home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Internet Info 1997 December
/
Internet_Info_CD-ROM_Walnut_Creek_December_1997.iso
/
ietf
/
ssh
/
ssh-minutes-94dec.txt
< prev
next >
Wrap
Text File
|
1995-02-22
|
9KB
|
183 lines
CURRENT_MEETING_REPORT_
Reported by Barbara Fraser/CERT Coordination Center
Minutes of the Site Security Handbook Working Group (SSH)
Agenda
o Discuss and decide which document to develop first
- Site Security Handbook for System and Network Administrators
- Site Security Handbook for Users
o Create editorial board
o Begin development of the first document
Discussion
There was considerable discussion about the two site security documents.
There were mixed feelings about which document to create first, as well
as whether to create the documents in parallel or serially. One point
was made that even though it is incomplete and dated, system and network
administrators have RFC 1244 but users have nothing, hence work should
begin with the users' document. Another point of view was that the
system and network administrators' document would produce information
that could then quickly be adapted to the user. After more discussion,
it was generally decided that they should be created serially because
there are not enough writers to create them in parallel. However, as
material is developed for the first document, pieces will be saved that
are thought to be suitable for the second document.
It was decided that the group would begin with the Site Security
Handbook for System and Network Administrators.
Editorial Board
In order to produce a new document in a reasonably short period of time,
it will be necessary for a number of people to write small sections.
These will then be merged to produce the completed document. It was
acknowledged that significant editorial work will be needed in order to
produce a document that reads as if a single person had written it. The
following people have offered to be on the editorial board: Barbara
Fraser, Gary Malkin, Uri Blumenthal, Jules Aronson, Nevil Brownlee and
Erik Buttman.
Procedure for Creating the Document
The group discussed how they would go about the process of creating a
new document and decided on the following steps:
A. Split up RFC 1244 into pieces and categorize contents
B. Identify list of topics and writing assignments
C. Update reference RFCs (Joyce Reynolds)
D. Create outline
E. Create draft
The purpose of activity ``A'' is to 1) review a chapter of the current
RFC, 2) decide whether it (and its subsections) applies to
system/network administrators or end users, or both, and 3) tag the
pieces with topics. This will make it easy for writers to identify the
pieces that pertain to their areas.
This activity will result in two lists, one for each document. Each
entry in a list should be a ``chapter.section'' followed by the topics
related to it.
The following people volunteered to help:
__________________________________________________________________
|| | ||
|| Introduction |Barbara Fraser ||
||_______________________________________|________________________||
|| | ||
|| Establishing Site Policy |Gary Malkin, ||
|| |Scott Behnke ||
||_______________________________________|________________________||
|| | ||
|| Incident Handling |Klaus-Peter Kossakowski ||
||_______________________________________|________________________||
|| | ||
|| Establishing Procedures to |Nevil Brownlee ||
|| Prevent Security Problems | ||
||_______________________________________|________________________||
|| | ||
|| Types of Security Procedures |Nevil Brownlee ||
||_______________________________________|________________________||
|| | ||
|| Establishing Post-Incident Procedures |Klaus-Peter Kossakowski,||
|| |Gary Malkin ||
||_______________________________________|________________________||
|| | ||
|| Bibliography | Scott Behnke ||
||_______________________________________|________________________||
The group began activity ``B'' by creating a list of topics from the
current document as well as from those mentioned at the BOF held at the
Toronto IETF. This list is a beginning and the group acknowledged that
some additions may be needed as time goes along. The list of starting
topics along with volunteer writers is included below. Occasionally
specific, narrow subjects came up that were not complete sections in and
of themselves. So that they do not get forgotten, they have been
explicitly mentioned below, under one of the topic areas. Topics with
no assigned writer have `???' in the author field.
The writer's job is to take existing RFC 1244 material and modify it to
meet today's needs. This may include adding or deleting, or otherwise
changing the content.
________________________________________________________________________
||_Policy________________________________|Gary_Malkin__________________ ||
||_Passwords_____________________________|Barbara_Fraser________________||
||_Network_Configuration_________________|Cole_Libby____________________||
|| System Configuration |Jules Aronson ||
|| (this topic should include DHCP and | ||
||_backups_as_well_as_other_topics)______|______________________________||
||_Firewalls_____________________________|Cole_Libby____________________||
|| Incident Response |Klaus-Peter Kossakowski, ||
||_______________________________________|Erik_Guttman__________________||
|| Access |Sepi Boroumand, Nevil Brownlee||
|| (this topic should include modems and | ||
|| other external access methods along | ||
||_with_other_topics)____________________|______________________________||
|| Post Incident Processing |??? ||
||_(including_issues_relating_to_backups)|______________________________||
||_Cryptography__________________________|Uri_Blumenthal________________||
|| Available Security Technology |??? ||
||_(applications_-_tools)________________|______________________________||
||_Threats/Risks/Asset_Identification____|???___________________________||
||_Training_*____________________________|______________________________||
||_Protecting_the_Infrastructure_________|Gary_Malkin___________________||
||_______________________________________|______________________________||
* The group will not include training at this point other than a
mention of the need for training in the Introduction. The
relationship between administrators and end users will need to be
described.
Goals and Milestones
By the end of January, the group will have topics from RFC 1244
separated into lists and have a draft outline for the system
administrators' handbook. Two weeks before the April IETF, draft
sections will be completed by the authors and merged into a first
Internet-Draft. At the April IETF, there will be a detailed review of
the draft sections and a review of overall document content (including
identification of holes).
Miscellaneous
The group agreed that they want to create a checklist to accompany the
system administrators' handbook as an appendix.
The group discussed the users' handbook and decided that it must be
short and easy to read. The notion of a pamphlet containing a bulleted
list was discussed.
It was also decided that the group needs to ensure that the document
provides something directed to users who have machines on their desks
that are configured with a network protocol stack. These users need to
be made aware of the additional issues like: running servers, attaching
modems, bringing up SLIP/PPP connections, etc.
Housekeeping
There will be several lists maintained on the archive area: list of
topics for the Site Security Handbook for System and Network
Administrators, list of topics/bullets for the Site Security Handbook
for Users' and writing assignments.
Next IETF
The group plans to schedule two back-to-back sessions to review each
section of the draft document.