[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SImple Security for small CPE devices

To: "'Ron Bonica'" <rbonica@juniper.net>, <gmj@pobox.com>
Subject: RE: SImple Security for small CPE devices
From: "David Harrington" <ietfdbh@comcast.net>
Date: Tue, 19 Jun 2007 15:01:10 -0400
Cc: <opsec@ops.ietf.org>, "'Ted Seely'" <tseely@sprint.net>, "'Scott O Bradner'" <sob@harvard.edu>, "'Romascanu, Dan \(Dan\)'" <dromasca@avaya.com>
In-reply-to: <46781574.8030004@juniper.net>
References: <c1468ac50706190932y400abbfav16978d2dc630c815@mail.gmail.com> <46781574.8030004@juniper.net>

Hi,

I was rather disappointed this document didn't discuss any OPS area NM
protocols or preferred transport security protocols. 

How will the CPE be managed? How will remote and/or local
administration be secured? Is this document only valid for unmanaged
devices?

The document mentions the need for local-area network administrators
to detect and prevent intrusions, but there is no mention of any
protocols for administration, or detection or prevention of
unauthorized access attempts? Shouldn't system logging be a minimum
for monitoring for unauthenticated access?

There was no discussion of the protocols used for administration
whether from inside or outside the local area network. Weak
administrative security configurations, such as default
community=public and default admin/root passwords, routinely make the
SANS Top 20 list. FBI/SANS reports claim that approximately 85% of
attacks are from within an organization. If you don't secure your
local administration adequately, local users might choose to modify
the security configuration to better suit their needs, but permit the
injection of attacks into the Internet. Shouldn't standard
administrative protocols and standardized admin security be included
as part of "simple security" for CPEs?

The OPS NM protocols (snmp, netconf, syslog, ipfix, capwap) are
standardizing on SSH or TLS security, in keeping with RFC3535 and
BCP72, but neither TLS nor SSH is mentioned in this document.
Shouldn't they be?

How does this document's focus on "simple" security compare to BCP72,
and the Danvers Doctrine of mandatory-to-implement "strong" security
features?

David Harrington
dharrington@huawei.com 
dbharrington@comcast.net
ietfdbh@comcast.net

> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On 
> Behalf Of Ron Bonica
> Sent: Tuesday, June 19, 2007 1:42 PM
> To: gmj@pobox.com
> Cc: opsec@ops.ietf.org; Ted Seely; Scott O Bradner; 
> Romascanu, Dan (Dan)
> Subject: Re: SImple Security for small CPE devices
> 
> Folks,
> 
> This is slightly out of charter for the OPSEC WG, but I wouldn't
mind
> seeing it in the OPSAREA WG. Dan, Scott, Ted, what do you think?
> 
>                                       Ron
> 
> George Jones wrote:
> > This may be of some interest to people here.   I know at 
> least a few people
> > (Merike) had interest in security of equipment for SOHO way 
> back when...but
> > it was *very* quickly deemd out of scope for OPSEC.
> > 
> > 
> http://www.ietf.org/internet-drafts/draft-ietf-v6ops-cpe-simpl
> e-security-00.txt
> > 
> > 
> > FYI,
> > ---George Jones
> > 
> 
>

Follow-Ups:
- Re: SImple Security for small CPE devices
  - From: Merike Kaeo <merike@doubleshotsecurity.com>

References:
- SImple Security for small CPE devices
  - From: "George Jones" <eludom@gmail.com>
- Re: SImple Security for small CPE devices
  - From: Ron Bonica <rbonica@juniper.net>

Prev by Date: Re: SImple Security for small CPE devices
Next by Date: Re: SImple Security for small CPE devices
Previous by thread: Re: SImple Security for small CPE devices
Next by thread: Re: SImple Security for small CPE devices
Index(es):
- Date
- Thread