[cgl_discussion] Latest draft on security requirements

Stephen Hemminger shemminger at osdl.org
Tue Nov 12 14:01:00 PST 2002

On Tue, 2002-11-12 at 13:50, Mika Kukkonen wrote:
> On ti, 2002-11-12 at 12:12, Stephen Hemminger wrote:
> (...)
> > A couple of questions:
> > a) What if any of this is unique to carrier grade systems? Isn't most of
> > this a generic "hostile environment" server requirement. What makes
> > Ericsson any more or less demanding than Ebay or Yahoo?
> If Yahoo or Ebay becomes compromised, they will probably lose some
> significant amount of money. If a telecom network gets compromised and
> the fault can be pointed to the TEM's insecure implementation, the TEM
> in question will lose a significant amount of money _and_ can expect a
> "visit" from local authorities ... See the difference?

That is the point of the threat model.

> Or to say it shortly, security requirements for telecom systems
> are defined and written by government agencies, not by paid-by-hour
> consultants.

But do the CGL requirements meet the required international standards?
And are these standards likely to be applied to commercial systems?

Probably yes to both.

> > b) What is the "Threat Model" for carrier grade systems?  A threat model
> > is a business level description which describes what the risk and
> > exposure is and allows sizing the expense of fixing it.
> So you are asking us to write a sizable document about threat models?
> Let me make a counter-proposal: you write a document describing the
> threat models of DCL systems, and we CGL people will be happy to point
> out the differences of our respective models :-)
> > Lots of the solutions described may be expensive to implement and not
> > match real threats. Other ones like signed binaries are easily overcome
> > without a trusted computing base in the kernel.
> Read the document. It describes four levels of security, from "no
> security" to "paranoid". There is probably a need for all four levels
> in carrier grade environment, and the solutions used will vary
> accordingly.

The problem is that it just isn't paranoid enough; knowing the security
folks in DRM environments, this just doesn't go far enough.  I really
think that without TCA platform support the rest of the infrastructure
becomes a Maginot line of security (i.e. it looks big and tall, but the army
of hackers just marches around it).
