Firewall Wizards mailing list archives

Re: Security Policy


From: Bennett Todd <bet () rahul net>
Date: Wed, 22 Oct 1997 04:50:12 -0700

On Mon, Oct 20, 1997 at 03:20:59PM +0200, Wolfgang 'Robyn' Braun wrote:
> [...] I get the feeling that something very basic is missing, and
> last night i found out what it is: A Security Policy! [...] I
> know what should be allowed across the firewall and i know how to
> implement it (actually i already did it on my private subnet) -
> but i really don't know how to write a security policy.

The content of a security policy need be no more than what you
say you know --- what should be allowed across the firewall. The
security policy serves two purposes: first, and critical for
firewall implementation, it documents what the firewall is supposed
to accomplish. Second, and critical for firewall _maintenance_,
it documents, either explicitly in its text, or else implicitly by
the negotiation process that created it, the rationale behind the
spec --- the justifications in terms of organizational needs and
risk exposures and implementation costs. This in turn is the source
of authority you must have when people come and ask for services
that aren't approved by the protocol, and it further implies the
appropriate steps to take to revise the policy.

But the security policy really should specify more than just the
firewall. Unless you have guards searching everyone who enters
and leaves every entrance and exit to your center; unless you
have mechanically-tamper-resistant-and-alarmed wiring systems for
all in-house telecomms; unless your in-house systems and networks
are awesomely tightly secured; unless you are a really hideously
paranoid shop --- the firewall is only there to enforce the same
rules you want to have everywhere; they are basics like ``don't
release company proprietary data to the outside world; don't corrupt
or destroy business-critical data; don't import destructive or
illegal data from the outside''. The firewall is there mostly
because without it, it's usually easy for someone _outside_ the
organization to violate your security policy unassisted. You still
really want to document the organization's security goals, and make
sure people understand them, and make sure your firewall config is
consistent with them. If you try to enforce a level of security with
the firewall, and that level is seriously inconsistent --- stricter
or more relaxed --- than the rest of the organization's security
posture, then you are doing something wrong.

> Is there some sort of guideline on how to write a security policy?

There are many. The key RFC would be 1244, the Site Security
Handbook, by the Site Security Policy Handbook Working Group.

-Bennett