Hi, Saturday (5 February 2005)
Here's a rough draft of some WIMS security requirements, with a brief
rationale for each requirement.
In the past, we had decided that WIMS must create and maintain users,
groups, accounts, roles, etc. (at least to the extent of the End User,
Operator, Administrator roles used in IPP/1.1 security requirements).
That is clearly out-of-scope for basic WIMS v1.0.
The following minimum WIMS security requirements are in-scope:
(1) WIMS Agents and WIMS Managers MUST NOT transfer any information
extra-enterprise (e.g., across the public Internet) without strong
mutual authentication of the source and target of every WIMS message
(either by message-level security or session-level security).

(2) WIMS Agents and WIMS Managers SHOULD NOT transfer any information
extra-enterprise (e.g., across the public Internet) without strong
encryption of the entire information content of every WIMS message
(either by message-level security or session-level security).

(3) WIMS Agents and WIMS Managers MUST NOT transfer any configuration
information intra-enterprise without strong mutual authentication
of the source and target of every WIMS configuration message
(either by message-level security or session-level security).

(4) WIMS Agents and WIMS Managers SHOULD NOT transfer any monitoring
information intra-enterprise without strong mutual authentication
of the source and target of every WIMS monitoring message
(either by message-level security or session-level security).
Rationale for each requirement above:
(1) IP source address spoofing and IP target address interception and
redirection are trivially easy, with freely available hacker tools,
so HTTP without TLS or SMTP without S/MIME/PGP are unacceptable for
extra-enterprise communications.

(2) WIMS monitoring information transferred in cleartext over the public
Internet exposes considerable detail about the customer's network
that is useful to attackers.

(3) SNMPv1/v2 are NOT currently used for intra-enterprise configuration
because of the significant threat of network corruption - all
responsible security professionals recommend the restriction of
intra-enterprise configuration to protocols with strong mutual
authentication.

(4) The transfer of intra-enterprise accounting information without
strong mutual authentication makes verifiable billing impossible.
Comments?
Cheers,
- Ira
Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221 Grand Marais, MI 49839
phone: +1-906-494-2434
email: imcdonald at sharplabs.com
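The following is an added illustration, not code from Ira's message or from the PWG WIMS project: a small gate that enforces the four requirements above on a per-message basis, together with a minimal "message-level security" authenticator so that the alternative to session-level security (TLS) has a concrete shape. The names (WimsMessage, Channel, check_policy, sign, verify, violates), the shared-key HMAC scheme, and the timestamp/nonce replay window are all assumptions of this example; the key and messages are constructed for the demonstration.

```python
"""Per-message enforcement of the WIMS v1.0 security requirements (added example)."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass
class Channel:
    """Security properties of the path a message is about to take (assumed model)."""
    extra_enterprise: bool   # crosses the public Internet?
    mutual_auth: bool        # e.g. TLS with client certificates, or signed messages
    encrypted: bool          # e.g. TLS, or S/MIME/PGP on the message body


@dataclass
class WimsMessage:
    kind: str                # "configuration" or "monitoring" (assumed classes)
    body: dict


class PolicyViolation(Exception):
    """Raised for a MUST NOT case; SHOULD NOT cases come back as warnings."""


def check_policy(msg: WimsMessage, chan: Channel) -> list:
    """Apply requirements (1)-(4). Returns SHOULD NOT warnings; raises on MUST NOT."""
    warnings = []
    if chan.extra_enterprise:
        if not chan.mutual_auth:       # requirement (1), MUST NOT
            raise PolicyViolation("req 1: extra-enterprise transfer without mutual authentication")
        if not chan.encrypted:         # requirement (2), SHOULD NOT
            warnings.append("req 2: extra-enterprise transfer without encryption")
    else:
        if msg.kind == "configuration" and not chan.mutual_auth:   # requirement (3), MUST NOT
            raise PolicyViolation("req 3: intra-enterprise configuration without mutual authentication")
        if msg.kind == "monitoring" and not chan.mutual_auth:      # requirement (4), SHOULD NOT
            warnings.append("req 4: intra-enterprise monitoring without mutual authentication")
    return warnings


def _canonical(env: dict) -> bytes:
    # Deterministic encoding so sender and receiver MAC the same bytes.
    return json.dumps(env, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: WimsMessage, sender: str, key: bytes, now: float = None) -> dict:
    """Message-level authentication: HMAC-SHA256 over an envelope with timestamp and nonce."""
    now = time.time() if now is None else now
    env = {"sender": sender, "kind": msg.kind, "body": msg.body,
           "ts": int(now), "nonce": secrets.token_hex(8)}
    env["mac"] = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
    return env


def verify(env: dict, key: bytes, seen: set, now: float = None, max_skew: int = 300) -> WimsMessage:
    """Reject forged, tampered, stale, or replayed envelopes; return the message otherwise."""
    now = time.time() if now is None else now
    env = dict(env)
    mac = env.pop("mac", None)
    expected = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise PolicyViolation("message not authenticated (bad MAC)")
    if abs(now - env["ts"]) > max_skew:
        raise PolicyViolation("stale message (timestamp outside window)")
    if env["nonce"] in seen:
        raise PolicyViolation("replayed message (nonce already seen)")
    seen.add(env["nonce"])
    return WimsMessage(env["kind"], env["body"])


def violates(fn, *args, **kwargs) -> bool:
    """True if fn(...) raises PolicyViolation (helper for the demo below)."""
    try:
        fn(*args, **kwargs)
        return False
    except PolicyViolation:
        return True


if __name__ == "__main__":
    key = b"constructed-demo-shared-key"           # constructed; real deployments provision per-pair keys
    cfg = WimsMessage("configuration", {"queue": "lp1", "enabled": True})
    mon = WimsMessage("monitoring", {"queue": "lp1", "jobs": 3})
    print("intra cfg over plain HTTP rejected:", violates(check_policy, cfg, Channel(False, False, False)))
    print("intra mon over plain HTTP warnings:", check_policy(mon, Channel(False, False, False)))
    env = sign(cfg, "agent-1", key, now=1000)
    seen = set()
    print("verified:", verify(env, key, seen, now=1010))
    print("replay rejected:", violates(verify, env, key, seen, now=1010))
```

The policy gate treats the transport as a set of properties rather than a protocol name, so TLS with client certificates and a signed message body both satisfy "mutual authentication"; the authenticator shows why message-level security needs more than a MAC (the timestamp and nonce are what stop an intercepted configuration message from being replayed later).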