CURRENT MEETING REPORT

Reported by Barbara Fraser, CERT Coordination Center and Phil Nesser, Nesser & Nesser Consulting

Minutes of the Site Security Handbook Working Group (SSH)

The Site Security Handbook Working Group met once during this IETF. The purpose of the meeting was to review the current draft document and resolve any missing pieces.

Agenda

o Find Volunteer Note Taker
  o Phil Nesser kindly volunteered and did a magnificent job!
o Review Draft
  o Errors/Corrections
  o Missing Pieces
o Develop Draft Outline for the User's Site Security Handbook

I. Review Draft

Barbara had a list of items that the group discussed.

o Check contents of 1.1 & 1.2

  These are introductory sections that were pulled from the original RFC 1244. The general consensus was that they are fine. The group did decide to define the term "administrators" and use it to refer to "system and network administrators" throughout the text of the book.

o Pointer to RFC by Haller & Atkinson on Internet Authentication.

  We found it: RFC 1704.

o Need pointer to RFC or draft on SSH (secure shell).

  There was general agreement that we needed to include this in the list of tools in the appendix. There's a current draft, but unless/until it is accepted, we won't include a reference to the document.

o Should we provide pointers to the original locations for the tools section?

  The group would really like to provide pointers to the original locations for the tools. This may be difficult for some, but we'll start with the list that the DFN-CERT has created. As far as general purpose sites, the group decided to leave the list as it currently stands: CERT, DFN-CERT, and COAST.

o References and Bibliography

  We need to update this section from RFC 1244 to include any valuable new material that has been published within the last 5 years. The group identified the following list and suggested that we continue to solicit input from the mailing list.
  We will need to complete the citation for each of the following, as well as ensure we've got the correct spelling, title, etc.:

  o Cheswick & Bellovin: Firewalls & Internet Security
  o Chapman & Zwicky: Firewalls in a Nutshell
  o NIST publication on Firewalls & Security (David Chadwick will review NIST items)
  o Kaufman, Perlman, et al.: Book on Network Security
  o Garfinkel: PGP Book
  o RFC 1760: One Time Password
  o Peter Klaus's FAQs
  o Dan Farmer & Venema's unpublished info
  o Garfinkel & Spafford: Practical Unix Security (New version due out after the first of the year. BYF to get info)

o Cloud information submission (Public Operators Network Services)

  We had some material submitted for inclusion that Barbara wasn't sure where to place within the document. After some discussion, we decided to insert it right after the current material on modems. Hans Kronk agreed to review the submission to see how it fits in. The topic of public networks (e.g., AOL, Compuserve, MSN, etc.) came up, and Neville suggested that we include some words about these within the "Access Section" and will work on it. It was also suggested that we need to expand the access section to include physical access. Neville will work on this as well.

o Chapter 2

  o Should "AUP" be included in 2.1.2? (Gary will add it)
  o 2.1.3 lists the people who should be included in the definition of a security policy. The question was raised as to whether it should also include "Audit Personnel". It was decided that we wouldn't include it in the list, but we would include a sentence stating that it might be appropriate for audit personnel to be included in some organizations. After lots of debate it was decided to remove "local & national" from the 5th item in this list (on response teams).
  o In the 2.1.3 enumeration of the components of a good security policy, there was discussion concerning the addition of a few items.
    o Should we add paragraphs about configuration of machines?
      We decided to hold this until the configuration section was completed.
    o Should we add paragraphs about users' need to access other users' accounts?
      We decided to add a sentence along the lines of "What circumstances are acceptable for one user to need access to another user's privileges". The concern here was that of avoiding "garbage truck syndrome", where all the knowledge is held by a single individual. The group decided to add a bullet about redundant information.

o Chapter 3

  This chapter is on architecture, and it was noted that we needed to make 3.1 & 3.2 act harmoniously together. These are the sections on objectives and network/service configurations. It was decided that we'll move the information in 3.1.2.x into 3.2 (Gary Malkin will do this as author of 3.2). We also discussed a section on "typical concerns and weaknesses of existing services" but decided to go with the move to 3.2. Additionally, as we discuss each service, we'll include why they should be on separate servers. It was decided that we need an introduction to the Architecture Chapter. BYF will write it.

  o We are still missing section 3.3 Firewalls. This section will discuss what a firewall can and cannot do for you: a balanced look at the pros and cons of firewalls. Phil Nesser and Lorna Leong volunteered to write this section.

o Chapter 4

  We need an introductory section between 4 and 4.1: BYF will write it. This section needs to guide the reader through the contents of the chapter and suggest that the subject of cryptography runs throughout the chapter and that a basic understanding of cryptography will enhance the value of this chapter to the reader. We will include the general information written by Uri Blumenthal in an appendix and provide a pointer to it at this point in the document. Other text from Uri will be incorporated into the respective sections now that we've restructured this chapter.
  Other comments regarding this chapter include:

  o 4.1.2 Kerberos: Larry Gerhardstein will do it
  o Section 4.1.5 Digital Signatures: Russ Mundy will take it
  o Insert a new "4.2 Confidentiality": Russ Mundy will take it
  o Insert a new "4.3 Integrity", which will include data, backup & system: Russ Mundy will take it
  o Move "Modem" section under "Access"
  o Move Crypto section to Appendices
  o Change "Backups" to "Securing Backups": Russ Mundy will take it
  o Split backups: talk about encryption as a way of securing your data here, and move the physical security of the backups into the physical access section. Also include in this section some discussion that backup tapes may have bad information on them.

  With all the changes, the following is the new outline for chapter 4:

  o 4.1 Authentication
  o 4.2 Confidentiality
  o 4.3 Integrity
  o 4.4 Authorization
  o 4.5 Access
    o Modems
  o 4.6 Auditing
  o 4.7 Securing Backups
    o Offsite
    o Long Term Storage

o Chapter 5

  This chapter is a very comprehensive treatment of incident response. The problem is that it is half the entire book. While the group would like to see it trimmed down, they also didn't want to lose any of the valuable content. With that in mind:

  o Erik Guttman will try to condense but not remove content.
  o Make sure the chapter contains some information about secure communications when handling an incident.

o Chapter 6

  o Compliance Management needs to be addressed
    o Will be done by: Shane Davis
    o Gary will add a bullet in the Policy Section between 2.2.6 & 2.2.7
  o Change title from "Maintenance & Evaluation" to "Ongoing Activities"
  o Need to point out that the policy is ongoing and changing and needs to be periodically reevaluated
  o Need to put a section on Risk Management at the front.
  o Chapter 6 STILL NEEDS A WRITER!!

o References and Appendices: Barbara & Gary will work on them
o Gary Malkin volunteers to create an index of the whole document when it is finished.

II. Users' document

By the time we completed the review of the draft, we no longer had time to work on the outline for the users' document. Gary Malkin volunteered to post a strawman to the list, and we agreed to discuss it in that forum. The group reminded itself of earlier conversations on the users' document:

o More like a checklist of things you need to do, e.g., "You should know about your company's security policy"
o Written in first person, directly to the user

III. Administrivia

The current draft will be submitted as an Internet-Draft right after this IETF. New text is due by January 31, 1996. Barbara will get a new draft submitted by mid-February to allow for ample review time prior to the next IETF. We hope to have a final draft at that time with only editorial changes needed before submission to the area director. The group plans to meet twice in Los Angeles, once to finish this document and a second time to work on the users' document.

Important groups we don't conflict with: USWG, GRIP, CIDRD, PIER, and various security groups.