Network Security: IETF and the GRIP WG

Nevil Brownlee, (CAIDA / The University of Auckland)

UA Guest Lecture, 30 May 2001


  1. Overview

    • Introduction - network security
    • IETF: Internet Engineering Task Force
    • GRIP WG and its goals
    • CSIRT: Computer Security Incident Response Teams
    • Security Expectations for ISPs
    • Conclusion

  2. Network Security Activities

    • Active
      • Access control: Firewalls, NAT
      • Secure transport (PGP, PEM/X.509, IPSEC)
      • Virus Protection

    • Passive
      • Security policy: development and maintenance
      • Education: system administrators, users
      • Vulnerability management
      • IP Auditing, intrusion detection

    • Responsive
      • Detection of, and response to, security incidents


  3. IETF: the Internet Engineering Task Force

    • Completely open, based at http://www.ietf.org
    • Sets technical standards for the Internet
      • Initially published as Internet Drafts, republished as work proceeds
      • Drafts are current for six months, should only be referred to as ``Works in Progress''
      • Published as Requests For Comment (RFCs)
      • RFCs: Informational, Experimental, Standards Track, BCP

    • IAB provides high-level guidance
    • Nine Areas; their Area Directors together form the IESG
      • Transport, Routing, Applications, ..
      • Security
      • Operations & Management

    • Each Area has 10 ~ 20 Working Groups
      • To participate in a WG, join its mailing list
      • WGs are (usually) short-lived

  4. The GRIP Working Group

    • Guidelines & Recommendations for Security Incident Processing
    • In Operations & Management Area
    • Goals
      • Guidelines for Response Teams (RFC 2350)
      • Guidelines for ISPs (RFC 3013)
      • Guidelines for technology producers

    • WG started mid-90s; RFC 2350 published in '98, RFC 3013 in 2000
    • Currently dormant; need enthusiasts to work on third goal!

  5. Security Incident Response, RFC 2350

    • RFC expresses ``General Internet Community's expectations of CSIRTs''
    • Provides
      • General discussion of important issues
      • Formal Template for describing a CSIRT and its services
      • Example of a filled-in template

    • Most important aspect is plan for incidents before they happen!

  6. Vulnerabilities

    • Flaws in system software which an attacker, or a malicious program, can exploit to take over an affected system
    • Fixed by applying the vendor's system patches
    • Sysadmins need to keep up to date with patches - at least with security patches!
    • BugTraq mailing list: public vulnerability disclosure and discussion

  7. What's a `security incident?'

    • Security Policy, Acceptable Use Policy
    • An incident is anything which breaches these policies
    • Most common example is having a system hijacked by an attacker exploiting a known vulnerability
    • Compromised systems
      • Detection
      • Eradication
      • Recovery

  8. What does a CSIRT do?

    • Who may use it - defining `constituency'
    • How to contact a CSIRT
      • Secure communications

    • Policies & Procedures
      • Interaction with other CSIRTs
      • Disclosure of information -
        CSIRTs, Vendors, Law Enforcement, Press, Other
      • Submission: incident reporting forms

  9. Expectations of ISPs, RFC 3013

    • ``Expectations of'' means ``security-related issues which ISPs should be aware of''
    • Policy
      • Notifying vulnerabilities
      • Reporting incidents
      • Appropriate Use Policy

    • Network Infrastructure
      • Routing, route filtering
      • Ingress/egress address filtering
      • Directed broadcasts

    • Systems Infrastructure
      • No systems on transit networks
      • No open mail relays
      • Secure message submission
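
The three Network Infrastructure items above (route/address filtering, ingress/egress filtering, directed broadcasts) are forwarding decisions made at the ISP edge. The following Python model is an added example written for this page; it is not code from the lecture or from RFC 3013. It assumes a single edge router with one customer-facing port and one upstream port, and the prefixes and packets it uses are constructed sample data (documentation ranges), not a real ISP's addressing.

```python
"""Added example (not from the lecture or from RFC 3013 itself): the three
address-based forwarding decisions an ISP edge router should make, modelled
in plain Python so they can be checked offline.

  * ingress filtering (RFC 2827): a packet arriving from a customer is only
    accepted if its source lies inside that customer's assigned prefixes;
  * egress filtering: a packet leaving towards the Internet must carry a
    source address the ISP actually originates, and a packet arriving from
    the Internet must not claim one of the ISP's own prefixes;
  * directed broadcasts: a packet from outside a directly attached subnet
    that is addressed to that subnet's broadcast address is dropped, which
    is what stops the router being used as a 'smurf' amplifier.

All prefixes and packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class EdgeRouter:
    def __init__(self, customer_prefixes, isp_prefixes, attached_subnets):
        # prefixes assigned to the customer behind the customer-facing port
        self.customer_prefixes = [ip_network(p) for p in customer_prefixes]
        # every prefix this ISP originates (customers' prefixes included)
        self.isp_prefixes = [ip_network(p) for p in isp_prefixes]
        # subnets with an interface on this router
        self.attached_subnets = [ip_network(s) for s in attached_subnets]

    @staticmethod
    def _in_any(addr, nets):
        return any(addr in net for net in nets)

    def directed_broadcast_target(self, pkt):
        """Return the attached subnet whose broadcast address pkt is aimed at
        from outside that subnet, or None if the packet is not one."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for net in self.attached_subnets:
            if dst == net.broadcast_address and src not in net:
                return net
        return None

    def from_customer(self, pkt):
        """Decision for a packet arriving on the customer-facing interface."""
        if not self._in_any(ip_address(pkt.src), self.customer_prefixes):
            return "drop: spoofed source (RFC 2827 ingress filter)"
        if self.directed_broadcast_target(pkt) is not None:
            return "drop: directed broadcast"
        return "forward"

    def from_internet(self, pkt):
        """Decision for a packet arriving on the upstream interface."""
        if self._in_any(ip_address(pkt.src), self.isp_prefixes):
            return "drop: our own prefix arriving from outside"
        if self.directed_broadcast_target(pkt) is not None:
            return "drop: directed broadcast"
        return "forward"

    def to_internet(self, pkt):
        """Decision for a packet about to leave on the upstream interface."""
        if not self._in_any(ip_address(pkt.src), self.isp_prefixes):
            return "drop: source not originated by this ISP (egress filter)"
        return "forward"


def demo():
    """Run the constructed packets through a router and return the decisions."""
    r = EdgeRouter(customer_prefixes=["192.0.2.0/24"],
                   isp_prefixes=["192.0.2.0/24", "198.51.100.0/24"],
                   attached_subnets=["192.0.2.0/24", "198.51.100.0/25"])
    cases = [
        ("customer, genuine source", r.from_customer, Packet("192.0.2.10", "203.0.113.5")),
        ("customer, spoofed source", r.from_customer, Packet("10.0.0.1", "203.0.113.5")),
        ("internet, smurf attempt", r.from_internet, Packet("203.0.113.9", "198.51.100.127")),
        ("internet, normal", r.from_internet, Packet("203.0.113.9", "198.51.100.20")),
        ("internet, claims our prefix", r.from_internet, Packet("192.0.2.50", "192.0.2.1")),
        ("upstream, genuine source", r.to_internet, Packet("192.0.2.10", "203.0.113.5")),
        ("upstream, leaked private source", r.to_internet, Packet("172.16.0.1", "203.0.113.5")),
    ]
    return {name: check(pkt) for name, check, pkt in cases}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

The point of keeping the three checks separate is that they protect different parties: the ingress filter stops this customer spoofing others, the egress filter stops the ISP as a whole from emitting spoofed traffic, and the directed-broadcast drop stops the ISP's own subnets being used to amplify attacks on third parties.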

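The "no open mail relays" and "secure message submission" items above come down to one decision the mail server makes at RCPT TO. The following Python model is an added example written for this page, not code from the lecture, from RFC 3013 or from any real MTA. It assumes a server with a list of domains it delivers for and a list of its own customers' networks, and the domains, networks and sessions it uses are constructed sample data. The submission port number and its authentication requirement follow RFC 2476.

```python
"""Added example (not from the lecture or from RFC 3013 itself): the decision
an SMTP server makes at RCPT TO, which is what separates an open relay from
a properly configured one, plus the probe commonly used to find open relays.
Domains, networks and sessions are constructed sample data.

Hardened policy:
  * mail for one of our own domains is always accepted (we are the final hop);
  * relaying elsewhere is allowed only for an authenticated client or for a
    client inside our own customer address space;
  * the submission port (587, RFC 2476) refuses everything until the client
    has authenticated, so customers can send from anywhere without the
    server relaying for the whole world on port 25.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMTP_PORT, SUBMISSION_PORT = 25, 587


@dataclass(frozen=True)
class Session:
    client_ip: str
    port: int            # 25 for server-to-server, 587 for client submission
    authenticated: bool  # True once SMTP AUTH has succeeded


class RelayPolicy:
    def __init__(self, local_domains, customer_networks, open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.customer_networks = [ip_network(n) for n in customer_networks]
        # open_relay=True reproduces the misconfiguration RFC 3013 warns about
        self.open_relay = open_relay

    def rcpt_to(self, session, recipient):
        """Return the SMTP reply the server sends for 'RCPT TO:<recipient>'."""
        domain = recipient.strip("<>").rpartition("@")[2].lower()
        if session.port == SUBMISSION_PORT and not session.authenticated:
            return "530 5.7.0 Authentication required"
        if domain in self.local_domains:
            return "250 2.1.5 OK"            # final delivery, not a relay
        if self.open_relay or session.authenticated:
            return "250 2.1.5 OK"
        client = ip_address(session.client_ip)
        if any(client in net for net in self.customer_networks):
            return "250 2.1.5 OK"            # relaying for our own customers
        return "550 5.7.1 Relaying denied"


def is_open_relay(policy):
    """Relay probe: an unrelated, unauthenticated host on port 25 asks the
    server to carry mail for a domain it does not serve. A 250 means open relay."""
    outsider = Session(client_ip="203.0.113.7", port=SMTP_PORT, authenticated=False)
    reply = policy.rcpt_to(outsider, "<victim@example.org>")
    return reply.startswith("250")


if __name__ == "__main__":
    for label, open_relay in (("open relay", True), ("hardened", False)):
        policy = RelayPolicy(["example.net"], ["192.0.2.0/24"], open_relay=open_relay)
        print(f"{label}: relays for strangers = {is_open_relay(policy)}")
```

The probe in is_open_relay is the same test an outside relay checker would run against the ISP's mail server, so it is worth running against your own policy after every configuration change, not just once.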
  10. Expectations of Vendors

    • Two key issues
      • Don't ship systems with security set at minimum levels
      • Be responsive to reported vulnerabilities


  11. Summary

    • Security is an ongoing - and important - part of running a network
    • Need well-understood Security and Acceptable Use policies
    • Need network of sysadmins who will keep up with security patches
    • Also need users to recognise security problems, and report them
    • GRIP WG is (or at least was) an Internet forum for setting community expectations

  12. Nevil Brownlee (nevil@caida.org)
    Last updated: 28 May 2001