[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SImple Security for small CPE devices
It is a 00 afterall :) But yes, good points and I myself have not
yet commented but will do so as soon as I am out of a severe backlog
on current work.
This document was written to address the thread started on April 16th
by the author on the v6ops wg list entitled 'The argument for writing
a general purpose NAT for IPv6'. I'd probably call this doc more a
'Filtering Behavior for small CPE devices' - since all it deals with
is filtering. Like you, I view security to deal with much more than
just filtering and the title is deceiving.
It is unfortunate that this wg is closing down since I definitely had
hoped that more comprehensive security device profiles would be
defined.....it is unclear where such work would fit now although
perhaps in the OPSAREA wg as Ron mentioned. But authors are needed
and that was the issue with this working group. People were ready
enough to comment but not write documents......
On Jun 19, 2007, at 12:01 PM, David Harrington wrote:
I was rather disappointed this document didn't discuss any OPS area NM
protocols or preferred transport security protocols.
How will the CPE be managed? How will remote and/or local
administration be secured? Is this document only valid for unmanaged
The document mentions the need for local-area network administrators
to detect and prevent intrusions, but there is no mention of any
protocols for administration, or detection or prevention of
unauthorized access attempts? Shouldn't system logging be a minimum
for monitoring for unauthenticated access?
There was no discussion of the protocols used for administration
whether from inside or outside the local area network. Weak
administrative security configurations, such as default
community=public and default admin/root passwords, routinely make the
SANS Top 20 list. FBI/SANS reports claim that approximately 85% of
attacks are from within an organization. If you don't secure your
local administration adequately, local users might choose to modify
the security configuration to better suit their needs, but permit the
injection of attacks into the Internet. Shouldn't standard
administrative protocols and standardized admin security be included
as part of "simple security" for CPEs?
The OPS NM protocols (snmp, netconf, syslog, ipfix, capwap) are
standardizing on SSH or TLS security, in keeping with RFC3535 and
BCP72, but neither TLS nor SSH is mentioned in this document.
Shouldn't they be?
How does this document's focus on "simple" security compare to BCP72,
and the Danvers Doctrine of mandatory-to-implement "strong" security
From: email@example.com [mailto:firstname.lastname@example.org] On
Behalf Of Ron Bonica
Sent: Tuesday, June 19, 2007 1:42 PM
Cc: email@example.com; Ted Seely; Scott O Bradner;
Romascanu, Dan (Dan)
Subject: Re: SImple Security for small CPE devices
This is slightly out of charter for the OPSEC WG, but I wouldn't
seeing it in the OPSAREA WG. Dan, Scott, Ted, what do you think?
George Jones wrote:
This may be of some interest to people here. I know at
least a few people
(Merike) had interest in security of equipment for SOHO way
it was *very* quickly deemd out of scope for OPSEC.