CURRENT_MEETING_REPORT_ Reported by Barbara Fraser/CERT Coordination Center Minutes of the Site Security Handbook Working Group (SSH) The Site Security Handbook Working Group met twice during this IETF. The primary purpose was to decide on a final document outline and review the material that had been developed. I. Status of Writers and Sections o Introduction -- Barbara Fraser This will be written when there is a draft. o Establishing site policy -- Gary Malkin, Scott Behnke Gary has reviewed the existing section of RFC 1244 and said it fits into this document and is fairly well up-to-date o Establish procedures to prevent problems -- Nevil Brownlee Nevil was absent at the first meeting but reviewed his material at the second session. o Types of security procedures -- Peter Kossakowski Peter has reviewed Chapters 5 and 6 and rearranged them into one eliminating duplication. He found some gaps and sent the new chapter to the list. Erik Guttman will edit. o Bibliography -- Scott Behnke Scott was absent. II. Proposed Outline of Document A draft outline was shown based on list of topics from San Jose. After much discussion, a few changes were made and it was decided that the following would be our document outline. Discussion on various topics is included. Chapter 1: Introduction -- Barbara Fraser Chapter 2: Site Security Policy -- Gary Malkin Setting up accounts, keeping information about users, appropriate use, perhaps under policy as account management; needs to have an agreement with users. May want to be flexible and not recommend specific actions. A policy is also needed to remove users. It now contains sections on use of resources, responsibilities of users, and handling sensitive information. Monitoring is a policy issue and it and other legal issues should be mentioned. Legal advice cannot be given, but readers can be made aware that there are some areas where they will want to check with their legal folks on. o Account management - Creation - Management - Termination o Acceptable Use o Remote (network) access o Monitoring/legal issues Chapter 3: Security Procedures Procedures might include different types of access, authentication, backups, cryptography, system and network configurations. The group discussed the word ``access'' and potential confusion with physical access. The group also talked about dial-in/dial-out (on demand access) access, modems and terminal servers. The group wants the document to cover security problems of modems on desktops and the dangers of SLIP and PPP access. The distinction between network (e.g., TELNET) access and dial-up (modem) access was discussed. Under the topic of cryptography, export and usage restrictions, use in storage versus communications, and authentication versus secrecy are being considered. IPv6 requires cryptography. The document may mention sites outside the US where encryption can be obtained. Uri commented that RFC 1244 is not up-to-date. Encryption algorithms that might be mentioned include DES, IDEA, and public key. Home-grown solutions will be warned against. Uses of cryptography such as protecting data (storage) and communications should be covered. An in-depth section on cryptography is not wanted, and there will be a limit to how deeply to go into some aspects. The sensitive areas like monitoring and cryptography will be identified and the importance of knowing local laws will be stressed. o Authentication -- Barbara Fraser o Authorization -- Ed Lewis o Access -- ?? o Modems -- Nevil Brownlee o Cryptography (uses and methods) -- Uri Blumenthal o Auditing -- Ed Lewis o Backups -- Joe Metzger Chapter 4: Architecture o Objectives -- Phillip Nesser - Complete defined security plan - Separation of services - ``Deny all'' vs. ``Allow all'' philosophies - Identification of real needs for services o Service configurations o Network configurations -- Cathy Wittbrodt and Gary Malkin - Topology (include router placement) - Infrastructure elements (include DNS, mail hub, information servers) - Network management o Firewalls -- Jerry Anderson Chapter 5: Incident Handling - Peter Kossakowski and Erik Guttman o Preparing and planning o Notification and Point of Contacts o Identifying incidents o Handling incidents o Aftermath o Responsibilities Chapter 6: Maintenance and Evaluation -- Ed Lewis o Risk assessments o Notification of problems/events Appendix The challenge here is to provide information that will not be out of date too soon. o Tools and sites o Mailing lists and other resources and organizations - Mike Ramsey III. Review Material and Drafts Each of the writers who had submitted material addressed the group and solicited input. New drafts will be submitted to the list. All in all, the meetings were very productive and the group plans to have a draft out by the first week of May. It will not be complete but it will incorporate all the work that has been done to this point. As the items above indicate, a few able bodied writers are still needed. The group plans to meet twice in Stockholm.