Draft Security Policy

Richard Pethia <rdp@cert.sei.cmu.edu> Wed, 17 October 1990 16:23 UTC

To: spwg@NRI.Reston.VA.US, ssphwg@NRI.Reston.VA.US, psrg-interest@venera.isi.edu, saag@tis.com
Subject: Draft Security Policy
Date: Wed, 17 Oct 1990 12:23:06 -0400
From: Richard Pethia <rdp@cert.sei.cmu.edu>

Dear colleagues,

Below is a working draft of a proposed Internet security policy for
your review and comment.  

Following a series of security policy working group (spwg) working
meetings, Steve Crocker and I put together this draft based on our
understanding of the work and inputs of the spwg members.  The spwg
gets the credit for the work; I'll take any blame for misunderstanding
their views.

Please direct your comments, criticisms, or suggestions for change to
me, and use the spwg list as a discussion forum for topics you feel
should be widely discussed.

Thanks in advance for your interest and comments.

Rich Pethia
--------------------

                       Internet Security Policy

                            WORKING DRAFT

                           Richard Pethia
                            Steve Crocker
                           October 9, 1990
 
INTRODUCTION 
 
  This policy addresses the entire Internet community, consisting of
  users, hosts, local, regional, domestic and international backbone
  networks, and vendors who supply operating systems, routers, network
  management tools, workstations and other network components.
 
  Security is understood to include protection of the privacy of 
  information, protection of information against unauthorized 
  modification, protection of systems against denial of service, and 
  protection of systems against unauthorized access or use.  ["access" 
  covers unauthorized database lookup, for example; "use" covers 
  unauthorized logging in to a system.] 
 
This policy has four main points.  These points are repeated and 
elaborated in the next section.  

----------------------------------------------------------------------- 
 
 
THE POLICY 
 
1) Users are individually responsible for understanding and respecting
   the security rules of the systems they are using.  Users are
   individually accountable for their own behavior.
 
2) Site and network service providers are responsible for maintaining
   the security of the systems they operate.  Vendors are responsible
   for providing systems which are sound and have adequate security
   controls. Users are responsible for protecting their own data and
   for assisting in the protection of the systems they use.
 
3) Users, service providers and hardware and software vendors are
   expected to cooperate in the provision of security.
 
4) Technical improvements in Internet security protocols should be
   sought on a continuing basis.

 
ELABORATION 
 
1) Users are individually responsible for understanding and respecting
   the security rules of the systems they are using.  Users are
   individually accountable for their own behavior.
 
   Users are responsible for their own behavior. Weaknesses in the
   security of a system are not a license to penetrate or abuse a
   system.  Users are expected to be aware of the rules and adhere to
   them.  One clear consequence is that breaking into computers is
   explicitly prohibited, no matter how weak the protection is on
   those computers.
 
   Another aspect of this part of the policy is that users are
   individually responsible for all use of resources assigned to them,
   and hence sharing of accounts and access to resources is strongly
   discouraged.  Since access to resources is assigned by individual
   sites and network operators, the specific rules governing sharing
   of accounts and protection of access are necessarily left to them.
 
 
2) Site and network operators are responsible for protecting their
   systems.  Vendors are responsible for providing systems which are
   sound and have adequate security controls.  Users are responsible
   for protecting their own data and for assisting in the protection
   of the systems they use.
 
   Primary responsibility for security necessarily rests with the
   owners and operators of the components of the Internet, viz. the
   host operators and network operators.  The Internet itself is
   neither centrally managed nor operated, and hence there is no
   central authority for implementing or managing the security of the
   entire Internet.  Moreover, even if there were a central authority,
   security necessarily is the responsibility of the people owning the
   data and systems involved, so local control is essential.
 
   There are five elements of good local security: 
 
 (i)   There must be a clear statement of the local security policy, and
       this policy must be communicated to the users and other
       relevant parties.  The policy should be on file and available
       to users at all times, and should be communicated to users as
       part of providing access to the system.
 
 (ii)  Adequate security controls must be implemented.  At a minimum,
       this means controlling access to systems via passwords -- and
       instituting sound password management! -- and configuring the
       system to protect itself and the information within it.
 
 (iii) There must be a capability to monitor security compliance and
       respond to incidents involving violation of security.  Logs of
       logins and other security-relevant events are strongly advised,
       as well as regular audit of these logs.  Also recommended is a
       capability to trace connections and other events in response to
       penetrations.
 
 (iv)  There must be an established chain of communication and control
       to handle security matters.  A responsible person should be
       identified as the security contact.  The means for reaching the
       security contact should be made known to all users and should
       be registered in public directories, and it should be easy for
       computer emergency response centers to find contact information
       at any time.
 
 (v)   Sites, networks and vendors which are notified of security
       incidents should respond in a timely and effective manner.  In
       the case of penetrations or other violations, sites, networks
       and vendors should allocate resources and capabilities to
       identify the nature of the incident, identify the violator, and
       limit the damage.  A site, network or vendor cannot be
       considered to have good security if it does not respond to
       incidents in a timely and effective fashion.
 
       Similarly, sites, networks and vendors should respond when
       notified of security flaws in their systems.  Vendors, in
       particular, have a positive obligation to repair flaws in the
       security-relevant portions of the systems they sell for use in
       the Internet.  Sites and networks have the parallel
       responsibility to install fixes in their systems as they become
       available.
 
  To facilitate the adoption and implementation of good security
  practices at the site and network level, the Site Security Policy
  Handbook Working Group is developing a handbook with guidance on
  all of these matters.  Sites and network operators are encouraged to
  review this material and use it freely.
 
 
3) Users, sites, networks and vendors are expected to provide mutual
   security assistance.
 
   The Internet is a cooperative venture.  The culture and practice in
   the Internet is to render assistance in security matters to other
   sites and networks.  A site is expected to notify other sites if it
   sees a penetration in progress at the other sites, and sites are
   expected to help other sites respond to security violations.  This
   may include tracing connections, tracking violators and assisting
   law enforcement efforts.
 
   There is a growing appreciation within the Internet community that
   security violators should be identified and held accountable.  This
   means that once a violation has been detected, sites are encouraged
   to cooperate in finding the violator and assisting in enforcement
   efforts.  It is recognized that many sites will face a trade-off
   between securing their sites as rapidly as possible and limiting
   the knowledge of a penetration versus leaving their site open
   and/or exposing the fact that a penetration has occurred.  This
   policy does not dictate that a site must expose either its system
   or its reputation if it decides not to, but sites are encouraged to
   render as much assistance as they can.
 
 
4) Technical improvements in Internet security protocols should be
   sought on a continuing basis.
 
   The points discussed above are all administrative in nature, but
   technical advances are also important.  The existing protocols and
   operating systems do not provide the level of security that is
   desired or that is possible.  Three types of advances are
   encouraged.
 
 (i)   Improvements in the basic security mechanisms already in place.
       Password security is generally poor throughout the Internet and
       can be improved markedly through the use of tools to administer
       password assignment and through the use of better password
       protocols.  At the same time, the user population is expanding
       to include a larger percentage of technically unsophisticated
       users.  The defaults on delivered systems and the controls for
       administering security must be geared to this large and
       generally unsophisticated population.
 
 (ii)  Security extensions to the protocol suite are needed.  Candidate
       protocols which should be augmented to improve security include
       network management, routing, file transfer, telnet, mail, etc.
 
 (iii) Improvements in the design and implementation of operating
       systems, with more emphasis on security and more attention to
       the quality of the implementation of security within systems on
       the Internet.
 
 
 
GLOSSARY

<TBD>


REFERENCES

<TBD>



James VanBokkelen wrote a very good memo on Internet security policy.
Many of the points he makes are included above, but his statement is
worth reading separately.  It is included here for reference.  The
intent is to make it a separate RFC and reference it.
 
 
                     The Internet Oral Tradition 
                          James VanBokkelen 
                            April 2, 1990 
 
This is a summary of the 'oral tradition' of the Internet as regards 
the responsibilities of host and network managers, as I understand it. 
 
 
1. Basic responsibilities: 
 
The Internet is a co-operative endeavor, and its usefulness depends 
on reasonable behavior from every user, host and router in the 
Internet.  It follows that people in charge of the components of the 
Internet MUST be aware of their responsibilities and attentive to 
local conditions.  Furthermore, they MUST be accessible via both 
Internet mail and telephone, and responsive to problem reports and 
diagnostic initiatives from other participants. 
 
Even local problems as simple and transient as system crashes or 
power failures may have widespread effects elsewhere in the net. 
Problems which require co-operation between two or more responsible 
individuals to diagnose and correct are relatively common.  Likewise, 
the tools, access and experience needed for efficient analysis may 
not all exist at a single site. 
 
This communal approach to Internet management and maintenance is 
dictated by the present decentralized organizational structure.  The 
structure, in turn, exists because it is inexpensive and responsive 
to diverse local needs.  Furthermore, for the near term, it is our 
only choice; I don't see any prospect of either the government or 
private enterprise building a monolithic, centralized, ubiquitous "Ma 
Datagram" network provider in this century. 
 
 
2. Responsibilities of network managers: 
 
One or more individuals are responsible for every IP net or subnet 
which is connected to the Internet.  Their names, phone numbers and 
postal addresses MUST be supplied to the Internet NIC (or to the 
local or regional transit network's NIC) prior to the network's 
initial connection to the Internet, and updates and corrections MUST 
be provided in a timely manner for as long as the net remains 
connected. 
 
In order to adequately deal with problems that may arise, a network 
manager must have either: 
 
 A. System management access privileges on every host and router 
    connected to the local network, or: 
 
 B. The authority and access to either power off, re-boot, physically 
    disconnect or disable IP datagram forwarding to any individual host 
    system that may be misbehaving. 
 
For all networks, a network manager capable of exercising this level 
of control MUST be accessible via telephone 8 hours a day, 5 days a 
week.  For nets carrying transit traffic, a network manager SHOULD 
be accessible via telephone 24 hours a day. 
 
 
3. Responsibilities of host system managers: 
 
Some individual must be responsible for every host connected to the 
Internet.  This person MUST have the authority, access and tools 
necessary to configure, operate and control access to the system. 
For important timesharing hosts, primary domain name servers and mail 
relays or gateways, responsible individual(s) SHOULD be accessible 
via telephone 24 hours a day, 7 days a week. 
 
For less-important timesharing hosts or single-user PCs or workstations, 
the responsible individual(s) MUST be prepared for the possibility that 
their network manager may have to intervene in their absence, should 
the resolution of an Internet problem require it. 
 
 
4. Postmaster@foo.bar.baz 
 
Every Internet host that handles mail beyond the local network MUST 
maintain a mailbox named 'postmaster'.  In general, this should not 
simply forward mail elsewhere, but instead be read by a system 
maintainer logged in to the machine.  This mailbox SHOULD be read at 
least 5 days a week, and arrangements MUST be made to handle incoming 
mail in the event of the absence of the normal maintainer. 
 
A machine's 'postmaster' is the normal point of contact for problems 
related to mail delivery.  Because most traffic on the long-haul 
segments of the Internet is in the form of mail messages, a local 
problem can have significant effects elsewhere in the Internet.  Some 
problems may be system-wide, such as disk or file system full, or 
mailer or domain name server hung, crashed or confused.  Others may 
be specific to a particular user or mailing list (incorrect aliasing 
or forwarding, quota exceeded, etc.). 
 
In either case, the maintainer of a remote machine will normally send 
mail about delivery problems to 'postmaster'.  Also, 'postmaster' is 
normally specified in the 'reply-to:' field of locally generated mail 
error messages (unable to deliver due to nonexistent user name, 
unable to forward, malformed header, etc).  If this mailbox isn't 
read in a timely manner, significant quantities of mail may be lost 
or returned to its senders. 
 
 
5. Problems and Resolutions 
 
Advances in network management tools may eventually make it possible 
for a network maintainer to detect and address most problems before 
they affect users, but for the present, day-to-day users of 
networking services represent the front line.  No responsible 
individual should allow their 'dumb-question' filter to become too 
restrictive; reports of the form "I haven't gotten any mumblefrotz 
mail for a week... " or "I could get there this morning, but not 
now..." should always get timely attention. 
 
There are three basic classes of problems that may have network-wide 
scope:  User-related, host-related and network-related. 
 
 A. User-related problems can range from bouncing mail or uncivilized 
    behavior on mailing lists to more serious issues like violation of 
    privacy, break-in attempts or vandalism. 
 
 B. Host-related problems may include mis-configured software, obsolete 
    or buggy software and security holes. 
 
 C. Network-related problems are most frequently related to routing: 
    incorrect connectivity advertisements, routing loops and black holes 
    can all have major impacts.  Mechanisms are usually in place for 
    handling failure of routers or links, but problems short of outright 
    failure can also have severe effects. 
 
Each class of problem has its own characteristics.  User-related 
problems can usually be solved by education, but system managers 
should be aware of applicable federal and state law as well; privacy 
violations or 'cracking' attempts have always been grounds for 
pulling a user's account, but now they can also result in 
prosecution.  Host-related problems are usually resolvable by 
re-configuration or upgrading the software, but sometimes the 
manufacturer needs to be made aware of a bug, or jawboned into doing 
something about it; bugs that can't be fixed may be serious enough to 
require partial or total denial of service to the offending system. 
Similar levels of escalation exist for network-related problems, with 
the solution of last resort being ostracism of the offending net. 
 
 
6. The Illusion of Security 
 
Every host and network manager MUST be aware that the Internet as 
presently constituted is NOT secure.  At the protocol level, much 
more effort has been put into interoperability, reliability and 
convenience than has been devoted to security, although this is 
changing.  Recent events have made software developers and vendors 
more sensitive to security, in both configuration and the underlying 
implementation, but it remains to be demonstrated how much long-term 
effect this will have.  Meanwhile, the existing system survives 
through the co-operation of all responsible individuals. 
 
Security is subjective; one site might view as idle curiosity what 
another would see as a hostile probe.  Since ultimately the existence 
of the Internet depends on its usefulness to all members of the 
community, it is important for managers to be willing to accept and 
act on other sites' security issues, warning or denying access to 
offending users.  The offended site, in turn, must be reasonable in 
its demands (someone who set off an alarm while idly seeing if the 
sendmail 'DEBUG' hole was closed on a 'sensitive' host probably 
should be warned, rather than prosecuted). 
 
Because Internet security issues may require that local management 
people either get in touch with any of their users, or deny an 
offending individual or group access to other sites, it is necessary 
that mechanisms exist to allow this.  Accordingly, Internet sites 
SHOULD NOT have 'general use' accounts, or 'open' (without password) 
terminal servers that can access the rest of the Internet.  In turn, 
the 'sensitive' sites MUST be aware that it is impossible in the long 
term to deny Internet access to crackers, disgruntled former 
employees, unscrupulous competitors or agents of other countries. 
Getting an offender flushed is at best a stop-gap, providing a 
breathing space of a day or an hour while the security holes he was 
attacking are closed.