OPSEC Working Group                                             G. Jones
Internet-Draft                                     The MITRE Corporation
Intended status: Informational                           August 28, 2006
Expires: March 1, 2007


             Guide to Writing Security Capability Profiles
                   draft-jones-opsec-profile-guide-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 1, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Jones                     Expires March 1, 2007                 [Page 1]

Internet-Draft               OpSec Profiles                  August 2006


Abstract

   This document provides guidelines for creating security capability
   profiles.  A profile is a list of features that are required to
   operate a device in a secure manner in a specific environment.

   It is anticipated that what is required in a profile will vary over
   time and, across different classes of devices (e.g. a network edge
   device may need to filter customer traffic whereas core network
   devices may not), and in different organizations.  This document does
   not define a profile or specify requirements, but rather gives
   guidance for their creation.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
   3.  Non-Normative References  . . . . . . . . . . . . . . . . . . . 5
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . 6
   Appendix B.  Sample Profile . . . . . . . . . . . . . . . . . . . . 7
     B.1.  Required Capabilities for Edge Routers  . . . . . . . . . . 7
       B.1.1.  Packet Filtering Profile  . . . . . . . . . . . . . . . 7
       B.1.2.  Logging . . . . . . . . . . . . . . . . . . . . . . . . 7
     B.2.  Recommended Capabilities  . . . . . . . . . . . . . . . . . 7
       B.2.1.  Packet Filtering Profile  . . . . . . . . . . . . . . . 7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8
   Intellectual Property and Copyright Statements  . . . . . . . . . . 9


1.  Introduction

   [RFC3871] defined a list of operational security requirements for the
   infrastructure of large IP networks (composed of routers and
   switches) with a goal to provide network operators a clear, concise
   way of communicating their security requirements to equipment
   vendors.  Additionally, [I-D.ietf-opsec-current-practices] documented
   current network operator practices in protecting their networks.

   The IETF OPSEC working group refined the items identified in those
   two documents to produce a series of documents describing the security
   capabilities needed to support those practices.

   These documents include

   o  traffic filtering [I-D.ietf-opsec-filter-caps],

   o  route-filtering [I-D.zhao-opsec-routing-capabilities],

   o  logging [I-D.cain-logging-caps],

   o  miscellaneous capabilities [I-D.ietf-opsec-misc-cap],

   o  and operation security [I-D.lewis-infrastructure-security].

   One of the intended uses of these capability documents is the
   creation of profiles.  Profiles are lists of capabilities that apply
   to certain classes of equipment (network edge, network core,
   enterprise network, etc.).  A profile may also be used as a list of
   requirements for equipment selection and in defining operational
   policies and procedures.

   The determination of which capabilities are requirements is a local
   decision driven by policy and operational need.  In addition, the
   set of needed capabilities is likely to change over time as
   operational requirements and security threats change.

   It is likely that there are or will be other sources of capabilities
   that could be cited in developing a profile.  For example,
   [draft-security-efforts] could be used to identify industry-specific
   standards or regulations that a specific network would need to
   support.



2.  Security Considerations

   Security is the entire focus of this document.

   This document describes an activity to define a set of device
   capabilities to operate a network securely.  Since there is no
   universal definition of "securely", it is possible that novice
   profile crafters will inadvertently omit an operationally useful
   capability in their profile.  Profile writers are encouraged to share
   their output with the broader Internet community to learn from
   others' experiences.

   Profile authors are strongly encouraged to draw on other IETF
   documents that describe secure operation, such as
   [I-D.lewis-infrastructure-security] and [RFC2827] (BCP 38 ingress
   filtering), so that critical or useful capabilities are not missed.



3.  Non-Normative References

   [I-D.cain-logging-caps]
              Cain, P., "Logging Capabilities for IP Network
              Infrastructure", draft-cain-logging-caps-00 (work in
              progress), July 2006.

   [I-D.ietf-opsec-current-practices]
              Kaeo, M., "Operational Security Current Practices",
              draft-ietf-opsec-current-practices-06 (work in progress),
              July 2006.

   [I-D.ietf-opsec-filter-caps]
              Jones, G. and C. Morrow, "Filtering and Rate Limiting
              Capabilities for IP Network Infrastructure",
              draft-ietf-opsec-filter-caps-02 (work in progress),
              July 2006.

   [I-D.ietf-opsec-misc-cap]
              Callon, R. and G. Jones, "Miscellaneous Capabilities for
              IP Network Infrastructure", draft-ietf-opsec-misc-cap-00
              (work in progress), February 2006.

   [I-D.lewis-infrastructure-security]
              Lewis, D., "Service Provider Infrastructure Security",
              draft-lewis-infrastructure-security-00 (work in progress),
              June 2006.

   [I-D.zhao-opsec-routing-capabilities]
              Ye, Z., "Routing Control Plane Security Capabilities",
              draft-zhao-opsec-routing-capabilities-01 (work in
              progress), May 2006.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, May 2000.

   [RFC3871]  Jones, G., "Operational Security Requirements for Large
              Internet Service Provider (ISP) IP Network
              Infrastructure", RFC 3871, September 2004.



Appendix A.  Acknowledgments

   The author gratefully acknowledges the contributions of:

   o  Pat Cain who agitated for creation of this document and provided
      feedback on the pre -00 draft.

   o  The MITRE Corporation for supporting development of this document.
      NOTE: The author's affiliation with The MITRE Corporation is
      provided for identification purposes only, and is not intended to
      convey or imply MITRE's concurrence with, or support for, the
      positions, opinions or viewpoints expressed by the author.



Appendix B.  Sample Profile

   This section gives a sample profile.

B.1.  Required Capabilities for Edge Routers

   o  Name: Edge Router Profile

   o  Description: This profile defines the capabilities necessary for a
      network edge device.

   o  Context: Large NSP/ISP network providing transit services.

   The following are requirements (MUST) for edge routers:

B.1.1.  Packet Filtering Profile

   o  Select by Protocol, [I-D.ietf-opsec-filter-caps] Section 3.5

   o  Select by Addresses, [I-D.ietf-opsec-filter-caps] Section 3.6

   o  Select by Protocol Header Fields, [I-D.ietf-opsec-filter-caps]
      Section 3.7

B.1.2.  Logging

   o  Logs Sent To Remote Servers, [I-D.cain-logging-caps] Section 2.2

   o  Ability to Select Reliable Delivery, [I-D.cain-logging-caps]
      Section 2.3

   o  Ability to Remotely Log Securely, [I-D.cain-logging-caps] Section
      2.4

   o  Ability to Log Locally, [I-D.cain-logging-caps] Section 2.5

B.2.  Recommended Capabilities

   The following are desired capabilities (SHOULD) for edge routers:

B.2.1.  Packet Filtering Profile

   o  Minimal Performance Degradation, [I-D.ietf-opsec-filter-caps]
      Section 6
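
   A profile of the kind shown above is, in effect, a list of
   (capability, source document, section, requirement level) entries.
   The following added example, which is not part of this draft, shows
   how such a profile can be kept as data so that it can be checked for
   consistency before it is handed to vendors and then used for the
   equipment-selection gap analysis mentioned in Section 1.  The data
   model, the validate() and evaluate() functions and the candidate
   device inventory are assumptions made for this example; the
   capability names, citation keys and section numbers are transcribed
   from Appendix B and Section 3.

```python
"""Security capability profile as checkable data (added example, not from the draft)."""
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    """Requirement levels used by the sample profile (RFC 2119 keywords)."""
    MUST = "MUST"
    SHOULD = "SHOULD"


@dataclass(frozen=True)
class Capability:
    name: str        # capability title as it appears in the source document
    source: str      # citation key of the capability document
    section: str     # section of that document that defines the capability
    level: Level


@dataclass
class Profile:
    name: str
    description: str
    context: str
    capabilities: list = field(default_factory=list)

    def validate(self, known_sources):
        """Check the profile is well-formed before it is sent to a vendor.

        Returns a list of human-readable problems (empty means OK):
        - a capability cites a document that is not in the reference list;
        - the same (source, section) is listed twice, e.g. as MUST and SHOULD.
        """
        problems = []
        seen = {}  # (source, section) -> Level at which it was first listed
        for cap in self.capabilities:
            if cap.source not in known_sources:
                problems.append(f"{cap.name}: unknown source {cap.source}")
            key = (cap.source, cap.section)
            if key in seen:
                problems.append(
                    f"{cap.name}: {cap.source} section {cap.section} listed "
                    f"twice ({seen[key].value} and {cap.level.value})")
            else:
                seen[key] = cap.level
        return problems

    def evaluate(self, device_capabilities):
        """Gap analysis of one device against the profile.

        device_capabilities is the set of (source, section) pairs the device
        is claimed (or has been tested) to support.  The device is compliant
        only if every MUST is present; missing SHOULDs are reported separately.
        """
        missing = {Level.MUST: [], Level.SHOULD: []}
        for cap in self.capabilities:
            if (cap.source, cap.section) not in device_capabilities:
                missing[cap.level].append(cap.name)
        return {
            "compliant": not missing[Level.MUST],
            "missing_must": missing[Level.MUST],
            "missing_should": missing[Level.SHOULD],
        }


# Citation keys from Section 3 of the draft (the only documents a profile may cite).
KNOWN_SOURCES = {
    "I-D.cain-logging-caps", "I-D.ietf-opsec-current-practices",
    "I-D.ietf-opsec-filter-caps", "I-D.ietf-opsec-misc-cap",
    "I-D.lewis-infrastructure-security", "I-D.zhao-opsec-routing-capabilities",
    "RFC2827", "RFC3871",
}
FILTER = "I-D.ietf-opsec-filter-caps"
LOGGING = "I-D.cain-logging-caps"

# The Appendix B sample profile, transcribed into the data model above.
EDGE_ROUTER_PROFILE = Profile(
    name="Edge Router Profile",
    description="Capabilities necessary for a network edge device",
    context="Large NSP/ISP network providing transit services",
    capabilities=[
        Capability("Select by Protocol", FILTER, "3.5", Level.MUST),
        Capability("Select by Addresses", FILTER, "3.6", Level.MUST),
        Capability("Select by Protocol Header Fields", FILTER, "3.7", Level.MUST),
        Capability("Logs Sent To Remote Servers", LOGGING, "2.2", Level.MUST),
        Capability("Ability to Select Reliable Delivery", LOGGING, "2.3", Level.MUST),
        Capability("Ability to Remotely Log Securely", LOGGING, "2.4", Level.MUST),
        Capability("Ability to Log Locally", LOGGING, "2.5", Level.MUST),
        Capability("Minimal Performance Degradation", FILTER, "6", Level.SHOULD),
    ],
)

# Constructed, hypothetical vendor response: the device claims everything in
# the profile except secure remote logging and the performance requirement.
CANDIDATE_DEVICE = {
    (FILTER, "3.5"), (FILTER, "3.6"), (FILTER, "3.7"),
    (LOGGING, "2.2"), (LOGGING, "2.3"), (LOGGING, "2.5"),
}


def profile_caps(profile):
    """The (source, section) set of everything a profile lists."""
    return {(c.source, c.section) for c in profile.capabilities}


if __name__ == "__main__":
    print("profile problems:", EDGE_ROUTER_PROFILE.validate(KNOWN_SOURCES))
    print("candidate device:", EDGE_ROUTER_PROFILE.evaluate(CANDIDATE_DEVICE))
```

   A missing MUST makes the device non-compliant, whereas missing
   SHOULDs are reported but do not by themselves block selection.  The
   validation step catches two mistakes that are easy to make when a
   profile is assembled by hand: citing a capability document that is
   not in the reference list, and listing the same capability at two
   requirement levels.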



Author's Address

   George M. Jones
   The MITRE Corporation
   7515 Colshire Drive, M/S WEST
   McLean, Virginia  22102-7508
   U.S.A.

   Phone: +1 703 488 9740
   Email: gmjones@mitre.org



Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).
