Firewall Wizards mailing list archives

Re: Policy ? (was RE: Penetration Tests)


From: "Paul D. Robertson" <proberts () clark net>
Date: Tue, 30 Sep 1997 11:06:37 -0400 (EDT)

On Mon, 29 Sep 1997, Bennett Todd wrote:

[snip]

> Now _there's_ a provocative question!
> 
> I don't have the expertise to offer any kind of general answer; I doubt many
> people have. The short answer is of course "Yes"; it might say "don't use
> the network for unofficial business", it might say "all web traffic will be
> proxied and ...". Exactly what it says will vary widely, and better closely
> reflect the specific needs of the organization --- though use of proxies is
> less likely to belong in the policy manual; that's just one way to implement a
> policy.

I'll take a stab at unraveling this puzzle.

What's being discussed here should be something like:

Usage Policy -
  
  This is where you tell users what they can and can't do within 
  the realms of their duties.  This is also where, if you're in 
  the US for sure, and hopefully elsewhere, you explicitly explain that 
  none of what they do is private.  Everyone who touches a computer on 
  your network should be made to read this (Employees, contractors, 
  vendor maintenance staff...).  

Security Policy -
  
  This is where you define for your administrators what they can 
  and can't do within the realms of their duties at a level of what
  those duties are (check logs, incident response, investigations...).  
  It's also where you define your basic stance (deny all but what's explicitly 
  accepted, etc.), and enumerate what is allowed (or denied, depending on 
  stance), as well as the criteria, metrics, and procedures for adding and 
  deleting from that list.  This document should be of a more limited 
  distribution than the above document, or split into site and user 
  sections if things like user responsibilities, password policies, and the 
  like are included.  This is also the criteria for any security audits.

Implementation Documentation - 

  This is where you name names, products, versions, IP addresses, 
  user-ids, filter rules, which logs will be checked for what info,
  and other specific implementation details.  This document should be
  distributed only to a very small set of people who 'need' it.
  
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
