Re: Last Call: draft-jones-opsec "Operational Security Requirements for IP Network Infrastructure
George M Jones <gmjones@mitre.org> Fri, 23 January 2004 16:28 UTC
Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA10299 for <routing-discussion-archive@lists.ietf.org>; Fri, 23 Jan 2004 11:28:42 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ak4A4-0007G0-UK; Fri, 23 Jan 2004 11:28:00 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ak49m-0007Ds-96 for routing-discussion@optimus.ietf.org; Fri, 23 Jan 2004 11:27:42 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA10276 for <routing-discussion@ietf.org>; Fri, 23 Jan 2004 11:27:39 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Ak49l-0000gG-00 for routing-discussion@ietf.org; Fri, 23 Jan 2004 11:27:41 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Ak48m-0000ee-00 for routing-discussion@ietf.org; Fri, 23 Jan 2004 11:26:41 -0500
Received: from smtp-bedford-x.mitre.org ([192.160.51.76] helo=smtp-bedford.mitre.org) by ietf-mx with esmtp (Exim 4.12) id 1Ak47v-0000Zt-00 for routing-discussion@ietf.org; Fri, 23 Jan 2004 11:25:47 -0500
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.11.6/8.11.6) with ESMTP id i0NGPk900592 for <routing-discussion@ietf.org>; Fri, 23 Jan 2004 11:25:46 -0500
Received: from MAILHUB2 (mailhub2.mitre.org [129.83.221.18]) by smtp-bedford.mitre.org (8.11.6/8.11.6) with ESMTP id i0NGPkK00565; Fri, 23 Jan 2004 11:25:46 -0500
Received: from mm110847-2k.mitre.org (128.29.245.3) by mailhub2.mitre.org with SMTP id 1116650; Fri, 23 Jan 2004 11:25:39 -0500
Subject: Re: Last Call: draft-jones-opsec "Operational Security Requirements for IP Network Infrastructure
From: George M Jones <gmjones@mitre.org>
To: routing-discussion@ietf.org
Cc: dmm@1-4-5.net, zinin@psg.com
Content-Type: text/plain
Message-Id: <1074875091.3052.104.camel@mm110847-2k.mitre.org>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.2 (1.2.2-5)
Date: Fri, 23 Jan 2004 11:24:51 -0500
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.1 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Sender: routing-discussion-admin@ietf.org
Errors-To: routing-discussion-admin@ietf.org
X-BeenThere: routing-discussion@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/routing-discussion>, <mailto:routing-discussion-request@ietf.org?subject=unsubscribe>
List-Id: Routing Area General mailing list <routing-discussion.ietf.org>
List-Post: <mailto:routing-discussion@ietf.org>
List-Help: <mailto:routing-discussion-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/routing-discussion>, <mailto:routing-discussion-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
> Subject: Re: Last Call: draft-jones-opsec "Operational Security > Requirements for IP Network Infrastructure" > From: David Meyer <dmm@1-4-5.net <mailto:dmm@1-4-5.net>> > Date: Thu, 22 Jan 2004 16:31:46 -0800 > References: <12758206266.20040122142453@psg.com <msg00731.html>> > > Folks, > > A few initial comments in-line. Please search for @@@. > > Dave > > -- > None. G. Jones, Editor > Internet-Draft The MITRE Corporation > Expires: June 15, 2004 December 16, 2003 > > > Operational Security Requirements for IP Network Infrastructure: > Best-Current-Practices > draft-jones-opsec-03 > ... > 2.3.7 No Forwarding Between Management Plane And Other Interfaces > > Requirement. If the device implements separate network interface(s) > for the management plane per Section 2.3.6 then the device MUST > NOT forward traffic between the management plane and > non-management plane interfaces. > > @@@ what if I want this (i.e., MUST NOT)? How's this ? Requirement. If the device implements separate network interface(s) for the management plane per Section 2.3.6 then the device MUST provide a mechanism to disable and enable forwarding of traffic between the management plane and non-management plane interfaces. Forwarding MUST be disabled by default. > 2.3.8 Provide Separate Resources For The Management Plane > > @@@ isn't this an implementation issue (which perhaps should be > @@@ left for vendor differentiation)? > > Requirement. If the device implements separate network interface(s) > for the management plane per Section 2.3.6 then the device SHOULD > provide separate resources and use separate software for different > classes of interface. It is an implementation issue, but one with potentially large security implications. Hence it's inclusion. Note that it is a SHOULD. > 2.4.2 CLI Supports Scripting of Configuration > > @@@ In some sense, this shouldn't be a MUST, as again, there may be many > @@@ ways to achieve the goals stated in the Justifiation (again, > @@@ and implementation issue?) > > Requirement. The CLI or equivalent MUST support external scripting of > configuration functions. The scripting capability MUST NOT be > restricted to use with one specific scripting language. Note the words "or equivalent" and the definition from 1.8: CLI Several requirements refer to a Command Line Interface (CLI). While this refers at present to a classic text oriented command interface, it is not intended to preclude other mechanisms which ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may meet all the requirements that reference "CLI". ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Today, for a BCP, a CLI fits the bill. It is Current. It is a Practice. and it's arguably the Best thing that's out there today to meet the reqs. Room has been intentionally left for future improvements. > 2.4.6 Support Remote Configuration Backup > > @@@ maybe we want to get away from "in the clear" > @@@ or "anonymous" protocols(e.g. tftp/ftp)? This section doesn't > @@@ say that the remote config backup MUST be over a secure channel 2.1.1 does: > 2.1.1 Support Secure Channels For Management > > Requirement. The device MUST provide mechanisms to ensure end-to-end > integrity and confidentially for all network traffic and protocols > used to support management functions. This MUST include at least > protocols used for configuration, monitoring, configuration ^^^^^^^^^^^^^ > backup, ^^^^^^ > > 2.4.7 Support Remote Configuration Restore > > @@@ ditto Added to 2.1.1. > > 2.4.8 Support Text Configuration Files > > Requirement. The device MUST provide a means to remotely save a copy > of the system configuration file(s) in a textual format. It MUST > NOT be necessary to use a proprietary program to view the > configuration. The configuration MUST also be viewable as text on > the device itself. Sensitive information such as passwords that > could be used to compromise the security of the device MAY be > excluded from the saved configuration. > > @@@ What relationship between what is running and the textual > @@@ representation is required? For example, there could be > @@@ default config values that are not by default written into > @@@ the config. 2.4.6 attempts to address this: > 2.4.6 Support Remote Configuration Backup > > Requirement. ...The stored configuration MUST > have sufficient information to restore the device to its > operational state at the time the configuration is saved. > Sensitive information such as passwords that could be used to > compromise the security of the device MAY be excluded from the > saved configuration. An earlier draft had a requirement for saving complete configuration info, including "hidden" and default values (e.g. if finger is enabled in one release, but disabled in subsequent releases, the config should show the settings even if they are set to the current default). I was told this was impractical so it was removed. > 2.6.1 Support Rate Limiting > > @@@ I would imagine one would want a mechanism along the lines > @@@ of GTSM here, so that you could protect the limited resource > @@@ (whatever it may be) between the physical interface and the > @@@ processor performing the management function(s). i.e., rate-limiting > @@@ may not be enough to stop an attacker who has deduced where > @@@ the resource limitation (potential DoS) exists. The -00 draft included GTSM, but as it was not standardized, it was moved to the -info draft. See http://www.ietf.org/internet-drafts/draft-jones-opsec-info-00.txt > 2.9.1 Ability to Accurately Count Filter Hits > > @@@ s/Accurately// > @@@ i.e., as opposed to inaccurately count, I suppose Yes. The adverb was placed there deliberately as a result of experience using filter counters that were not accurate. > 2.9.6 Filter Counters Must Be Accurate > > @@@ Again, as opposed to "inaccurate" filter counts? Yes. > 2.11.3 Ability to Log Locally > > Requirement. > > It SHOULD be possible to log locally on the device itself. > > Justification. Local logging is important for viewing information > when connected to the device. It provides some backup of log data > in case remote logging fails. It provides a way to view logs > relevant to one device without having to sort through a possibly > large set of logs from other devices. > > Examples. One example of local logging would be a memory buffer that > receives copies of messages sent to the remote log server. > Another example might be a local syslog server (assuming the > device is capable of running syslog and has some local storage). > > Warnings. Storage on the device may be limited. High volumes of > logging may quickly fill available storage, in which case there > are two options: new logs overwrite old logs (possibly via the use > of a circular memory buffer or log file rotation), or logging > stops. > > @@@ also, it should be possible to log to a local device (say > @@@ the console) This req had that sort of logging in view, as well as the possibility of logging to local disk Let me know if there is wording that could make it more clear > without hanging the box. What ? You want boxes to not crash ? Picky, picky :-) The following two: > 2.14 Security Features Must Not Cause Operational Problems > 2.15 Security Features Should Have Minimal Performance Impact are intended to be catch-alls. > 2.11.4 Ability to Maintain Accurate System Time > > @@@ again, it looks like the requirement is for resolution rather > @@@ than accuracy. i.e., "high resolution inaccurate system > @@ time"? Both are important to security. Could be split as separate reqs with different justification, but I think they are linked closely enough that it makes sense to leave them together. > 2.11.7 Logs Must Be Timestamped > > Requirement. The device MUST time-stamp all log messages. The > time-stamp MUST be accurate to within a second or less. The > time-stamp MUST include a timezone. > > @@@ and maybe it should be possible to turn timestamping off? Why ? > 2.12.13 Default Privilege Level Must Be 'None' > > Requirement. The default privilege level MUST NOT allow any access to > management or configuration functions. > > @@@ MUST seems too strong here. SHOULD would be more appropriate. Changed. > 2.14 Security Features Must Not Cause Operational Problems > > Requirement. The use of security features specified by the > requirements in this document MUST NOT cause severe operational > problems. > > Justification. Security features which cause operational problems may > leave the operator with no mechanism for enforcing appropriate > policy. > > Examples. Some examples of severe operational problems include: > > * crashes the device > > * makes the device unmanageable > > * causes the loss of data > > * consumes excessive resources (CPU, memory, bandwidth) > > Warnings. None. > > @@@ this is like saying "The device MUST NOT have bugs". I don't > @@@ see what this one gains us Actually, there was one in there that said basically "vendor shall fix well known vulnerabilities in a timely fashion", but the devil was in the definitions, so it got moved to -info. And, yes, not crashing seems obvious. Not slowing to a crawl or freezing when logging is enabled seems obvious. But I've seen enough of this in live, released, operational systems that I think it needs to be made explicit. > 4.1 Identify Origin of IP Stack > > > @@@ I'm not sure about this one. At some point in the (near) future > @@@ there will likely be so many IP stacks that this won't be > @@@ useful. In addition, what are the commercial concerns that > @@@ this forces a vendor to disclose (I'm not sure about the > @@@ implications, which is why I ask)? > > 4.2 Identify Origin of Operating System > > Requirement. The vendor MUST disclose the origin or basis of the > operating system (OS). > > Justification. This information is required to better understand the > security vulnerabilities that may be inherent to the OS based on > its origin. > > Examples. "The operating system is based on Linux kernel 2.4.18." > > Warnings. None. > > @@@ ditto section 4.1 These are there to aid in testing and certification. Knowing that a system is based on a BSD core, I can more effectively use my testing time by hitting it with know BSD exploits rather than wasting time with Windows exploits. It allows focused testing. If you're still vulnerable to old, well-know exploits, it will reduce my confidence in the product. If you pass, it shows due diligence. If you're not going to do such testing, I can see that these might not be important to you. I see that they may be hard business issues. Both dropped a SHOULD. Customers who have a stronger requirement can "negotiate" this back up to a "MUST" when talking to a vendor. Thanks, ---George Jones _______________________________________________ routing-discussion mailing list routing-discussion@ietf.org https://www1.ietf.org/mailman/listinfo/routing-discussion
- Re: Last Call: draft-jones-opsec "Operational Sec… George M Jones
- Re: Last Call: draft-jones-opsec "Operational Sec… David Meyer
- Re: Last Call: draft-jones-opsec "Operational Sec… George M Jones
- Re: Last Call: draft-jones-opsec "Operational Sec… David Meyer