well-known-security/safelist.md

# Refined General Structure

## Hierarchical Approach

1. Manufacturer Level:
   - Contains general policies and information applicable to all devices from that manufacturer.
   - Includes a `safelist-ips.json` and `security-contact.json` relevant to the entire range of products.
2. Device-Specific Level:
   - Provides detailed, device-specific instructions and information.
   - Contains its own `safelist-ips.json`, `security-contact.json`, and `firewall-profile.json`.
   - Device-specific information overrides manufacturer-level information when present.

## Example Structure

```
/.well-known/device-instructions
    /{manufacturer}
        /safelist-ips.json              # Manufacturer-level IP safelist
        /security-contact.json          # Manufacturer-level security contact
        /{device-model}
            /instructions.json          # Specific device instructions
            /firewall-profile.json      # Device-specific firewall profile
            /safelist-ips.json          # Device-specific IP safelist
            /security-contact.json      # Device-specific security contact
```

## Precedence Rules

- Device-Specific Over Manufacturer-Level: Routers and other network management tools should prioritize device-specific instructions and settings. If a device-specific `safelist-ips.json` or `security-contact.json` exists, it should override the manufacturer-level files.
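The lookup order above, as an added example that is not part of this repository's code. It resolves the effective safelist and security contact for a given manufacturer and model, trying the device-specific path first and falling back to the manufacturer-level file only when the device-specific one is absent. The "site" is a constructed in-memory dictionary standing in for HTTPS fetches, and the JSON schemas (`{"ips": [...]}` and `{"email": ...}`) are assumptions; this page does not define them. Safelist entries that do not parse as an IP address or CIDR block are dropped rather than passed on to a firewall, which only ever narrows the safelist.

```python
import ipaddress
import json

BASE = "/.well-known/device-instructions"

# Constructed sample of what a resolver would receive when fetching paths on a
# manufacturer's site. Missing keys stand for HTTP 404. The JSON schema here
# ({"ips": [...]}, {"email": ...}) is an assumption, not defined by the spec.
SAMPLE_SITE = {
    f"{BASE}/acme/safelist-ips.json":
        '{"ips": ["203.0.113.0/24", "198.51.100.7"]}',
    f"{BASE}/acme/security-contact.json":
        '{"email": "security@acme.example"}',
    f"{BASE}/acme/cam-200/safelist-ips.json":
        '{"ips": ["198.51.100.7", "not-an-ip", "2001:db8::/32"]}',
    # cam-200 publishes no security-contact.json, so the manufacturer-level
    # contact applies to it.
    f"{BASE}/acme/cam-200/instructions.json":
        '{"note": "constructed sample"}',
}


def _segment(value):
    """Reject manufacturer/model values that could escape the .well-known tree."""
    if not value or "/" in value or value in (".", ".."):
        raise ValueError(f"invalid path segment: {value!r}")
    return value


def fetch(site, path):
    """Stand-in for an HTTPS GET: parsed JSON, or None on 404 / malformed body."""
    body = site.get(path)
    if body is None:
        return None
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def resolve_file(site, manufacturer, model, name):
    """Return (document, path) for the most specific copy of `name` that exists.

    The device-specific file replaces the manufacturer-level file outright;
    the two are not merged.
    """
    manufacturer, model = _segment(manufacturer), _segment(model)
    candidates = (
        f"{BASE}/{manufacturer}/{model}/{name}",  # device-specific wins
        f"{BASE}/{manufacturer}/{name}",          # manufacturer-level fallback
    )
    for path in candidates:
        doc = fetch(site, path)
        if doc is not None:
            return doc, path
    return None, None


def effective_safelist(site, manufacturer, model):
    """Effective IP safelist as normalized CIDR strings, plus the file it came from."""
    doc, source = resolve_file(site, manufacturer, model, "safelist-ips.json")
    if doc is None:
        return [], None
    networks = []
    for entry in doc.get("ips", []):
        try:
            networks.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            continue  # never forward an unparsable entry to a firewall
    return networks, source


def effective_contact(site, manufacturer, model):
    """Effective security contact e-mail, plus the file it came from."""
    doc, source = resolve_file(site, manufacturer, model, "security-contact.json")
    if doc is None:
        return None, None
    return doc.get("email"), source


if __name__ == "__main__":
    for model in ("cam-200", "router-x"):
        print(model, effective_safelist(SAMPLE_SITE, "acme", model))
        print(model, effective_contact(SAMPLE_SITE, "acme", model))
```

Because override means replace rather than merge, `cam-200` ends up with only its own two valid entries and none of the manufacturer-wide ranges, while a model with no file of its own (`router-x`) inherits the manufacturer list unchanged.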

## Goals for Hierarchical Safelist and Contacts

- Flexibility and Specificity: Allow for both broad policies applicable across all devices and specific configurations tailored to individual models.
- Clarity in Implementation: Ensure that device-specific precedence over manufacturer-level information is clear and easy to implement in network management systems.
- Enhanced Security and Compatibility: Provide more precise security and operational guidelines, enhancing each device's security posture and operational compatibility.

## Additional Considerations

- Documentation and Communication: Document the hierarchy and precedence rules, ensuring manufacturers and network administrators understand how to implement and interpret these files.
- Update Mechanisms: Establish efficient processes for updating manufacturer-level and device-specific files to keep them current and relevant.
- Testing and Validation: Rigorously test the hierarchical structure to ensure routers and network tools correctly apply the precedence rules in various scenarios.

With this refined structure, you can create a robust framework for disseminating device and manufacturer-specific firewall profiles, IP safelists, and security contacts, greatly enhancing networked devices' security and operational efficiency.