
Re: survey of isp security practices



At 4:03 AM -0800 11/9/04, Merike Kaeo wrote:
I missed the cut-off for submitting a 00-draft for the survey of current isp security practices document but would like to at least send out the proposed outline so that people interested in contributing can comment to the list. Anything that is glaringly missing?

- merike

I need to think some more about exactly where it would go and what would be in it, but my initial reaction is that there needs to be a section on "routing". I'd move blackholes/sinkholes out of filtering, as well as uRPF, and add the issues of routing protocol security, sanity checks on routing (correlation with routing registries, prefix limits, etc.), and information-gathering from such things as flaps and generic changes-from-baseline of routing protocol specifics.


It's a tossup whether routing packet authentication would go here or in section 4.

Under section 6, logging, redundancy and physical distribution of log storage devices, as well as physical security and other integrity for these devices.

Under section 9, policy and procedures, I'd put several issues:
Acceptable Use Policies (to include permissible ports)
Dealing with the top management problem that auditors like security and operations to be separate
Announcement/enforcement of user system patch policies
Coordination with peers and vendors; legal framework for disclosing sensitive information in the interest of mutual problem resolution; keeping one's sales force from making inappropriate or premature comments.
NOC and IRT communications channels, intended for a closed community as well as for selected problem notification
Coordination with national critical infrastructure bodies, including restoration priority for NOC/IRT facilities



Table of Contents

   1.  Introduction
   2.  Problem Statement
   3.  Device Access Security
     3.1   Threat Description
     3.2   Best Current Practice
       3.2.1   Logical access
       3.2.2   Console Access
       3.2.3   HTTP
       3.2.4   SNMP
   4.  Authentication / Authorization
     4.1   Threat Description
     4.2   Best Current Practice
       4.2.1   Device Access
       4.2.2   Routing
       4.2.3   MAC Address
   5.  Filtering
     5.1   Threat Description
     5.2   Best Current Practice
       5.2.1   General Inbound Traffic Filters
       5.2.2   General Outbound Traffic Filters
       5.2.3   Device Access Filters
       5.2.4   Route Filters
       5.2.5   MAC Address Filters
       5.2.6   DoS Mitigation Filtering
       5.2.7   SinkHole / Blackhole
       5.2.8   uRPF
   6.  Logging (accounting)
     6.1   Threat Description
     6.2   Best Current Practice
       6.2.1   What traffic is logged
       6.2.2   What fields are logged
       6.2.3   How long are logs kept
       6.2.4   Local buffer vs syslog (for backup info)
       6.2.5   Authentication from peer to peer of log files?
       6.2.6   Integrity check of log files?
       6.2.7   NTP source considerations
   7.  Device Integrity
     7.1   Threat Description
     7.2   Best Current Practice
       7.2.1   Device Image Upgrade
       7.2.2   Device Configuration
       7.2.3   Management/Logging Information
   8.  Specific Protocol/Service Concerns
     8.1   Threat Description
     8.2   Best Current Practice
       8.2.1   ICMP
       8.2.2   Generally Unused Services
   9.  Policy/Procedural Considerations
     9.1   Threat Description
     9.2   Best Current Practice
       9.2.1   Equipment Software Update
       9.2.2   Equipment Configuration Change
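The routing sanity checks proposed in the reply above (prefix limits, correlation with a routing registry, changes from baseline, and flap detection) as an added Python example; this code is not part of the thread or of the draft it discusses. The peer, its registry entries, the baseline and the update log are constructed sample data using documentation prefixes.

```python
# Added example, not from the OPSEC thread: routing sanity checks for one peer.
from collections import Counter
from ipaddress import ip_network

# Constructed sample data for a hypothetical peer.
REGISTRY_ROUTES = {"192.0.2.0/24", "198.51.100.0/24"}  # what the routing registry says the peer may originate
BASELINE = {"192.0.2.0/24", "198.51.100.0/24"}         # prefixes seen from this peer at last baseline
PREFIX_LIMIT = 3                                       # configured max-prefix for the session

# Constructed update log: (prefix, 'A' = announced, 'W' = withdrawn), in arrival order.
UPDATES = [
    ("192.0.2.0/24", "A"), ("192.0.2.0/24", "W"), ("192.0.2.0/24", "A"),
    ("192.0.2.0/24", "W"), ("198.51.100.0/24", "A"),
]


def check_announcements(received, registry=REGISTRY_ROUTES, baseline=BASELINE, limit=PREFIX_LIMIT):
    """Compare the prefixes currently received from a peer against the registry,
    the baseline and the prefix limit. Returns a dict of findings."""
    recv = {str(ip_network(p)) for p in received}  # normalise and de-duplicate
    unregistered = set()
    for p in recv:
        net = ip_network(p)
        # A received prefix is covered if it equals, or is a more-specific of, a registered route.
        if not any(net.subnet_of(ip_network(r)) for r in registry):
            unregistered.add(p)
    return {
        "unregistered": sorted(unregistered),      # registry correlation failed
        "new": sorted(recv - baseline),            # change from baseline: appeared
        "withdrawn": sorted(baseline - recv),      # change from baseline: disappeared
        "over_limit": len(recv) > limit,           # prefix limit exceeded
    }


def flapping_prefixes(updates, threshold=3):
    """Count announce/withdraw state changes per prefix and return those that
    changed state at least `threshold` times (a simple flap indicator)."""
    last, changes = {}, Counter()
    for prefix, state in updates:
        if prefix in last and last[prefix] != state:
            changes[prefix] += 1
        last[prefix] = state
    return sorted(p for p, n in changes.items() if n >= threshold)


if __name__ == "__main__":
    print(check_announcements(["192.0.2.0/24", "203.0.113.0/24", "198.51.100.128/25"], limit=2))
    print(flapping_prefixes(UPDATES))
```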