CURRENT_MEETING_REPORT_

Reported by Barbara Fraser/CERT Coordination Center

Minutes of the Site Security Handbook Working Group (SSH)

The Site Security Handbook Working Group met twice during this IETF. The
primary purpose was to decide on a final document outline and review the
material that had been developed.


I. Status of Writers and Sections

   o Introduction -- Barbara Fraser
     This will be written when there is a draft.

   o Establishing site policy -- Gary Malkin, Scott Behnke
     Gary has reviewed the existing section of RFC 1244 and said it fits
     into this document and is fairly up-to-date.

   o Establish procedures to prevent problems -- Nevil Brownlee
     Nevil was absent at the first meeting but reviewed his material at
     the second session.

   o Types of security procedures -- Peter Kossakowski
     Peter has reviewed Chapters 5 and 6 and rearranged them into one
     chapter, eliminating duplication.  He found some gaps and sent the
     new chapter to the list.  Erik Guttman will edit.

   o Bibliography -- Scott Behnke
     Scott was absent.


II. Proposed Outline of Document

A draft outline was shown based on the list of topics from San Jose.
After much discussion, a few changes were made and it was decided that
the following would be our document outline.  Discussion of the various
topics is included.


Chapter 1:  Introduction -- Barbara Fraser

Chapter 2:  Site Security Policy -- Gary Malkin

Setting up accounts, keeping information about users, and appropriate
use may belong under policy as account management; a site needs to have
an agreement with its users.  The chapter may want to be flexible and
not recommend specific actions.  A policy is also needed for removing
users.  It now contains sections on use of resources, responsibilities
of users, and handling sensitive information.  Monitoring is a policy
issue, and it and other legal issues should be mentioned.  Legal advice
cannot be given, but readers can be made aware that there are some
areas where they will want to check with their legal staff.

   o Account management
      -  Creation
      -  Management
      -  Termination
   o Acceptable Use
   o Remote (network) access
   o Monitoring/legal issues



Chapter 3:  Security Procedures

Procedures might include different types of access, authentication,
backups, cryptography, and system and network configurations.  The group
discussed the word ``access'' and its potential confusion with physical
access.  The group also talked about dial-in/dial-out (on-demand)
access, modems, and terminal servers.  The group wants the document to
cover the security problems of modems on desktops and the dangers of
SLIP and PPP access.  The distinction between network (e.g., TELNET)
access and dial-up (modem) access was discussed.  Under the topic of
cryptography, export and usage restrictions, use in storage versus
communications, and authentication versus secrecy are being considered.
IPv6 requires cryptography.  The document may mention sites outside the
US where encryption can be obtained.  Uri commented that RFC 1244 is not
up-to-date.  Encryption algorithms that might be mentioned include DES,
IDEA, and public key.  Home-grown solutions will be warned against.
Uses of cryptography such as protecting data (storage) and
communications should be covered.  An in-depth section on cryptography
is not wanted, and there will be a limit to how deeply to go into some
aspects.  The sensitive areas like monitoring and cryptography will be
identified and the importance of knowing local laws will be stressed.


   o Authentication -- Barbara Fraser
   o Authorization -- Ed Lewis
   o Access -- ??
   o Modems -- Nevil Brownlee
   o Cryptography (uses and methods) -- Uri Blumenthal
   o Auditing -- Ed Lewis
   o Backups -- Joe Metzger



Chapter 4:  Architecture

   o Objectives -- Phillip Nesser
      -  Complete defined security plan
      -  Separation of services
      -  ``Deny all'' vs. ``Allow all'' philosophies
      -  Identification of real needs for services
   o Service configurations
   o Network configurations -- Cathy Wittbrodt and Gary Malkin
      -  Topology (include router placement)
      -  Infrastructure elements (include DNS, mail hub, information
         servers)
      -  Network management
   o Firewalls -- Jerry Anderson


Chapter 5:  Incident Handling -- Peter Kossakowski and Erik Guttman

   o Preparing and planning
   o Notification and Point of Contacts
   o Identifying incidents
   o Handling incidents
   o Aftermath
   o Responsibilities


Chapter 6:  Maintenance and Evaluation -- Ed Lewis

   o Risk assessments
   o Notification of problems/events


Appendix

The challenge here is to provide information that will not be out of
date too soon.


   o Tools and sites
   o Mailing lists and other resources and organizations -- Mike Ramsey


III. Review Material and Drafts

Each of the writers who had submitted material addressed the group and
solicited input.  New drafts will be submitted to the list.

All in all, the meetings were very productive and the group plans to
have a draft out by the first week of May.  It will not be complete, but
it will incorporate all the work that has been done to this point.  As
the items above indicate, a few able-bodied writers are still needed.
The group plans to meet twice in Stockholm.