Site Security Handbook BOF (SSH)

Reported by Joyce K. Reynolds/ISI and Barbara Fraser/CERT Coordination
Center


Introduction

In July 1991, the IETF published RFC 1244, ``Site Security Handbook.''
This document represented a first attempt at providing Internet users
with guidance on how to deal with security issues in the Internet.
Several years have passed and this document has aged accordingly.  The
purpose of this BOF was to:


   o discuss the information provided in RFC 1244,
   o identify information topics that are missing and needed,
   o identify other documents currently available that are similar, and
   o discuss a charter for the working group.


Discussion

There was a general discussion about the contents of RFC 1244 and a
resulting consensus that it needed to be updated.  Several aspects to
the revision were mentioned:  scope, audience, size and organization of
the information.

Discussion about the scope of the document included a suggestion to
define a suite of documents describing all the security aspects of the
Internet.  A working group resulting from this BOF could address one or
more of those documents.  Concern about the size of RFC 1244 was
mentioned.  Some felt that the new document should strive to fit within
50 pages.  This led to discussions about how we could separate material
so that we could confine ourselves to a product of only 50 pages.  There
was a suggestion to create three documents:


   o Site Security Procedures Handbook
   o Site Security Tools Handbook
   o Site Security for Users


The need for a special short document for end users was discussed.  It
was mentioned that the audience has changed from medium-to-large sites,
to small sites with no dedicated administrators, to people in their
homes.  Looked at another way, with the move to distributed systems,
increasingly, every end user is a system administrator.  After much
discussion, the group moved back to identifying two audiences:
system/network managers, and end users.

The group discussed many areas where updates were needed.  These
included:


   o passwords
   o firewalls
   o incident response
   o general access controls (including anonymous FTP)
   o backups
   o need to address all external access points
   o authentication and other generic security properties
   o cryptography expansion
   o update referenced RFC numbers
   o PEM section
   o information/data
   o threats
   o use of training
   o integrity (especially a discussion about various checksumming
     methods)


Another suggestion was to add a ``pull-out'' section with
fill-in-the-blanks where a site could tailor the pull-out for itself.
One example item was the ``single point of contact'' for security
problems.

There were several other documents that were mentioned that could serve
as a beginning point for the revision work, or as references.  These
were:


   o RFC 1636, a report from the IAB security workshop earlier this year
   o The Haller/Atkinson paper on passwords
   o NIST draft ``Introduction to Computer Security'' of June 1994


In addition to discussing content changes, the group also discussed
several organizational approaches for the material that will be
included.  Possibilities mentioned were:


   o Life cycle of procedures (this is generally the current
     organization of RFC 1244):  policy -> procedures -> incident
     handling

   o Where you are in your Internet life:  going to connect to the
     Internet, newly connected, or experienced connectee

   o Management, operational, etc.

   o Self-auditing:  with checklists at the end of each chapter


Other discussion in the group was concerned with whether to embed
information on every topic or to include pointers to the information.
There was support for both ways with a general feeling that readers
don't like to ``follow pointers'' balanced with a desire to keep the
document from becoming too large.

A little discussion focused on how to organize the work.  Ideas
expressed included:


   o Pull out enough material and revise it, keeping it to 50 pages,
     then move to another document

   o Start with the lowest common denominator, the end user, and work up
     to the system/network administrator

   o Start with the system/network administrators since ``that's what we
     are most familiar with, and what will be easiest to write''

   o Define criteria to discriminate between users and system
     administrators

   o Define outline

   o Pick sections and fill in content, then pick what is appropriate
     for users, and what is appropriate for system administrators


By the end of the BOF there was consensus that we define a charter for a
working group.  The working group will create two documents:  one for
users and one for system/network administrators.  The effort to create a
charter will continue on a to-be-created mailing list:  ssh@cert.org.
The old ``ssphwg'' mailing list was found, and one message will be sent
to that list announcing the formation of the new list.  This will alert
some of the original contributors of RFC 1244 to the new effort.