CURRENT_MEETING_REPORT_

Reported by Barbara Fraser/CERT Coordination Center

Minutes of the Site Security Handbook Working Group (SSH)

Agenda

   o Discuss and decide which document to develop first
      - Site Security Handbook for System and Network Administrators
      - Site Security Handbook for Users
   o Create editorial board
   o Begin development of the first document

Discussion

There was considerable discussion about the two site security documents. There were mixed feelings about which document to create first, as well as whether to create the documents in parallel or serially. One point was made that even though it is incomplete and dated, system and network administrators have RFC 1244 but users have nothing, hence work should begin with the users' document. Another point of view was that the system and network administrators' document would produce information that could then quickly be adapted to the user.

After more discussion, it was generally decided that they should be created serially because there are not enough writers to create them in parallel. However, as material is developed for the first document, pieces will be saved that are thought to be suitable for the second document. It was decided that the group would begin with the Site Security Handbook for System and Network Administrators.

Editorial Board

In order to produce a new document in a reasonably short period of time, it will be necessary for a number of people to write small sections. These will then be merged to produce the completed document. It was acknowledged that significant editorial work will be needed in order to produce a document that reads as if a single person had written it. The following people have offered to be on the editorial board: Barbara Fraser, Gary Malkin, Uri Blumenthal, Jules Aronson, Nevil Brownlee and Erik Guttman.

Procedure for Creating the Document

The group discussed how they would go about the process of creating a new document and decided on the following steps:

   A. Split up RFC 1244 into pieces and categorize contents
   B. Identify list of topics and writing assignments
   C. Update reference RFCs (Joyce Reynolds)
   D. Create outline
   E. Create draft

The purpose of activity ``A'' is to 1) review a chapter of the current RFC, 2) decide whether it (and its subsections) applies to system/network administrators or end users, or both, and 3) tag the pieces with topics. This will make it easy for writers to identify the pieces that pertain to their areas. This activity will result in two lists, one for each document. Each entry in a list should be a ``chapter.section'' followed by the topics related to it. The following people volunteered to help:

+---------------------------------------+--------------------------------------+
| Chapter                               | Volunteer(s)                         |
+---------------------------------------+--------------------------------------+
| Introduction                          | Barbara Fraser                       |
| Establishing Site Policy              | Gary Malkin, Scott Behnke            |
| Incident Handling                     | Klaus-Peter Kossakowski              |
| Establishing Procedures to            | Nevil Brownlee                       |
|   Prevent Security Problems           |                                      |
| Types of Security Procedures          | Nevil Brownlee                       |
| Establishing Post-Incident Procedures | Klaus-Peter Kossakowski, Gary Malkin |
| Bibliography                          | Scott Behnke                         |
+---------------------------------------+--------------------------------------+

The group began activity ``B'' by creating a list of topics from the current document as well as from those mentioned at the BOF held at the Toronto IETF. This list is a beginning and the group acknowledged that some additions may be needed as time goes along.
The list of starting topics along with volunteer writers is included below. Occasionally specific, narrow subjects came up that were not complete sections in and of themselves. So that they do not get forgotten, they have been explicitly mentioned below, under one of the topic areas. Topics with no assigned writer have `???' in the author field. The writer's job is to take existing RFC 1244 material and modify it to meet today's needs. This may include adding or deleting, or otherwise changing the content.

+----------------------------------------+--------------------------------+
| Topic                                  | Writer(s)                      |
+----------------------------------------+--------------------------------+
| Policy                                 | Gary Malkin                    |
| Passwords                              | Barbara Fraser                 |
| Network Configuration                  | Cole Libby                     |
| System Configuration                   | Jules Aronson                  |
|   (this topic should include DHCP and  |                                |
|   backups as well as other topics)     |                                |
| Firewalls                              | Cole Libby                     |
| Incident Response                      | Klaus-Peter Kossakowski,       |
|                                        | Erik Guttman                   |
| Access                                 | Sepi Boroumand, Nevil Brownlee |
|   (this topic should include modems    |                                |
|   and other external access methods    |                                |
|   along with other topics)             |                                |
| Post Incident Processing               | ???                            |
|   (including issues relating to        |                                |
|   backups)                             |                                |
| Cryptography                           | Uri Blumenthal                 |
| Available Security Technology          | ???                            |
|   (applications - tools)               |                                |
| Threats/Risks/Asset Identification     | ???                            |
| Training *                             |                                |
| Protecting the Infrastructure          | Gary Malkin                    |
+----------------------------------------+--------------------------------+

* The group will not include training at this point other than a mention of the need for training in the Introduction. The relationship between administrators and end users will need to be described.

Goals and Milestones

By the end of January, the group will have topics from RFC 1244 separated into lists and have a draft outline for the system administrators' handbook. Two weeks before the April IETF, draft sections will be completed by the authors and merged into a first Internet-Draft. At the April IETF, there will be a detailed review of the draft sections and a review of overall document content (including identification of holes).

Miscellaneous

The group agreed that they want to create a checklist to accompany the system administrators' handbook as an appendix.

The group discussed the users' handbook and decided that it must be short and easy to read. The notion of a pamphlet containing a bulleted list was discussed. It was also decided that the group needs to ensure that the document provides something directed to users who have machines on their desks that are configured with a network protocol stack. These users need to be made aware of the additional issues like: running servers, attaching modems, bringing up SLIP/PPP connections, etc.

Housekeeping

There will be several lists maintained on the archive area: list of topics for the Site Security Handbook for System and Network Administrators, list of topics/bullets for the Site Security Handbook for Users, and writing assignments.

Next IETF

The group plans to schedule two back-to-back sessions to review each section of the draft document.