Re: Security Policy

[Fred Donck <f.c.w.donck () siep shell com>]

Wolfi,

In ch.6 of the SAGE booklet nr.2, 'A Guide to Developing Computer Policy
Documents', some useful resources are provided:

-----< Quote from the booklet >-------------

Archives and Direcories
-----------------------

COAST Security archive: archive of security related information which
include links to documents about policies, laws etc.
http:///www.cs.purdue.edu/coast/archive

IETF Internet Drafts: recent relevant works-in-progress here include an
update to the Site Security Handbook and a catalog of Internet training
material. http://www.internic.net/ds/dsintdrafts.html

SAGE Policy Archive: policy documents created using this guide I'm quoting
from. http://www.usenix.org/sage/hypertext/policies

State of Oregon vs. Randall Schwartz. Documentation on this case is
maintained by the Friends of Randal Schwartz. http://www.lightlink.com/fors

Articles, Papers & Books
------------------------

D.B. Chapman & E. D Zwicky, Building Internet Firewalls, O'Reilly &
Associates, Inc. 1995, pp. 377-392.

S. Hambridge & J.C> Sedayo, "Horses and Barn Doors: Evolution of Corporate
Guidelines for Internet Usage," USENIX LISA VII, 1993.
ftp://coast.cs.purdue.edu/pub/doc/institutional_policies/horses.ps.Z

S.E. Hanson, Legal issues: A Site Manager's Nightmare, Stanford University,
1993.
ftp://coast.cs.purdue.edu/pub/doc/law+ethics/legal_issues_site_managers_nightmare.txt.Z

P. Holbrook, J. Reynolds, RFC1244: Site Security Handbook, Internet IETF,
1991. ftp://ds.internic.net/rfc/rfc1244.txt

E. Nemeth, et al, Unix System Administration Handbook, 2nd. ed., Prentice
Hall, 1995, pp. 722-750




----< Unquote >----


Hope this helps,
Fred


Wolfgang 'Robyn' Braun wrote:
> Greetings
>
> I'm currently working here for this organisation in switzerland, one
> of my main jobs being to come up with a (hopefully reliable) firewall
> solution. So for some weeks now i read Chapman & Zwicky's book on
> firewalls, various security related newsgroups and mailing lists and
> chase every bit of information about firewall tools that i can find.
>
> That's all ok so far. I made myself familiar with the tools i want to
> use and tested them out on a subnet i set up especially for this
> purpose.
> But since i'm subscribed to firewall-wizards, i get the feeling that
> something very basic is missing, and last night i found out what it
> is: A Security Policy!
>
> You can really find tons of information on how to set up your screening
> routers, creating decent packet filter rules and setting up various
> application level proxies. But so far i didn't find any information
> on how to write a secuity policy - and i feel that it is rather important
> to have one if only to show it to the pointy haired manager.
>
> Don't get me wrong, i know what should be allowed across the firewall
> and i know how to implement it (actually i already did it on my
> private subnet) - but i really don't know how to write a security
> policy. Is there some sort of guideline on how to write a security
> policy?
>
> regards
> wolfi
>
> --
> -> Wolfgang Braun <braun () ai-lab fh-furtwangen de>
> -> http://www2.ai-lab.fh-furtwangen.de/~braun
> -> PGP Key fingerprint = F9 49 DC 2E A2 FC 5A 4C  91 70 8E AC 07 A7 27 98
> -> finger me for public key
>
>                                                   
> ---------------------------------------------------------------------
-- 
+------------------- My opinions are my own ---------------------------+
| Fred Donck                   | Voice/Fax : +31-70-311-2374           |
| Unix System Engineer         | E-mail    : fred () RealIT com (private) |
| Internet Technologist        |  f.c.w.donck () siep shell com (work)    |
+------------------------------+---------------------------------------+