
Re: survey of isp security practices
Table of Contents

   1.  Introduction
   2.  Problem Statement
   3.  Device Access Security
     3.1   Threat Description
     3.2   Best Current Practice

physical access? does this need to be covered here, not to become a phy security definitive work, but perhaps to outline key requirements and tactics and to offer other references that are more definitive?

This might be old, but it still serves as a starting point for some guidance. When FED-STD-1026 was passed to standardize the first government DES implementation rules, in the late seventies, it was a cooperative document of the Federal Telecommunications Standards Committee.
At the same time, FED-STD-1027 was prepared by NSA as a companion document, and had some decent guidance on physical security for an unclassified-level encryption device -- details of a cabinet, locks, etc. Now, we aren't dealing specifically with crypto security, but I wonder if some best current practices in protecting master logs, for example, might not be inappropriate. The more secure the logs, I suspect, the easier it will be to respond to the objections of traditional business auditors that NOC and IRT personnel are kept separate to avoid collaboration. In real-time incident response, there seems to be a consensus that we MUST have such collaboration to have a timely response. There still can be quite separate audit teams reviewing logs.

A couple of years ago, in a clinical medical application, I went well beyond what probably is sane best current practice in log protection, for clinical systems that were intended to include online prescribing of narcotics. I cite this as an extreme case and a thought experiment only; even my customer had second thoughts.

In a cipher-locked small room off the main data center, we had a cabinet containing multiple syslog servers writing to redundant CDs -- in other words, there was no single point of syslog failure. The cabinet itself had two combination locks on opposite sides, arranged so that no one person could plausibly operate both, and the cabinet was under recorded video surveillance from the remote guard office. When the CDs were changed, one of each pair was sent to a different remote location (we also had a working hard disk copy). In parallel with writing to CD, we also telemetered a cryptographically authenticated copy to a remote site.

I admit most freely that the paranoia at this site was very profound, although I've been at military sites that seemed even worse. Nevertheless, this probably silly example may serve as a point of reference.
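The "cryptographically authenticated copy" telemetered to the remote site in the post above is the piece an auditor cares most about, since it lets a separate audit team detect a modified, deleted, inserted or reordered record without trusting the NOC. The following is an added illustration, not code from the poster's site: a minimal HMAC chain over syslog lines on the sending side and the matching check on the receiving side. The key, the genesis value and the sample log lines are constructed for the example.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment would use a key shared only
# with the remote audit site, never stored on the syslog host in the clear.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32  # agreed starting MAC value (assumption of this example)

# Constructed sample syslog lines, not taken from any real system.
SAMPLE_LOG = [
    "Jun 12 10:01:02 rx1 sshd[412]: Accepted publickey for noc from 192.0.2.10",
    "Jun 12 10:01:09 rx1 sudo: noc : TTY=pts/0 ; COMMAND=/bin/cat /var/log/secure",
    "Jun 12 10:03:44 rx1 pharmacy: order 7731 schedule-II approved by dr-smith",
]

def _record_mac(key, prev_mac, seq, line):
    # Each MAC covers the previous MAC, the sequence number and the line,
    # so changing any earlier record invalidates every later one.
    msg = prev_mac + seq.to_bytes(8, "big") + line.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()

def authenticate_stream(lines, key):
    """Sender side: wrap each line in a record chained to its predecessor."""
    prev_mac, records = GENESIS, []
    for seq, line in enumerate(lines):
        mac = _record_mac(key, prev_mac, seq, line)
        records.append({"seq": seq, "line": line, "mac": mac.hex()})
        prev_mac = mac
    return records

def verify_stream(records, key, expected_count=None):
    """Receiver side: returns (ok, reason). Detects edits, gaps, inserts and
    reordering; truncation of the tail needs expected_count (or a periodic
    closing record) because the chain alone cannot prove it ended."""
    prev_mac = GENESIS
    for want_seq, rec in enumerate(records):
        if rec["seq"] != want_seq:
            return False, f"gap or reorder: got seq {rec['seq']}, expected {want_seq}"
        mac = _record_mac(key, prev_mac, rec["seq"], rec["line"])
        if not hmac.compare_digest(mac, bytes.fromhex(rec["mac"])):
            return False, f"MAC mismatch at seq {rec['seq']}"
        prev_mac = mac
    if expected_count is not None and len(records) != expected_count:
        return False, f"truncated: {len(records)} records, expected {expected_count}"
    return True, "chain intact"

if __name__ == "__main__":
    recs = authenticate_stream(SAMPLE_LOG, DEMO_KEY)
    print(verify_stream(recs, DEMO_KEY))
    recs[1]["line"] = recs[1]["line"].replace("/var/log/secure", "/etc/motd")
    print(verify_stream(recs, DEMO_KEY))
```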