
Re: Less is more



> However, I'm concerned about harmonization with the ANSI T1M1
> specification.  In particular, it seems that dropping the
> following items might make it too easy for a device to meet our
> Opsec requirements but fail to satisfy T1M1.5/2003-007.
>
>

>
> In particular, I'm worried about 2.11.1.  It seems particularly
> important, although I don't know of any vendor that does it yet.
>
> > O   2.11.1  Ability to Log All Events That Affect System Integrity . . 34


There are just no good definitions of "what stuff to log for security" (that
I know of...pointers ?).  It's big enough that it deserves treatment
on its own.   What we have now is a general statement.  It works as
hints, but fails as a testable, implementable requirement.

We had some discussions at the USENIX Security log-analysis BOF (Tina
Bird, Marcus Ranum, etc.).  There the focus (well, mostly Marcus') was
"how can we classify/parse/use the info the vendors happen to give us"
with apparent resignation on ever being able to improve/standardize
what can be done.  I think it's possible to do better than live at the
whim of coders for logging content.

There were a few there (some on this list...speak up if you like) who
were talking about starting with some work that's been done on
firewall logging.  Start with something small and fairly well baked.
Move out from there.

>
> > O   2.11.4  Ability to Select Reliable Delivery  . . . . . . . . . . . 35

So, here's a case where the standards exist (RFC3195), but the
implementations aren't there yet.  I believe they will be, but they
aren't now....so can I call this a "best current practice" ?

A good candidate for the first update of the RFC (projecting...) if
the implementations catch up.

>
> > O   2.12.11 Enforce Selection of Strong Local Static
> > O           Authentication Tokens (Passwords)  . . . . . . . . . . . . 43

Can you name devices that do this now for local passwords ?


> > O   2.12.12 Support Device-to-Device Authentication  . . . . . . . . . 43

I could be talked into reinstating that one.  Do you think it's
specific enough ?

Thanks,
---George