kent@BBN.COM (Steve Kent) (06/18/91)
Here is my draft revision of this I-D. As per IAB
instructions I am forwarding it to these lists, even though the next
step in the process lies with the Security AD. Paragraphs which I have
edited are distinguished by being flush left, vs. indented text
throughout the rest of the I-D. I also have a few bracketed <>,
UPPERCASE comments embedde in the text, still to be resolved.
Steve
--------------------------------------------
INTERNET-DRAFT
Guidelines for the Secure Operation of the Internet
Richard Pethia
Steve Crocker
Barbara Fraser
March 18, 1991
Status of the Memo
This draft document will be submitted to the RFC editor as an
informational document. (Editor's comment: This statement may
not be completely appropriate for this document. Guidance from
the IAB is being sought.) Distribution of this memo is unlimited.
Please send comments to spwg@nri.reston.va.us.
PREAMBLE
The purpose of this document is to provide a set of guidelines to aid
in the secure operation of the Internet. During its history, the
Internet has grown significantly and is now quite diverse. Its
participants include government institutions and agencies, academic
and research institutions, commercial network and electronic mail
carriers, non-profit research centers and an increasing array of
industrial players who are primarily users of the technology. Despite
this dramatic growth, the system is still operated on a purely
collaborative basis. Each participating network takes responsibility
for its own operation. Service providers, private network operators,
users and vendors all cooperate to keep the system functioning.
It is important to recognize that the voluntary nature of the Internet
system is both its strength and, perhaps, its most fragile aspect.
Rules of operation, like the rules of etiquette, are voluntary and,
largely, unenforceable, except where they happen to coincide with
national laws violation of which can lead to prosecution. A common
set of rules for the successful and increasingly secure operation of
the Internet can, at best, be voluntary, since the laws of various
countries are not uniform regarding data networking. Indeed, the
guidelines outlined below also can be only voluntary. However, since
joining the Internet is optional, it is also fair to argue that any
Internet rules of behavior are part of the bargain for joining and
that failure to observe, apart from any legal infrastructure
available, are grounds for sanctions.
INTRODUCTION
These guidelines address the entire Internet community,
consisting of users, hosts, local, regional, domestic and
international backbone networks, and vendors who supply operating
systems, routers, network management tools, workstations and other
network components.
Security is understood to include protection of the privacy of
information, protection of information against unauthorized
modification, protection of systems against denial of service, and
protection of systems against unauthorized access.
These guidelines encompass six main points. These points are repeated and
elaborated in the next section. In addition, an annotated bibliography
of computer and network related references has been provided at the
end of this document for use by the reader.
-----------------------------------------------------------------------
SECURITY GUIDELINES
1) Users are individually responsible for understanding and respecting
the security policies of the systems (computers and networks) they
are using. Users are individually accountable for their own behavior.
2) Users have a responsibility to employ available security
mechanisms and procedures for protecting their own data. They
also have a responsibility for assisting in the protection of the
systems they use.
3) Computer and network service providers are responsible
for maintaining the security of the systems they operate.
4) Vendors and system developers are responsible for providing systems
which are sound and which embody adequate security controls.
5) Users, service providers and hardware and software vendors are
expected to cooperate in the provision of security.
6) Technical improvements in Internet security protocols should be
sought on a continuing basis. At the same time, personnel developing
new protocols, hardware or software for the Internet are expected to
include security considerations as part of the design and development
process.
ELABORATION
1) Users are individually responsible for understanding and respecting
the security policies of the systems (computers and networks) they
are using. Users are individually accountable for their own behavior.
Users are responsible for their own behavior. Weaknesses in the
security of a system are not a license to penetrate or abuse a
system. Users are expected to be aware of the security policies
of computers and networks which they access and to adhere to these
policies. One clear consequence of this guideline is that
unauthorized access to a computer or use of a network is explicitly a
violation of Internet rules of conduct, no matter how weak the
protection of those computers or networks.
There is growing international attention to legal prohibition
against unauthorized access to computer systems, and several
countries have recently passed legislation that addresses the area
(e.g. United Kingdom, Australia). In the United States, the
Computer Fraud and Abuse Act of 1986, Title 18 U.S.C. section 1030
makes it a crime, in certain situations, to access a Federal
interest computer (federal government computers, financial
institution computers, and a computer which is one of two or more
computers used in committing the offense, not all of which are
located in the same state) without authorization. Most of the 50
states in the U.S. have similar laws.
Another aspect of this part of the policy is that users are
individually responsible for all use of resources assigned to them,
and hence sharing of accounts and access to resources is strongly
discouraged. However, since access to resources is assigned by
individual sites and network operators, the specific rules governing
sharing of accounts and protection of access is necessarily a local
matter.
2) Users have a responsibility to employ available security
mechanisms and procedures for protecting their own data. They
also have a responsibility for assisting in the protection of the
systems they use.
Users are expected to handle account privileges in a
responsible manner and to follow site procedures for the security of
their data as well as that of the system. For systems which rely
upon password protection, users should select good change passwords
and and periodically change them. Proper use of file protection
mechanisms (e.g., access control lists) so as to define and maintain
appropriate file access control is also part of this responsibility.
3) Computer and network service providers are responsible for
maintaining the security of the systems they operate.
A computer or network service provider may manage resources on
behalf of users within an organization e.g., provision of network and
computer services with a university, or it may provide services to a
larger, external community, e.g., a regional network provider. These
resources may include host computers employed by users, routers,
terminal servers, personal computers or other devices that have
access to the Internet.
Primary responsibility for security necessarily rests with
the owners and operators of the subscriber components of the
Internet, that is, host and local network administratrors. Even the
Internet infrastructure itself, e.g., regional and national level
networks, is neither centrally managed nor operated, and hence there
is no central authority for implementing or managing the security of
the Internet. Moreover, even if there were a central authority for
this infrastructure, security necessarily is the responsibility of
the owners and operators of the systems which are the primary data
storage and processing resources of the Internet, so local control is
essential.
There are tradeoffs between stringent security measures at a
site and ease of use of systems, e.g., stringent security measures
may complicate user to access the Internet. However, if a site
elects to operate an unprotected system to facillitate ease of use by
its constituents, it may expose other Internet subscribers to
increased risk of unauthorized access, by providing a platform from
which attacks may be launched while an attacker's identity is
concealed. Readers are directed to appendix A for a brief,
descriptive list of elements of good security. <REFER TO SITE
SECURITY HANDBOOK INSTEAD, THIS LIST IS PRETTY BRIEF?>
To facilitate the adoption and implementation of good security
practices at the site and network level, the Site Security Policy
Handbook Working Group is developing a handbook with guidance on
all of these matters. Sites and network operators are encouraged to
review this material and use it freely.
<SHOULD THIS RFC WAIT FOR THE SSPHWG RFC?>
4) Vendors and system developers are responsible for providing systems
which are sound and which embody adequate security controls.
A vendor or system developer should evaluate each system in terms
of security controls prior to the introduction of the system into the
Internet community. Each product (whether offered for sale or freely
distributed) should describe the security features it incorporates.
Over time, vendors should submit products for evaluation of security
functionality and assurance, as government or independent commercial
security evaluation facilities come into existance [ISF?].
Vendors and system developers have an obligation to repair
flaws in the security relevant portions of the systems they sell for
use in the Internet. They are expected to cooperate with the
Internet community in establishing mechanisms for the reporting of
security flaws and in making security-related fixes available to the
community in a timely fashion.
5) Users, service providers and hardware and software vendors are
expected to cooperate in the provision of security.
The Internet is a cooperative venture. The culture and
practice in the Internet is to render assistance in security matters
to other sites and networks. Each site is expected to notify other
sites if it detects a penetration in progress at the other sites, and
all sites are expected to help one another respond to security
violations. This assistance may include tracing connections,
tracking violators and assisting law enforcement efforts.
There is a growing appreciation within the Internet community
that security violators should be identified and held accountable.
This means that once a violation has been detected, sites are
encouraged to cooperate in identifying the violator and assisting in
law enforcement efforts. It is recognized that each site must
independently address the trade-off between securing the site as
rapidly as possible and limiting the knowledge of a penetration,
versus leaving their site open and/or exposing the fact that a
penetration has occurred. <ISN'T TRADEOFF BETWEEN CLOSING A HOLE,
INDEPENDENT OF KEEPING QUIET, VS. KEEPING HOLE OPEN TO HELP TRACK
PENETRATOR WHILE KEEPING QUIET? THIS IS NOT A GOOD WAY TO EXPRESS
THAT CONCETP> This policy does not require that a site must expose
either its system or its reputation, but sites are encouraged to
render as much assistance as they can.
6) Technical improvements in Internet security protocols should be
sought on a continuing basis. At the same time, personnel developing
new protocols, hardware or software for the Internet are expected to
include security considerations as part of the design and development
process.
The points discussed above are all administrative in nature,
but technical advances are also important. Existing protocols
and operating systems do not provide the level of security that is
desired and feasible today. Three types of advances are encouraged:
(i) Improvements should be made in the basic security mechanisms
already in place. Password security is generally poor throughout the
Internet and can be improved markedly through the use of tools to
administer password assignment and through the use of better
authentication technology. At the same time, the Internet user
population is expanding to include a larger percentage of technically
unsophisticated users. Security defaults on delivered systems and
the controls for administering security must be geared to this
growing population.
(ii) Security extensions to the protocol suite are needed. Candidate
protocols which should be augmented to improve security include
network management, routing, file transfer, telnet, mail, etc.
(iii) The design and implementation of operating systems should be
improved to place more emphasis on security and pay more attention to
the quality of the implementation of security within systems on the
Internet.
APPENDIX A
Five areas should be addressed in improving local security:
(i) There must be a clear statement of the local security policy, and
this policy must be communicated to the users and other
relevant parties. The policy should be on file and available
<IN NICs?>
to users at all times, and should be communicated to users as
part of providing access to the system.
(ii) Adequate security controls must be implemented. At a minimum,
this means controlling access to systems via passwords -- and
instituting sound password management! -- and configuring the
system to protect itself and the information within it.
(iii) There must be a capability to monitor security compliance and
respond to incidents involving violation of security. Logs of
logins and other security-relevant events are strongly advised,
<LOGIN ATTEMPTS?>
as well as regular audit of these logs. Also recommended is a
capability to trace connections and other events in response to
penetrations. However, it is important for service providers
to have a well thought out and published policy about what
<A HYPHEN OR TWO HERE?>
information they gather, who has access to it and for what
purposes. Maintaining the privacy of network users should be
kept in mind when developing such a policy.
(iv) There must be an established chain of communication and control
to handle security matters. A responsible person should be
identified as the security contact. The means for reaching the
security contact should be made known to all users and should
be registered in public directories, and it should be easy for
<ANOTHER NIC PLUG?>
computer emergency response centers to find contact information
at any time.
The security contact should be familiar with the technology and
configuration of all systems at the site or should be able to
get in touch with those who have this knowledge at any time.
Likewise, the security contact should be pre-authorized to make
a best effort to deal with a security incident, or should be
able to contact those with the authority at any time.
(v) Sites and networks which are notified of security incidents
should respond in a timely and effective manner. In the case
of penetrations or other violations, sites and networks
should allocate resources and capabilities to identify the nature
of the incident and limit the damage. A site or network cannot
be considered to have good security if it does not respond to
incidents in a timely and effective fashion.
If a violator can be identified, appropriate action should be
taken to ensure that no further violations are caused. Exactly
what sanctions should be brought against a violator depend on
the nature of the incident and the site environment. For example,
a university may choose to bring internal disciplinary action
against a student violator.
Similarly, sites and networks should respond when notified of
security flaws in their systems. Sites and networks have the
responsibility to install fixes in their systems as they become
available.
An Annotated Bibliography of
Computer and Network Security Related Documents
<THIS "ANNOTATED" BIBLIOGRAPHY CONTAINS NO ANNOTATION. I SUGGEST
THAT WHOEVER CONTRIBUTED EACH ENTRY SHOULD PROVIDE 1-2 SENTENCES
DESCRIBING THE RELEVANCE OF THE ENTRY TO THIS DOCUMENT.>
Public Laws (PL) and Federal Policies
[1] P.L. 100-235, The Computer
Security Act of 1987, + Jan.
8, 1988.
[2] P.L. 99-474 (H.R. 4718), Computer Fraud
and Abuse Act
of 1986, Oct. 16, 1986.
[3] P.L. 99-508 (H.R. 4952), Electronic
Communications
Privacy Act of 1986, Oct. 21, 1986.
[4] P.L. 99-591, Paperwork
Reduction
Reauthorization Act of
1986, Oct. 30, 1986.
[5] P.L. 93-579, Privacy Act of 1984,
Dec. 31, 1984.
[6] National Security
Decision Directive 145. +
[7] "Security of Federal Automated Information Systems", +
Appendix III of, Management of
Federal Information
Resources, Office of Management and Budget (OMB), Cir-
cular A-130.
[8] Protection of
Government Contractor
Telecommunications,
+ National Communications Security Instruction (NACSI)
6002.
Miscellaneous Documents
[9] "Summary of General Legislation Relating to Privacy and
Computer Security", Appendix 1 of, COMPUTERS and
PRIVACY: How the
Government Obtains,
Verifies, Uses and
Protects Personal
Data, GAO/IMTEC-90-70BR, United
States General Accounting Office, Washington, DC 20548,
pp. 36-40, Aug. 1990.
_________________________
+ Contained in Appendix C of Citation No. 13.
[10] Defending Secrets,
Sharing Data, OTA-CIT-310, Congress
of the United States, Office of Technology Assessment,
Washington, D.C. 20510, Oct. 1987.
[11] Electronic Record
Systems and Individual
Privacy, OTA-
CIT-296, Congress of the United States, Office of Tech-
nology Assessment, Washington, D.C. 20510, June 1986.
[12] Industry Information
Protection, Vol. I, Industry
Information Security Task Force, President's National
Telecommunications Advisory Committee, June 1988.
[13] Industry Information
Protection, Vol. II, Annex C, "IIS
Task Force Supporting Documents", (a compendium of
documents related to computer security policy), Indus-
try Information Security Task Force, President's
National Telecommunications Advisory Committee, June
1988.
[14] Industry Information
Protection, Vol. III, "Annotated
Bibliography", President's National Telecommunications
Advisory Committee, Industry Information Security Task
Force, June 1988.
[15] David A. Curry, Improving the
Security of Your UNIX
System, Report No. ITSTD-721-FR-90-21, SRI Interna-
tional, 333 Ravenswood Av., Menlo Park, CA, 94025-3493,
April 1990.
[16] G. F. Jelen, Information
Security: An Elusive Goal,
Report No. P-85-8, Harvard University, Center for
Information Policy Research, 200 Akin, Cambridge, MA.
02138, June 1985.
<KILL THIS ONE IF YOU CAN'T GET A BETTER CITATION>
[17] Agne Lindberg, Electronic
Documents and Electronic Sig-
natures, (Publisher unknown).
[18] Elain Stout, U.S. Geological
Survey System Security
Plan - FY 1990, U.S. Geological Survey ISD, MS809, Res-
ton, VA, 22092, May 1990.
<PROPOSED NEW ENTRY AND EXAMPLE ANNOTATION>
[19] Secure Systems Study Committee, Computers at Risk: Safe Computing
in the Information Age, Computer Science and Technology Board,
National Research Council, 2101 Constitution Avenue, Washington, DC
20418, December 1990. This report highlights computer and network
security concerns and urges the development of a set of generally
accepcted system security practices. It calls for the establishment
of a non-profit Information Security Foundation to perform evaluation
of computer and network security facilities of commercial products and
conduct research into security technology.craig@sics.se (Craig Partridge) (06/18/91)
Steve:
I've got a comment. I'm deeply distressed by the guidelines
which place responsibilities on the users without placing any responsibilities
on providers to notify users. In my experience, some level of "abuse" is by
users who aren't told what's correct. So I'd change item (3) from
> 3) Computer and network service providers are responsible
> for maintaining the security of the systems they operate.
to
+ 3) Computer and network service providers are responsible
+ for maintaining the security of the systems they operate
+ and for notifying users of their security policies
+ and any changes to their security policies.
Yes I know about the old saw "ignorance of the law is not a defense"
however, we have mechanisms in society at large to make people aware
of the laws they are living under (e.g. driver's tests, civics laws,
newspapers, etc.) -- we should make sure that a similar information
mechanism is available on networks. (I note that Appendix A(i) mentions
this need, but I believe it must be stated more forcefully as an integral
part of the system).
Craig