CURRENT MEETING REPORT

Reported by Barbara Fraser/CERT Coordination Center

Minutes of the Site Security Handbook Working Group (SSH)

The Site Security Handbook Working Group met twice during this IETF meeting. The purpose of the two meetings was to review the Internet-Draft, draft-ietf-ssh-handbook-00.txt, and to address any missing pieces.

Review of Existing Draft

It was noted that the current draft does not include a table of contents. This will be addressed in later drafts. There was discussion on the list prior to the IETF meeting that the title of the document be the same as that of RFC 1244, Site Security Handbook. It was agreed at the meeting to do this. The group also agreed to keep the introductory chapter very short. It was suggested that a general definition of computer security/infosec be included in the Introduction, and Jussi Leiwo agreed to provide some sentences.

Chapter 2 -- Policy

The material in this chapter will be reviewed by Gary Malkin, who will also check it against the material in RFC 1244 and other sources. It is most important to make sure readers know they must have a policy.

Chapter 3 -- Security Procedures

It was decided to make this Chapter 4 and place it after the chapter on architecture. A revised outline is included at the end of these minutes.

3.1 Authentication: The group wants to shorten the coverage of general passwords and emphasize the use of better authentication techniques. In particular, cover adapting the rules for password selection to the choice of secret tokens where these are used (e.g., S/Key, PGP secret key, etc.), and the protection of such information. We also want to point out the limitations of password aging and password selection in the context of general reusable passwords: an intruder who captures a password will use it immediately rather than wait until the site may have changed it.
3.2 Authorization: Some of the points to be made are that every user's space should be protected, with open space for shared information, and that the binaries in use must be the ones that are expected. Granting users access into private spaces through subdirectories was a topic that was mentioned. Also, we need to teach users how to maintain access control in their areas.

3.3 Access and 3.4 Modems: Nevil Brownlee agreed to write this section (Joao Nuno Ferreira and Vasily Savin will help with content). The group spent some time discussing what direction to take. How to handle this section in relation to the previous section on authorization was also discussed. It will be sorted out after there is content to look at. One idea for organizing this section was to look at it in terms of access to the local infrastructure from public networks (e.g., via modems), access via the network, and physical access. Points of entry to and from the public telephone network, X.25 and FAX need careful controls. We have a fair amount of information on modems, and it remains to be seen how we will fit everything together here.

3.5 Cryptography: Uri said he would have a section to the list by the end of July. The group did not discuss this section other than to say we wanted to include a general description of cryptography for system administrators and users, and we will only include general comments about the variability of restrictions on the use of cryptography in different countries. We will not attempt to include the specific restrictions that are in place today, since we cannot provide a comprehensive set and they will date anyway.

3.6 Auditing: There is some duplication of material with that in Chapter 5. It was mentioned that we want to say that accounting information needs to be secured in the same way that auditing information does. There was some discussion on the definitions of logging, accounting, and auditing within the context of this document.
The group decided to start with the following definitions:

   o logging -- collecting the information
   o accounting -- generating bills/preparing reports from the logged information
   o auditing -- looking for discrepancies/inconsistencies/violations of policy, etc.

The group decided that this section should include a discussion of regular review of logs and of filtering logs for events significant to the organization. Sections need to be added on how to use the data and when to use it (active real-time and passive off-line). The group also discussed what to collect: system integrity data, user activities, and process accounting.

Chapter 4 -- Architecture

This chapter will be Chapter 3 in the next revision. This area of the document had no material, and it is still not clear exactly what we want to include here. For the time being we will continue with the current outline.

4.1 Objectives: Philip Nesser was not able to attend the meeting, but he should have something soon.

4.2 Service Configuration: There was considerable discussion about what the differences were between this section and the next section, Network Configurations. Gary Malkin put up an overhead with the following divisions, and this served to fuel the follow-on discussion.

   o Service configurations
     - Anonymous/guest users
     - Collocating services
     - Denial of service
     - Unauthorized services
     - WWW...

   o Network configurations
     - Topology
       * Subnet isolation
       * Externally accessible subnets
       * Stub vs. transit
     - Infrastructure elements
       * DNS
       * Routing
       * E-mail
     - Network management
       * Monitoring
       * Configuration

Discussion also included subjects the group would like to make sure are covered. For example, concerning internal use, restrict access to shared resources and make sure you know the extent of the sharing (e.g., NFS, FTP archives, internal netnews, tftp files). Another area is providing services for external users, with concern about world-writable areas, guest accounts and dialup.
Under guest accounts, limited capability and duration were mentioned. Additionally, sites need to actively manage these, including careful management of vendor access and special-function IDs. Shell escapes and denial of service were also discussed. Tony Hain said he would provide some material on special-function IDs and on avoiding shell escapes and other problems in restricted environments.

4.4 Firewalls: This was another area that we have no material for yet, but there is strong consensus that we must provide the section. Some time was spent talking about an outline of topics for this section:

   o What a firewall is and what it is used for
   o Pros, cons, and limitations
   o Various types of firewalls and, for each, the pros, cons, and limitations, administrative requirements, costs, expertise required, and authentication capability
   o Cost/benefit analysis
   o Separation of tasks inside the network -- different departments will have different needs
   o List of services from inside to outside and vice versa
   o Include references

Chapter 5 -- Incident Handling

There is a lot of material in this chapter, and the authors will work to compress and organize it to an optimal state. A couple of specific items to be included were identified: pulling the plug (when to do it, or deciding to do it); the need for an integrity tool/model in order to be able to find deltas; a caution to sites that their tools may be traitors (including binaries, config files, logs, and libraries); and the use of CD-ROMs to protect a toolset.

Chapter 6 -- Maintenance and Evaluation

The group discussed a few things to include here: risk assessment and establishing downtime tolerances for various services; hot backups (e.g., second drives, second systems); integrity checking for both binaries and libraries; and system recovery (currently in the Incident Handling chapter, and it is up in the air where it will settle), including a time schedule for recovering services.
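The integrity tool/model mentioned under Incident Handling and the integrity checking of binaries and libraries under Maintenance both reduce to the same mechanism: record a trusted baseline of file digests, take a fresh snapshot later, and report the deltas. The following is an added example of that mechanism written for these minutes, not code from the working group or the handbook; it assumes SHA-256 as the digest, a dict keyed by path relative to the tree root, and a constructed sample tree built in a temporary directory.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root: relative path -> digest.
    The baseline is only a trustworthy reference if it is kept where an
    intruder cannot rewrite it (the minutes suggest read-only CD-ROM)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def find_deltas(baseline, current):
    """Compare a stored baseline with a fresh snapshot; report the deltas."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a tiny tree with a 'binary' and two configs.
    After the baseline is taken, the binary is replaced, a file appears and
    a config disappears; the check should surface all three."""
    root = tempfile.mkdtemp()
    files = {"bin/ls": b"ELF original", "etc/hosts": b"127.0.0.1 localhost\n",
             "etc/old.conf": b"x=1\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"ELF replaced")          # trojaned binary
    with open(os.path.join(root, "etc", "extra"), "wb") as f:
        f.write(b"new\n")                 # unexpected new file
    os.remove(os.path.join(root, "etc", "old.conf"))  # deleted config
    return find_deltas(baseline, build_baseline(root))
```

Because the comparison itself runs hash_file from the possibly compromised host, the check is only as good as the copy of the tool and baseline it reads, which is exactly the "tools may be traitors" caution above.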
Next Steps

   October 1     Sections to be submitted to the list
   November 1    New Internet-Draft
   December      IETF: final revisions
   January 15    Target for submission to the IESG