To: spwg@nri.reston.va.us, ssphwg@nri.reston.va.us, psrg-interest@venera.isi.edu, saag@TIS.COM Subject: Draft Security Policy Date: Wed, 17 Oct 90 12:23:06 EDT From: Richard Pethia Dear colleagues, Below is a working draft of a proposed Internet security policy for your review and comment. Following a series of security policy working group (spwg) working meetings, Steve Crocker and I put together this draft based on our understanding of the work and inputs of the spwg members. The spwg gets the credit for the work, I'll take any blame for misunderstanding their views. Please direct your comments, criticisms, or suggestions for change to me, and use the spwg list as a discussion forum for topics you feel should be widely discussed. Thanks in advance for your interest and comments. Rich Pethia -------------------- Internet Security Policy WORKING DRAFT Richard Pethia Steve Crocker October 9, 1990 INTRODUCTION This policy addresses the entire Internet community, consisting of users, hosts, local, regional, domestic and international backbone networks, and vendors who supply operating systems, routers, network management tools, workstations and other network components. Security is understood to include protection of the privacy of information, protection of information against unauthorized modification, protection of systems against denial of service, and protection of systems against unauthorized access or use. ["access" covers unauthorized database lookup, for example; "use" covers unauthorized logging in to a system.] This policy has four main points. These points are repeated and elaborated in the next section. ----------------------------------------------------------------------- THE POLICY 1) Users are individually responsible for understanding and respecting the security rules of the systems they are using. Users are individually accountable for their own behavior. 2) Site and network service providers are responsible for maintaining the security of the systems they operate. Vendors are responsible for providing systems which are sound and have adequate security controls. Users are responsible for protecting their own data and for assisting in the protection of the systems they use. 3) Users, service providers and hardware and software vendors are expected to cooperate in the provision of security. 4) Technical improvements in Internet security protocols should be sought on a continuing basis" ELABORATION 1) Users are individually responsible for understanding and respecting the security rules of the systems they are using. Users are individually accountable for their own behavior. Users are responsible for their own behavior. Weaknesses in the security of a system are not a license to penetrate or abuse a system. Users are expected to be aware of the rules and adhere to them. One clear consequence is that breaking into computers is explicitly prohibited, no matter how weak the protection is on those computers. Another aspect of this part of the policy is that users are individually responsible for all use of resources assigned to them, and hence sharing of accounts and access to resources is strongly discouraged. Since access to resources is assigned by individual sites and network operators, the specific rules governing sharing of accounts and protection of access is necessarily left to them. 2) Site and network operators are responsible for protecting their systems. Vendors are responsible for providing systems which are sound and have adequate security controls. Users are responsible for protecting their own data and for assisting in the protection of the systems they use. Primary responsibility for security necessarily rests with the owners and operators of the components of the Internet, viz the host operators and network operators. The Internet itself is neither centrally managed nor operated, and hence there is no central authority for implementing or managing the security of the entire Internet. Moreover, even if there were a central authority, security necessarily is the responsibility of the people owning the data and systems involved, so local control is essential. There are five elements of good local security: (i) There must be a clear statement of the local security policy, and this policy must be communicated to the users and other relevant parties. The policy should be on file and available to users at all times, and should be communicated to users as part of providing access to the system. (ii) Adequate security controls must be implemented. At a minimum, this means controlling access to systems via passwords -- and instituting sound password management! -- and configuring the system to protect itself and the information within it. (iii) There must be a capability to monitor security compliance and respond to incidents involving violation of security. Logs of logins and other security-relevant events are strongly advised, as well as regular audit of these logs. Also recommended is a capability to trace connections and other events in response to penetrations. (iv) There must be an established chain of communication and control to handle security matters. A responsible person should be identified as the security contact. The means for reaching the security contact should be made known to all users and should be registered in public directories, and it should be easy for computer emergency response centers to find contact information at any time. (v) Sites, networks and vendors which are notified of security incidents should respond in a timely and effective manner. In the case of penetrations or other violations, sites, networks and vendors should allocate resources and capabilities to identify the nature of the incident, identify the violator, and limit the damage. A site, network or vendor cannot be considered to have good security if it does not respond to incidents in a timely and effective fashion. Similarly, sites, networks and vendors should respond when notified of security flaws in their systems. Vendors, in particular have a positive obligation to repair flaws in the security relevant portions of the systems they sell for use in the Internet. Sites and networks have the parallel responsibility to install fixes in their systems as they become available. To facilitate the adoption and implementation of good security practices at the site and network level, the Site Security Policy Handbook Working Group are developing a handbook with guidance on all of these matters. Sites and network operators are encouraged to review this material and use it freely. 3) Users, sites, networks and vendors are expected to provide mutual security assistance. The Internet is a cooperative venture. The culture and practice in the Internet is to render assistance in security matters to other sites and networks. A site is expected to notify other sites if it sees a penetration in progress at the other sites, and sites are expected to help other sites respond to security violations. This may include tracing connections, tracking violators and assisting law enforcement efforts. There is a growing appreciation within the Internet community that security violators should be identified and held accountable. This means that once a violation has been detected, sites are encouraged to cooperate in finding the violator and assisting in enforcement efforts. It is recognized that many sites will face a trade-off between securing their sites as rapidly as possible and limiting the knowledge of a penetration versus leaving their site open and/or exposing the fact that a penetration has occurred. This policy does not dictate that a site must expose either its system or its reputation if it decides not to, but sites are encouraged to render as much assistance as they can. 4) Technical improvements in Internet security protocols should be sought on a continuing basis" The points discussed above are all administrative in nature, but technical advances are also important. The existing protocols and operating systems do not provide the level of security that is desired or that is possible. Three types of advances are encouraged. (i) Improvements in the basic security mechanisms already in place. Password security is generally poor throughout the Internet and can be improved markedly through the use of tools to administer password assignment and through the use of better password protocols. At the same time, the user population is expanding to include a larger percentage of technically unsophisticated users. The defaults on delivered systems and the controls for administering security must be geared to this large and generally unsophisticated population. (ii) Security extensions to the protocol suite are needed. Candidate protocols which should be augmented to improve security include network management, routing, file transfer, telnet, mail, etc. (iii) Improvements in the design and implementation of operating systems to more emphasis on security and more attention to the quality of the implementation of security within systems on the Internet. GLOSSARY REFERENCES James VanBokkelen wrote a very good memo on Internet security policy. Many of the points he makes are included above, but his statement is worth reading separately. It is included here for reference. The intent is to make it a separate RFC and reference it. The Internet Oral Tradition James VanBokkelen April 2, 1990 This is a summary of the 'oral tradition' of the Internet as regards the responsibilities of host and network managers, as I understand it. 1. Basic responsibilities: The Internet is a co-operative endeavor, and its usefulness depends on reasonable behavior from every user, host and router in the Internet. It follows that people in charge of the components of the Internet MUST be aware of their responsibilities and attentive to local conditions. Furthermore, they MUST be accessible via both Internet mail and telephone, and responsive to problem reports and diagnostic initiatives from other participants. Even local problems as simple and transient as system crashes or power failures may have widespread effects elsewhere in the net. Problems which require co-operation between two or more responsible individuals to diagnose and correct are relatively common. Likewise, the tools, access and experience needed for efficient analysis may not all exist at a single site. This communal approach to Internet management and maintenance is dictated by the present decentralized organizational structure. The structure, in turn, exists because it is inexpensive and responsive to diverse local needs. Furthermore, for the near term, it is our only choice; I don't see any prospect of either the government or private enterprise building a monolithic, centralized, ubiquitous "Ma Datagram" network provider in this century. 2. Responsibilities of network managers: One or more individuals are responsible for every IP net or subnet which is connected to the Internet. Their names, phone numbers and postal addresses MUST be supplied to the Internet NIC (or to the local or regional transit network's NIC) prior to the network's initial connection to the Internet, and updates and corrections MUST be provided in a timely manner for as long as the net remains connected. In order to adequately deal with problems that may arise, a network manager must have either: A. System management access privileges on every host and router connected to the local network, or: B. The authority and access to either power off, re-boot, physically disconnect or disable IP datagram forwarding to any individual host system that may be misbehaving. For all networks, a network manager capable of exercising this level of control MUST be accessible via telephone 8 hours a day, 5 days a week. For nets carrying transit traffic, a network manager SHOULD be accessible via telephone 24 hours a day. 3. Responsibilities of host system managers: Some individual must be responsible for every host connected to the Internet. This person MUST have the authority, access and tools necessary to configure, operate and control access to the system. For important timesharing hosts, primary domain name servers and mail relays or gateways, responsible individual(s) SHOULD be accessible via telephone 24 hours a day, 7 days a week. For less-important timesharing hosts or single-user PCs or workstations, the responsible individual(s) MUST be prepared for the possibility that their network manager may have to intervene in their absence, should the resolution of an Internet problem require it. 4. Postmaster@foo.bar.baz Every Internet host that handles mail beyond the local network MUST maintain a mailbox named 'postmaster'. In general, this should not simply forward mail elsewhere, but instead be read by a system maintainer logged in to the machine. This mailbox SHOULD be read at least 5 days a week, and arrangements MUST be made to handle incoming mail in the event of the absence of the normal maintainer. A machine's 'postmaster' is the normal point of contact for problems related to mail delivery. Because most traffic on the long-haul segments of the Internet is in the form of mail messages, a local problem can have significant effects elsewhere in the Internet. Some problems may be system-wide, such as disk or file system full, or mailer or domain name server hung, crashed or confused. Others may be specific to a particular user or mailing list (incorrect aliasing or forwarding, quota exceeded, etc.). In either case, the maintainer of a remote machine will normally send mail about delivery problems to 'postmaster'. Also, 'postmaster' is normally specified in the 'reply-to:' field of locally generated mail error messages (unable to deliver due to nonexistent user name, unable to forward, malformed header, etc). If this mailbox isn't read in a timely manner, significant quantities of mail may be lost or returned to its senders. 5. Problems and Resolutions Advances in network management tools may eventually make it possible for a network maintainer to detect and address most problems before they affect users, but for the present, day-to-day users of networking services represent the front line. No responsible individual should allow their 'dumb-question' filter to become too restrictive; reports of the form "I haven't gotten any mumblefrotz mail for a week... " or "I could get there this morning, but not now..." should always get timely attention. There are three basic classes of problems that may have network-wide scope: User-related, host-related and network-related. A. User-related problems can range from bouncing mail or uncivilized behavior on mailing lists to more serious issues like violation of privacy, break-in attempts or vandalism. B. Host-related problems may include mis-configured software, obsolete or buggy software and security holes. C. Network-related problems are most frequently related to routing: incorrect connectivity advertisements, routing loops and black holes can all have major impacts. Mechanisms are usually in place for handling failure of routers or links, but problems short of outright failure can also have severe effects. Each class of problem has its own characteristics. User-related problems can usually be solved by education, but system managers should be aware of applicable federal and state law as well; Privacy violations or 'cracking' attempts have always been grounds for pulling a user's account, but now they can also result in prosecution. Host-related problems are usually resolvable by re-configuration or upgrading the software, but sometimes the manufacturer needs to be made aware of a bug, or jawboned into doing something about it; Bugs that can't be fixed may be serious enough to require partial or total denial of service to the offending system. Similar levels of escalation exist for network-related problems, with the solution of last resort being ostracism of the offending net. 6. The Illusion of Security Every host and network manager MUST be aware that the Internet as presently constituted is NOT secure. At the protocol level, much more effort has been put into interoperability, reliability and convenience than has been devoted to security, although this is changing. Recent events have made software developers and vendors more sensitive to security, in both configuration and the underlying implementation, but it remains to be demonstrated how much long-term effect this will have. Meanwhile, the existing system survives through the co-operation of all responsible individuals. Security is subjective; one site might view as idle curiosity what another would see as a hostile probe. Since ultimately the existence of the Internet depends on its usefulness to all members of the community, it is important for managers to be willing to accept and act on other sites' security issues, warning or denying access to offending users. The offended site, in turn, must be reasonable in its demands (someone who set off an alarm while idly seeing if the sendmail 'DEBUG' hole was closed on a 'sensitive' host probably should be warned, rather than prosecuted). Because Internet security issues may require that local management people either get in touch with any of their users, or deny an offending individual or group access to other sites, it is necessary that mechanisms exist to allow this. Accordingly, Internet sites SHOULD NOT have 'general use' accounts, or 'open' (without password) terminal servers that can access the rest of the Internet. In turn, the 'sensitive' sites MUST be aware that it is impossible in the long term to deny Internet access to crackers, disgruntled former employees, unscrupulous competitors or agents of other countries. Getting an offender flushed is at best a stop-gap, providing a breathing space of a day or an hour while the security holes he was attacking are closed.