Site Security Handbook BOF (SSH)

Reported by Joyce K. Reynolds/ISI and Barbara Fraser/CERT Coordination Center

Introduction

In July 1991, the IETF published RFC 1244, ``Site Security Handbook.'' This document represented a first attempt at providing Internet users with guidance on how to deal with security issues in the Internet. Several years have passed and this document has aged accordingly. The purpose of this BOF was to:

   o discuss the information provided in RFC 1244,
   o identify information topics that are missing and needed,
   o identify other documents currently available that are similar, and
   o discuss a charter for the working group.

Discussion

There was a general discussion about the contents of RFC 1244 and a resulting consensus that it needed to be updated. Several aspects of the revision were mentioned: scope, audience, size and organization of the information.

Discussion about the scope of the document included a suggestion to define a suite of documents describing all the security aspects of the Internet. A working group resulting from this BOF could address one or more of those documents.

Concern about the size of RFC 1244 was mentioned. Some felt that the new document should strive to fit within 50 pages. This led to discussions about how we could separate material so that we could confine ourselves to a product of only 50 pages. There was a suggestion to create three documents:

   o Site Security Procedures Handbook
   o Site Security Tools Handbook
   o Site Security for Users

The need for a special short document for end users was discussed. It was mentioned that the audience has changed from medium-to-large sites, to small sites with no dedicated administrators, to people in their homes. Looked at another way, with the move to distributed systems, increasingly, every end user is a system administrator. After much discussion, the group moved back to identifying two audiences: system/network managers, and end users.
The group discussed many areas where updates were needed. These included:

   o passwords
   o firewalls
   o incident response
   o general access controls (including anonymous FTP)
   o backups
   o need to address all external access points
   o authentication and other generic security properties
   o cryptography expansion
   o update referenced RFC numbers
   o PEM section
   o information/data
   o threats
   o use of training
   o integrity (especially a discussion about various checksumming methods)

Another suggestion was to add a ``pull-out'' section with fill-in-the-blanks where a site could tailor the pull-out for itself. One example item was the ``single point of contact'' for security problems.

There were several other documents that were mentioned that could serve as a beginning point for the revision work, or as references. These were:

   o RFC 1636, a report from the IAB security workshop earlier this year
   o The Haller/Atkinson paper on passwords
   o NIST draft ``Introduction to Computer Security'' of June 1994

In addition to discussing content changes, the group also discussed several organizational approaches for the material that will be included. Possibilities mentioned were:

   o Life cycle of procedures (this is generally the current organization of RFC 1244): policy -> procedures -> incident handling
   o Where you are in your Internet life: going to connect to the Internet, newly connected, or experienced connectee
   o Management, operational, etc.
   o Self-auditing: with checklists at the end of each chapter

Other discussion in the group was concerned with whether to embed information on every topic or to include pointers to the information. There was support for both ways, with a general feeling that readers don't like to ``follow pointers'' balanced against a desire to keep the document from becoming too large.

A little discussion focused on how to organize the work.
Ideas expressed included:

   o Pull out enough material and revise it, keeping it to 50 pages, then move to another document
   o Start with the lowest common denominator, the end user, and work up to the system/network administrator
   o Start with the system/network administrators since ``that's what we are most familiar with, and what will be easiest to write''
   o Define criteria to discriminate between users and system administrators
   o Define outline
   o Pick sections and fill in content, then pick what is appropriate for users, and what is appropriate for system administrators

By the end of the BOF there was consensus that we define a charter for a working group. The working group will create two documents: one for users and one for system/network administrators.

The effort to create a charter will continue on a to-be-created mailing list: ssh@cert.org. The old ``ssphwg'' mailing list was found, and one message will be sent to that list announcing the formation of the new list. This will alert some of the original contributors of RFC 1244 to the new effort.