Guidelines for the Secure Operation of the Internet
RFC 1281
Network Working Group                                          R. Pethia
Request for Comments: 1281                Software Engineering Institute
                                                              S. Crocker
                                       Trusted Information Systems, Inc.
                                                               B. Fraser
                                          Software Engineering Institute
                                                           November 1991
Guidelines for the Secure Operation of the Internet
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard. Distribution of this memo is
unlimited.
Preamble
The purpose of this document is to provide a set of guidelines to aid
in the secure operation of the Internet. During its history, the
Internet has grown significantly and is now quite diverse. Its
participants include government institutions and agencies, academic
and research institutions, commercial network and electronic mail
carriers, non-profit research centers and an increasing array of
industrial organizations who are primarily users of the technology.
Despite this dramatic growth, the system is still operated on a
purely collaborative basis. Each participating network takes
responsibility for its own operation. Service providers, private
network operators, users and vendors all cooperate to keep the system
functioning.
It is important to recognize that the voluntary nature of the
Internet system is both its strength and, perhaps, its most fragile
aspect. Rules of operation, like the rules of etiquette, are
voluntary and, largely, unenforceable, except where they happen to
coincide with national laws, violation of which can lead to
prosecution. A common set of rules for the successful and
increasingly secure operation of the Internet can, at best, be
voluntary, since the laws of various countries are not uniform
regarding data networking. Indeed, the guidelines outlined below
also can be only voluntary. However, since joining the Internet is
optional, it is also fair to argue that any Internet rules of
behavior are part of the bargain for joining and that failure to
observe them, apart from any legal infrastructure available, is
grounds for sanctions.
Pethia, Crocker, & Fraser [Page 1]
RFC 1281 Guidelines for the Secure Operation November 1991
Introduction
These guidelines address the entire Internet community, consisting of
users, hosts, local, regional, domestic and international backbone
networks, and vendors who supply operating systems, routers, network
management tools, workstations and other network components.
Security is understood to include protection of the privacy of
information, protection of information against unauthorized
modification, protection of systems against denial of service, and
protection of systems against unauthorized access.
These guidelines encompass six main points. These points are
repeated and elaborated in the next section. In addition, a
bibliography of computer and network related references has been
provided at the end of this document for use by the reader.
Security Guidelines
(1) Users are individually responsible for understanding and
respecting the security policies of the systems (computers and
networks) they are using. Users are individually accountable
for their own behavior.
(2) Users have a responsibility to employ available security
mechanisms and procedures for protecting their own data. They
also have a responsibility for assisting in the protection of
the systems they use.
(3) Computer and network service providers are responsible for
maintaining the security of the systems they operate. They are
further responsible for notifying users of their security
policies and any changes to these policies.
(4) Vendors and system developers are responsible for providing
systems which are sound and which embody adequate security
controls.
(5) Users, service providers, and hardware and software vendors are
responsible for cooperating to provide security.
(6) Technical improvements in Internet security protocols should be
sought on a continuing basis. At the same time, personnel
developing new protocols, hardware or software for the Internet
are expected to include security considerations as part of the
design and development process.
Elaboration
(1) Users are individually responsible for understanding and
respecting the security policies of the systems (computers and