rfcdiff: draft-ietf-opsec-efforts-13.txt vs. draft-ietf-opsec-efforts-14.txt
(Text common to both drafts is shown once. Lines only in -13 are prefixed "<", lines only in -14 are prefixed ">".)

Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Intended status: Informational                             Cisco Systems
< Expires: May 15, 2011                                November 11, 2010
> Expires: August 11, 2011                              February 7, 2011

              Security Best Practices Efforts and Documents
<                   draft-ietf-opsec-efforts-13.txt
>                   draft-ietf-opsec-efforts-14.txt

Abstract

This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO).

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the

[skipping to change at page 1, line 38]

and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

< This Internet-Draft will expire on May 15, 2011.
> This Internet-Draft will expire on August 11, 2011.

Copyright Notice

< Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
> Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.

Table of Contents
1. Introduction
2. Format of this Document
3. Online Security Glossaries
<   3.1. ATIS Telecom Glossary 2000
>   3.1. ATIS Telecom Glossary 2007
    3.2. Internet Security Glossary - RFC 4949
    3.3. Compendium of Approved ITU-T Security Definitions
<   3.4. Microsoft Solutions for Security Glossary
>   3.4. Microsoft Malware Protection Center
    3.5. SANS Glossary of Security Terms
    3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler
>   3.7. NIST - Glossary of Key Information Security Terms
4. Standards Developing Organizations
    4.1. 3GPP - Third Generation Partnership Project
    4.2. 3GPP2 - Third Generation Partnership Project 2
    4.3. ANSI - The American National Standards Institute
        4.3.1. Accredited Standards Committee X9 (ASC X9)
    4.4. ATIS - Alliance for Telecommunications Industry Solutions
        4.4.1. ATIS NIPP - Network Interface, Power, and Protection Committee, formerly T1E1
        4.4.2. ATIS NPRQ - Network Performance, Reliability, and Quality of Service Committee, formerly T1A1
        4.4.3. ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1 O&B
        4.4.4. ATIS OPTXS - Optical Transport and Synchronization Committee, formerly T1X1
        4.4.5. ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P
        4.4.6. ATIS WTSC - Wireless Technologies and Systems Committee, formerly T1P1
        4.4.7. ATIS PTSC - Packet Technologies and Systems Committee, formerly T1S1
        4.4.8. ATIS Protocol Interworking Committee, regarding T1S1
    4.5. CC - Common Criteria
    4.6. DMTF - Distributed Management Task Force, Inc.
    4.7. ETSI - The European Telecommunications Standard Institute
    4.8. GGF - Global Grid Forum
    4.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc.
    4.10. IETF - The Internet Engineering Task Force
    4.11. INCITS - InterNational Committee for Information Technology Standards
        4.11.1. INCITS Technical Committee T11 - Fibre Channel Interfaces
    4.12. ISO - The International Organization for Standardization
    4.13. ITU - International Telecommunication Union
        4.13.1. ITU Telecommunication Standardization Sector - ITU-T
        4.13.2. ITU Radiocommunication Sector - ITU-R
        4.13.3. ITU Telecom Development - ITU-D
    4.14. OASIS - Organization for the Advancement of Structured Information Standards
    4.15. OIF - Optical Internetworking Forum
    4.16. NRIC - The Network Reliability and Interoperability Council
    4.17. National Security Telecommunications Advisory Committee (NSTAC)
    4.18. TIA - The Telecommunications Industry Association
    4.19. TTA - Telecommunications Technology Association
    4.20. The World Wide Web Consortium
    4.21. Web Services Interoperability Organization (WS-I)
5. Security Best Practices Efforts and Documents
    5.1. 3GPP - TSG SA WG3 (Security)
    5.2. 3GPP2 - TSG-S Working Group 4 (Security)
    5.3. American National Standard T1.276-2003 - Baseline Security Requirements for the Management Plane
    5.4. DMTF - Security Protection and Management (SPAM) Working Group
    5.5. DMTF - User and Security Working Group
    5.6. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End Standards and Solutions
        5.6.1. ATIS Work on Packet Filtering
    5.7. ATIS Work on the NGN
    5.8. Common Criteria
    5.9. ETSI
    5.10. GGF Security Area (SEC)
    5.11. Information System Security Assurance Architecture
    5.12. Operational Security Requirements for IP Network Infrastructure : Advanced Requirements
    5.13. INCITS CS1 - Cyber Security
    5.14. ISO Guidelines for the Management of IT Security - GMITS
    5.15. ISO JTC 1/SC 27
    5.16. ITU-T Study Group 2
    5.17. ITU-T Recommendation M.3016
    5.18. ITU-T Recommendation X.805
    5.19. ITU-T Study Group 16
    5.20. ITU-T Study Group 17
    5.21. Catalogue of ITU-T Recommendations related to Communications System Security
    5.22. ITU-T Security Manual
    5.23. ITU-T NGN Effort
    5.24. NRIC VI Focus Groups
    5.25. OASIS Security Joint Committee
    5.26. OASIS Security Services (SAML) TC
    5.27. OIF Implementation Agreements
    5.28. TIA
    5.29. WS-I Basic Security Profile
    5.30. NIST Special Publications (800 Series)
    5.31. NIST Interagency or Internal Reports (NISTIRs)
    5.32. NIST ITL Security Bulletins
>   5.33. SANS Information Security Reading Room
6. Security Considerations
7. IANA Considerations
8. Acknowledgments
9. Changes from Prior Drafts
Authors' Addresses
1. Introduction

The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply. Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with hopes of retaining an acceptable level, or even

[skipping to change at page 7, line 5 (-13) / page 6, line 7 (-14)]

document could be a useful reference in producing the documents described in the Working Group Charter. The authors have agreed to keep this document current and request that those who read it will submit corrections or comments.

Comments on this document may be addressed to the OpSec Working Group or directly to the authors.

opsec@ops.ietf.org

> This document will be updated in sections. The most recently updated part of this document is Section 3.

2. Format of this Document

The body of this document has three sections.

The first part of the body of this document, Section 3, contains a listing of online glossaries relating to networking and security. It is very important that the definitions of words relating to security and security events be consistent. Inconsistent usage of words across standards is unacceptable, as it would prevent a reader of two standards from appropriately relating their

[skipping to change at page 8, line 10]

The third part, Section 5, lists the documents which have been found to offer good practices or recommendations for securing networks and networking devices.

3. Online Security Glossaries

This section contains references to glossaries of network and computer security terms.

< 3.1. ATIS Telecom Glossary 2000
> 3.1. ATIS Telecom Glossary 2007

http://www.atis.org/tg2k/

< Under an approved T1 standards project (T1A1-20), an existing 5800-entry, search-enabled hypertext telecommunications glossary titled Federal Standard 1037C, Glossary of Telecommunication Terms, was updated and matured into this glossary, T1.523-2001, Telecom Glossary 2000. This updated glossary was posted on the Web as an American National Standard (ANS).

> This Glossary began as a 5800-entry, search-enabled hypertext telecommunications glossary titled Federal Standard 1037C, Glossary of Telecommunication Terms. Federal Standard 1037C was updated and matured into an American National Standard (ANS): T1.523-2001, Telecom Glossary 2000, under the aegis of ASC T1. In turn, T1.523-2001 has been revised and redesignated under the ATIS procedures for ANS development as ATIS-0100523.2007, ATIS Telecom Glossary 2007.

> Date published: 2007

3.2. Internet Security Glossary - RFC 4949

http://www.ietf.org/rfc/rfc4949.txt

This document was originally created as RFC 2828 in May 2000. It was revised as RFC 4949, and the document defines itself to be "an internally consistent, complementary set of abbreviations, definitions, explanations, and recommendations for use of terminology related to information system security."

> Date published: August 2007

3.3. Compendium of Approved ITU-T Security Definitions

< http://www.itu.int/itudoc/itu-t/com17/activity/def004.html
> http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

Addendum to the Compendium of the Approved ITU-T Security-related Definitions

< http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

These extensive materials were created from approved ITU-T Recommendations with a view toward establishing a common understanding and use of security terms within ITU-T.
> The original Compendium was compiled by SG 17, Lead Study Group on Communication Systems Security (LSG-CSS).

> http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

> Date published: 2003

< 3.4. Microsoft Solutions for Security Glossary
> 3.4. Microsoft Malware Protection Center

http://www.microsoft.com/security/glossary.mspx

< The Microsoft Solutions for Security Glossary was created to explain the concepts, technologies, and products associated with computer security. This glossary contains several definitions specific to Microsoft proprietary technologies and product solutions.

> The Microsoft Malware Protection Center, Threat Research and Response Glossary was created to explain the concepts, technologies, and products associated with computer security.

> Date published: indeterminate

3.5. SANS Glossary of Security Terms

http://www.sans.org/resources/glossary.php

The SANS Institute (SysAdmin, Audit, Network, Security) was created in 1989 as "a cooperative research and education organization."
< Updated in May 2003, SANS cites the NSA for their help in creating the online glossary of security terms.
> This glossary was updated in May 2003.
The SANS Institute is also home to many other resources including the SANS Intrusion Detection FAQ and the SANS/FBI Top 20 Vulnerabilities List.

> Date published: indeterminate

3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler

http://www.garlic.com/~lynn/secure.htm

Anne and Lynn Wheeler maintain a security taxonomy and glossary with terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1, FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53, 800-61, 800-77, 800-83, FIPS140, NASA, NCSC/TG004, NIAP, NSA Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504, RFC2647, RFC2828, TCSEC, TDI, and TNI.

> Date updated: October 2010

> 3.7. NIST - Glossary of Key Information Security Terms
>
> http://csrc.nist.gov/publications/nistir/NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf
>
> This glossary of basic security terms has been extracted from NIST Federal Information Processing Standards (FIPS) and the Special Publication (SP) 800 series. The terms included are not all inclusive of terms found in these publications, but are a subset of basic terms that are most frequently used. The purpose of this glossary is to provide a central resource of definitions most commonly used in NIST security publications.
>
> Date published: April 2006

4. Standards Developing Organizations

This section of this document lists the SDOs, or organizations that appear to be developing security related standards. These SDOs are listed in alphabetical order.

Note: The authors would appreciate corrections and additions. This note will be removed before publication as an RFC.

4.1. 3GPP - Third Generation Partnership Project
[skipping to change at page 29, line 5 (-13) / page 30, line 5 (-14)]

ITL Bulletins are published by NIST's Information Technology Laboratory, with most bulletins written by the Computer Security Division. These bulletins are published on the average of six times a year. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Not all ITL Bulletins that are published relate to computer / network security. Only the computer security ITL Bulletins are found here.

> 5.33. SANS Information Security Reading Room
>
> http://www.sans.org/reading_room/
>
> Featuring over 1,885 original computer security white papers in 75 different categories.
>
> Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated.

6. Security Considerations

This document describes efforts to standardize security practices and documents. As such, this document offers no security guidance whatsoever.

Readers of this document should be aware of the date of publication of this document. It is feared that they may assume that the efforts, on-line material, and documents are current whereas they may not be. Please consider this when reading this document.

[skipping to change at page 31, line 13 (-13) / page 33, line 13 (-14)]

IANA to do anything.

8. Acknowledgments

The following people have contributed to this document. Listing their names here does not mean that they endorse the document, but that they have contributed to its substance.

< David Black, Mark Ellison, George Jones, Keith McCloghrie, John McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce Moon.
> David Black, Mark Ellison, George Jones, Keith McCloghrie, John McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce Moon, Stephen Kent, Steve Wolff.

9. Changes from Prior Drafts

-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

-01 : Security Glossaries:
      Added ATIS Telecom Glossary 2000, Critical Infrastructure Glossary of Terms and Acronyms, Microsoft Solutions for Security Glossary, and USC InfoSec Glossary.

[skipping to change at page 34, line 20 (-13) / page 36, line 20 (-14)]

-10 : Tenth revision of the WG ID.
      Added references to NIST documents, recommended by Steve Wolff.
      Updated the date.

-11 : Eleventh revision of the WG ID.
      Updated the date.

< -12 : Eleventh revision of the WG ID.
> -12 : Twelfth revision of the WG ID.
      Updated the date.

-13 : Nothing new.
      Updated the date.

> -14 : Fourteenth revision of the WG ID.
>       Updated the date and reviewed the accuracy of Section 3.
>       Updated the section on Compendium of Approved ITU-T Security Definitions.
>       Updated the section on the Microsoft glossary.
>       Updated the section on the SANS glossary.
>       Added the NIST Security glossary.
>       Added dates to all glossaries - where I could find them.
>       Added the SANS Reading Room material to Section 5.

Note: This section will be removed before publication as an RFC.

Authors' Addresses

Chris Lonvick
Cisco Systems
12515 Research Blvd.
Austin, Texas 78759
US

End of changes. 47 change blocks. 99 lines changed or deleted, 165 lines changed or added.

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/