Re: SImple Security for small CPE devices

[Merike Kaeo <merike@doubleshotsecurity.com>]

It is a 00 afterall :)   But yes, good points and I myself have not  
yet commented but will do so as soon as I am out of a severe backlog  
on current work.

This document was written to address the thread started on April 16th  
by the author on the v6ops wg list entitled 'The argument for writing  
a general purpose NAT for IPv6'.  I'd probably call this doc more a  
'Filtering Behavior for small CPE devices' - since all it deals with  
is filtering.  Like you, I view security to deal with much more than  
just filtering and the title is deceiving.

It is unfortunate that this wg is closing down since I definitely had  
hoped that more comprehensive security device profiles would be  
defined.....it is unclear where such work would fit now although  
perhaps in the OPSAREA wg as Ron mentioned.  But authors are needed  
and that was the issue with this working group.  People were ready  
enough to comment but not write documents......

- merike

On Jun 19, 2007, at 12:01 PM, David Harrington wrote:

> Hi,
>
> I was rather disappointed this document didn't discuss any OPS area NM
> protocols or preferred transport security protocols.
>
> How will the CPE be managed? How will remote and/or local
> administration be secured? Is this document only valid for unmanaged
> devices?
>
> The document mentions the need for local-area network administrators
> to detect and prevent intrusions, but there is no mention of any
> protocols for administration, or detection or prevention of
> unauthorized access attempts? Shouldn't system logging be a minimum
> for monitoring for unauthenticated access?
>
> There was no discussion of the protocols used for administration
> whether from inside or outside the local area network. Weak
> administrative security configurations, such as default
> community=public and default admin/root passwords, routinely make the
> SANS Top 20 list. FBI/SANS reports claim that approximately 85% of
> attacks are from within an organization. If you don't secure your
> local administration adequately, local users might choose to modify
> the security configuration to better suit their needs, but permit the
> injection of attacks into the Internet. Shouldn't standard
> administrative protocols and standardized admin security be included
> as part of "simple security" for CPEs?
>
> The OPS NM protocols (snmp, netconf, syslog, ipfix, capwap) are
> standardizing on SSH or TLS security, in keeping with RFC3535 and
> BCP72, but neither TLS nor SSH is mentioned in this document.
> Shouldn't they be?
>
> How does this document's focus on "simple" security compare to BCP72,
> and the Danvers Doctrine of mandatory-to-implement "strong" security
> features?
>
> David Harrington
> dharrington@huawei.com
> dbharrington@comcast.net
> ietfdbh@comcast.net
>
>
> > -----Original Message-----
> > From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On
> > Behalf Of Ron Bonica
> > Sent: Tuesday, June 19, 2007 1:42 PM
> > To: gmj@pobox.com
> > Cc: opsec@ops.ietf.org; Ted Seely; Scott O Bradner;
> > Romascanu, Dan (Dan)
> > Subject: Re: SImple Security for small CPE devices
> >
> > Folks,
> >
> > This is slightly out of charter for the OPSEC WG, but I wouldn't
> mind
> > seeing it in the OPSAREA WG. Dan, Scott, Ted, what do you think?
> >
> >                                       Ron
> >
> > George Jones wrote:
> > > This may be of some interest to people here.   I know at
> > least a few people
> > > (Merike) had interest in security of equipment for SOHO way
> > back when...but
> > > it was *very* quickly deemd out of scope for OPSEC.
> > http://www.ietf.org/internet-drafts/draft-ietf-v6ops-cpe-simpl
> > e-security-00.txt
> > > FYI,
> > > ---George Jones