-
Security Policy
1. Purpose
This regulation establishes minimum security requirements for the use of the Internet by Accessway.net. This regulation is not written to restrict the use of the Internet, but to ensure that adequate information is in place to protect Accessway.net and its client systems from intruders, file tampering, break-ins and service disruption.
2. Background
In the late 1960s, the Department of Defense (DOD), designed and implemented the ARPAnet network for the exchange of defense industry research information worldwide. TCP/IP was the protocol developed, and UNIX was the platform.
The National Science Foundation (NSF) needed a network also to interconnect their supercomputers and exchange academic research information, so they built their own, but followed the DOD standards. They called their network NSFNET.
The Internet consists of many worldwide, independent networks that allow interconnection and transmission of data across the networks, because they follow the same basic standards and protocols and agreed-upon Internet etiquette with "No central authority." Each user organization pays for its own piece of the network.
Motivated by developments in high-speed networking technology and the National Research and Education Network (NREN) Program, many organizations and individuals are looking at the Internet as a means for expanding their research interests and communications. Consequently, the internet is now growing faster than any telecommunications system thus far, including the telephone system.
New users of the Internet may fail to realize, however, that their sites could be at risk to intruders who use the Internet as a means of attacking and causing various forms of threat. Consequently, new Internet sites are often prime targets for malicious activities, including break-ins, file tampering, and service disruptions. Such activities may be difficult to discover and correct, may be highly embarrassing to the organization, and can be very costly in terms of lost productivity and compromised data integrity.
All Internet users need to be aware of the high potential from threat from the Internet and the steps they should take to secure their sites. Many tools and techniques now exist to provide sites with a higher level of assurance and protection.
3. Abbreviations
- ARPAnet - Advanced Research Projects Network
- DMS - Demilitarized Zone
- DOD - Department of Defense
- FTP - File Transfer Protocol
- LAN - Local Area Network
- NFS - Network File System
- NIST - National Institute of Standards and Technology
- NREN - National Research and Education Network
- NSF - National Science Foundation
- OSI - Open System Interconnect
- TCP - Transmission Control Protocol
- TCP/IP - Transmission Control Protocol/Internet Protocol
4. Policy
The responsibility for protecting Accessway.net resources on the Internet is the responsibility of the Network Services Department. The minimum requirements of this regulation are:
- All Accessway.net staff that plan a gateway to the Internet are responsible for funding, implementing, and maintaining the prescribed protection, including devising and implementing a comprehensive risk management program.
- Departments and staff will access and Internet only through the Accessway.net Internet Access Network.
- Server-based security will be the primary method of protecting Accessway.net systems. However, many server-based security software security packages cannot be trusted to protect us from the Internet because of their vulnerability to denial-of-service attacks.
- Due to inherent weaknesses in
certain Internet telecommunications services and cumbersome aspects
of some security packages, many sites will find that the most
practical method of securing access to systems from the Internet
is to use a secure gateway or a firewall system. Accessway.net
will perform risk assessments to determine where firewalls, smart
cards, or authentication tokens will be most suitable. In particular,
Accessway.net will:
- Use firewalls and/or packet filters on the local routers when the system uses TCP/IP.
- Configure firewalls with outgoing access to the Internet, but strictly limit incoming access to Accessway.net data and systems by Internet users.
- Apply the DMZ concept as part of the firewall design.
- Firewall compromises will be potentially disastrous to subnet security. For this reason, Accessway net will, as far as is practical, adhere to the following listed stipulations when configuring and using firewalls:
- Limit firewall accounts to only those absolutely necessary, such as the administrator. If practical, disable network logins.
- Use smartcard or authentication tokens to provide a much higher degree of security than that provided by simple passwords. Challenge-response and one-time password cards are easily integrated with most popular systems.
- Remove compilers, editors, and other program development tools from the firewall system(s) that could enable a hacker to install Trojan horse software or backdoors.
- Do not run any vulnerable protocols on the firewall such as TFTP, NIS, NFS, or UUCP.
- Consider disabling finger command. The finger command can be used to leak valuable user information.
- Consider not using the e-mail gateway commands which can be used by crackers to probe for user addresses.
- Do no permit loopholes in firewall to allow friendly systems or users special entrance access. The firewall should not view any attempt to gain access to the computers behind the firewall as friendly.
- Disable any feature of the firewall that is not needed, including other network access, user shells, applications and so forth.
- Turn on full-logging at the firewall and read logs weekly at a minimum.
- No Accessway.net computer or subnet that has connections to the Internet can house private or sensitive information without the use of firewalls or some other means to protect the information.
- All software available on the Internet must be scanned for Trojan horses or computer viruses once it has been downloaded to an Accessway.net computer.
- Mandatory vulnerability and risk assessment of existing gateways is required at annual intervals. Initial assessment should be completed within nine (9) months of the issuance of this policy. Weekly or monthly reviews of audit trails of gateway software and firewalls should be conducted for breaches of security.
- Accessway.net sponsored Internet connections are to be used for official Accessway.net company business.
- Host computers should be regularly scanned to ensure compliance with Information Technology Systems security guidelines.
5. Responsibilities
The Security Officer
- Develops, coordinates, implements, interprets, and maintains Internet security policies, procedures, and guidelines for the protection of Accessway.net information system resources.
- Reviews Accessway.net Internet security policy.
- Determines adequacy of security measures for systems used as gateways to the Internet.
- Ensures that Accessway.net conducts periodic information systems security risk assessments, security evaluations, and internal control reviews of operations Accessway.net Internet gateways and facilities.
Installation of a firewall or any sort of gateway will require the Security Officer to:
- Devise and implement a comprehensive risk management program that assures that security risks are identified, considered though the development of cost-effective security controls. The risk management system will include a service access policy that will define those services that will be allowed or explicitly denied from the restricted network, how these services will be used, and the conditions for exception to this policy.
- Another part of the risk management system will be a firewall design policy. This policy relates precisely to firewalls and defines the rules used to implement the service access policy.
- Internet security plans shall be submitted annually with the Accessway.net security plans for review and approval. The guidelines governing the submission of these plans should comply to the Internet Security Plan.
- Perform risk analysis to identify the risks associated with the Internet both for individual users and departments. Cost-effective safeguards, identified in the risk analysis process will be implemented and continually monitored to ensure continued effectiveness.
The Accessway.net Network Services department should be responsible for developing, testing, and maintaining Internet contingency plans. The risk involved with using the Internet makes it essential that plans and procedures be prepared and maintained to:
- Minimize the damage and disruption caused by undesirable events.
- Provide for the continued performance of essential systems functions and services.
- Develop, install, maintain, and regularly review audit trails for unusual system activity.
- Fund, implement, and maintain the prescribed protective features identified as a solution by a risk assessment.
The Security Officer is responsible for:
- Implementing the policy stated in this directive.
- Developing audit trails for any Accessway.net network connected to the Internet.
- Reviewing and monitoring activity audit trails on the Internet connections.
6. Non-Compliance
All users of data and systems are responsible for complying with this Internet systems security policy as well as procedures and practices developed in support of this policy.
Anyone suspecting misuse or attempted misuse of departmental information systems resources is responsible for reporting such activity to their management or the Security Officer or Director of Network Services.
Violations of standards, procedures, or practices in support of this policy will be brought to the attention of management for action, which will result in disciplinary action up to and including termination of employment.
7. References
Adapted from material in Firewalls Complete by Marcus Goncalves, McGraw-Hill, New York, 1998.
NIST CSL Bulletin, July 1993, NIST. Connecting to the Internet: Security Considerations.
