Firewall Wizards mailing list archives
Re: Security Policy
From: Bennett Todd <bet () rahul net>
Date: Wed, 22 Oct 1997 04:50:12 -0700
On Mon, Oct 20, 1997 at 03:20:59PM +0200, Wolfgang 'Robyn' Braun wrote:
> [...] I get the feeling that something very basic is missing, and last night I found out what it is: A Security Policy! [...] I know what should be allowed across the firewall and I know how to implement it (actually I already did it on my private subnet) - but I really don't know how to write a security policy.
The content of a security policy need be no more than what you say you know --- what should be allowed across the firewall. The security policy serves two purposes: first, and critical for firewall implementation, it documents what the firewall is supposed to accomplish. Second, and critical for firewall _maintenance_, it documents, either explicitly in its text, or else implicitly by the negotiation process that created it, the rationale behind the spec --- the justifications in terms of organizational needs and risk exposures and implementation costs. This in turn is the source of authority you must have when people come and ask for services that aren't approved by the protocol, and it further implies the appropriate steps to take to revise the policy.

But the security policy really should specify more than just the firewall. Unless you have guards searching everyone who enters and leaves every entrance and exit to your center; unless you have mechanically-tamper-resistant-and-alarmed wiring systems for all in-house telecomms; unless your in-house systems and networks are awesomely tightly secured; unless you are a really hideously paranoid shop --- the firewall is only there to enforce the same rules you want to have everywhere; they are basics like ``don't release company proprietary data to the outside world; don't corrupt or destroy business-critical data; don't import destructive or illegal data from the outside''. The firewall is there mostly because without it, it's usually easy for someone _outside_ the organization to violate your security policy unassisted.

You still really want to document the organization's security goals, and make sure people understand them, and make sure your firewall config is consistent with them. If you try to enforce a level of security with the firewall, and that level is seriously inconsistent --- stricter or more relaxed --- than the rest of the organization's security posture, then you are doing something wrong.
> Is there some sort of guideline on how to write a security policy?
There are many. The key RFC would be 1244, the Site Security Handbook, by the Site Security Policy Handbook Working Group.

-Bennett
Current thread:
- Security Policy Wolfgang 'Robyn' Braun (Oct 21)
- Re: Security Policy Fred Donck (Oct 22)
- Re: Security Policy Damir Rajnovic (Oct 22)
- Re: Security Policy Paul Pomes (Oct 23)
- Re: Security Policy Adam Shostack (Oct 22)
- Re: Security Policy Bennett Todd (Oct 22)
- Re: Security Policy Joseph S. D. Yao (Oct 23)
- Re: Security Policy Joseph S. D. Yao (Oct 23)
- <Possible follow-ups>
- Re: Security Policy Bill_Royds (Oct 22)
- RE: Security Policy Januszewski, Joseph (Oct 23)
- Re: Security Policy H. Morrow Long (Oct 23)
- RE: Security Policy McKenna, Joe (Oct 23)
- Re: Security Policy Bennett Todd (Oct 24)