Subject: N-1-4-040.33.3 Security is YOUR responsibility by Jeffrey I. Schiller As the manager of a University network, I have occasioned upon other network managers who have requested that I implement controls to limit access from my students to their network. Although on the surface this may seem like a reasonable request, let's look a little deeper. The other network manager is assuming that by placing limitations on my users, I would increase her security. Is this true? Well perhaps it is. However is the increase in security significant? The answer to this question has to be no. The Internet by its very nature is an anarchistic entity. There exists no central management authority and certainly no common operating policy. In such an environment, the network manager who attempts to protect her systems by requesting (requiring?) other network managers to take action, will have a never ending job of contacting and convincing other managers. In fact, so many new networks are being connected to the Internet every day that our paranoid network manager would be busy for the rest of her life! The first step to securing your environment, is to secure YOUR environment against outside intrusion. This isn't to say that others have no responsibility. However the security of your network is primarily your responsibility! One of the first, and perhaps most important, steps to securing your network is developing a local security policy. The purpose of the policy is to clearly present to network administrators and users, what their responsibilities are. It should define what type of behavior is acceptable and what isn't. For example a local site policy may require that passwords on systems at the site be constructed of words not locatable in a dictionary. On a policy level, the site security policy may establish various procedural as well as technical requirements on systems that handle certain types of information. For example in the U.S., Universities are required by law to handle certain student information in a secure fashion to ensure student privacy. Another important component of a security policy is a code of ethics and behavior. Although I said earlier that you are responsible for your own security, which implies that others are responsible for theirs, all sites bear a responsibility toward each other. Your users should not attempt to "break in" to other sites. Your security policy should make this clear! A security policy is also an important way for network operators to inform their users of what security measures are in place. This is important in order to set appropriate expectations on the part of the users toward the network operators. RFC1281, Guidelines for the Secure Operation of the Internet, sets out a series of six main guidelines. They are (in summary): (1) Users are individually responsible for respecting the security policy of the systems they use. (2) Users are responsible for protecting their own data. (3) Network Operators (and other related service providers) are responsible for the security of the systems they operate. (4) Vendors and developers are responsible for providing technically sound systems which embody adequate security controls. (5) Network users and operators are responsible for cooperating with each other to provide security. (6) Protocol designers should keep security in mind and strive for continued improvement. Keep in mind that the above points are not an enforceable security policy for the entire Internet. They are strictly voluntary. I encourage you to read the original RFC1281 for the exact wording of these points as well as insightful explanations and background material. RFC1244, the Site Security Policy Handbook, is also an invaluable resource to aid you in the development of not only security policies, but in the technical areas of providing good security on the network as well.