North American Network Operators Group

Re: The Awards: Best network service provider security architecture
If you have done a good job negotiating Item 1, item 3 is redundant. On
the other hand if you have chosen a crappy backbone in Item 1, using
VPN/SSL/whatever to secure your packets won't help delay or nondelivery
of packets.

On Tue, 21 Jan 2003, Owen DeLong wrote:

> I absolutely agree with Item 3. Sure, IP itself doesn't protect against
> those things, but if a BN doesn't provide service without delay,
> misdelivery, or nondelivery of otherwise adequately protected information
> (valid packets), then the BN isn't very useful.
>
> If I met all the other criteria here, but blackholed half the traffic, my
> BN wouldn't be very good.
>
> Owen
>
>
> --On Tuesday, January 21, 2003 15:07 -0500 Sean Donelan <[email protected]>
> wrote:
>
> > I've been looking at a lot of different technical security architectures
> > for network providers. Obviously many providers keep their security
> > secret, so they may or may not have a decent security architecture.
> > Nevertheless there is still a lot of good information available from
> > government agency networks, academics and vendors.
> >
> > The best network service provider security architecture document
> >
> > First Place: Information Assurance Technical Framework
> > Second Place: The ESNET unclassified Security Plan
> > Third Place: University of Washington Network Security Credo
> >
> > From the IATF document http://www.iatf.net/
> >
> > 5.1 Availability of Backbone Network
> >
> > I would disagree about item #3, IP is a datagram service, and does not
> > protect against delay or packet drops (see item #1). Otherwise this is a
> > decent list of functional security requirements for most Internet
> > backbone providers. It's short, but covers the big items.
> >
> > 1. BNs must provide an agreed level of responsiveness, continuity of
> >    service and resistance to accidental or intentional corruption of the
> >    communications service. (The agreement is between the owners of the
> >    network and the users of the network.)
> >
> > 2. BNs are not required to provide security services of user data
> >    (such as confidentiality and integrity) - that is the user's
> >    responsibility.
> >
> > 3. BNs must protect against the delay, misdelivery, or nondelivery of
> >    otherwise adequately protected information.
> >
> > 4. BNs, as a part of the end-to-end information transfer system, must
> >    provide the service transparently to the user.
> >
> > 5. As part of the transparency requirement, the BN must operate
> >    seamlessly with other backbones and local networks.