rfc2196.txt

来自「RFC 的详细文档！」· 文本 代码 · 共 1,329 行 · 第 1/5 页

Network Working Group                                      B. Fraser
Request for Comments: 2196                                    Editor
FYI: 8                                                       SEI/CMU
Obsoletes: 1244                                       September 1997
Category: Informational


                         Site Security Handbook


Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This handbook is a guide to developing computer security policies and
   procedures for sites that have systems on the Internet.  The purpose
   of this handbook is to provide practical guidance to administrators
   trying to secure their information and services.  The subjects
   covered include policy content and formation, a broad range of
   technical system and network security topics, and security incident
   response.


Table of Contents

1.   Introduction....................................................  2
1.1  Purpose of this Work............................................  3
1.2  Audience........................................................  3
1.3  Definitions.....................................................  3
1.4  Related Work....................................................  4
1.5  Basic Approach..................................................  4
1.6  Risk Assessment.................................................  5
2.   Security Policies...............................................  6
2.1  What is a Security Policy and Why Have One?.....................  6
2.2  What Makes a Good Security Policy?..............................  9
2.3  Keeping the Policy Flexible..................................... 11
3.   Architecture.................................................... 11
3.1  Objectives...................................................... 11
3.2  Network and Service Configuration............................... 14
3.3  Firewalls....................................................... 20
4.   Security Services and Procedures................................ 24
4.1  Authentication.................................................. 24
4.2  Confidentiality................................................. 28
4.3  Integrity....................................................... 28



Fraser, Ed.                Informational                        [Page 1]

RFC 2196              Site Security Handbook              September 1997


4.4  Authorization................................................... 29
4.5  Access.......................................................... 30
4.6  Auditing........................................................ 34
4.7  Securing Backups................................................ 37
5.   Security Incident Handling...................................... 37
5.1  Preparing and Planning for Incident Handling.................... 39
5.2  Notification and Points of Contact.............................. 42
5.3  Identifying an Incident......................................... 50
5.4  Handling an Incident............................................ 52
5.5  Aftermath of an Incident........................................ 58
5.6  Responsibilities................................................ 59
6.   Ongoing Activities.............................................. 60
7.   Tools and Locations............................................. 60
8.   Mailing Lists and Other Resources............................... 62
9.   References...................................................... 64

1.  Introduction

   This document provides guidance to system and network administrators
   on how to address security issues within the Internet community.  It
   builds on the foundation provided in RFC 1244 and is the collective
   work of a number of contributing authors. Those authors include:
   Jules P. Aronson (aronson@nlm.nih.gov), Nevil Brownlee
   (n.brownlee@auckland.ac.nz), Frank Byrum (byrum@norfolk.infi.net),
   Joao Nuno Ferreira (ferreira@rccn.net), Barbara Fraser
   (byf@cert.org), Steve Glass (glass@ftp.com), Erik Guttman
   (erik.guttman@eng.sun.com), Tom Killalea (tomk@nwnet.net), Klaus-
   Peter Kossakowski (kossakowski@cert.dfn.de), Lorna Leone
   (lorna@staff.singnet.com.sg), Edward.P.Lewis
   (Edward.P.Lewis.1@gsfc.nasa.gov), Gary Malkin (gmalkin@xylogics.com),
   Russ Mundy (mundy@tis.com), Philip J. Nesser
   (pjnesser@martigny.ai.mit.edu), and Michael S. Ramsey
   (msr@interpath.net).

   In addition to the principle writers, a number of reviewers provided
   valuable comments. Those reviewers include: Eric Luiijf
   (luiijf@fel.tno.nl), Marijke Kaat (marijke.kaat@sec.nl), Ray Plzak
   (plzak@nic.mil) and Han Pronk (h.m.pronk@vka.nl).

   A special thank you goes to Joyce Reynolds, ISI, and Paul Holbrook,
   CICnet, for their vision, leadership, and effort in the creation of
   the first version of this handbook. It is the working group's sincere
   hope that this version will be as helpful to the community as the
   earlier one was.







Fraser, Ed.                Informational                        [Page 2]

RFC 2196              Site Security Handbook              September 1997


1.1  Purpose of This Work

   This handbook is a guide to setting computer security policies and
   procedures for sites that have systems on the Internet (however, the
   information provided should also be useful to sites not yet connected
   to the Internet).  This guide lists issues and factors that a site
   must consider when setting their own policies.  It makes a number of
   recommendations and provides discussions of relevant areas.

   This guide is only a framework for setting security policies and
   procedures.  In order to have an effective set of policies and
   procedures, a site will have to make many decisions, gain agreement,
   and then communicate and implement these policies.

1.2  Audience

   The audience for this document are system and network administrators,
   and decision makers (typically "middle management") at sites.  For
   brevity, we will use the term "administrator" throughout this
   document to refer to system and network administrators.

   This document is not directed at programmers or those trying to
   create secure programs or systems.  The focus of this document is on
   the policies and procedures that need to be in place to support the
   technical security features that a site may be implementing.

   The primary audience for this work are sites that are members of the
   Internet community.  However, this document should be useful to any
   site that allows communication with other sites.  As a general guide
   to security policies, this document may also be useful to sites with
   isolated systems.

1.3  Definitions

   For the purposes of this guide, a "site" is any organization that
   owns computers or network-related resources. These resources may
   include host computers that users use, routers, terminal servers, PCs
   or other devices that have access to the Internet.  A site may be an
   end user of Internet services or a service provider such as a mid-
   level network.  However, most of the focus of this guide is on those
   end users of Internet services.  We assume that the site has the
   ability to set policies and procedures for itself with the
   concurrence and support from those who actually own the resources. It
   will be assumed that sites that are parts of larger organizations
   will know when they need to consult, collaborate, or take
   recommendations from, the larger entity.





Fraser, Ed.                Informational                        [Page 3]

RFC 2196              Site Security Handbook              September 1997


   The "Internet" is a collection of thousands of networks linked by a
   common set of technical protocols which make it possible for users of
   any one of the networks to communicate with, or use the services
   located on, any of the other networks (FYI4, RFC 1594).

   The term "administrator" is used to cover all those people who are
   responsible for the day-to-day operation of system and network
   resources.  This may be a number of individuals or an organization.

   The term "security administrator" is used to cover all those people
   who are responsible for the security of information and information
   technology.  At some sites this function may be combined with
   administrator (above); at others, this will be a separate position.

   The term "decision maker" refers to those people at a site who set or
   approve policy.  These are often (but not always) the people who own
   the resources.

1.4  Related Work

   The Site Security Handbook Working Group is working on a User's Guide
   to Internet Security. It will provide practical guidance to end users
   to help them protect their information and the resources they use.

1.5  Basic Approach

   This guide is written to provide basic guidance in developing a
   security plan for your site.  One generally accepted approach to
   follow is suggested by Fites, et. al. [Fites 1989] and includes the
   following steps:

   (1)  Identify what you are trying to protect.
   (2)  Determine what you are trying to protect it from.
   (3)  Determine how likely the threats are.
   (4)  Implement measures which will protect your assets in a cost-
        effective manner.
   (5)  Review the process continuously and make improvements each time
        a weakness is found.

   Most of this document is focused on item 4 above, but the other steps
   cannot be avoided if an effective plan is to be established at your
   site.  One old truism in security is that the cost of protecting
   yourself against a threat should be less than the cost of recovering
   if the threat were to strike you.  Cost in this context should be
   remembered to include losses expressed in real currency, reputation,
   trustworthiness, and other less obvious measures.  Without reasonable
   knowledge of what you are protecting and what the likely threats are,
   following this rule could be difficult.



Fraser, Ed.                Informational                        [Page 4]

RFC 2196              Site Security Handbook              September 1997


1.6  Risk Assessment

1.6.1  General Discussion

   One of the most important reasons for creating a computer security
   policy is to ensure that efforts spent on security yield cost
   effective benefits.  Although this may seem obvious, it is possible
   to be mislead about where the effort is needed.  As an example, there
   is a great deal of publicity about intruders on computers systems;
   yet most surveys of computer security show that, for most
   organizations, the actual loss from "insiders" is much greater.

   Risk analysis involves determining what you need to protect, what you
   need to protect it from, and how to protect it.  It is the process of
   examining all of your risks, then ranking those risks by level of
   severity.  This process involves making cost-effective decisions on
   what you want to protect.  As mentioned above, you should probably
   not spend more to protect something than it is actually worth.

   A full treatment of risk analysis is outside the scope of this
   document.  [Fites 1989] and [Pfleeger 1989] provide introductions to
   this topic.  However, there are two elements of a risk analysis that
   will be briefly covered in the next two sections:

   (1) Identifying the assets
   (2) Identifying the threats

   For each asset, the basic goals of security are availability,
   confidentiality, and integrity.  Each threat should be examined with
   an eye to how the threat could affect these areas.

1.6.2  Identifying the Assets

   One step in a risk analysis is to identify all the things that need
   to be protected.  Some things are obvious, like valuable proprietary
   information, intellectual property, and all the various pieces of