Overview
- Introduction - network security
- IETF: Internet Engineering Task Force
- GRIP WG and its goals
- CSIRT: Computer Security Incident Response Teams
- Security Expectations for ISPs
- Conclusion
Network Security Activities
- Active
  - Access control: firewalls, NAT
  - Secure transport (PGP, PEM/X.509, IPSEC)
  - Virus protection
- Passive
  - Security policy: development and maintenance
  - Education: system administrators, users
  - Vulnerability management
  - IP auditing, intrusion detection
- Responsive
  - Detection of, and response to, security incidents
IETF: the Internet Engineering Task Force
- Completely open, based at http://www.ietf.org
- Sets technical standards for the Internet
  - Initially published as Internet Drafts, republished as work proceeds
  - Drafts are current for six months, and should only be referred to as ``Works in Progress''
  - Published as Requests For Comment (RFCs)
  - RFCs: Informational, Experimental, Standards Track, BCP
- IAB provides high-level guidance
- Nine Areas; the Area Directors form the IESG
  - Transport, Routing, Applications, ...
  - Security
  - Operations & Management
- Each Area has 10 ~ 20 Working Groups
  - To participate in a WG, join its mailing list
  - WGs are (usually) short-lived
The GRIP Working Group
- Guidelines & Recommendations for Security Incident Processing
- In Operations & Management Area
- Goals
  - Guidelines for Response Teams (RFC 2350)
  - Guidelines for ISPs (RFC 3013)
  - Guidelines for technology producers
- WG started in the mid-90s; RFCs published in '98 and '99
- Currently dormant; needs enthusiasts to work on the third goal!
Security Incident Response, RFC 2350
- RFC expresses the ``General Internet Community's expectations of CSIRTs''
- Provides
  - General discussion of important issues
  - Formal template for describing a CSIRT and its services
  - Example of a filled-in template
- Most important aspect: plan for incidents before they happen!
Vulnerabilities
- Are flaws in system software which can allow a malicious program to take over an affected system
- Require system patches
- Sysadmins need to keep up to date with patches - at least with security patches!
- BugTraq mailing list
What's a `security incident?'
- Security Policy, Acceptable Use Policy
- An incident is anything which breaches these policies
- Most common example is having a system hijacked by an attacker exploiting a known vulnerability
- Compromised systems
  - Detection
  - Eradication
  - Recovery
What does a CSIRT do?
- Who may use it - defining the `constituency'
- How to contact a CSIRT
- Policies & Procedures
- Interaction with other CSIRTs
- Disclosure of information - to CSIRTs, Vendors, Law Enforcement, Press, Other
- Submission: incident reporting forms
Expectations of ISPs, RFC 3013
- ``Expectations of'' means ``security-related issues which ISPs should be aware of''
- Policy
  - Notifying vulnerabilities
  - Reporting incidents
  - Appropriate Use Policy
- Network Infrastructure
  - Routing, route filtering
  - Ingress/egress address filtering
  - Directed broadcasts
- Systems Infrastructure
  - No systems on transit networks
  - No open mail relays
  - Secure message submission
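A small runnable model of the Network and Systems Infrastructure expectations on this slide: source-address ingress/egress filtering and directed-broadcast blocking at an ISP edge, plus a mail-relay decision that never relays for unauthenticated third parties. This is an added example, not code from the slides, the GRIP WG or RFC 3013; the prefixes (TEST-NET ranges), the `example.net` domain and the two-port `customer`/`transit` topology are constructed for illustration.

```python
"""Toy checks for two RFC 3013 infrastructure expectations (added example).

(1) Ingress/egress address filtering and directed-broadcast blocking at an
    ISP edge router, (2) an SMTP relay policy that refuses open relaying.
All addresses, prefixes and domains below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: address blocks this ISP has assigned to its customers.
CUSTOMER_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Constructed: domains for which this ISP's mail servers deliver locally.
LOCAL_DOMAINS = {"example.net"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    arrived_on: str  # "customer" (port facing our customers) or "transit" (port facing upstream)


def _in_our_space(addr):
    """True if addr lies inside one of the prefixes we assigned to customers."""
    a = ip_address(addr)
    return any(a in net for net in CUSTOMER_PREFIXES)


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our customer networks.

    Forwarding such a packet fans one packet out to a whole LAN, so edge
    routers should not forward directed broadcasts (RFC 2644).
    """
    d = ip_address(dst)
    return any(d == net.broadcast_address for net in CUSTOMER_PREFIXES)


def filter_verdict(pkt):
    """Ingress/egress source filtering plus directed-broadcast blocking.

    Returns "forward" or a "drop: <reason>" string so the reason can be logged.
    """
    if pkt.arrived_on == "customer" and not _in_our_space(pkt.src):
        # Ingress filtering (RFC 2827 / BCP 38): a customer may only send
        # packets whose source address is in the prefix we assigned to it.
        return "drop: spoofed source from customer"
    if pkt.arrived_on == "transit" and _in_our_space(pkt.src):
        # Mirror check on the upstream port: nobody outside should send us
        # packets claiming to originate inside our own address space.
        return "drop: our own prefix as source from transit"
    if is_directed_broadcast(pkt.dst):
        return "drop: directed broadcast"
    return "forward"


def relay_decision(client_ip, authenticated, recipient):
    """Decide whether our SMTP server accepts a message for `recipient`.

    Deliver locally for our own domains; relay to other domains only for
    clients that authenticated (message submission); refuse everything else,
    so the server is never an open relay.
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept: local delivery"
    if authenticated:
        return "accept: authenticated submission relay"
    return "reject: relaying denied"


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate packet, one spoofed, one
    # directed broadcast, and three SMTP sessions.
    for p in [
        Packet("192.0.2.10", "203.0.113.1", "customer"),
        Packet("203.0.113.9", "203.0.113.1", "customer"),
        Packet("203.0.113.5", "192.0.2.255", "transit"),
    ]:
        print(f"{p.src} -> {p.dst} via {p.arrived_on}: {filter_verdict(p)}")
    for ip, auth, rcpt in [
        ("203.0.113.5", False, "alice@example.net"),
        ("203.0.113.5", False, "bob@example.org"),
        ("192.0.2.10", True, "bob@example.org"),
    ]:
        print(f"{ip} auth={auth} rcpt={rcpt}: {relay_decision(ip, auth, rcpt)}")
```

The filter is deliberately direction-aware: the same spoofing check is applied on the customer-facing port (ingress) and, inverted, on the upstream port, which is what makes the ISP a poor launch point for address-spoofed traffic and protects its own customers from packets forged in its name. The relay rule keys on authentication rather than on client address, so a compromised customer host cannot turn the ISP's mail server into a relay simply by being on-net.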
Expectations of Vendors
- Two key issues
  - Don't ship systems with security set at minimum levels
  - Be responsive to reported vulnerabilities
Summary
- Security is an ongoing - and important - part of running a network
- Need well-understood Security and Acceptable Use policies
- Need a network of sysadmins who will keep up with security patches
- Also need users to recognise security problems, and report them
- GRIP WG is (or at least was) an Internet forum for setting community expectations