OPSEC Working Group G. Jones Internet-Draft The MITRE Corporation Intended status: Informational August 28, 2006 Expires: March 1, 2007 Guide to Writing Security Capability Profiles draft-jones-opsec-profile-guide-00 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on March 1, 2007. Copyright Notice Copyright (C) The Internet Society (2006). Jones Expires March 1, 2007 [Page 1] Internet-Draft OpSec Profiles August 2006 Abstract This document provides guidelines for creating security capability profiles. A profile is a list of features that are required to operate a device in a a secure manner in a specific environment. It is anticipated that what is required in a profile will vary over time and, across different classes of devices (e.g. a network edge device may need to filter customer traffic whereas core network devices may not), and in different organizations. This document does not define a profile or specify requirements, but rather gives guidance for their creation. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 3. Non-Normative References . . . . . . . . . . . . . . . . . . . 5 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 6 Appendix B. Sample Profile . . . . . . . . . . . . . . . . . . . . 7 B.1. Required Capabilities for Edge Routers . . . . . . . . . . 7 B.1.1. Packet Filtering Profile . . . . . . . . . . . . . . . 7 B.1.2. Logging . . . . . . . . . . . . . . . . . . . . . . . . 7 B.2. Recommended Capabilities . . . . . . . . . . . . . . . . . 7 B.2.1. Packet Filtering Profile . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8 Intellectual Property and Copyright Statements . . . . . . . . . . 9 Jones Expires March 1, 2007 [Page 2] Internet-Draft OpSec Profiles August 2006 1. Introduction [RFC3871] defined a list of operational security requirements for the infrastructure of large IP networks (composed of routers and switches) with a goal to provide network operators a clear, concise way of communicating their security requirements to equipment vendors. Additionally, [I-D.ietf-opsec-current-practices] documented current network operator practices in protecting their networks. The IETF OPSEC working group refined the items identified in those two documents to produce a series of documents describing security capabilities needed to support those practices . These documents include o traffic filtering [I-D.ietf-opsec-filter-caps], o route-filtering [I-D.zhao-opsec-routing-capabilities], o logging [I-D.cain-logging-caps],, o miscellaneous capabilities [I-D.ietf-opsec-misc-cap], o and operation security [I-D.lewis-infrastructure-security]. One of the intended uses of these capability documents is the creation of profiles. Profiles are lists of capabilities that apply to certain classes of equipment (network edge, network core, enterprise network, etc). A profile may also be used as a list of requirements for equipment selection and in defining operational policies and procedures. The determination of which capabilities are requirements is a local decision driven by policy and operational need. In addition, the needed capabilities is likely to change over time as operational requirements and security threats change. It is likely that there are or will be other sources of capabilities that could be cited in developing a profile. For example, [draft-security-efforts] could be used to identify industry-specific standards or regulations that a specific network would need to support. Jones Expires March 1, 2007 [Page 3] Internet-Draft OpSec Profiles August 2006 2. Security Considerations Security is the entire focus of this document. This document describes an activity to define a set of device capabilities to operate a network securely. Since there is no universal definition of "securely", it is possible that novice profile crafters will inadvertently omit an operationally useful capability in their profile. Profile writes are encouraged to share their output with the broader Internet community to learn from others' experiences. The use of other IETF RFCs that define secure operation like [I-D.lewis-infrastructure-security] and [RFC2827] by profile authors is heavily encouraged so as to not miss critical or useful capabilities. Jones Expires March 1, 2007 [Page 4] Internet-Draft OpSec Profiles August 2006 3. Non-Normative References [I-D.cain-logging-caps] Cain, P., "Logging Capabilities for IP Network Infrastructure", draft-cain-logging-caps-00 (work in progress), July 2006. [I-D.ietf-opsec-current-practices] Kaeo, M., "Operational Security Current Practices", draft-ietf-opsec-current-practices-06 (work in progress), July 2006. [I-D.ietf-opsec-filter-caps] Jones, G. and C. Morrow, "Filtering and Rate Limiting Capabilities for IP Network Infrastructure", draft-ietf-opsec-filter-caps-02 (work in progress), July 2006. [I-D.ietf-opsec-misc-cap] Callon, R. and G. Jones, "Miscellaneous Capabilities for IP Network Infrastructure", draft-ietf-opsec-misc-cap-00 (work in progress), February 2006. [I-D.lewis-infrastructure-security] Lewis, D., "Service Provider Infrastructure Security", draft-lewis-infrastructure-security-00 (work in progress), June 2006. [I-D.zhao-opsec-routing-capabilities] Ye, Z., "Routing Control Plane Security Capabilities", draft-zhao-opsec-routing-capabilities-01 (work in progress), May 2006. [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000. [RFC3871] Jones, G., "Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure", RFC 3871, September 2004. Jones Expires March 1, 2007 [Page 5] Internet-Draft OpSec Profiles August 2006 Appendix A. Acknowledgments The author gratefully acknowledges the contributions of: o Pat Cain who agitated for creation of this document and provided feedback on the pre -00 draft. o The MITRE Corporation for supporting development of this document. NOTE: The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author. Jones Expires March 1, 2007 [Page 6] Internet-Draft OpSec Profiles August 2006 Appendix B. Sample Profile This sectoin gives a smaple of a profile: B.1. Required Capabilities for Edge Routers o Name: Edge Router Profile o Description: This profile defines the capabilities necessary for a network edge device o Context: Large NSP/ISP network providing transit services. The following are requirements (MUST) for edge routers: B.1.1. Packet Filtering Profile o Select by Protocol, [I-D.ietf-opsec-filter-caps] Section 3.5 o Select by Addresses, [I-D.ietf-opsec-filter-caps] Section 3.6 o Select by Protocol Header Fields, [I-D.ietf-opsec-filter-caps] Section 3.7 B.1.2. Logging o Logs Sent To Remote Servers, [I-D.cain-logging-caps] Section 2.2 o Ability to Select Reliable Delivery, [I-D.cain-logging-caps] Section 2.3 o Ability to Remotely Log Securely, [I-D.cain-logging-caps] Section 2.4 o Ability to Log Locally, [I-D.cain-logging-caps] Section 2.5 B.2. Recommended Capabilities The following are desired capabilities (SHOULD) for edge routers: B.2.1. Packet Filtering Profile o Minimal Performance Degradation, [I-D.ietf-opsec-filter-caps] Section 6 Jones Expires March 1, 2007 [Page 7] Internet-Draft OpSec Profiles August 2006 Author's Address George M. Jones The MITRE Corporation 7515 Colshire Drive, M/S WEST McLean, Virginia 22102-7508 U.S.A. Phone: +1 703 488 9740 Email: gmjones@mitre.org Jones Expires March 1, 2007 [Page 8] Internet-Draft OpSec Profiles August 2006 Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Jones Expires March 1, 2007 [Page 9]