Internet DRAFT - draft-jones-opsec-profile-guide
draft-jones-opsec-profile-guide
OPSEC Working Group G. Jones
Internet-Draft The MITRE Corporation
Intended status: Informational August 28, 2006
Expires: March 1, 2007
Guide to Writing Security Capability Profiles
draft-jones-opsec-profile-guide-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 1, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Jones Expires March 1, 2007 [Page 1]
Internet-Draft OpSec Profiles August 2006
Abstract
This document provides guidelines for creating security capability
profiles. A profile is a list of features that are required to
operate a device in a a secure manner in a specific environment.
It is anticipated that what is required in a profile will vary over
time and, across different classes of devices (e.g. a network edge
device may need to filter customer traffic whereas core network
devices may not), and in different organizations. This document does
not define a profile or specify requirements, but rather gives
guidance for their creation.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
3. Non-Normative References . . . . . . . . . . . . . . . . . . . 5
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 6
Appendix B. Sample Profile . . . . . . . . . . . . . . . . . . . . 7
B.1. Required Capabilities for Edge Routers . . . . . . . . . . 7
B.1.1. Packet Filtering Profile . . . . . . . . . . . . . . . 7
B.1.2. Logging . . . . . . . . . . . . . . . . . . . . . . . . 7
B.2. Recommended Capabilities . . . . . . . . . . . . . . . . . 7
B.2.1. Packet Filtering Profile . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . . . 9
Jones Expires March 1, 2007 [Page 2]
Internet-Draft OpSec Profiles August 2006
1. Introduction
[RFC3871] defined a list of operational security requirements for the
infrastructure of large IP networks (composed of routers and
switches) with a goal to provide network operators a clear, concise
way of communicating their security requirements to equipment
vendors. Additionally, [I-D.ietf-opsec-current-practices] documented
current network operator practices in protecting their networks.
The IETF OPSEC working group refined the items identified in those
two documents to produce a series of documents describing security
capabilities needed to support those practices .
These documents include
o traffic filtering [I-D.ietf-opsec-filter-caps],
o route-filtering [I-D.zhao-opsec-routing-capabilities],
o logging [I-D.cain-logging-caps],,
o miscellaneous capabilities [I-D.ietf-opsec-misc-cap],
o and operation security [I-D.lewis-infrastructure-security].
One of the intended uses of these capability documents is the
creation of profiles. Profiles are lists of capabilities that apply
to certain classes of equipment (network edge, network core,
enterprise network, etc). A profile may also be used as a list of
requirements for equipment selection and in defining operational
policies and procedures.
The determination of which capabilities are requirements is a local
decision driven by policy and operational need. In addition, the
needed capabilities is likely to change over time as operational
requirements and security threats change.
It is likely that there are or will be other sources of capabilities
that could be cited in developing a profile. For example,
[draft-security-efforts] could be used to identify industry-specific
standards or regulations that a specific network would need to
support.
Jones Expires March 1, 2007 [Page 3]
Internet-Draft OpSec Profiles August 2006
2. Security Considerations
Security is the entire focus of this document.
This document describes an activity to define a set of device
capabilities to operate a network securely. Since there is no
universal definition of "securely", it is possible that novice
profile crafters will inadvertently omit an operationally useful
capability in their profile. Profile writes are encouraged to share
their output with the broader Internet community to learn from
others' experiences.
The use of other IETF RFCs that define secure operation like
[I-D.lewis-infrastructure-security] and [RFC2827] by profile authors
is heavily encouraged so as to not miss critical or useful
capabilities.
Jones Expires March 1, 2007 [Page 4]
Internet-Draft OpSec Profiles August 2006
3. Non-Normative References
[I-D.cain-logging-caps]
Cain, P., "Logging Capabilities for IP Network
Infrastructure", draft-cain-logging-caps-00 (work in
progress), July 2006.
[I-D.ietf-opsec-current-practices]
Kaeo, M., "Operational Security Current Practices",
draft-ietf-opsec-current-practices-06 (work in progress),
July 2006.
[I-D.ietf-opsec-filter-caps]
Jones, G. and C. Morrow, "Filtering and Rate Limiting
Capabilities for IP Network Infrastructure",
draft-ietf-opsec-filter-caps-02 (work in progress),
July 2006.
[I-D.ietf-opsec-misc-cap]
Callon, R. and G. Jones, "Miscellaneous Capabilities for
IP Network Infrastructure", draft-ietf-opsec-misc-cap-00
(work in progress), February 2006.
[I-D.lewis-infrastructure-security]
Lewis, D., "Service Provider Infrastructure Security",
draft-lewis-infrastructure-security-00 (work in progress),
June 2006.
[I-D.zhao-opsec-routing-capabilities]
Ye, Z., "Routing Control Plane Security Capabilities",
draft-zhao-opsec-routing-capabilities-01 (work in
progress), May 2006.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC3871] Jones, G., "Operational Security Requirements for Large
Internet Service Provider (ISP) IP Network
Infrastructure", RFC 3871, September 2004.
Jones Expires March 1, 2007 [Page 5]
Internet-Draft OpSec Profiles August 2006
Appendix A. Acknowledgments
The author gratefully acknowledges the contributions of:
o Pat Cain who agitated for creation of this document and provided
feedback on the pre -00 draft.
o The MITRE Corporation for supporting development of this document.
NOTE: The author's affiliation with The MITRE Corporation is
provided for identification purposes only, and is not intended to
convey or imply MITRE's concurrence with, or support for, the
positions, opinions or viewpoints expressed by the author.
Jones Expires March 1, 2007 [Page 6]
Internet-Draft OpSec Profiles August 2006
Appendix B. Sample Profile
This sectoin gives a smaple of a profile:
B.1. Required Capabilities for Edge Routers
o Name: Edge Router Profile
o Description: This profile defines the capabilities necessary for a
network edge device
o Context: Large NSP/ISP network providing transit services.
The following are requirements (MUST) for edge routers:
B.1.1. Packet Filtering Profile
o Select by Protocol, [I-D.ietf-opsec-filter-caps] Section 3.5
o Select by Addresses, [I-D.ietf-opsec-filter-caps] Section 3.6
o Select by Protocol Header Fields, [I-D.ietf-opsec-filter-caps]
Section 3.7
B.1.2. Logging
o Logs Sent To Remote Servers, [I-D.cain-logging-caps] Section 2.2
o Ability to Select Reliable Delivery, [I-D.cain-logging-caps]
Section 2.3
o Ability to Remotely Log Securely, [I-D.cain-logging-caps] Section
2.4
o Ability to Log Locally, [I-D.cain-logging-caps] Section 2.5
B.2. Recommended Capabilities
The following are desired capabilities (SHOULD) for edge routers:
B.2.1. Packet Filtering Profile
o Minimal Performance Degradation, [I-D.ietf-opsec-filter-caps]
Section 6
Jones Expires March 1, 2007 [Page 7]
Internet-Draft OpSec Profiles August 2006
Author's Address
George M. Jones
The MITRE Corporation
7515 Colshire Drive, M/S WEST
McLean, Virginia 22102-7508
U.S.A.
Phone: +1 703 488 9740
Email: gmjones@mitre.org
Jones Expires March 1, 2007 [Page 8]
Internet-Draft OpSec Profiles August 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Jones Expires March 1, 2007 [Page 9]