ssh-minutes-95apr.txt (text file, 1995-05-26)
CURRENT_MEETING_REPORT_
Reported by Barbara Fraser/CERT Coordination Center
Minutes of the Site Security Handbook Working Group (SSH)
The Site Security Handbook Working Group met twice during this IETF. The
primary purpose was to decide on a final document outline and review the
material that had been developed.
I. Status of Writers and Sections
o Introduction -- Barbara Fraser
This will be written when there is a draft.
o Establishing site policy -- Gary Malkin, Scott Behnke
Gary has reviewed the existing section of RFC 1244 and said it fits
into this document and is fairly well up-to-date.
o Establish procedures to prevent problems -- Nevil Brownlee
Nevil was absent at the first meeting but reviewed his material at
the second session.
o Types of security procedures -- Peter Kossakowski
Peter has reviewed Chapters 5 and 6 and rearranged them into one,
eliminating duplication. He found some gaps and sent the new
chapter to the list. Erik Guttman will edit.
o Bibliography -- Scott Behnke
Scott was absent.
II. Proposed Outline of Document
A draft outline was shown based on the list of topics from San Jose. After
much discussion, a few changes were made and it was decided that the
following would be our document outline. Discussion on various topics
is included.
Chapter 1: Introduction -- Barbara Fraser
Chapter 2: Site Security Policy -- Gary Malkin
Setting up accounts, keeping information about users, appropriate use,
perhaps under policy as account management; needs to have an agreement
with users. May want to be flexible and not recommend specific actions.
A policy is also needed to remove users. It now contains sections on
use of resources, responsibilities of users, and handling sensitive
information. Monitoring is a policy issue and it and other legal issues
should be mentioned. Legal advice cannot be given, but readers can be
made aware that there are some areas where they will want to check with
their legal folks.
o Account management
- Creation
- Management
- Termination
o Acceptable Use
o Remote (network) access
o Monitoring/legal issues
Chapter 3: Security Procedures
Procedures might include different types of access, authentication,
backups, cryptography, system and network configurations. The group
discussed the word ``access'' and potential confusion with physical
access. The group also talked about dial-in/dial-out (on demand)
access, modems and terminal servers. The group wants the document to
cover security problems of modems on desktops and the dangers of SLIP
and PPP access. The distinction between network (e.g., TELNET) access
and dial-up (modem) access was discussed. Under the topic of
cryptography, export and usage restrictions, use in storage versus
communications, and authentication versus secrecy are being considered.
IPv6 requires cryptography. The document may mention sites outside the
US where encryption can be obtained. Uri commented that RFC 1244 is not
up-to-date. Encryption algorithms that might be mentioned include DES,
IDEA, and public key. Home-grown solutions will be warned against.
Uses of cryptography such as protecting data (storage) and
communications should be covered. An in-depth section on cryptography
is not wanted, and there will be a limit to how deeply to go into some
aspects. The sensitive areas like monitoring and cryptography will be
identified and the importance of knowing local laws will be stressed.
o Authentication -- Barbara Fraser
o Authorization -- Ed Lewis
o Access -- ??
o Modems -- Nevil Brownlee
o Cryptography (uses and methods) -- Uri Blumenthal
o Auditing -- Ed Lewis
o Backups -- Joe Metzger
Chapter 4: Architecture
o Objectives -- Phillip Nesser
- Complete defined security plan
- Separation of services
- ``Deny all'' vs. ``Allow all'' philosophies
- Identification of real needs for services
o Service configurations
o Network configurations -- Cathy Wittbrodt and Gary Malkin
- Topology (include router placement)
- Infrastructure elements (include DNS, mail hub, information
servers)
- Network management
o Firewalls -- Jerry Anderson
Chapter 5: Incident Handling -- Peter Kossakowski and Erik Guttman
o Preparing and planning
o Notification and Points of Contact
o Identifying incidents
o Handling incidents
o Aftermath
o Responsibilities
Chapter 6: Maintenance and Evaluation -- Ed Lewis
o Risk assessments
o Notification of problems/events
Appendix
The challenge here is to provide information that will not be out of
date too soon.
o Tools and sites
o Mailing lists and other resources and organizations -- Mike Ramsey
III. Review Material and Drafts
Each of the writers who had submitted material addressed the group and
solicited input. New drafts will be submitted to the list.
All in all, the meetings were very productive and the group plans to
have a draft out by the first week of May. It will not be complete but
it will incorporate all the work that has been done to this point. As
the items above indicate, a few able-bodied writers are still needed.
The group plans to meet twice in Stockholm.