
technology producer doc outline



I had the action item but we can all thank Peter Kossakowski for pulling
this outline together. Peter has also collected all the snippets of
discussions we've had on this topic and will send around pointers.

Barbara

Internet Technology Producers Guide
***********************************
To Good Security Practice
*************************



The title and the following structure were developed during the 33rd IETF in
Stockholm, Sweden, and later amended during the 35th IETF in Los Angeles,
CA. It will help us as a basis for future work. For more background please
refer to the GRIP minutes of the 33rd IETF / 35th IETF available by WWW from:

 http://www.cert.dfn.de/eng/resource/ietf/grip/grip9507.html
 http://www.cert.dfn.de/eng/resource/ietf/grip/grip9604.html

as there is more relevant information as shown in the structure.

0. Introduction
+++++++++++++++

 o purpose
 o statement of intended audience
 o basic definitions
    o vendor - entities that produce technology and are responsible for the
      technical content.
    o security bug
 o relationship to other documents
    o site security handbook (SSH)
    o IRT document (GRIP)

A. Packaging and Distribution
+++++++++++++++++++++++++++++

 o digital signatures/checksums must be available for every product
 o must have out of band verification mechanism for the signatures
 o demonstration software shouldn't require system privileges to run or there
   should be strong warnings to the site to test on a test network

B. Default Configurations
+++++++++++++++++++++++++

 o want products "secure by default" (e.g., no trust by default)
 o devices (e.g., ttys, ptys) should not be set as secure by default
 o no open accounts
 o good directory and file permission settings
 o good umask
 o minimum network services on by default
 o writable/default community strings a problem
 o locking screen savers
 o concern about default configurations of servers (e.g., ftpd open to guest)
 o concern about exported file system defaults in file sharing setups

C. Installation
+++++++++++++++

 o don't rely on default paths

D. Normal Use
+++++++++++++

 o "no further changes" mode after installation is complete
 o need to address levels of access (e.g., normal use should not provide
   full access to all resources)

E. Response to Security Problems
++++++++++++++++++++++++++++++++

 o make security patches available to anyone for lifetime of the product
   (as defined by the vendor of the product)
 o describe procedures for handling security problem reports
 o acknowledgement of publicly discussed problems

F. Support for old versions and duration of support
+++++++++++++++++++++++++++++++++++++++++++++++++++

 o describe the lifetime of a product at the time a site is considering
   purchasing it. (e.g., x number of years, or "this rev. supported until
   2 major revisions are subsequently released").

G. Documentation
++++++++++++++++

 o documentation separate from installation media (sometimes you can't get
   to the documentation until the system has been installed!)
 o provide one-stop shopping for security information including overview and
   checklists.

H. Other things
+++++++++++++++

 o trust models for files vs. trust model for net
 o network services should require authentication
 o documents with executable content should not be on - don't want surprises.