t>
<t><xref target="Req.LogReliable" format="title"/></t>
<t><xref target="Req.LogControls" format="title"/></t>
<t><xref target="Req.LogLocal" format="title"/></t>
<t><xref target="Req.LogByClass" format="title"/></t>
<t><xref target="Req.LogClassifyEvents" format="title"/></t>
<t><xref target="Req.AccurateTime" format="title"/></t>
<t><xref target="Req.TimestampLogs" format="title"/></t>
<t><xref target="Req.LogsContainIP" format="title"/></t>
<t><xref target="Req.LogsNotTranslated" format="title"/></t>
</list>
</section>
<section title="Authentication, Authorization, and Accounting (AAA) Requirements" >
<list style="symbols">
<t><xref target="Req.AuthAllUsers" format="title"/></t>
<t><xref target="Req.AuthIndividualUsers" format="title"/></t>
<t><xref target="Req.AuthSimultaneousUsers" format="title"/></t>
<t><xref target="Req.AuthDisableAllAccounts" format="title"/></t>
<t><xref target="Req.AuthCentralized" format="title"/></t>
<t><xref target="Req.AuthLocal" format="title"/></t>
<t><xref target="Req.AuthOrder" format="title"/></t>
<t><xref target="Req.AuthNoPlaintext" format="title"/></t>
<t><xref target="Req.AuthD2D" format="title"/></t>
<!-- Authorization -->
<t><xref target="Req.AuthDefinePrivLevels" format="title"/></t>
<t><xref target="Req.AuthAssignLevels" format="title"/></t>
<t><xref target="Req.AuthDefaultPrivLevel" format="title"/></t>
<t><xref target="Req.AuthPrivLevelChange" format="title"/></t>
<!-- Accounting -->
<t><xref target="Req.AccouningRecords" format="title"/></t>
</list>
</section>
<section title="Layer 2 Requirements">
<list style="symbols">
<t><xref target="Req.FilterMPLS" format="title"/></t>
<t><xref target="Req.VLANIsolation" format="title"/></t>
<t><xref target="Req.L2DoS" format="title"/></t>
<t><xref target="Req.L3Dependencies" format="title"/></t>
</list>
</section>
</section> <!-- Req.Functional -->
<section title="Documentation Requirements">
<list style="symbols">
<t><xref target="Req.DocServices" format="title"/></t>
<t><xref target="Req.ListProtocols" format="title"/></t>
<t><xref target="Req.DocumentProtocols" format="title"/></t>
<t><xref target="Req.StackOrigin" format="title"/></t>
<t><xref target="Req.OSOrigin" format="title"/></t>
<t><xref target="Req.LogCatalog" format="title"/></t>
</list>
</section> <!-- Req.Documentation -->
<section title="Assurance Requirements">
<list style="symbols">
<t><xref target="Req.WellKnowAttacks" format="title"/></t>
<t><xref target="Req.VendorResponsive" format="title"/></t>
</list>
</section> <!-- Req.Assurance -->
</section>
<!--
$Log: prof.min,v $
Revision 1.8 2003/06/27 00:53:03 george
Fixed minor breakages to Make/xml2rfc
Revision 1.7 2003/05/05 11:14:44 george
Fixed spelling
Revision 1.6 2003/04/22 12:11:44 george
Added requirement for simultaneous users
Revision 1.5 2003/04/22 11:31:23 george
Reviewed and rewrote authorization sections
Revision 1.4 2003/04/22 01:23:32 george
* Complete rework, simplification of AAA reqs
Revision 1.3 2003/04/21 12:20:54 george
* Changed AuthProtocol to AuthCentralized
Revision 1.2 2003/04/16 15:01:08 george
* Renamed "Implementation" sections "Examples"
* Changed "Encrypted Management Channels" to "Secure Management Channels"
and added requirements WRT encryption.
* Cite ANSI draft on secure management where appropriate.
Revision 1.1.1.1 2003/04/11 23:32:20 george
Initial version split into separate source
-->