Operational Security Capabilities for IP Network Infrastructure (opsec)
-----------------------------------------------------------------------

Charter
Last Modified: 2005-11-11

Current Status: Active Working Group

Chair(s):
    Ross Callon
    Patrick Cain

Operations and Management Area Director(s):
    Dan Romascanu
    David Kessens

Operations and Management Area Advisor:
    David Kessens

Technical Advisor(s):
    George Jones

Mailing Lists:
    General Discussion: opsec@ops.ietf.org
    To Subscribe: opsec-request@ops.ietf.org
    In Body: subscribe
    Archive: http://ops.ietf.org/lists/opsec/

Description of Working Group:

Goals

The goal of the Operational Security Working Group is to codify
knowledge gained through operational experience about feature sets
that are needed to securely deploy and operate managed network
elements providing transit services at the data link and IP layers.

It is anticipated that the codification of this knowledge will be an
aid to vendors in producing more securable network elements, and an
aid to operators in increasing security by deploying and configuring
more secure network elements.

Scope

The working group will list capabilities appropriate for devices used
in:

* Internet Service Provider (ISP) Networks
* Enterprise Networks

The following areas are excluded from the charter at this time:

* Wireless devices
* Small-Office-Home-Office (SOHO) devices
* Security devices (firewalls, Intrusion Detection Systems,
  Authentication Servers)
* Hosts

Methods

Framework Document

A framework document will be produced describing the scope, format,
intended use and documents to be produced.

Current Practices Document

A single document will be produced that attempts to capture current
practices related to secure operation. This will be primarily based
on operational experience. Each entry will list:

* threats addressed,
* current practices for addressing the threat,
* protocols, tools and technologies extant at the time of writing
  that are used to address the threat.

Individual Capability Documents

A series of documents will be produced covering various groupings of
security management capabilities needed to operate network elements
in a secure fashion. The capabilities will be described in terms that
allow implementations to change over time and will attempt to avoid
requiring any particular implementation. The capabilities documents
will cite the Current Practices document where possible for
justification.

Profile Documents

Profile documents will be produced, which cite the capabilities
relevant to different operating environments.

Operator Outreach

Much of the operational security knowledge that needs to be codified
resides with operators. In order to access their knowledge and reach
the working group goal, informal BoFs will be held at relevant
operator fora.

RFC3871 will be used as a jumping off point.

Goals and Milestones:

Done       Complete Charter
Done       First draft of Framework Document as Internet Draft
Done       First draft of Standards Survey Document as Internet Draft
Done       First draft of Packet Filtering Capabilities
Oct 2004   First draft of Event Logging Capabilities
Done       First draft of Network Operator Current Security Practices
Done       First draft of In-Band management capabilities
Done       First draft of Out-of-Band management capabilities
Jan 2005   First draft of Configuration and Management Interface
           Capabilities
Feb 2005   First draft of Authentication, Authorization, and
           Accounting (AAA) Capabilities
Feb 2005   First draft of Documentation and Assurance capabilities
Done       First draft of Miscellaneous capabilities
Mar 2005   First draft of Deliberations Summary document
Mar 2005   Submit Framework to IESG
Mar 2005   Submit Standards Survey to IESG
May 2005   Submit Network Operator Current Security Practices to IESG
May 2005   First draft of ISP Operational Security Capabilities
           Profile
May 2005   First draft of Enterprise Operational Security
           Capabilities Profile
Jun 2005   Submit Packet Filtering capabilities to IESG
Jun 2005   Submit Event Logging Capabilities document to IESG
Jul 2005   Submit In-Band management capabilities to IESG
Jul 2005   Submit Out-of-Band management capabilities to IESG
Aug 2005   Submit Configuration and Management Interface Capabilities
           to IESG
Aug 2005   Submit Authentication, Authorization and Accounting (AAA)
           capabilities document to IESG
Sep 2005   Submit Documentation and Assurance capabilities to IESG
Sep 2005   Submit Miscellaneous capabilities document to IESG
Dec 2005   Submit ISP Operational Security Capabilities Profile to
           IESG
Dec 2005   Submit Large Enterprise Operational Security Capabilities
           Profile to IESG
Dec 2005   Submit OPSEC Deliberation Summary document to IESG

Internet-Drafts:

Posted     Revised    I-D Title
------     -------    --------------------------------------------
Jan 2005   Jul 2006   Framework for Operational Security Capabilities
                      for IP Network Infrastructure
Jan 2005   Jun 2006   Security Best Practices Efforts and Documents
Feb 2005   Aug 2006   Operational Security Current Practices
Oct 2005   Sep 2006   Filtering and Rate Limiting Capabilities for IP
                      Network Infrastructure

Request For Comments:

None to date.