[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: survey of isp security practices
I agree with Randy that user, access control, and key management need
to be included in this discussion.
Assuming RADIUS will "handle it" is insufficient.
What happens when RADIUS authentication is not accessible because of
Is there a fallback to local authentication?
How are the local authentication keys distributed and managed?
RADIUS can provide per-user authorization; what happens when RADIUS is
Is there a fallback to local per-user authorization?
How are the local per-user authorization rules managed (created,
You mention "per-command" access control.
Is per-command the only type of access control desired?
What about access to different subsets of information, such as
writable MIB module data, security configuration data, sensitive
Does RADIUS provide enough info for controlling access to data
subsets, when a user is permitted to modify some things but not
What happens in a local-authorization fallback scenario?
Some protocols provide for encrypted messaging, such as SSH and
Does RADIUS provide authentication for the encryption protocols?
How are the encryption keys managed?
How are the keys managed in a local-authnetication fallback scenario?
Without answering some of these questions, the discussion is really
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com] On
> Behalf Of George Jones
> Sent: Wednesday, November 17, 2004 1:14 PM
> To: Randy Presuhn
> Cc: firstname.lastname@example.org
> Subject: Re: survey of isp security practices
> On Sun, 14 Nov 2004 18:54:58 -0800, Randy Presuhn
> <email@example.com> wrote:
> > Hi -
> > > From: "Merike Kaeo" <firstname.lastname@example.org>
> > > To: <email@example.com>
> > > Sent: Tuesday, November 09, 2004 4:03 AM
> > > Subject: survey of isp security practices
> > ...
> > > 4. Authentication / Authorization
> > > 4.1 Threat Description
> > > 4.2 Best Current Practice
> > > 4.2.1 Device Access
> > > 4.2.2 Routing
> > > 4.2.3 MAC Address
> > ...
> > In this, or the updated structure, any discussion of
> > and authorization would be incomplete if it didn't address user,
> > access control list, and key management.
> The scope here is core network device capabilities.
> I would submit that, given protocols such as RADIUS
> (Diameter, TACACS) that user mangement is largely an external
> issue (it happens on the
> RADIUS server, etc). The important bit is that the device needs to
> be able to talk to the [radius] server, be sure which server
> it's talking to, and be able to get authentication and
> authorization data (per command...your "access control lists
> ?") from the server.