Security Information

2007 Advanced Technical Security Symposium Security Series Web Seminars Security Awareness Services Blackhole DNS E-mail Virus and Spam Filtering Good Net Neighbor Service - Phase 1 Good Net Neighbor Service - Phase 2 Internet Content Filtering Remote Vulnerability Assessment Service Incident Response Incident Response Online Incident Report Security Tools and Documents Security Tools Security Policies and Presentations Security Contact Information E-mail: security@more.net Phone: 1-800-509-6673 Fax: +1-573-884-7699

MOREnet Security Practices

Document Status

This document describes current MOREnet practices in implementing these existing policies:

• MOREnet Service Policies:
  http://www.more.net/about/servicepolicies/

The current version of this document is maintained at http://www.more.net/security/materials/practices.

Nothing in this document signifies any change in the way MOREnet does business. This practice document simply documents MOREnet Security event handling methodology and implementation as practiced over the last five years.

If you have questions about this MOREnet Security Practices document, its interpretation or enforcement, please e-mail security@more.net.

Philosophy

MOREnet currently manages over 1,100 edge routers at customer sites, and provides security services to each site. MOREnet customer contracts are for bandwidth; there is no funding, staffing or provision for local firewalls, proxy servers, intrusion detection or other traditionally local security measures.

MOREnet uses several tools to provide security services to customers, and support the MOREnet Service Policies. These defensive measures include Access Control Lists and scanning.

Access Control Lists

Access Control Lists (ACLs) are a feature in many router and server operating systems. ACLs can examine each network packet, by source, destination, ports in use and protocol. They are a valid tool for network defense. However, ACLs slow down routing because as they consume processor time. MOREnet does not use ACLs in devices that MOREnet manages for this reason.

MOREnet expressly reserves the right to implement ACLs in any MOREnet managed edge devices during an immediate security event to protect MOREnet, the MOREnet network, other MOREnet customers and outside networks.

Support of Access Control Lists for Customers

MOREnet provides informational support on router ACLs for customers. MOREnet does not provide ACLs for customers to enforce local policies.

Scanning

Scanning refers to a series of messages sent over the Internet, each associated with a "well-known" port number that a computer provides. The response received indicates whether the port is used and frequently returns information on a system's software and version. Scanning involves collection of information that can be viewed by any Internet connection.

MOREnet Security staff may, on reasonable suspicion of a threat to the shared network, defensively scan without notice to make an initial risk assessment and/or confirm a reported potential breach of the MOREnet Service Policies. These scans may be of a single customer machine or an entire customer network, based on the risk to the shared network.

Scope and Duration of Defensive Measures

MOREnet will tailor any defensive measures taken to defend against a specific problem. Reasonable efforts will be made to work with an organization in order to limit impact of any ACL. It should be noted, however, that in networks without IP accountability, any blocking may have a greater impact than a single computer.

MOREnet-employed defensive measures will also be limited in time to that which is reasonably necessary to remove an active threat from the network, but may be extended at MOREnet's discretion when MOREnet Security certifies the customer is making good faith efforts to restore accountability and risk mitigation.

The MOREnet Service Policies state "the Member is responsible for Acceptable Use compliance by its authorized users." MOREnet reserves the right to continue any block where there is a failure to provide accountability, pending review by the MOREnet Executive Director. Networks and devices that are not accountable cannot ensure compliance.

Immediate Security Events Defined

The following are established "immediate security events."

• Attacks in progress
• Denial of service conditions
• Compromise of accountability

This list is not exhaustive. Technologies change and as new exploits are discovered, this list is likely to be modified.

The following events are not "immediate security events."

• Unauthorized port scanning, network scanning, banner grabbing and other forms of reconnaissance. While these activities are commonly viewed as reconnaissance prior to an attack, they gather only publicly visible information. Scans are security events, but not viewed as critical for triage purposes. Scanning in large volume, however, can create denial of service conditions.
• Violations of local policies that are not also violations of MOREnet policies.
• Events that are no longer "immediate" and do not represent an ongoing risk to MOREnet, the MOREnet infrastructure, other MOREnet customers or the Internet at large.

Responsibilities for Network Devices

1. Customers are responsible for making reasonable efforts to ensure that those connected through them comply with the MOREnet Service Polices. Internet-visible networks and devices that do not provide accountability cannot ensure compliance.
2. Customers are responsible for enforcing their own local security and acceptable use policies. MOREnet will assist and cooperate where reasonably possible, but does not do so via access control lists on managed devices.
3. Customers are responsible for ensuring their own compliance with applicable state and federal laws.
4. Customers are responsible for exercising due diligence in operating and maintaining Internet-visible devices connected through MOREnet.
5. Customers are strongly encouraged to defend their own networks and to implement sound security policies, maintenance and change control practices, architecture and enabling technologies (such as firewalls) in defense of their own networks. MOREnet does not have funding or staff to maintain customer internal networks and devices.
6. Where a site has been repeatedly advised of lack of accountability and has failed to make reasonable efforts to provide accountability, future similar violations will be handled as organizational breaches of the MOREnet Service Polices. MOREnet may, at its discretion, continue any reasonably necessary defensive measures pending resolution of that complaint.