Security Policies for the Internet

Stephen L. Arnold, Ph.D.

President, Arnold Consulting, Inc.

Presented 6 December 1995 at the DECUS U.S. Chapter Symposium in San Francisco, as Session SE020. Last updated 14 December 1995.

Abstract

This is an introductory, management session. The primary audience is managers of technology and technical people. Goals:

• Put the problem in context
• Cover the main terminology
• Suggest approaches for going forward
• Point out the major pitfalls

Reasons to connect (partial list):

• Access public information and code resources
• Communicate with customers, vendors, and partners
• Direct sales
• Marketing
• Internal communications

Dangers of connecting (partial list):

• Cost
• Theft of proprietary data
• Disruption of business
• Public relations problems
• Direct cost of security measures
• Lost productivity to extracurricular use

The pressure from users, top managers, and technical personal to connect to the Internet can be unbearable. You need a policy framework to replace "anything goes".

Steps to Connect to the Internet

1. Convene stakeholders
2. Assess risk probabilities and costs
3. Assess reward probabilities and benefits
4. Draft policies
5. Obtain approval of policies
6. Implement technology and procedures
7. Provide publicity and training on policies and procedures
8. Connect to the Internet

Lead with policy; support with technology!

Repeat this planning and implementation cycle at least annually.

Perhaps the most common pitfall is to begin implementing before policy is clear.

Complete Information Security

Network security is only a part of information security. Other parts include:

• Physical security
• Modem security
• Document and media management; backups
• Waste disposal
• Proprietary information training
• Password management
• Human resources practices

Security policies are not the only policies you need to safely participate in the Internet. You also need policies for:

• Privacy
• Acceptable use
• Confidential information
• Use your of organization's name and marks
• Software licensing

Inappropriate use includes misuse of company property, mischarging resources to the wrong account, misconduct, sexual or other harassment, possesion of pornographic materials, gambling, conspiracy, etc.

Policies Versus Implementation

Do not confuse policies with implementation.

Policies are:

• High level
• Technology-neutral
• Concerned with risks and rewards

A policy might specify "identities of all users accessing our network from the Internet shall be authenticated by a two-factor technique".

Implementation is:

• Detailed
• Technology-specific
• Concerned with protocols and applications

An implementation might specify "users requiring strong authentication shall be issued cryptographic security tokens" and go on to specify the brand of token and security server, all their configuration parameters, and the procedures for issuing tokens and training users.

Policy Contents

Marcus J. Ranum is the former Digital engineer responsible for the original DEC S.E.A.L. and Trusted Information Systems' Gaunlet firewalls and the T.I.S. firewall tools kit. He suggested these contents for Internet security policies to the firewalls mailing list: "

" In an ideal situation the organization in question will have a clear overall policy for proprietary information management. Internet connectivity (or any other form of connectivity!) should fall under that global umbrella, and not be treated as a special case.

" We've all seen people who are terrified of Internet, but who think nothing of dropping a T1 from their network to a quote service or wire service. All too often, I feel policies are too specific, when they should in fact be general and focused on intent rather than details.

" It's my belief that a well-crafted computer security policy will consist of several things:

1. A statement of authority and scope
2. An overview of what the organization's management sees as computing and information resources critical to the survival of the organization
3. A statement of who should read the policy and what steps are taken to make sure it is spread
4. A policy review interval (e.g.; this policy will be reviewed anually)
5. A concise explanation of what are minimal measures that management expects individuals and sub organizations to take to protect the critical resources
6. A description of how to escalate questions relating to the requirements above, what the procedure is for making decisions, and who holds responsibility for them
7. A description of how cases where the policy needs to be changed should be raised and what the procedure is for changing the policy

" In broad terms, a policy is a set of guidelines in which organizational management states the level of protections it EXPECTS to have provided on ALL mission critical computing resources. The rest, then, are implementation details. The requirements should propagate downwards, and information about how the specific implementation details meet the requirements propagates upwards as far as they need to. In general, though, the organization requirements for protection should apply equally to mainframe access, host access, network access, Internet access, dialin access, and access to trusted or untrusted business partners. "

Convening Stakeholders

Your policy task force should include empowered representatives from groups responsible for:

• Human resources
• Legal and regulatory matters
• Information systems
• Public relations
• Security
• Lines of business

Your organization's chief executive officer should understand the importance of the work of the task force and personally charge the task force and ratify its work.

Take technical leadership to devise a balanced plan!

Management Support

Management understanding and support is essential for the success of a secure Internet connection. Management must:

• Have realistic expectations on privacy, security, cost, and the capabilities of the technology.
• Understand the tradeoffs between costly but capable custom solutions and less expensive but limited turn-key products.
• Ratify the policies that trade off the cost of hazards with the cost of prevention.
• Sign off on the the up-front and continuing direct costs of security.
• Lead by example in following security policies.
• Follow through on the implementation of the other parts of the security plan.

The right consultant can sensitively train top management in these issues in ways that might be impossible for in-house staff.

Trade-Offs and Risk Assessment

Management must trade off among:

1. Level of security
2. User convenience
3. Cost

The main tradeoff is between 1 and 2. Use risk assessment to select an optimal solution for your situation.

Risk assessment would be easy if probabilities and costs were known, but they are hard to quantify.

You've lost control of the process when works like "nominal" (risk) and "unacceptable" (hazard) start to be used. Never say "never".

Network or Host Security?

Where will you manage your Internet security?

With Security in Depth, security is managed at every host. While apparently the most desirable approach, it may be unaffordable or impossible to implement.

Some elements of security-in-depth:

• Physical security
• Account management
• Password management

In general, security in depth is incompatible with distributed computing!

In a Border Defense, you maintain security at the (logical) perimeter of your network. The main problem with a border defense is that it can be bypassed. Dangers of using a border defense:

• Other hosts must still be trusted.
• Renegade connections can pop up.
• Remote logins can defeat the strategy.

For a border defense, you must make policy on what is permitted to pass through the network perimeter. Your default policy is called your security "stance". There are two possibilities:

1. Everything that is not expressedly prohibited is permitted.
2. Everything that is not expressedly permitted is prohibited.

Unless circumstances force you into it, never use stance 1!

Permitted Applications

Given your stance, what are the exceptions? These are the rules that must be frequently reviewed in the light of business and technological changes.

For an "everything prohibited by default" border defense, here is a useful policy starting point for many large businesses:

• No IP packets shall be routed between our network and the Internet.
• Mail shall be relayed in both directions. The stated origin of mail shall be trusted only if it is strongly authenticated. Confidential mail shall be strongly authenticated and encrypted.
• Domain name service queries from our network and DNS responses from the Internet shall be relayed. Only authorized perimeter systems on our network shall be visible to Internet domain name service clients. Only authorized systems shall relay queries.
• Terminal (TELNET) sessions originating within our network may be relayed to the Internet.
• File transfer protocol (FTP) sessions originating within our network may be relayed to the Internet.
• World-Wide Web (WWW) sessions originating at clients within our network may be relayed to WWW servers on the Internet.
• Authorized news servers on our network may exchange articles with authorized news servers (feeds) on the Internet. Articles from internal groups shall not be sent to the Internet.

If you adopt policies as restrictive as this set, you will be under pressure to expand the list of permitted applications.

Demand that users obtain individual, commercial accounts from Internet access providers for their non-business use, such as small business activities, personal correspondence, list participation, and Web surfing.

You will eventually be pressured into supporting:

• Inbound TELNET access
  Require strong authentication and prohibit the transmission of multiuse passwords and confidential data.
• Line-of-business applications
  Require company Web servers to be strongly secured and located outside the secure network perimeter.
  Require other line-of-business applications to use firewall relay services and undergo design review by information systems and security groups.

This session discusses only the TCP/IP protocols, the most common protocols used on the Internet. Others are:

• Not suitable for wide area networks,
• Don't scale up well to global networks,
• Are not so widely deployed, or
• Have performance and security characteristics that are not as well understood.

Recommendation: Do not use other protocols through your firewall or over the Internet without adequate in-house expertise. This suggests the policy:

• Only TCP/IP-based applications shall be considered for relaying between our network and the Internet.

Restriction to TCP/IP applications is a good thing. You're designing a firewall, not an access server!

Implementations

Many technical managers are sent shopping for firewalls without defined Internet security policies.

The key quality attribute of an Internet firewall is that it cost-effectively implements your policies, now and in the future.

The cost of a firewall configuration should be evaluated on a life cycle basis, as on-going costs will dwarf initial costs.

Firewalls are usually built from:

• Bastion hosts
• Routers

Bastion host software includes:

• Packet relays
• Circuit relays
• Application relays (proxy servers)
• Support software

Bastion hosts are built to withstand direct exposure on the Internet:

• Strong, trusted operating system
• Source code available for all software
• Expertise in-house on all software
• Minimal code for all services
• No user accounts
• All available security measures enabled
• All available logging enabled
• Strong physical security
• No reusable passwords
• No unneeded files or tools
• Restricted network access
• Modification detection software
• Rigorous change control procedures
• Around-the-clock monitoring
• Around-the-clock access to expert managers

Bastion hosts provide general purpose platforms to run software that can implement any security policy.

Routers

IP routers relay packets between the networks that make up the Internet. Most routers can be configured to provide limited security by dropping ("screening") packets based on source or destination:

• interface,
• IP host address,
• IP network number,
• protocol (TCP or UDP), and/or
• port number

Routers provide platforms to run router vendor software to implement security policies that can be enforced by screening IP packets.

• Screen or forward packets at OSI layer 3
• Controlled by an OSI layer 7 application
• No application awareness
• Screening bridges also used, at OSI layer 2
• Must also be fortified against network vandals

Application relays:

• Also called "proxy servers"
• Terminate TCP connections in OSI layer 7
• Performs application-specific tests

Circuit Relays

• Relay TCP payload between two connections at OSI layer 4
• Controlled by an OSI layer 7 application
• Usually have no application awareness
• Similar function to packet screen permit rules
• Offer multiple layers of protection
• Failure modes are safer than packet filters
• Used to connect well known, well managed hosts
• Example: TIS Firewall Toolkit plug-gw

A bastion host can support application relays, circuit relays, and packet filtering in any combination. Routers can only be packet filters.

Firewall Topologies: Screened Subnet and Bastion Host(s)

The Web version of this presentation does not include figures at this time.

Firewall Topologies: Screened Subnets and Dual-Homed Bastion Host(s)

The Web version of this presentation does not include figures at this time.

Firewall Recommendations

For the strongest firewalls, routers are relegated to guarding bastion hosts agains spoofing attacks.

Multiple bastion hosts can be used for:

• Fault tolerance
• Load sharing
• Separation of servers and users

For operating system, use what you know!

• UNIX or similar (LINUX, BSD OS, etc.)
• OpenVMS
• Windows NT Server?

Key factors for choosing an operating system:

• Vendor support
• Availability of source
• In-house expertise

1. Educate yourself. (See Selected Resources.)
   Read the Site Security Handbook.
   Join the mailing lists.
   Buy and read the books.
   Review the sample policies.
   Configure a packet screen.
   Evaluate packaged solutions or
   Obtain and build the publicly available tools.
2. Educate management and obtain support.
3. Propose alternative policies with probable outcomes.
4. Recommend policy choices and implementation.
5. Obtain an external review from a trusted expert.
6. With expert help, if required, proceed with implementation.

Chapman and Zwicky, "Building Internet Firewalls", O'Reilly and Associates, 1995, ISBN 1-56592-124-0, $29.95. (800) 889 8969, facsimile +1 707 829 0104, order@ora.com, or http://gnn.com/gnn/bus/ora/item/fire.html.

Cheswick and Bellovin, "Firewalls and Internet Security - Repelling the Wily Hacker", Addison Wesley, 1994, ISBN 0-201-63357-4. $26.95. (800) 824 7799, facsimile +1 617 944 7273, or http://www.aw.com/cp/Ches.html.

Curry et al., Site Security Handbook, For Your Information 8 (currently Request for Comments 1244), 1991. ftp://ds.InterNIC.Net/rfc/rfc1244.txt.

Did you ever offer to give a talk and later discover that there is a definitive work that covers the subject better than you ever could? The Site Security Handbook is such a work!

Garfinkel and Spafford, "Practical UNIX Security", O'Reilly and Associates, 1991, ISBN 0-937175-72-2, $29.95. (800) 889 8969, facsimile +1 707 829 0104, order@ora.com, or http://gnn.com/gnn/bus/ora/item/pus.html.

Selected Resources: Mailing Lists

The Internet firewalls mailing list is a forum for firewall administrators and implementors. To subscribe to Firewalls, send "subscribe firewalls" in the body of a message (not on the Subject line) to MajorDomo@GreatCircle.Com. Archives of past Firewalls postings are available for anonymous FTP from ftp.greatcircle.com in pub/firewalls/archive or browse gopher://all.net/11/FireWalls.

A more specialized list is academic-firewalls@net.tamu.edu. Subscribe by sending mail to MajorDomo@net.tamu.edu. It focuses more on university-specific policies than technology.

The Computer Emergency Response Team provides alerts of vunerabilities in both vendor and freely available software and maintains an FTP site: cert@cert.org, facsimile +1 412 268 6989, emergencies +1 412 268 7090.

Selected Resources: Sample Policies

• http://www.eff.org/pub/CAF/policies/
• http://www.vt.edu/policies.html
• http://www.crpht.lu/CNS/html/PubServ/Security/documents.html
• http://isse.gmu.edu/~gmuisi
• http://hightop.nrl.navy.mil
• http://csrc.ncsl.nist.gov

For pointers to more information, browse http://www.access.digex.net/~bdboyle/firewall.vendor.html , maintained by Catherine Fulmer, cfulmer@pnc-pimc.com.

Remember, the quality attribute of a commercial firewall is how well it allows you to implement your policy. You must have a policy before you attempt to evaluate these offerings!

Thank you!

Stephen L. Arnold, Ph.D., President

Arnold Consulting, Inc.
2530 Targhee Street, Madison, Wisconsin 53711-5491
Telephone: +1 608 278 7700
Facsimile: +1 608 278 7701

Stephen.L.Arnold@Arnold.Com
http://WWW.Arnold.Com

Back to the Arnold Consulting Welcome Page