
Re: survey of isp security practices



Thanks for putting this together, some comments inline.

Bora

On 11/9/04 4:03 AM, "Merike Kaeo" <kaeo@merike.com> wrote:

> I missed the cut-off for submitting a 00-draft for the survey of
> current isp security practices document but would like to at least send
> out the proposed outline so that people interested in contributing can
> comment to the list.  Anything that is glaringly missing?
> 
> - merike
> 
> 
> Table of Contents
> 
>     1.  Introduction
>     2.  Problem Statement
>     3.  Device Access Security
>       3.1   Threat Description
>       3.2   Best Current Practice
>         3.2.1   Logical access
What is logical access (ssh?)

>         3.2.2   Console Access
>         3.2.3   HTTP
>         3.2.4   SNMP

Would like to add API based access to the management interfaces.

>     4.  Authentication / Authorization
>       4.1   Threat Description
>       4.2   Best Current Practice
>         4.2.1   Device Access
>         4.2.2   Routing
>         4.2.3   MAC Address

I think (2) and (3) above are good but their suitability to be classified
under Authentication/Authorization highly depends on what the threat is.

>     5.  Filtering
>       5.1   Threat Description
>       5.2   Best Current Practice
>         5.2.1   General Inbound Traffic Filters
>         5.2.2   General Outbound Traffic Filters
>         5.2.3   Device Access Filters
>         5.2.4   Route Filters
>         5.2.5   MAC Address Filters
>         5.2.6   DoS Mitigation Filtering
>         5.2.7   SinkHole / Blackhole
>         5.2.8   uRPF
>     6.  Logging (accounting)
>       6.1   Threat Description
>       6.2   Best Current Practice
>         6.2.1   What traffic is logged
>         6.2.2   What fields are logged
>         6.2.3   How long are logs kept
>         6.2.4   Local buffer vs syslog (for backup info)
>         6.2.5   Authentication from peer to peer of log files?
>         6.2.6   Integrity check of log files?
>         6.2.7   NTP source considerations
>     7.  Device Integrity
>       7.1   Threat Description
>       7.2   Best Current Practice
>         7.2.1   Device Image Upgrade
>         7.2.2   Device Configuration
>         7.2.3   Management/Logging Information

I don't know if it fits under (3) above, but I would like to see a few words
somewhere about core dumps from network devices.


>     8.  Specific Protocol/Service Concerns
>       8.1   Threat Description
>       8.2   Best Current Practice
>         8.2.1   ICMP
>         8.2.2   Generally Unused Services

There is a whole lot more here: SSH, HTTP, SCP, ...
I am wondering if we want to avoid listing specific services here, since they
will need to be updated as people come up with new services.

>     9.  Policy/Procedural Considerations
>       9.1   Threat Description
>       9.2   Best Current Practice
>         9.2.1   Equipment Software Update
>         9.2.2   Equipment Configuration Change

(2) Can we add Change and Versioning?