RE: survey of isp security practices
Hi George,
I agree with Randy that user, access control, and key management need
to be included in this discussion.
Assuming RADIUS will "handle it" is insufficient.
What happens when RADIUS authentication is not accessible because of
network problems?
Is there a fallback to local authentication?
How are the local authentication keys distributed and managed?
RADIUS can provide per-user authorization; what happens when RADIUS is
not available?
Is there a fallback to local per-user authorization?
How are the local per-user authorization rules managed (created,
deleted, etc.)?
You mention "per-command" access control.
Is per-command the only type of access control desired?
What about access to different subsets of information, such as
writable MIB module data, security configuration data, sensitive
directory data?
Does RADIUS provide enough info for controlling access to data
subsets, when a user is permitted to modify some things but not
others?
What happens in a local-authorization fallback scenario?
Some protocols provide for encrypted messaging, such as SSH and
SNMPv3.
Does RADIUS provide authentication for the encryption protocols?
How are the encryption keys managed?
How are the keys managed in a local-authentication fallback scenario?
Without answering some of these questions, the discussion is really
incomplete.
David Harrington
dbharrington@comcast.net
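The fallback questions raised above, worked through as an added toy model of a device's AAA decision path (this is illustrative code, not from the thread or any vendor; every user, password and rule is constructed, and the RADIUS server is simulated by a flag):

```python
# Toy model of a device's AAA path: RADIUS first, optional local fallback.
# All users, passwords and rules below are constructed for the example.

class RadiusUnavailable(Exception):
    """Raised when the RADIUS server cannot be reached (network problem)."""

# Constructed RADIUS-side data: credentials plus per-user authorization
# (allowed commands and writable data subsets).
RADIUS_DB = {
    "alice": {"password": "a-pw", "commands": {"show", "configure"},
              "data": {"mib", "security-config"}},
}
# Constructed local fallback data kept on the device. Note the local rules
# are coarser: a command list only, no per-data-subset rules, and a
# separately managed local password (the key-distribution question).
LOCAL_DB = {
    "alice": {"password": "local-pw", "commands": {"show"}},
}

def radius_auth(user, password, reachable):
    """Simulated RADIUS round trip; 'reachable' stands in for the network."""
    if not reachable:
        raise RadiusUnavailable("RADIUS timeout")
    entry = RADIUS_DB.get(user)
    return entry is not None and entry["password"] == password

def authenticate(user, password, reachable, local_fallback):
    """Return the source that authenticated the user ('radius'/'local') or None."""
    try:
        return "radius" if radius_auth(user, password, reachable) else None
    except RadiusUnavailable:
        if not local_fallback:
            return None  # fail closed: nobody can log in while RADIUS is down
        entry = LOCAL_DB.get(user)
        return "local" if entry and entry["password"] == password else None

def authorize(user, source, command, data_subset=None):
    """Per-command and per-data-subset check against the source's rules."""
    if source == "radius":
        rules = RADIUS_DB[user]
    elif source == "local":
        rules = LOCAL_DB[user]
    else:
        return False
    if command not in rules["commands"]:
        return False
    # Local rules carry no data-subset information, so a write to any
    # protected subset is denied (fail closed) rather than silently allowed.
    return data_subset is None or data_subset in rules.get("data", set())
```

The model makes the two failure modes visible: with no local fallback, loss of RADIUS reachability is a total lockout, and with fallback the local password and the local authorization rules become a second credential and policy set that must be managed on their own.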
> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On
> Behalf Of George Jones
> Sent: Wednesday, November 17, 2004 1:14 PM
> To: Randy Presuhn
> Cc: opsec@ops.ietf.org
> Subject: Re: survey of isp security practices
>
> On Sun, 14 Nov 2004 18:54:58 -0800, Randy Presuhn
> <randy_presuhn@mindspring.com> wrote:
> > Hi -
> >
> > > From: "Merike Kaeo" <kaeo@merike.com>
> > > To: <opsec@ops.ietf.org>
> > > Sent: Tuesday, November 09, 2004 4:03 AM
> > > Subject: survey of isp security practices
> > ...
> > > 4. Authentication / Authorization
> > > 4.1 Threat Description
> > > 4.2 Best Current Practice
> > > 4.2.1 Device Access
> > > 4.2.2 Routing
> > > 4.2.3 MAC Address
> > ...
> >
> > In this, or the updated structure, any discussion of
> > authentication
> > and authorization would be incomplete if it didn't address user,
> > access control list, and key management.
>
> The scope here is core network device capabilities.
> I would submit that, given protocols such as RADIUS
> (Diameter, TACACS) that user management is largely an external
> issue (it happens on the
> RADIUS server, etc). The important bit is that the device needs to
> be able to talk to the [radius] server, be sure which server
> it's talking to, and be able to get authentication and
> authorization data (per command...your "access control lists
> ?") from the server.
>
> ---George