Re: Initial Logging capabilities document
On 7/11/06, patrick cain <pcain@coopercain.com> wrote:
George,
Thanks for the comments. I'll incorporate most of them into a new version.
But you say
"
3. Functional Capabilities of Log Storage Systems
gmj> I would argue that these are out of scope.
"
I disagree. Generation of a log message is nice, but there are many
instances where that message is lost to history because the receiving log
collector was down, broke, ignored, full, etc. And never noticed or acted
upon. This is bad.
Since we are giving capabilities for "securing layer 2 and 3 devices", and
log storage is called out in the CURPRAC, it seemed to make sense that the
system engineer not forget that there are two parts of the logging problem.
Note that the three capabilities are only for "log storage" devices, which
should keep the router vendors happy.

Scope
From the charter:
The working group will list capabilities appropriate for
devices used in:
* Internet Service Provider (ISP) Networks
* Enterprise Networks
The following areas are excluded from the charter at this time:
* Wireless devices
* Small-Office-Home-Office (SOHO) devices
* Security devices (firewalls, Intrusion Detection Systems,
Authentication Servers)
* Hosts
From the framework:
Abstract
This document outlines work to be done and documents to be produced
by the Operational Security Capabilities (OPSEC) Working Group. The
goal of the working group is to codify knowledge gained through
operational experience about feature sets that are needed to securely
deploy and operate managed network elements providing transit
services at the data link and IP layers.
1.5. Scope
The working group will produce a list of capabilities appropriate
for:
o Internet Service Provider (ISP) Networks
o Enterprise Networks
The following are explicitly out of scope:
>>>>>>> o general purpose hosts that do not transit traffic including
>>>>>>> infrastructure hosts such as name/time/log/AAA servers, etc.,
I agree that both sides of the coin (sending and receiving/storing) matter,
but we drew the line at things that transit packets to keep the scope
manageable.
If you want to change the charter or framework document, talk to the
WG chair....wait....
----George