Barbed Wire Network Security Policy 27 June 2005 7
How to develop a Security Policy
By : Khawar Nehal
Seminar on Network Security
Sponsored by BarbedWire
27 June 2005
What is a security policy?
Email and web filtering
Approaches to Policy Development
ACL management based on Policies
What is a Security Policy?
Organizations usually have unwritten policies.
These are known as tacit policies.
Formal Security policy development requires
understanding authority, scope, expiration,
specificity and clarity.
Developing and implementing such policies is
What it does.
A security policy establishes what must be done
to protect information stored on computers. A
well written policy contains sufficient definition
of “what” to do so that the “how” can be
identified and measured or evaluated.
The big deal of “access control”
The problem is that the “network” is designed
and expected to provide access.
The lack of control allows people to do things
which result in losses or destruction of an
organization's valuables.
The big deal of “access control”
Access pertains to accessibility, providing
services, performance, and ease of use.
Control focuses on denial of unauthorized service
or access, separation, integrity and safety.
IT Security Policies
IT security policies (including network security
policies) are the foundation, the bottom line, of
information security within an organization. As
such, it is well worth considering a few questions
with respect to them:
Are they comprehensive enough?
Are they up to date?
Do you deliver them effectively?
Example Policy Brief
Each employee of the organization is
responsible for the security and protection of
electronic information resources over which
he or she has control.
Before and Now.
Before, people used to think that one policy existed,
which was:
Everything is denied except that which is
Everything is permitted except that which is
Looks like an ACL, doesn't it?
The real policy which exists is as follows:
Everything is denied except that which is
specifically permitted or that which gets in
Fragmented packets do not have port numbers in
A simple firewall cannot decide whether to accept
In such ambiguous cases a firewall can
Consult the state table to see if the fragment is
part of an existing connection.
Buffer the fragment to complete the IP packet
Let the fragment through and rate-limit such
packets to reduce DoS attack possibilities.
If outbound ICMP unreachables are disabled
then let the fragment through.
Drop the packet and make the sender retransmit.
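The fragment dilemma above in code: an added example (not from the seminar) showing why a later fragment carries no port numbers and how a firewall can fall back on its state table (option 1) or drop for retransmission (option 5). The packet builder, the set-based state table and the 40000 source port are constructed for the illustration.

```python
import struct

MF_FLAG = 0x1  # "More Fragments" bit in the IPv4 flags field

def build_ipv4(src, dst, ip_id, offset8, more, dst_port=None):
    """Build a constructed IPv4 packet; a TCP header is added only when dst_port is given."""
    flags_frag = ((MF_FLAG if more else 0) << 13) | (offset8 & 0x1FFF)
    payload = struct.pack("!HH", 40000, dst_port) if dst_port is not None else b""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                       flags_frag, 64, 6, 0,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split("."))) + payload

def parse_ipv4(pkt):
    """Extract the fields a firewall needs from a raw IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    _, ip_id, flags_frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    more = bool((flags_frag >> 13) & MF_FLAG)
    offset = (flags_frag & 0x1FFF) * 8    # fragment offset is in 8-byte units
    ports = None
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])   # only the first fragment has them
    return {"src": src, "dst": dst, "id": ip_id, "offset": offset,
            "more": more, "ports": ports}

def decide(pkt, state_table, allowed_ports):
    """Return 'accept' or 'drop'; state_table is a set of (src, dst, ip_id)."""
    f = parse_ipv4(pkt)
    key = (f["src"], f["dst"], f["id"])
    if f["offset"] == 0:
        # First fragment (or an unfragmented packet): the port is visible,
        # so the normal port-based rule applies.
        if f["ports"] and f["ports"][1] in allowed_ports:
            if f["more"]:
                state_table.add(key)   # remember the datagram for its later fragments
            return "accept"
        return "drop"
    # Later fragment: no port numbers at all. Consult the state table
    # (option 1 on the slide); otherwise drop so the sender retransmits (option 5).
    return "accept" if key in state_table else "drop"
```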
Firewall GUIs may look simple.
However there is a large amount of complexity
underneath the simple looking interface.
Sometimes we may be granting access when we
are thinking we are applying control.
These cases are called unenforceable policies.
In the mainframe days there used to be policies
like: “no personal use of the organization's
Since 1985 and the era of distributed network
computing, such policies have become
You are working on a document and you check
an email then you see that someone sent you a
greeting card. You visit the card site or find
something interesting on google. You forget the
document for over an hour.
The policy is written but can not be enforced.
Problems with such policies
If you have an unenforceable administrative
policy, then people are encouraged to ignore or
push the rules.
In fact one reason why cracking is so prevalent is
that any laws against it are virtually
unenforceable, especially because many courts
have ruled that the reconnaissance phase,
scanning, is legal.
Report all virus infections.
Usually a virus is cleaned and people get on with
life without bothering to report it.
With automated monitoring tools the reports can
go from seven manual reports per year to more
than a thousand automated reports.
Unusual user questions
What if my wife sends me an email? Is it okay to
read it?
Can I check my stocks at lunch ?
Due to such questions, something called a limited
personal use policy is created.
Basically this limited use policy states things like
You may use the computers for personal use.
BUT: Do not ask. Do not tell. Do not send chain
letters, do fundraising, or pass files which cause
useless discussions to start.
Client Side content filters have matured but
require a subscription.
Proxy server based content filters are a better
Back to centralization
A lot of the problems arising out of pervasive
computing come from the fact that many computers are running
Administrators are reluctant to monitor such a
large number of computers.
Back to centralization
By centralizing the servers to web based
software, email clients, groupware and also
using Terminal servers with centralized
computing, the problem of unenforceable policies
is reduced dramatically.
A web Based central mail server either hosted in
the company or in a third party offers a deterrent
because all employees know that their email can
Filtering non company email is easy because
there is only one domain.
Domains like yahoo and hotmail can be blocked.
Email is a very large leak of important
This is mainly due to the fact that most
companies do not clearly state that giving
information out is an offence. New people
entering the workforce are used to copyright
violations and do not think of sharing such
information as an offence.
Before an employee has finished his or her tea,
they shall attach any file you request them to and
never remember that they sent the file.
Outlook is a user friendly program which accepts
email from anyone and runs any code embedded
just by reading the email. You do not need to
double click an attachment.
HTML Aware Email Clients
Companies currently still allow the use of HTML
aware macro extendable programs such as
What is required are programs which do not
download and execute HTML code whenever an
email is received.
Hardly any organization has the need for such
Gmail provides the best example of client side
Their email software is web based and feels like a
local email client for more than 90% of the
No viruses are possible automatically because the
HTML is opened by server side software.
Client Side Backups
Administrators usually backup their servers and
in an emergency or drill situation do not bother
about data on the client machines.
Examples are: the contact list on the marketing
manager's hard disk or the top management's
People move data on floppies, CD-RWs, tapes,
flash drives, even hard disks.
Companies usually have a policy that states that
all media needs to be declared, however random
spot checks are rarely done in such places.
The example of credit card data lost by Bank of America
on UPS routes exemplifies the need for
encryption of backups.
Business continuity requires response times less
than the usual 3 to 5 hours for cold sites to come
Modems can breach security.
Monitoring of analog lines is tough.
Monitoring the digital lines is better.
Even the serial port monitor which is cost
effective can be fooled by XON/XOFF
Beware of hardware keyloggers disguised as
Content filtering in the proxy server prevents
access to denied sites.
If thin clients are used then http tunnels and DNS
tunnels are possible but easily monitorable.
Also http tunnels shall be intentional.
Virus management and spyware shall be reduced
dramatically because the servers shall be
monitored by the administrators very carefully.
Usually heavy work can be done on Linux based
servers while other clients can use VNC or other
terminal server protocols like RDP.
As requirements change, policies change to meet
Sooner or later the firewall or content filtering
managers shall have a controversy as to what to
allow or deny.
To avoid this problem updated, approved and
signed policies need to be circulated to the ACL
The scope of information security is not organization wide.
Some noncentral information systems may not be well managed
Some third party systems are not appropriately protected
(Example TCS terminals or other service providers terminals)
Information security for personal computers is weak
Insufficient resources are focused on information security
Policy development is not receiving sufficient attention
There are many approaches to developing
The recommended method these days is a risk
Risk Based Approach
In the risk based approach :
We identify the risk
Communicate what is learned to upper
Update or create the security policy
Figure out how to measure compliance to the
What data from a different source used by the
organization shall really hurt if it was not
Find out what the Internet is currently
being used for. This needs to be done quietly.
Since there is no policy, the users are not doing
Keep the users calm.
Explain to the users that you are simply trying to
establish a baseline and not get anyone into
When some users ask why they need to follow a
policy, then a written, signed and dated policy
from upper management is all it takes to get most
people to accept the idea that things need to be
done slightly differently.
Rule number one of explaining things to upper
You need to realize that they do not understand
the obvious differences between ATM & ATM or
DOS & DOS & DDOS.
Keep the communication simple, balanced and
Avoid Individual Attacks
In the presentation do not mention any person by
name. Management may take that as a personal
attack and dismiss all that you have researched.
Keep the tone general.
Provide problems found and implications.
Provide examples where financial losses were
Provide the management options for managing
It is probably better to use more than one
antivirus software on the mail server.
If management decides to buy only one then
provide enough information for them to be able
to make a reasonable choice.
Do not present as a discussion only.
Provide a written copy to everyone involved in
Hire an information security director to lead the organization wide
efforts to raise information security readiness.
Develop and implement an information security plan
Develop effective working relationships with
– other central offices
– all branches,
– Suppliers and vendors being interfaced with.
– Assist branches in benefiting from what has already been
accomplished at other branches.
– Develop an organization wide information security forum for
information sharing and solution seeking
Software systems fail to
adequately address security
and privacy issues during
analysis & design.
Difficult to apply traditional software
requirements engineering techniques to systems
– policy is continually changing the need to respond to
the rapid introduction of new technologies which may
compromise those policies
– increasing external pressure to publicize one’s
information and security practices
Government now requires compliance with laws (e.g. Statebank
Banking Regulations, WTO, Basel II)
Addressing the Problem
– Use effective approaches to ensure security
and privacy requirements coverage
– apply scenario analysis and goal-driven analysis strategies
– perform risk and impact assessments to ensure system requirements align
with organizational policies
– analyze security and privacy policies
– ensure compliance with governing laws
Goal and scenario analyses offer methodical and systematic
approaches both for formulating policy goals and guaranteeing
that a system’s requirements are in compliance with these
policies and users’ values.
Common Policy Problems
Nonconformance to “standard”
– Organisation for Economic Cooperation & Development
– Federal Trade Commission
– State Bank Regulations.
– Fair Information Practices
Ambiguity and misplaced trust
– Policies are difficult to find/interpret
– Failure to implement policy
– Inconsistencies are common
– Security policies
– Privacy policies
– Use heuristics to cross-compare requirements, privacy policies and security
policies to identify and resolve conflicts and ambiguities
Helps identify inconsistencies across requirements and policies
– Requirement: Use PII to complete transaction
Potential Relationships and Conflicts
General Relationships:
Constrains: Item A constrains Item B.
Depends: Item A depends upon Item B.
Supports: Item A supports (in some manner) Item B.
Operationalizes: Item A operationalizes Item B.
Terminology: Complete clash between terminology used within
Ambiguity: Differences between terminology used within
documentation in which there is a need to qualify or
further refine some term.
Incomplete Ambiguity: A specialized form of ambiguity that results from terms
being left out of the documentation.
Potential: There exists even the slightest possibility for a conflict to
occur, as the statements are open to misinterpretation.
Definite: A conflict will occur if the requirements and policies are
implemented as written.
Compliance: Policy Statements &
Goals: MAINTAIN member entrance to server; ENSURE content
visibility to members; MAINTAIN member data history (for user
customization)
Authentication is required for access
to the commerce Web server.
All member account information will
be kept confidential and used for
internal business purposes only.
The firewall should be configured to
limit data access to authorized
How can we guarantee:
– policy complies with law?
– system requirements comply with policy?
– information handling adheres to policy and system requirements?
How can policy be associated with data to ensure policies survive
– users can’t determine whether a site is in compliance with its policy
because many operations are hidden from view.
Before making an ACL
The most important step to take before making an
access control list of a firewall is to first examine
the site's policy, and only then write the ruleset.
The general rule of thumb is to keep your rules to
less than 20.
The more the fine grained control required the
longer the rule sets shall be.
Try to group ACLs into logical areas. Much like
the idea of procedures which was created to avoid
the problems of spaghetti code in the 1960s and
Document the relationship between the policy
and the Ruleset.
TCP Port 80
SOAP, HTTP, and a lot of other things use port
80. Even spyware uses it.
The current status is that you should not block
You can use deep packet analysis to find
spyware and HTTP tunnels.
Company policy should clearly state what shall
happen to a person found using tunnels.
What was covered.
A brief idea of some of the things which need to
be taken into account in developing a security
policy were mentioned.
We hope you were able to glean at least the
basics as to why unwritten agreements need to be
converted into formal policies.
A lot more....
There are thousands of other things which need to
be catered for in depth in the process of
developing a comprehensive Security Policy.
For further questions please email or call any