[secdir] Secdir review of draft-ietf-intarea-server-logging-recommendations-03

<kathleen.moriarty@emc.com> Mon, 14 March 2011 23:28 UTC

From: kathleen.moriarty@emc.com
To: adurand@juniper.net, igor@yahoo-inc.com, donn@fb.com, Scott.Sheppard@att.com
Date: Mon, 14 Mar 2011 19:29:34 -0400
Message-ID: <AE31510960917D478171C79369B660FA0DB7BC8D12@MX06A.corp.emc.com>
Cc: draft-ietf-intarea-server-logging-recommendations@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: [secdir] Secdir review of draft-ietf-intarea-server-logging-recommendations-03

I reviewed this document (draft-ietf-intarea-server-logging-recommendations-03) as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The document looks pretty good from a security standpoint, but I would recommend adding a few other items to be considered out-of-scope or additional security considerations would be necessary.  Since the document already mentions that record retention is out-of-scope, I think it would be useful to add that server security and transport security are important for the protection of logs for Internet-facing systems.  After stating that it is an important consideration, then state something to the effect that the service provider must consider the risks, including the data and services on the server, to determine the appropriate measures.

The protection of logs is critical in incident investigations.  If logs are tampered with, evidence could be destroyed.

I did see a few grammar nits as well.  The Gen-Art review should cover that.  If you want me to take a look at it after these adjustments have been made, I would be happy to assist.

Best regards,
Kathleen
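The review's point that tampered logs destroy evidence can be made concrete with a tamper-evident record chain. The following is an added example, not code from the review, the draft or any IETF project: each record carries an HMAC over the previous record's tag plus the canonical record, so editing, deleting or reordering a record breaks the chain at that position, and truncating the tail is caught only when the verifier independently holds the expected final tag (for instance one shipped to a remote collector over a protected transport). The key, the record fields and the sample log lines are constructed for the demonstration and are assumptions, not values from the page.

```python
import hashlib
import hmac
import json

# Constructed sample records (assumption): an Internet-facing server logging
# timestamp, client address, client source port and the request line.
SAMPLE_RECORDS = [
    {"ts": "2011-03-14T23:28:35Z", "src": "192.0.2.10", "sport": 51234, "req": "GET /"},
    {"ts": "2011-03-14T23:28:36Z", "src": "198.51.100.7", "sport": 40001, "req": "GET /login"},
    {"ts": "2011-03-14T23:28:37Z", "src": "192.0.2.10", "sport": 51235, "req": "POST /login"},
]

# Constructed demo key (assumption). In a real deployment the sealing key must
# be kept away from anyone who could also edit the log file.
DEMO_KEY = b"demo-log-sealing-key-not-for-production"

# Fixed starting tag for the first record of a chain.
GENESIS = b"\x00" * 32


def _canonical(record):
    """Serialize a record deterministically so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_log(records, key):
    """Return a list of (record, tag) pairs where
    tag = HMAC-SHA256(key, previous_tag || canonical(record))."""
    sealed = []
    prev = GENESIS
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        sealed.append((rec, tag))
        prev = tag
    return sealed


def verify_log(sealed, key, expected_final_tag=None):
    """Return (ok, index) where index is the first position whose tag does not
    match, or None when the chain verifies.

    Editing, deleting or reordering a record breaks the chain at that point.
    Dropping records from the tail is detectable only if the caller supplies
    expected_final_tag, e.g. a tag previously shipped to a remote collector;
    a mismatch there is reported at index len(sealed)."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(sealed):
        expected = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, i
        prev = tag
    if expected_final_tag is not None and not hmac.compare_digest(prev, expected_final_tag):
        return False, len(sealed)
    return True, None


if __name__ == "__main__":
    sealed = seal_log(SAMPLE_RECORDS, DEMO_KEY)
    print("intact:", verify_log(sealed, DEMO_KEY))
    edited = list(sealed)
    edited[1] = (dict(sealed[1][0], src="203.0.113.9"), sealed[1][1])
    print("edited record 1:", verify_log(edited, DEMO_KEY))
    truncated = sealed[:2]
    print("truncated, no final tag:", verify_log(truncated, DEMO_KEY))
    print("truncated, with final tag:", verify_log(truncated, DEMO_KEY, sealed[-1][1]))
```

The chain only detects tampering by someone who lacks the sealing key; an attacker who controls the logging host and the key can re-seal. That is why the review's two asks go together: host hardening limits who can reach the key, and sending records (or at least the running tag) to a separate collector over a protected transport gives the verifier a reference the local host cannot rewrite.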