Guidelines for the Secure Operation of the Internet
RFC 1281

Document Type RFC - Informational (November 1991; No errata)
Last updated 2013-03-02
Stream IETF
IESG state RFC 1281 (Informational)
Network Working Group                                          R. Pethia
Request for Comments: 1281                Software Engineering Institute
                                                              S. Crocker
                                       Trusted Information Systems, Inc.
                                                               B. Fraser
                                          Software Engineering Institute
                                                           November 1991

          Guidelines for the Secure Operation of the Internet

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard.  Distribution of this memo is
   unlimited.

Preamble

   The purpose of this document is to provide a set of guidelines to aid
   in the secure operation of the Internet.  During its history, the
   Internet has grown significantly and is now quite diverse.  Its
   participants include government institutions and agencies, academic
   and research institutions, commercial network and electronic mail
   carriers, non-profit research centers and an increasing array of
   industrial organizations who are primarily users of the technology.
   Despite this dramatic growth, the system is still operated on a
   purely collaborative basis.  Each participating network takes
   responsibility for its own operation.  Service providers, private
   network operators, users and vendors all cooperate to keep the system
   functioning.

   It is important to recognize that the voluntary nature of the
   Internet system is both its strength and, perhaps, its most fragile
   aspect.  Rules of operation, like the rules of etiquette, are
   voluntary and, largely, unenforceable, except where they happen to
   coincide with national laws, violation of which can lead to
   prosecution.  A common set of rules for the successful and
   increasingly secure operation of the Internet can, at best, be
   voluntary, since the laws of various countries are not uniform
   regarding data networking.  Indeed, the guidelines outlined below
   also can be only voluntary.  However, since joining the Internet is
   optional, it is also fair to argue that any Internet rules of
   behavior are part of the bargain for joining and that failure to
   observe them, apart from any legal infrastructure available, is
   grounds for sanctions.

Pethia, Crocker, & Fraser                                       [Page 1]
RFC 1281          Guidelines for the Secure Operation      November 1991

Introduction

   These guidelines address the entire Internet community, consisting of
   users, hosts, local, regional, domestic and international backbone
   networks, and vendors who supply operating systems, routers, network
   management tools, workstations and other network components.

   Security is understood to include protection of the privacy of
   information, protection of information against unauthorized
   modification, protection of systems against denial of service, and
   protection of systems against unauthorized access.

   These guidelines encompass six main points.  These points are
   repeated and elaborated in the next section.  In addition, a
   bibliography of computer and network related references has been
   provided at the end of this document for use by the reader.

Security Guidelines

   (1)  Users are individually responsible for understanding and
        respecting the security policies of the systems (computers and
        networks) they are using.  Users are individually accountable
        for their own behavior.

   (2)  Users have a responsibility to employ available security
        mechanisms and procedures for protecting their own data.  They
        also have a responsibility for assisting in the protection of
        the systems they use.

   (3)  Computer and network service providers are responsible for
        maintaining the security of the systems they operate.  They are
        further responsible for notifying users of their security
        policies and any changes to these policies.

   (4)  Vendors and system developers are responsible for providing
        systems which are sound and which embody adequate security
        controls.

   (5)  Users, service providers, and hardware and software vendors are
        responsible for cooperating to provide security.

   (6)  Technical improvements in Internet security protocols should be
        sought on a continuing basis.  At the same time, personnel
        developing new protocols, hardware or software for the Internet
        are expected to include security considerations as part of the
        design and development process.

Elaboration

   (1)  Users are individually responsible for understanding and
        respecting the security policies of the systems (computers and