Current Meeting Report

Reported by Barbara Fraser/CERT Coordination Center

Minutes of the Site Security Handbook Working Group (SSH)

The Site Security Handbook Working Group met twice during this IETF
meeting.  The purpose of the two meetings was to review the
Internet-Draft, draft-ietf-ssh-handbook-00.txt, and to address any
missing pieces.


Review of Existing Draft

It was noted that the current draft does not include a table of
contents.  This will be addressed in later drafts.  There was discussion
on the list prior to the IETF meeting that the title of the document be
the same as that of RFC 1244, Site Security Handbook.  It was agreed at
the meeting to do this.  The group also agreed to keep the Introductory
chapter very short.  It was suggested that a general definition of
computer security/infosec be included in the Introduction, and Jussi
Leiwo agreed to provide some sentences.


Chapter 2 -- Policy

The material in this chapter will be reviewed by Gary Malkin, who will
also check it against the material in RFC 1244 and other sources.  It is
most important to make sure readers know they must have a policy.


Chapter 3 -- Security Procedures

It was decided to make this Chapter 4 and place it after the chapter on
architecture.  A revised outline is included at the end of these
minutes.

3.1 Authentication:  The group wants to shorten the coverage of general
passwords and emphasize the use of better authentication techniques.  In
particular, cover adapting the rules for password selection to the
choice of secret tokens where they are used (e.g., S/Key, PGP secret
key, etc.), and the protection of such information.  We also want to
point out the limitations of password aging and password selection
within the context of general reusable passwords: an intruder who
captures a password will use it immediately, and will not wait around
until the site may have changed it.

3.2 Authorization:  Some of the points to be made are that every user's
space should be protected, with open space set aside for shared
information, and that sites should ensure that the binaries being used
are the ones that are expected.  Granting users access into private
spaces through subdirectories was also mentioned.  We also need to teach
users how to maintain access control in their own areas.

3.3 Access and 3.4 Modems:  Nevil Brownlee agreed to write this section
(Joao Nuno Ferreira and Vasily Savin will help with content).  The group
spent some time discussing what direction to take.  How to handle this
section in relation to the previous section on authorization was also
discussed; it will be sorted out once there is content to look at.
One idea for organizing this section was to treat it in terms of access
to the local infrastructure from public networks (e.g., via modems),
access via the network, and physical access.  Points of entry to/from
the public telephone network, X.25, and FAX need careful controls.  We
have a fair amount of information on modems, and it remains to be seen
how we will fit everything together here.

3.5 Cryptography:  Uri said he would have a section to the list by the
end of July.  The group did not discuss this section other than to say
we wanted to include a general description of cryptography for system
administrators and users, and we will only include general comments
about the variability of restrictions in use of cryptography in
countries.  We will not attempt to include specific restrictions that
are in place today since we cannot provide a comprehensive set, and they
will date anyway.

3.6 Auditing:  There is some duplication of material with Chapter 5.
It was mentioned that we want to say that accounting information needs
to be secured in the same way that auditing information does.  There
was some discussion on the definitions of logging, accounting, and
auditing within the context of this document.  The group decided to
start with the following definitions:


  o logging -- Collecting the information

  o accounting -- Generating bills/preparing reports from the logged
    information

  o auditing -- Looking for discrepancies/inconsistencies/violation of
    policy, etc.


The group decided that this section should include a discussion of
regular review of logs and of filtering logs for events that are
significant to the organization.  Sections need to be added on how to
use the data and when to use it (active real-time versus passive
off-line).  The group also discussed what to collect:  system integrity
data, user activities, and process accounting.
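The three stages the group defined (logging collects, accounting reports, auditing looks for policy violations) applied to a handful of constructed login records, as an added example that is not part of the minutes or the handbook.  The log format, the internal address range, the work-hours window and the rule that root may only log in from inside are all assumptions made for the illustration.

```python
"""Added example (not from the minutes): logging, accounting and
auditing as three distinct stages over constructed login records."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines, loosely syslog-shaped; not real data.
SAMPLE_LOG = """\
Jul 10 08:01:12 host1 login: LOGIN ON ttyp0 BY alice FROM 10.0.1.20
Jul 10 08:05:44 host1 login: LOGIN ON ttyp1 BY bob FROM 10.0.1.31
Jul 10 23:12:03 host1 login: LOGIN ON ttyp2 BY root FROM 192.0.2.77
Jul 10 23:13:09 host1 login: LOGIN ON ttyp2 BY alice FROM 192.0.2.77
Jul 11 02:40:51 host1 login: LOGIN ON ttyp3 BY bob FROM 10.0.1.31
"""
LINE_RE = re.compile(
    r"^(\w{3}) (\d+) (\d\d):\d\d:\d\d \S+ login: LOGIN ON \S+ BY (\S+) FROM (\S+)$")

# Assumed (hypothetical) site policy: the internal network is 10.0.0.0/8,
# root may only log in from inside it, and interactive logins are
# expected only between 07:00 and 19:59.
INTERNAL = ip_network("10.0.0.0/8")
WORK_HOURS = range(7, 20)

def logging_stage(text):
    """Collect: parse raw lines into records.  Lines that do not match
    the expected format are ignored in this toy version."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            month, day, hour, user, src = m.groups()
            records.append({"day": f"{month} {day}", "hour": int(hour),
                            "user": user, "src": src})
    return records

def accounting_stage(records):
    """Report: number of logins per user (the 'bill')."""
    return dict(Counter(r["user"] for r in records))

def auditing_stage(records):
    """Audit: flag each record that violates the assumed policy."""
    findings = []
    for r in records:
        outside = ip_address(r["src"]) not in INTERNAL
        if r["user"] == "root" and outside:
            findings.append(("root-from-outside", r))
        if r["hour"] not in WORK_HOURS:
            findings.append(("off-hours-login", r))
    return findings
```

The same records feed all three stages; only the auditing stage needs the policy, which is why the group separates it from plain collection and reporting.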


Chapter 4 -- Architecture

This chapter will be Chapter 3 in the next revision.  This area of the
document had no material, and it is still not clear exactly what we want
to include here.  For the time being we will continue with the current
outline.

4.1 Objectives:  Philip Nesser was not able to attend the meeting but he
should have something soon.

4.2 Service Configuration:  There was considerable discussion about what
the differences were between this section and the next section, Network
Configurations.  Gary Malkin put up an overhead with the following
divisions, and this served to fuel the follow-on discussion.


  o Service configurations

     -  Anonymous/guest users
     -  Collocating services
     -  Denial of service
     -  Unauth services
     -  WWW...

  o Network configurations

     -  Topology
         * Subnet isolation
         * Externally accessible subnets
         * Stub vs.  transit

     -  Infrastructure elements
         * DNS
         * Routing
         * E-mail

     -  Network management
         * Monitoring
         * Configuration


Discussion also included subjects the group would like to make sure are
covered.  For example, concerning internal use, restrict access to
shared resources and make sure you know the extent of the sharing (e.g.,
NFS, FTP archives, internal netnews, tftp files).  Another area is
providing services for external users, with concerns about world-writable
areas, guest accounts, and dialup.  Under guest accounts, limited
capability and limited duration were mentioned.  Additionally, sites
need to actively manage these accounts, including careful management of
vendor access and special-function IDs.  Shell escapes and denial of
service were also discussed.  Tony Hain said he would provide some
material on special-function IDs and on avoiding shell escapes and other
problems in restricted environments.

4.4 Firewalls:  This was another area that we have no material for yet,
but there is strong consensus that we must provide the section.  Some
time was spent talking about an outline of topics for this section:


  o What is a firewall and what it is used for

  o Pros, cons, and limitations

  o Various types of firewalls and for each the pros, cons, and
    limitations, administrative requirements, costs, expertise
    required, and authentication capability

  o Cost benefit analysis

  o Separation of tasks inside network -- different departments will
    have different needs

  o List of services from inside to outside and vice versa

  o Include references


Chapter 5 -- Incident Handling

There is a lot of material in this chapter, and the authors will work to
compress and organize it into its best form.  A couple of specific items
to be included were identified:  pulling the plug (when to do it, or how
to decide to do it); the need for an integrity tool/model in order to be
able to find deltas; a caution to sites that their own tools may be
traitors (including binaries, config files, logs, and libraries); and
the use of CD-ROMs to protect a toolset.


Chapter 6 -- Maintenance and Evaluation

The group discussed a few things to include here:  risk assessment and
establishing downtime tolerances for various services; hot backups
(e.g., second drives, second systems); integrity checking for both
binaries and libraries; and system recovery (currently in the Incident
Handling chapter, and it is still up in the air where it will settle),
including a time schedule for recovering services.
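The integrity tool/model that Chapter 5 calls for in order to find deltas, and the integrity checking of binaries and libraries listed for Chapter 6, reduce to the same mechanism: record a baseline of file digests while the system is trusted, keep it somewhere the system cannot alter, and later compare.  The following is an added example, not code from the working group or the handbook; SHA-256 is an assumed choice of digest, and the "bin" tree it checks is a constructed toy created in a temporary directory.

```python
"""Added example (not from the minutes): a minimal integrity baseline
and delta check over a file tree, of the kind Chapters 5 and 6 ask for."""
import hashlib
import json
import os
import tempfile

def file_digest(path):
    """SHA-256 (assumed choice) of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> [size, sha256] for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = [os.path.getsize(full), file_digest(full)]
    return baseline

def delta(old, new):
    """Added, removed and changed paths between a stored baseline and a fresh scan."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scenario: baseline a toy 'bin' tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("ls", b"ls-v1"), ("ps", b"ps-v1"), ("libc.so", b"libc-v1")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        # In practice the baseline (and the checking tool itself) would be
        # kept on read-only media, as the minutes suggest for the toolset.
        saved = json.dumps(build_baseline(root))
        # Tamper: same-size replacement of ps (size alone would miss it),
        # removal of libc.so, and a new, unexpected binary.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"ps-v2")
        os.remove(os.path.join(root, "bin", "libc.so"))
        with open(os.path.join(root, "bin", "sh"), "wb") as f:
            f.write(b"sh-new")
        return delta(json.loads(saved), build_baseline(root))
```

Because the size of ps is unchanged, only the digest reveals the replacement; this is why the delta compares digests rather than sizes or timestamps alone.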


Next Steps

October 1       Sections to be submitted to the list
November 1      New Internet-Draft
December IETF   Final revisions
January 15      Target for submission to the IESG