**************************************************************************
Security Bulletin 9225                  DISA Defense Communications System
October 7, 1992             Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9225).
**************************************************************************

            TAC Access Control Policy Circular Announcement

A circular describing TAC Access and related policies will soon be
released in conjunction with the release of DDN Management Bulletin
#101, which describes MILNET TAC user validation and registration.
This circular will define the areas of responsibility for procuring
TAC Access and make public the official policies and procedures
regarding the administration, processing, validation and distribution
of MILNET TAC Access Cards.

The "TAC Access Control Policy Circular" will apply to all Service and
Agency host and gateway administrators who are authorized to submit
requests for TAC Cards. The circular will be provided to other
addresses for general information and guidance.

The Circular will consist of seven parts each of which will describe
the various aspects of TAC Access in detail.
Among those topics discussed will be the following:

   *  policies for authorization and administration of network access
      via a TAC,

   *  procedures for ensuring network security and preventing
      unauthorized TAC Access,

   *  proper procedures for using TAC Access Cards,

   *  a description of the re-registration process and its function
      relative to TAC Card issuance,

   *  updated policies and procedures related to quarterly Guest TAC
      Cards.

In addition to the information outlined in this Circular, please refer
to the following DDN Management Bulletins for further discussion of
procedures and policies relating to TAC Usage and TAC Card issuance:

   *  DDN Management Bulletin #37, 16 Dec 87, DDN Node Site Coordinator
      (NSC) and Host Administrator Duties

   *  DDN Management Bulletin #94, 16 Mar 92, MILNET/NIC
      Re-registration Schedule and TAC Card Expiration

   *  DDN Management Bulletin #101, 24 Sep 92, MILNET TAC User
      Validation and Registration

All gateways, concentrators, or routers that are directly attached to
the MILNET (i.e., those that have a 26 network address) have designated
administrators that are registered with the NIC. These administrators
have primary responsibility for requesting/authorizing TAC Access
Cards. The gateway administrators have the option of delegating this
authority to the host administrators of systems that access MILNET via
their gateways. These host administrators must also be registered with
the NIC. Users applying for TAC access cards must contact their local
host administrators or the NIC to determine the required signature
authority for their site.

Hosts that are directly connected to MILNET (those that have a network
address of 26) also have designated administrators that must be
registered with the NIC. These host administrators have the authority
to request TAC access cards. However, some MILNET hosts that are
currently direct-connected are being disconnected and moved behind
gateways/concentrators.
The administrators of such hosts must be delegated the authority to
request TAC access cards by the administrator of the gateway that
provides their connection to MILNET (in accordance with the Draft TAC
Access Control Policy Circular). This delegation of authority will
allow administrators of hosts behind gateways/concentrators to register
their users to their local hosts and to request TAC Access Cards for
them.

Users of hosts that have moved behind gateways must be re-registered so
that they will appear in the NIC database as associated with the
correct host and gateway. Therefore, all administrators of hosts moving
behind gateways MUST coordinate with the administrator of their
gateway/concentrator and with the DDN NIC Registrar to arrange the
re-registration of their TAC users BEFORE the host on which they are
currently registered is disconnected.

****************************************************************************
*                                                                          *
*  The point of contact for MILNET security-related incidents is the       *
*  Security Coordination Center (SCC).                                     *
*                                                                          *
*  E-mail address: SCC@NIC.DDN.MIL                                         *
*                                                                          *
*  Telephone: 1-(800)-365-3642                                             *
*                                                                          *
*  NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,     *
*  Monday through Friday except on federal holidays.                       *
*                                                                          *
****************************************************************************