North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: The Awards: Best network service provider security architecture
- From: Sean Donelan
- Date: Tue Jan 21 16:57:14 2003
If you have done a good job negotiating Item 1, item 3 is redundant. On
the other hand if you have choosen a crappy backbone in Item 1, using
VPN/SSL/whatever to secure your packets won't help delay or nondelivery
On Tue, 21 Jan 2003, Owen DeLong wrote:
> I absolutely agree with Item 3. Sure, IP itself doesn't protect against
> those things, but if a BN doesn't provide service without delay,
> or nondelivery of otherwise adequately protected information (valid
> then the BN isn't very useful.
> If I met all the other criteria here, but blackholed half the traffic, my
> BN wouldn't be very good.
> --On Tuesday, January 21, 2003 15:07 -0500 Sean Donelan <firstname.lastname@example.org>
> > I've been looking at a lot of different technical security architectures
> > for network providers. Obviously many providers keep their security
> > secret, so they may or may not have a decent security architecture.
> > Nevertheless there is still a lot of good information available from
> > government agency networks, academics and vendors.
> > The best network service provider security architecture document
> > First Place: Information Assurance Technical Framework
> > Second Place: The ESNET unclassified Security Plan
> > Third Place: University of Washington Network Security Credo
> >> From the IATF document http://www.iatf.net/
> > 5.1 Availability of Backbone Network
> > I would disagree about item #3, IP is a datagram service, and does not
> > protect against delay or packet drops (see item #1). Otherwise this is a
> > decent list of functional security requirements for most Internet
> > backbone providers. Its short, but covers the big items.
> > 1. BNs must provide an agreed level of responsiveness, continuity of
> > service and resistance to accidental or intentional corruption of the
> > communications service. (The agreement is between the owners of the
> > network and the users of the network.)
> > 2. BNs are not required to provide security services of user data
> > (such as confidentiality and integrity)that is the user's
> > responsibility.
> > 3. BNs must protect against the delay, misdelivery, or nondelivery of
> > otherwise adequately protected information.
> > 4. BNs, as a part of the end-to-end information transfer system, must
> > provide the service transparently to the user.
> > 5. As part of the transparency requirement, the BN must operate
> > seamlessly with other backbones and local networks.