[Users] Fw: Regulations

From: Aigars Mahinovs (aigarius_at_debian.org)
Date: Thu Jan 09 2003 - 18:11:55 CET


Hello all,

We here at Latvian Open Source Assoc. need your help. This paper
describes regulations for security standards for our government. They
intend to find a company to create software to do that; we intend to
show how this can be done using free Linux based solutions.
Thank you very much!

Begin forwarded message:

Date: Wed, 8 Jan 2003 19:19:50 +0200
From: Aigars Mahinovs <aigarius_at_debian.org>
To: valde_at_laka.lv
Subject: Re: Noteikumi

> Firewall requirements
>
> The firewall and VPN end items have to ensure registration and storage
> of all individual TCP connections, which are formed between protected
> network segments and external network (between any two network
> addresses: source address and destination address), as well as
> possibility to analyze them for a period not less than a year, using
> the administrative functions of the firewall.
>
> The firewall has to provide registration and accounting of all
> break-in attempts to the firewall protected network, and storage of
> these data for a period of time not less than a year, using the
> administrative functions of the firewall.
>
> The firewall and VPN equipment administration must be performed
> exclusively via securely enciphered data transfer connection, encoding
> all data stream from the administrator's computer to firewall or VPN
> end item.
>
> All firewall and VPN equipment component mutual communication and user
> authorization and identification functions must compulsorily provide
> encryption key length not less than 8192 bits of private RSA keys in
> PKI standard, which corresponds to technology security standards used
> in the military and agencies of national security.
>
> The firewall and VPN encryption system software should allow their
> administrators to have the capacity to control encryption key validity
> period and length, and modify them by necessity.
>
> The firewall and VPN systems have to ensure autonomous public key
> infrastructure (PKI) that would be completely independent from any
> third party certification authorities with an independent encryption
> key infrastructure. To ensure compatibility, when exchanging encoded
> data between various state institutions, international X.509 digital
> certificate format has to be used. The firewall and VPN systems must
> support it for parties involved in such data exchange.
>
> A compulsory firewall and VPN systems security requirement is maximum
> level encryption key and root CA certificate creation option, which
> has to be developed as a firewall PKI function. It is necessary for a
> state institution to be able to securely control and manage its data
> transfer network. Root CA certificate's private encryption key length
> must be not less than 8192 bits and this certificate may not be
> dependent on any third party certification standards. For instance,
> the root certificate must not be dependent on third party certificate
> validity period, encryption key maximum length, or security level. If
> the key escrow method is applied in the encryption key creation
> process, which means that the main encryption key will be placed with
> a trusted third party, such solutions may not be used.
>
> The VPN function of data exchange in telecommunication networks or
> wireless channel has to provide strong encryption of data. It is
> necessary to use such VPN end items, which provide double 3DES
> encryption with 168-bit key length.
>
> All administrator activities (firewall or VPN equipment configuration
> changes, encryption key creation or change actions, administrator work
> sessions, backup copy/recovery functions, etc.) have to be registered
> in the audit logbook on the firewall equipment, whose contents may not
> be altered, e.g. when performing firewall configuration recovery from
> a backup copy.
>
> The firewall has to ensure all e-mail protection according to the
> Cabinet 106 "Information system security regulation", including
> scanning all e-mail messages with the anti-virus software on the
> firewall. This requirement is compulsory to maintain safe operations
> of the computer security protection system. This e-mail scanning
> function against viruses has to be provided by the firewall, it may
> not be done on another equipment or computer, not pertaining to the
> firewall. This is an indispensable requirement, to ensure that in case
> of a virus attack the confidential information, e.g. cryptographic
> keys, would not be subjected to unauthorized use or, as a result of
> malicious virus activities, sent out of the protected network, thus
> compromising the whole computer network security system.
>
> The e-mail protection function of the firewall should be implemented
> using e-mail message content control on e-mail protocol application -
> proxy level, to ensure this function regardless of user activities in
> internal or external computer networks, as well as to guarantee e-mail
> control and accounting regardless of LAN configuration of users'
> computers.
>
> The firewall has to provide virus protection to both incoming and
> outgoing e-mail. It is recommended for core firewalls to provide
> this type of protection using at least two various anti-virus programs
> that operate from the firewall, and the firewall updates their
> databases automatically not less than once an hour. This is necessary
> in order to maintain e-mail protection and security level in cases
> when one of the anti-virus databases is not timely updated for
> protection against the very recent computer viruses.
>
> The firewall has to provide through-going e-mail attachment blocking,
> which are prohibited to use, as well as decompressing compressed
> e-mail attachments and scanning them with anti-virus means; this
> firewall control function has to be effective on several e-mail
> attachment compression levels (at least thrice in depth).
>
> The firewall has to provide effective establishment of limitations to
> the e-mail usage policy, including the following cases: according to some
> employee categories, their domain names and IP addresses, should be
> provided only a capability to e-mail correspondence of official use
> with definite addressees, excluding the option to perform e-mail
> correspondence with unauthorized addressees or Internet. Thus, the
> firewall should be able to block official document files,
> cryptographic algorithms, or cryptographic key data or other
> confidential attachment files from being sent to unauthorized
> addressees. Such e-mail usage limitations should be installed in the
> firewall system in all locations where the LAN is connected to public
> data exchange network (Lattelekom, Telia, VITA, Apollo, Delfi, Latnet,
> etc.).
>
> The firewall equipment has to provide following features for the
> e-mail content passing through it: content storage, accounting and
> archiving functions for a period of time not less than a year, as well
> as administrative means for analyses and control of these accounting
> data.
>
> The firewall has to provide an option to register several individual
> administrators for work with its administrative system, providing each
> of such users with an individual access code and password.
>
> The firewall and VPN software source code for the used cryptographic
> algorithms and firewall user authorization algorithms for the version,
> which is going to be acquired from the supplier, shall be submitted on
> a CD-ROM carrier to SAB for examination and storage. The software
> source code, in the used software language format, has to be
> documented to the level so that SAB experts and invited experts could
> perform software source code compilation and installation on similar
> technical devices, thus testing its relevance to the really installed
> security system, and proving the security system's reliability from
> the national data and used cryptographic algorithm security
> standpoint, as well as to establish the fact that the mentioned source
> code does not contain hidden covert passwords or alternate keys for
> access to the protected computer network and its information. The
> firewall software cryptographic algorithm source code copy is to be
> renewed each time as software version update is performed.

-- 
Best regards,
    Aigars Mahinovs        mailto:aigarius_at_debian.org
 #--------------------------------------------------------------#
 |     .''`.                                                    |
 |    : :' :         Debian GNU/Linux    &         LAKA         |
 |    `. `'       http://www.debian.org     http://www.laka.lv  |
 |      `-                                                      |
 #--------------------------------------------------------------#
 

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users




This archive was generated by hypermail 2.1.5 : Sat Jan 11 2003 - 05:21:13 CET