CURRENT MEETING REPORT
Reported by Barbara Fraser, CERT Coordination Center and Phil
Nesser, Nesser & Nesser Consulting
Minutes of the Site Security Handbook Working Group (SSH)
The Site Security Handbook Working Group met once during this IETF.
The purpose of the meeting was to review the current draft document,
and resolve any missing pieces.
Agenda
o Find Volunteer Note Taker
o Phil Nesser kindly volunteered and did a magnificent job!
o Review Draft
o Error/Corrections
o Missing Pieces
o Develop Draft Outline for the User's Site Security Handbook
I. Review Draft
Barbara had a list of items that the group discussed.
o Check contents of 1.1 & 1.2
These are introductory sections that were pulled from the original
RFC 1244. The general consensus was that they are fine. The group
did decide to define the term "administrators" and use it to refer to
"system and network administrators" throughout the text of the
book.
o Pointer to RFC by Haller & Atkinson on Internet Authentication.
We found it: RFC 1704.
o Need pointer to RFC or draft on SSH (secure shell).
There was general agreement that we needed to include this in the
list of tools in the appendix. There's a current draft, but unless/until
it is accepted, we won't include a reference to the document.
o Should we provide pointers to the original locations for the tools
section?
The group would really like to provide pointers to the original
locations for the tools. This may be difficult for some, but we'll start
with the list that the DFN-CERT has created. As far as general
purpose sites, the group decided to leave the list as it currently
stands: CERT, DFN-CERT, and COAST.
o References and Bibliography
We need to update this section from RFC 1244 to include any valuable
new material that has been published within the last 5 years. The
group identified the following list and suggested that we continue to
solicit input from the mailing list. We will need to complete the
citation for each of the following as well as ensure we've got the
correct spelling, title, etc.:
o Cheswick & Bellovin: Firewalls & Internet Security
o Chapman & Zwicky: Firewalls in a Nutshell
o NIST publication on Firewalls & Security (David Chadwick
will review NIST items)
o Kaufman, Perlman, et al: Book on Network Security
o Garfinkel: PGP Book
o RFC 1760: One Time Password
o Peter Klaus's FAQ's
o Dan Farmer & Venema's unpublished info
o Garfinkel & Spafford: Practical Unix Security (New
version due out after the first of the year. BYF to get info)
o Cloud information submission (Public Operators Network Services)
We had some material submitted for inclusion that Barbara wasn't
sure where to place within the document. After some discussion, we
decided to insert it right after the current material on modems.
Hans Kronk agreed to review the submission to see how it fits in.
The topic of public networks (e.g., AOL, Compuserve, MSN, etc.)
came up and Neville suggested that we include some words about
these within the "Access Section" and will work on it. Also, it was
suggested that we also need to expand the access section to include
physical access. Neville will work on this as well.
o Chapter 2
o Should "AUP" be included in 2.1.2? (Gary will add it)
o 2.1.3 lists the people who should be included in the definition
of a security policy. The question was raised as to whether it
should also include "Audit Personnel". It was decided that we
wouldn't include it in the list, but we would include a sentence
stating that it might be appropriate for audit personnel to be
included in some organizations. After lots of debate it was
decided to remove "local & national" from the 5th item in this
list (on response teams).
o In 2.1.3 enumerations regarding the components of a good
security policy, there was discussion concerning the addition of
a few items.
o Should we add paragraphs about configuration of machines?
We decided to hold this until configuration section was
completed.
o Should we add paragraphs about users needing to access other
users' accounts? We decided to add a sentence along the lines of
"What circumstances are acceptable for one user needing to access
another user's privileges". The concern here was that of
avoiding "garbage truck syndrome", where all the knowledge
is held by a single individual. The group decided to add a
bullet about redundant information.
o Chapter 3
This chapter is on architecture and it was noted that we needed
to make 3.1 & 3.2 act harmoniously together. These are the
sections on objectives and network/service configurations. It was
decided that we'll move the information in 3.1.2.x into 3.2 (Gary
Malkin will do this as author of 3.2). We also discussed a section
on "typical concerns and weaknesses of existing services" but
decided to go with the move to 3.2. Additionally, as we discuss
each service, we'll include why they should be on separate
servers.
It was decided that we need an introduction to the Architecture
Chapter. BYF will write it.
o We are still missing section 3.3 Firewalls. This section will
discuss what a firewall can and cannot do for you; a balanced
look at the pros and cons of firewalls. Phil Nesser and Lorna
Leong volunteered to write this section.
o Chapter 4
We need an introductory section between 4 and 4.1: BYF will write
it. This section needs to guide the reader through the contents of
the chapter and suggest that the subject of cryptography runs
throughout the chapter and that a basic understanding of
cryptography will enhance the value of this chapter to the
reader. We will include the general information written by Uri
Blumenthal in an appendix and provide a pointer to it at this
point in the document. Other text from Uri will be incorporated
into the respective sections now that we've restructured this
chapter.
Other comments regarding this chapter include:
o 4.1.2 Kerberos: Larry Gerhardstein will do it
o Section 4.1.5 Digital Signatures: Russ Mundy will take it
o Insert a new "4.2 Confidentiality": Russ Mundy will take it
o Insert a new "4.3 Integrity" which will include both data,
backup & system: Russ Mundy will take it
o Move "Modem" section under "Access"
o Move Crypto section to Appendices
o Change "Backups" to "Securing Backups": Russ Mundy will
take it
o Split the backups material: discuss encryption as a way of
securing your backed-up data here, and move the physical security
of the backups into the physical access section. Also include in
this section some discussion that backup tapes may have bad
information on them.
With all the changes, the following is the new outline for
chapter 4:
o 4.1 Authentication
o 4.2 Confidentiality
o 4.3 Integrity
o 4.4 Authorization
o 4.5 Access
o Modems
o 4.6 Auditing
o 4.7 Securing Backups
o Offsite
o Long Term Storage
o Chapter 5
This chapter is a very comprehensive treatment of incident
response. The problem is that it is half the entire book. While
the group would like to see it trimmed down, they also didn't
want to lose any of the valuable content. With that in mind:
o Erik Guttman will try to condense but not remove content.
o Make sure the chapter contains some information about secure
communications when handling an incident
o Chapter 6
o Compliance Management needs to be addressed
o Will be done by: Shane Davis
o Gary will add a bullet in the Policy Section between 2.2.6 &
2.2.7
o Change title from "Maintenance & Evaluation" to "Ongoing
Activities"
o Need to point out that the policy is ongoing and changing and
needs to be periodically reevaluated
o Need to put a section on Risk Management to the front.
o Chapter 6 STILL NEEDS A WRITER!!
o References and Appendices: Barbara & Gary will work on them
o Gary Malkin volunteers to create an index of the whole
document when it is finished.
II. Users' document
By the time we completed the review of the draft, we no longer had
time to work on the outline for the users' document. Gary Malkin
volunteered to post a strawman to the list, and we agreed to discuss it in
that forum. The group reminded itself of earlier conversations on the
users' document:
o More like a checklist of things you need to do, e.g., "You should know
about your company's security policy"
o Written in first person, directly to the user
III. Administrivia
The current draft will be submitted as an Internet-Draft right after this
IETF.
New text is due by January 31, 1996. Barbara will get a new draft
submitted by mid-February to allow for ample review time prior to the
next IETF. We hope to have a final draft at that time with only
editorial changes needed before submission to the area director.
The group plans to meet twice in Los Angeles, once to finish this
document and once more to work on the users' document.
Important Groups we don't conflict with: USWG, GRIP, CIDRD, PIER,
and various security groups.