
Re: survey of isp security practices



The categorization you've proposed looks good for a feature set...
but if I were doing it, I would start with operator practices
(e.g. sending logs to 3 remote servers) and work backwards
(in the capabilities docs) to features.

Below are some notes that I started making on your outline
yesterday. It will take some time to finish this list, but
this should give you an idea of the type of changes I'm
suggesting.

Let me know what you think and if I should spend the time
to do a more comprehensive list of practices.

The question (for the practice document) is what are operators *doing*.
The question for the capabilities docs is what's needed to support this.

---George


  5.  Filtering
     5.1   Threat Description
     5.2   Best Current Practice

       [gmj - these seem more like capabilities than practices...one way
        to do this is to look at the 3871 feature list and work backwards
        to obtain practices ... see examples below]

       5.2.1   General Inbound Traffic Filters
       5.2.2   General Outbound Traffic Filters
       5.2.3   Device Access Filters
       5.2.4   Route Filters
       5.2.5   MAC Address Filters
       5.2.6   DoS Mitigation Filtering
       5.2.7   SinkHole / Blackhole
       5.2.8   uRPF


       [gmj - sample filtering practices]

       5.2.x Filter remote console traffic.  Require management source addresses.
       5.2.x Filter inbound SNMP.  Require addresses of known management stations.
       .
       .
       5.2.x Log filter violations
       5.2.x Profile suspected bad traffic using filters and counters
       5.2.x Block bad traffic using filters
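
The sample practices above (restrict console and SNMP access to known
management sources, log filter violations, profile suspected bad traffic
with counters before blocking it) are illustrated by the following added
example. It is not part of George's mail or of RFC 3871; it is a small
model of a device-access filter in Python, written here to show how the
practices fit together. The rule names, the management prefix and the
sample packets are all constructed (RFC 5737 documentation addresses), and
the "count" action standing in for a profile-only counter is an assumption
of this model, not a feature of any particular router.

```python
"""Model of the device-access filtering practices sketched in the mail.

Constructed example: management prefix, addresses and rule names are
illustrative, not anyone's real configuration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical management network (RFC 5737 documentation range).
MGMT_NETS = ("192.0.2.0/24",)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    action: str                              # "permit", "deny", or "count"
    proto: Optional[str] = None              # None matches any protocol
    dport: Optional[int] = None              # None matches any port
    src_nets: Tuple[str, ...] = ()           # empty matches any source
    log: bool = False                        # log a violation when hit
    hits: int = 0                            # per-rule counter for profiling

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_nets:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in ipaddress.ip_network(n) for n in self.src_nets):
                return False
        return True


@dataclass
class DeviceAccessFilter:
    rules: List[Rule]
    violations: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """First-match evaluation with an implicit deny at the end.

        A "count" rule increments its counter (and optionally logs) but
        gives no verdict, so traffic can be profiled before a deny is added.
        """
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            rule.hits += 1
            if rule.log:
                self.violations.append(
                    f"{rule.name}: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            if rule.action == "count":
                continue
            return rule.action
        return "deny"


def build_filter(mgmt_nets=MGMT_NETS) -> DeviceAccessFilter:
    return DeviceAccessFilter([
        # Remote console (SSH) and SNMP only from known management sources.
        Rule("ssh-from-mgmt", "permit", proto="tcp", dport=22, src_nets=mgmt_nets),
        Rule("snmp-from-mgmt", "permit", proto="udp", dport=161, src_nets=mgmt_nets),
        # Profile suspected bad traffic: count telnet attempts, no verdict yet.
        Rule("telnet-probe", "count", proto="tcp", dport=23),
        # Everything else aimed at the console or SNMP is a logged violation.
        Rule("ssh-other", "deny", proto="tcp", dport=22, log=True),
        Rule("snmp-other", "deny", proto="udp", dport=161, log=True),
    ])


# Constructed sample traffic toward a router loopback (198.51.100.1).
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.1", "tcp", 22),    # SSH from management
    Packet("203.0.113.7", "198.51.100.1", "tcp", 22),   # SSH from elsewhere
    Packet("203.0.113.7", "198.51.100.1", "udp", 161),  # SNMP from elsewhere
    Packet("192.0.2.20", "198.51.100.1", "udp", 161),   # SNMP from management
    Packet("203.0.113.9", "198.51.100.1", "tcp", 23),   # telnet probe
]


def run_example():
    acl = build_filter()
    verdicts = [acl.evaluate(p) for p in SAMPLE_PACKETS]
    hits = {r.name: r.hits for r in acl.rules}
    return {"verdicts": verdicts, "hits": hits, "violations": acl.violations}


if __name__ == "__main__":
    result = run_example()
    for pkt, verdict in zip(SAMPLE_PACKETS, result["verdicts"]):
        print(f"{verdict:6} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    print("counters:", result["hits"])
    print("violations:", *result["violations"], sep="\n  ")
```

The telnet probe is counted but still ends in the implicit deny, which is
the "profile with filters and counters" step; once the counters show what
the traffic is, the count rule would be replaced by an explicit logged deny,
which is the "block bad traffic using filters" step.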