diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc2196.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc2196.txt')
-rw-r--r-- | doc/rfc/rfc2196.txt | 4203 |
1 files changed, 4203 insertions, 0 deletions
diff --git a/doc/rfc/rfc2196.txt b/doc/rfc/rfc2196.txt new file mode 100644 index 0000000..f736ca1 --- /dev/null +++ b/doc/rfc/rfc2196.txt @@ -0,0 +1,4203 @@ + + + + + + +Network Working Group B. Fraser +Request for Comments: 2196 Editor +FYI: 8 SEI/CMU +Obsoletes: 1244 September 1997 +Category: Informational + + + Site Security Handbook + + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Abstract + + This handbook is a guide to developing computer security policies and + procedures for sites that have systems on the Internet. The purpose + of this handbook is to provide practical guidance to administrators + trying to secure their information and services. The subjects + covered include policy content and formation, a broad range of + technical system and network security topics, and security incident + response. + + +Table of Contents + +1. Introduction.................................................... 2 +1.1 Purpose of this Work............................................ 3 +1.2 Audience........................................................ 3 +1.3 Definitions..................................................... 3 +1.4 Related Work.................................................... 4 +1.5 Basic Approach.................................................. 4 +1.6 Risk Assessment................................................. 5 +2. Security Policies............................................... 6 +2.1 What is a Security Policy and Why Have One?..................... 6 +2.2 What Makes a Good Security Policy?.............................. 9 +2.3 Keeping the Policy Flexible..................................... 11 +3. Architecture.................................................... 11 +3.1 Objectives...................................................... 11 +3.2 Network and Service Configuration............................... 14 +3.3 Firewalls....................................................... 20 +4. Security Services and Procedures................................ 24 +4.1 Authentication.................................................. 24 +4.2 Confidentiality................................................. 28 +4.3 Integrity....................................................... 28 + + + +Fraser, Ed. Informational [Page 1] + +RFC 2196 Site Security Handbook September 1997 + + +4.4 Authorization................................................... 29 +4.5 Access.......................................................... 30 +4.6 Auditing........................................................ 34 +4.7 Securing Backups................................................ 37 +5. Security Incident Handling...................................... 37 +5.1 Preparing and Planning for Incident Handling.................... 39 +5.2 Notification and Points of Contact.............................. 42 +5.3 Identifying an Incident......................................... 50 +5.4 Handling an Incident............................................ 52 +5.5 Aftermath of an Incident........................................ 58 +5.6 Responsibilities................................................ 59 +6. Ongoing Activities.............................................. 60 +7. Tools and Locations............................................. 60 +8. Mailing Lists and Other Resources............................... 62 +9. References...................................................... 64 + +1. Introduction + + This document provides guidance to system and network administrators + on how to address security issues within the Internet community. It + builds on the foundation provided in RFC 1244 and is the collective + work of a number of contributing authors. Those authors include: + Jules P. Aronson (aronson@nlm.nih.gov), Nevil Brownlee + (n.brownlee@auckland.ac.nz), Frank Byrum (byrum@norfolk.infi.net), + Joao Nuno Ferreira (ferreira@rccn.net), Barbara Fraser + (byf@cert.org), Steve Glass (glass@ftp.com), Erik Guttman + (erik.guttman@eng.sun.com), Tom Killalea (tomk@nwnet.net), Klaus- + Peter Kossakowski (kossakowski@cert.dfn.de), Lorna Leone + (lorna@staff.singnet.com.sg), Edward.P.Lewis + (Edward.P.Lewis.1@gsfc.nasa.gov), Gary Malkin (gmalkin@xylogics.com), + Russ Mundy (mundy@tis.com), Philip J. Nesser + (pjnesser@martigny.ai.mit.edu), and Michael S. Ramsey + (msr@interpath.net). + + In addition to the principle writers, a number of reviewers provided + valuable comments. Those reviewers include: Eric Luiijf + (luiijf@fel.tno.nl), Marijke Kaat (marijke.kaat@sec.nl), Ray Plzak + (plzak@nic.mil) and Han Pronk (h.m.pronk@vka.nl). + + A special thank you goes to Joyce Reynolds, ISI, and Paul Holbrook, + CICnet, for their vision, leadership, and effort in the creation of + the first version of this handbook. It is the working group's sincere + hope that this version will be as helpful to the community as the + earlier one was. + + + + + + + +Fraser, Ed. Informational [Page 2] + +RFC 2196 Site Security Handbook September 1997 + + +1.1 Purpose of This Work + + This handbook is a guide to setting computer security policies and + procedures for sites that have systems on the Internet (however, the + information provided should also be useful to sites not yet connected + to the Internet). This guide lists issues and factors that a site + must consider when setting their own policies. It makes a number of + recommendations and provides discussions of relevant areas. + + This guide is only a framework for setting security policies and + procedures. In order to have an effective set of policies and + procedures, a site will have to make many decisions, gain agreement, + and then communicate and implement these policies. + +1.2 Audience + + The audience for this document are system and network administrators, + and decision makers (typically "middle management") at sites. For + brevity, we will use the term "administrator" throughout this + document to refer to system and network administrators. + + This document is not directed at programmers or those trying to + create secure programs or systems. The focus of this document is on + the policies and procedures that need to be in place to support the + technical security features that a site may be implementing. + + The primary audience for this work are sites that are members of the + Internet community. However, this document should be useful to any + site that allows communication with other sites. As a general guide + to security policies, this document may also be useful to sites with + isolated systems. + +1.3 Definitions + + For the purposes of this guide, a "site" is any organization that + owns computers or network-related resources. These resources may + include host computers that users use, routers, terminal servers, PCs + or other devices that have access to the Internet. A site may be an + end user of Internet services or a service provider such as a mid- + level network. However, most of the focus of this guide is on those + end users of Internet services. We assume that the site has the + ability to set policies and procedures for itself with the + concurrence and support from those who actually own the resources. It + will be assumed that sites that are parts of larger organizations + will know when they need to consult, collaborate, or take + recommendations from, the larger entity. + + + + + +Fraser, Ed. Informational [Page 3] + +RFC 2196 Site Security Handbook September 1997 + + + The "Internet" is a collection of thousands of networks linked by a + common set of technical protocols which make it possible for users of + any one of the networks to communicate with, or use the services + located on, any of the other networks (FYI4, RFC 1594). + + The term "administrator" is used to cover all those people who are + responsible for the day-to-day operation of system and network + resources. This may be a number of individuals or an organization. + + The term "security administrator" is used to cover all those people + who are responsible for the security of information and information + technology. At some sites this function may be combined with + administrator (above); at others, this will be a separate position. + + The term "decision maker" refers to those people at a site who set or + approve policy. These are often (but not always) the people who own + the resources. + +1.4 Related Work + + The Site Security Handbook Working Group is working on a User's Guide + to Internet Security. It will provide practical guidance to end users + to help them protect their information and the resources they use. + +1.5 Basic Approach + + This guide is written to provide basic guidance in developing a + security plan for your site. One generally accepted approach to + follow is suggested by Fites, et. al. [Fites 1989] and includes the + following steps: + + (1) Identify what you are trying to protect. + (2) Determine what you are trying to protect it from. + (3) Determine how likely the threats are. + (4) Implement measures which will protect your assets in a cost- + effective manner. + (5) Review the process continuously and make improvements each time + a weakness is found. + + Most of this document is focused on item 4 above, but the other steps + cannot be avoided if an effective plan is to be established at your + site. One old truism in security is that the cost of protecting + yourself against a threat should be less than the cost of recovering + if the threat were to strike you. Cost in this context should be + remembered to include losses expressed in real currency, reputation, + trustworthiness, and other less obvious measures. Without reasonable + knowledge of what you are protecting and what the likely threats are, + following this rule could be difficult. + + + +Fraser, Ed. Informational [Page 4] + +RFC 2196 Site Security Handbook September 1997 + + +1.6 Risk Assessment + +1.6.1 General Discussion + + One of the most important reasons for creating a computer security + policy is to ensure that efforts spent on security yield cost + effective benefits. Although this may seem obvious, it is possible + to be mislead about where the effort is needed. As an example, there + is a great deal of publicity about intruders on computers systems; + yet most surveys of computer security show that, for most + organizations, the actual loss from "insiders" is much greater. + + Risk analysis involves determining what you need to protect, what you + need to protect it from, and how to protect it. It is the process of + examining all of your risks, then ranking those risks by level of + severity. This process involves making cost-effective decisions on + what you want to protect. As mentioned above, you should probably + not spend more to protect something than it is actually worth. + + A full treatment of risk analysis is outside the scope of this + document. [Fites 1989] and [Pfleeger 1989] provide introductions to + this topic. However, there are two elements of a risk analysis that + will be briefly covered in the next two sections: + + (1) Identifying the assets + (2) Identifying the threats + + For each asset, the basic goals of security are availability, + confidentiality, and integrity. Each threat should be examined with + an eye to how the threat could affect these areas. + +1.6.2 Identifying the Assets + + One step in a risk analysis is to identify all the things that need + to be protected. Some things are obvious, like valuable proprietary + information, intellectual property, and all the various pieces of + hardware; but, some are overlooked, such as the people who actually + use the systems. The essential point is to list all things that could + be affected by a security problem. + + One list of categories is suggested by Pfleeger [Pfleeger 1989]; this + list is adapted from that source: + + (1) Hardware: CPUs, boards, keyboards, terminals, + workstations, personal computers, printers, disk + drives, communication lines, terminal servers, routers. + + + + + +Fraser, Ed. Informational [Page 5] + +RFC 2196 Site Security Handbook September 1997 + + + (2) Software: source programs, object programs, + utilities, diagnostic programs, operating systems, + communication programs. + + (3) Data: during execution, stored on-line, archived off-line, + backups, audit logs, databases, in transit over + communication media. + + (4) People: users, administrators, hardware maintainers. + + (5) Documentation: on programs, hardware, systems, local + administrative procedures. + + (6) Supplies: paper, forms, ribbons, magnetic media. + +1.6.3 Identifying the Threats + + Once the assets requiring protection are identified, it is necessary + to identify threats to those assets. The threats can then be + examined to determine what potential for loss exists. It helps to + consider from what threats you are trying to protect your assets. + The following are classic threats that should be considered. + Depending on your site, there will be more specific threats that + should be identified and addressed. + + (1) Unauthorized access to resources and/or information + (2) Unintented and/or unauthorized Disclosure of information + (3) Denial of service + +2. Security Policies + + Throughout this document there will be many references to policies. + Often these references will include recommendations for specific + policies. Rather than repeat guidance in how to create and + communicate such a policy, the reader should apply the advice + presented in this chapter when developing any policy recommended + later in this book. + +2.1 What is a Security Policy and Why Have One? + + The security-related decisions you make, or fail to make, as + administrator largely determines how secure or insecure your network + is, how much functionality your network offers, and how easy your + network is to use. However, you cannot make good decisions about + security without first determining what your security goals are. + Until you determine what your security goals are, you cannot make + effective use of any collection of security tools because you simply + will not know what to check for and what restrictions to impose. + + + +Fraser, Ed. Informational [Page 6] + +RFC 2196 Site Security Handbook September 1997 + + + For example, your goals will probably be very different from the + goals of a product vendor. Vendors are trying to make configuration + and operation of their products as simple as possible, which implies + that the default configurations will often be as open (i.e., + insecure) as possible. While this does make it easier to install new + products, it also leaves access to those systems, and other systems + through them, open to any user who wanders by. + + Your goals will be largely determined by the following key tradeoffs: + + (1) services offered versus security provided - + Each service offered to users carries its own security risks. + For some services the risk outweighs the benefit of the service + and the administrator may choose to eliminate the service rather + than try to secure it. + + (2) ease of use versus security - + The easiest system to use would allow access to any user and + require no passwords; that is, there would be no security. + Requiring passwords makes the system a little less convenient, + but more secure. Requiring device-generated one-time passwords + makes the system even more difficult to use, but much more + secure. + + (3) cost of security versus risk of loss - + There are many different costs to security: monetary (i.e., the + cost of purchasing security hardware and software like firewalls + and one-time password generators), performance (i.e., encryption + and decryption take time), and ease of use (as mentioned above). + There are also many levels of risk: loss of privacy (i.e., the + reading of information by unauthorized individuals), loss of + data (i.e., the corruption or erasure of information), and the + loss of service (e.g., the filling of data storage space, usage + of computational resources, and denial of network access). Each + type of cost must be weighed against each type of loss. + + + Your goals should be communicated to all users, operations staff, and + managers through a set of security rules, called a "security policy." + We are using this term, rather than the narrower "computer security + policy" since the scope includes all types of information technology + and the information stored and manipulated by the technology. + +2.1.1 Definition of a Security Policy + + A security policy is a formal statement of the rules by which people + who are given access to an organization's technology and information + assets must abide. + + + +Fraser, Ed. Informational [Page 7] + +RFC 2196 Site Security Handbook September 1997 + + +2.1.2 Purposes of a Security Policy + + The main purpose of a security policy is to inform users, staff and + managers of their obligatory requirements for protecting technology + and information assets. The policy should specify the mechanisms + through which these requirements can be met. Another purpose is to + provide a baseline from which to acquire, configure and audit + computer systems and networks for compliance with the policy. + Therefore an attempt to use a set of security tools in the absence of + at least an implied security policy is meaningless. + + An Appropriate Use Policy (AUP) may also be part of a security + policy. It should spell out what users shall and shall not do on the + various components of the system, including the type of traffic + allowed on the networks. The AUP should be as explicit as possible + to avoid ambiguity or misunderstanding. For example, an AUP might + list any prohibited USENET newsgroups. (Note: Appropriate Use Policy + is referred to as Acceptable Use Policy by some sites.) + +2.1.3 Who Should be Involved When Forming Policy? + + In order for a security policy to be appropriate and effective, it + needs to have the acceptance and support of all levels of employees + within the organization. It is especially important that corporate + management fully support the security policy process otherwise there + is little chance that they will have the intended impact. The + following is a list of individuals who should be involved in the + creation and review of security policy documents: + + (1) site security administrator + (2) information technology technical staff (e.g., staff from + computing center) + (3) administrators of large user groups within the organization + (e.g., business divisions, computer science department within a + university, etc.) + (4) security incident response team + (5) representatives of the user groups affected by the security + policy + (6) responsible management + (7) legal counsel (if appropriate) + + The list above is representative of many organizations, but is not + necessarily comprehensive. The idea is to bring in representation + from key stakeholders, management who have budget and policy + authority, technical staff who know what can and cannot be supported, + and legal counsel who know the legal ramifications of various policy + + + + + +Fraser, Ed. Informational [Page 8] + +RFC 2196 Site Security Handbook September 1997 + + + choices. In some organizations, it may be appropriate to include EDP + audit personnel. Involving this group is important if resulting + policy statements are to reach the broadest possible acceptance. It + is also relevant to mention that the role of legal counsel will also + vary from country to country. + +2.2 What Makes a Good Security Policy? + + The characteristics of a good security policy are: + + (1) It must be implementable through system administration + procedures, publishing of acceptable use guidelines, or other + appropriate methods. + + (2) It must be enforcible with security tools, where appropriate, + and with sanctions, where actual prevention is not technically + feasible. + + (3) It must clearly define the areas of responsibility for the + users, administrators, and management. + + The components of a good security policy include: + + (1) Computer Technology Purchasing Guidelines which specify + required, or preferred, security features. These should + supplement existing purchasing policies and guidelines. + + (2) A Privacy Policy which defines reasonable expectations of + privacy regarding such issues as monitoring of electronic mail, + logging of keystrokes, and access to users' files. + + (3) An Access Policy which defines access rights and privileges to + protect assets from loss or disclosure by specifying acceptable + use guidelines for users, operations staff, and management. It + should provide guidelines for external connections, data + communications, connecting devices to a network, and adding new + software to systems. It should also specify any required + notification messages (e.g., connect messages should provide + warnings about authorized usage and line monitoring, and not + simply say "Welcome"). + + (4) An Accountability Policy which defines the responsibilities of + users, operations staff, and management. It should specify an + audit capability, and provide incident handling guidelines + (i.e., what to do and who to contact if a possible intrusion is + detected). + + + + + +Fraser, Ed. Informational [Page 9] + +RFC 2196 Site Security Handbook September 1997 + + + (5) An Authentication Policy which establishes trust through an + effective password policy, and by setting guidelines for remote + location authentication and the use of authentication devices + (e.g., one-time passwords and the devices that generate them). + + (6) An Availability statement which sets users' expectations for the + availability of resources. It should address redundancy and + recovery issues, as well as specify operating hours and + maintenance down-time periods. It should also include contact + information for reporting system and network failures. + + (7) An Information Technology System & Network Maintenance Policy + which describes how both internal and external maintenance + people are allowed to handle and access technology. One + important topic to be addressed here is whether remote + maintenance is allowed and how such access is controlled. + Another area for consideration here is outsourcing and how it is + managed. + + (8) A Violations Reporting Policy that indicates which types of + violations (e.g., privacy and security, internal and external) + must be reported and to whom the reports are made. A non- + threatening atmosphere and the possibility of anonymous + reporting will result in a greater probability that a violation + will be reported if it is detected. + + (9) Supporting Information which provides users, staff, and + management with contact information for each type of policy + violation; guidelines on how to handle outside queries about a + security incident, or information which may be considered + confidential or proprietary; and cross-references to security + procedures and related information, such as company policies and + governmental laws and regulations. + + There may be regulatory requirements that affect some aspects of your + security policy (e.g., line monitoring). The creators of the + security policy should consider seeking legal assistance in the + creation of the policy. At a minimum, the policy should be reviewed + by legal counsel. + + Once your security policy has been established it should be clearly + communicated to users, staff, and management. Having all personnel + sign a statement indicating that they have read, understood, and + agreed to abide by the policy is an important part of the process. + Finally, your policy should be reviewed on a regular basis to see if + it is successfully supporting your security needs. + + + + + +Fraser, Ed. Informational [Page 10] + +RFC 2196 Site Security Handbook September 1997 + + +2.3 Keeping the Policy Flexible + + In order for a security policy to be viable for the long term, it + requires a lot of flexibility based upon an architectural security + concept. A security policy should be (largely) independent from + specific hardware and software situations (as specific systems tend + to be replaced or moved overnight). The mechanisms for updating the + policy should be clearly spelled out. This includes the process, the + people involved, and the people who must sign-off on the changes. + + It is also important to recognize that there are exceptions to every + rule. Whenever possible, the policy should spell out what exceptions + to the general policy exist. For example, under what conditions is a + system administrator allowed to go through a user's files. Also, + there may be some cases when multiple users will have access to the + same userid. For example, on systems with a "root" user, multiple + system administrators may know the password and use the root account. + + Another consideration is called the "Garbage Truck Syndrome." This + refers to what would happen to a site if a key person was suddenly + unavailable for his/her job function (e.g., was suddenly ill or left + the company unexpectedly). While the greatest security resides in + the minimum dissemination of information, the risk of losing critical + information increases when that information is not shared. It is + important to determine what the proper balance is for your site. + +3. Architecture + +3.1 Objectives + +3.1.1 Completely Defined Security Plans + + All sites should define a comprehensive security plan. This plan + should be at a higher level than the specific policies discussed in + chapter 2, and it should be crafted as a framework of broad + guidelines into which specific policies will fit. + + It is important to have this framework in place so that individual + policies can be consistent with the overall site security + architecture. For example, having a strong policy with regard to + Internet access and having weak restrictions on modem usage is + inconsistent with an overall philosophy of strong security + restrictions on external access. + + A security plan should define: the list of network services that will + be provided; which areas of the organization will provide the + services; who will have access to those services; how access will be + provided; who will administer those services; etc. + + + +Fraser, Ed. Informational [Page 11] + +RFC 2196 Site Security Handbook September 1997 + + + The plan should also address how incident will be handled. Chapter 5 + provides an in-depth discussion of this topic, but it is important + for each site to define classes of incidents and corresponding + responses. For example, sites with firewalls should set a threshold + on the number of attempts made to foil the firewall before triggering + a response? Escallation levels should be defined for both attacks + and responses. Sites without firewalls will have to determine if a + single attempt to connect to a host constitutes an incident? What + about a systematic scan of systems? + + For sites connected to the Internet, the rampant media magnification + of Internet related security incidents can overshadow a (potentially) + more serious internal security problem. Likewise, companies who have + never been connected to the Internet may have strong, well defined, + internal policies but fail to adequately address an external + connection policy. + +3.1.2 Separation of Services + + There are many services which a site may wish to provide for its + users, some of which may be external. There are a variety of + security reasons to attempt to isolate services onto dedicated host + computers. There are also performance reasons in most cases, but a + detailed discussion is beyond to scope of this document. + + The services which a site may provide will, in most cases, have + different levels of access needs and models of trust. Services which + are essential to the security or smooth operation of a site would be + better off being placed on a dedicated machine with very limited + access (see Section 3.1.3 "deny all" model), rather than on a machine + that provides a service (or services) which has traditionally been + less secure, or requires greater accessability by users who may + accidentally suborn security. + + It is also important to distinguish between hosts which operate + within different models of trust (e.g., all the hosts inside of a + firewall and any host on an exposed network). + + Some of the services which should be examined for potential + separation are outlined in section 3.2.3. It is important to remember + that security is only as strong as the weakest link in the chain. + Several of the most publicized penetrations in recent years have been + through the exploitation of vulnerabilities in electronic mail + systems. The intruders were not trying to steal electronic mail, but + they used the vulnerability in that service to gain access to other + systems. + + + + + +Fraser, Ed. Informational [Page 12] + +RFC 2196 Site Security Handbook September 1997 + + + If possible, each service should be running on a different machine + whose only duty is to provide a specific service. This helps to + isolate intruders and limit potential harm. + +3.1.3 Deny all/ Allow all + + There are two diametrically opposed underlying philosophies which can + be adopted when defining a security plan. Both alternatives are + legitimate models to adopt, and the choice between them will depend + on the site and its needs for security. + + The first option is to turn off all services and then selectively + enable services on a case by case basis as they are needed. This can + be done at the host or network level as appropriate. This model, + which will here after be referred to as the "deny all" model, is + generally more secure than the other model described in the next + paragraph. More work is required to successfully implement a "deny + all" configuration as well as a better understanding of services. + Allowing only known services provides for a better analysis of a + particular service/protocol and the design of a security mechanism + suited to the security level of the site. + + The other model, which will here after be referred to as the "allow + all" model, is much easier to implement, but is generally less secure + than the "deny all" model. Simply turn on all services, usually the + default at the host level, and allow all protocols to travel across + network boundaries, usually the default at the router level. As + security holes become apparent, they are restricted or patched at + either the host or network level. + + Each of these models can be applied to different portions of the + site, depending on functionality requirements, administrative + control, site policy, etc. For example, the policy may be to use the + "allow all" model when setting up workstations for general use, but + adopt a "deny all" model when setting up information servers, like an + email hub. Likewise, an "allow all" policy may be adopted for + traffic between LAN's internal to the site, but a "deny all" policy + can be adopted between the site and the Internet. + + Be careful when mixing philosophies as in the examples above. Many + sites adopt the theory of a hard "crunchy" shell and a soft "squishy" + middle. They are willing to pay the cost of security for their + external traffic and require strong security measures, but are + unwilling or unable to provide similar protections internally. This + works fine as long as the outer defenses are never breached and the + internal users can be trusted. Once the outer shell (firewall) is + breached, subverting the internal network is trivial. + + + + +Fraser, Ed. Informational [Page 13] + +RFC 2196 Site Security Handbook September 1997 + + +3.1.4 Identify Real Needs for Services + + There is a large variety of services which may be provided, both + internally and on the Internet at large. Managing security is, in + many ways, managing access to services internal to the site and + managing how internal users access information at remote sites. + + Services tend to rush like waves over the Internet. Over the years + many sites have established anonymous FTP servers, gopher servers, + wais servers, WWW servers, etc. as they became popular, but not + particularly needed, at all sites. Evaluate all new services that + are established with a skeptical attitude to determine if they are + actually needed or just the current fad sweeping the Internet. + + Bear in mind that security complexity can grow exponentially with the + number of services provided. Filtering routers need to be modified + to support the new protocols. Some protocols are inherently + difficult to filter safely (e.g., RPC and UDP services), thus + providing more openings to the internal network. Services provided + on the same machine can interact in catastrophic ways. For example, + allowing anonymous FTP on the same machine as the WWW server may + allow an intruder to place a file in the anonymous FTP area and cause + the HTTP server to execute it. + +3.2 Network and Service Configuration + +3.2.1 Protecting the Infrastructure + + Many network administrators go to great lengths to protect the hosts + on their networks. Few administrators make any effort to protect the + networks themselves. There is some rationale to this. For example, + it is far easier to protect a host than a network. Also, intruders + are likely to be after data on the hosts; damaging the network would + not serve their purposes. That said, there are still reasons to + protect the networks. For example, an intruder might divert network + traffic through an outside host in order to examine the data (i.e., + to search for passwords). Also, infrastructure includes more than + the networks and the routers which interconnect them. Infrastructure + also includes network management (e.g., SNMP), services (e.g., DNS, + NFS, NTP, WWW), and security (i.e., user authentication and access + restrictions). + + The infrastructure also needs protection against human error. When + an administrator misconfigures a host, that host may offer degraded + service. This only affects users who require that host and, unless + + + + + + +Fraser, Ed. Informational [Page 14] + +RFC 2196 Site Security Handbook September 1997 + + + that host is a primary server, the number of affected users will + therefore be limited. However, if a router is misconfigured, all + users who require the network will be affected. Obviously, this is a + far larger number of users than those depending on any one host. + +3.2.2 Protecting the Network + + There are several problems to which networks are vulnerable. The + classic problem is a "denial of service" attack. In this case, the + network is brought to a state in which it can no longer carry + legitimate users' data. There are two common ways this can be done: + by attacking the routers and by flooding the network with extraneous + traffic. Please note that the term "router" in this section is used + as an example of a larger class of active network interconnection + components that also includes components like firewalls, proxy- + servers, etc. + + An attack on the router is designed to cause it to stop forwarding + packets, or to forward them improperly. The former case may be due + to a misconfiguration, the injection of a spurious routing update, or + a "flood attack" (i.e., the router is bombarded with unroutable + packets, causing its performance to degrade). A flood attack on a + network is similar to a flood attack on a router, except that the + flood packets are usually broadcast. An ideal flood attack would be + the injection of a single packet which exploits some known flaw in + the network nodes and causes them to retransmit the packet, or + generate error packets, each of which is picked up and repeated by + another host. A well chosen attack packet can even generate an + exponential explosion of transmissions. + + Another classic problem is "spoofing." In this case, spurious + routing updates are sent to one or more routers causing them to + misroute packets. This differs from a denial of service attack only + in the purpose behind the spurious route. In denial of service, the + object is to make the router unusable; a state which will be quickly + detected by network users. In spoofing, the spurious route will + cause packets to be routed to a host from which an intruder may + monitor the data in the packets. These packets are then re-routed to + their correct destinations. However, the intruder may or may not + have altered the contents of the packets. + + The solution to most of these problems is to protect the routing + update packets sent by the routing protocols in use (e.g., RIP-2, + OSPF). There are three levels of protection: clear-text password, + cryptographic checksum, and encryption. Passwords offer only minimal + protection against intruders who do not have direct access to the + physical networks. Passwords also offer some protection against + misconfigured routers (i.e, routers which, out of the box, attempt to + + + +Fraser, Ed. Informational [Page 15] + +RFC 2196 Site Security Handbook September 1997 + + + route packets). The advantage of passwords is that they have a very + low overhead, in both bandwidth and CPU consumption. Checksums + protect against the injection of spurious packets, even if the + intruder has direct access to the physical network. Combined with a + sequence number, or other unique identifier, a checksum can also + protect again "replay" attacks, wherein an old (but valid at the + time) routing update is retransmitted by either an intruder or a + misbehaving router. The most security is provided by complete + encryption of sequenced, or uniquely identified, routing updates. + This prevents an intruder from determining the topology of the + network. The disadvantage to encryption is the overhead involved in + processing the updates. + + RIP-2 (RFC 1723) and OSPF (RFC 1583) both support clear-text + passwords in their base design specifications. In addition, there + are extensions to each base protocol to support MD5 encryption. + + Unfortunately, there is no adequate protection against a flooding + attack, or a misbehaving host or router which is flooding the + network. Fortunately, this type of attack is obvious when it occurs + and can usually be terminated relatively simply. + +3.2.3 Protecting the Services + + There are many types of services and each has its own security + requirements. These requirements will vary based on the intended use + of the service. For example, a service which should only be usable + within a site (e.g., NFS) may require different protection mechanisms + than a service provided for external use. It may be sufficient to + protect the internal server from external access. However, a WWW + server, which provides a home page intended for viewing by users + anywhere on the Internet, requires built-in protection. That is, the + service/protocol/server must provide whatever security may be + required to prevent unauthorized access and modification of the Web + database. + + Internal services (i.e., services meant to be used only by users + within a site) and external services (i.e., services deliberately + made available to users outside a site) will, in general, have + protection requirements which differ as previously described. It is + therefore wise to isolate the internal services to one set of server + host computers and the external services to another set of server + host computers. That is, internal and external servers should not be + co-located on the same host computer. In fact, many sites go so far + + + + + + + +Fraser, Ed. Informational [Page 16] + +RFC 2196 Site Security Handbook September 1997 + + + as to have one set of subnets (or even different networks) which are + accessible from the outside and another set which may be accessed + only within the site. Of course, there is usually a firewall which + connects these partitions. Great care must be taken to ensure that + such a firewall is operating properly. + + There is increasing interest in using intranets to connect different + parts of a organization (e.g., divisions of a company). While this + document generally differentiates between external and internal + (public and private), sites using intranets should be aware that they + will need to consider three separations and take appropriate actions + when designing and offering services. A service offered to an + intranet would be neither public, nor as completely private as a + service to a single organizational subunit. Therefore, the service + would need its own supporting system, separated from both external + and internal services and networks. + + One form of external service deserves some special consideration, and + that is anonymous, or guest, access. This may be either anonymous + FTP or guest (unauthenticated) login. It is extremely important to + ensure that anonymous FTP servers and guest login userids are + carefully isolated from any hosts and file systems from which outside + users should be kept. Another area to which special attention must + be paid concerns anonymous, writable access. A site may be legally + responsible for the content of publicly available information, so + careful monitoring of the information deposited by anonymous users is + advised. + + Now we shall consider some of the most popular services: name + service, password/key service, authentication/proxy service, + electronic mail, WWW, file transfer, and NFS. Since these are the + most frequently used services, they are the most obvious points of + attack. Also, a successful attack on one of these services can + produce disaster all out of proportion to the innocence of the basic + service. + +3.2.3.1 Name Servers (DNS and NIS(+)) + + The Internet uses the Domain Name System (DNS) to perform address + resolution for host and network names. The Network Information + Service (NIS) and NIS+ are not used on the global Internet, but are + subject to the same risks as a DNS server. Name-to-address + resolution is critical to the secure operation of any network. An + attacker who can successfully control or impersonate a DNS server can + re-route traffic to subvert security protections. For example, + routine traffic can be diverted to a compromised system to be + monitored; or, users can be tricked into providing authentication + secrets. An organization should create well known, protected sites + + + +Fraser, Ed. Informational [Page 17] + +RFC 2196 Site Security Handbook September 1997 + + + to act as secondary name servers and protect their DNS masters from + denial of service attacks using filtering routers. + + Traditionally, DNS has had no security capabilities. In particular, + the information returned from a query could not be checked for + modification or verified that it had come from the name server in + question. Work has been done to incorporate digital signatures into + the protocol which, when deployed, will allow the integrity of the + information to be cryptographically verified (see RFC 2065). + +3.2.3.2 Password/Key Servers (NIS(+) and KDC) + + Password and key servers generally protect their vital information + (i.e., the passwords and keys) with encryption algorithms. However, + even a one-way encrypted password can be determined by a dictionary + attack (wherein common words are encrypted to see if they match the + stored encryption). It is therefore necessary to ensure that these + servers are not accessable by hosts which do not plan to use them for + the service, and even those hosts should only be able to access the + service (i.e., general services, such as Telnet and FTP, should not + be allowed by anyone other than administrators). + +3.2.3.3 Authentication/Proxy Servers (SOCKS, FWTK) + + A proxy server provides a number of security enhancements. It allows + sites to concentrate services through a specific host to allow + monitoring, hiding of internal structure, etc. This funnelling of + services creates an attractive target for a potential intruder. The + type of protection required for a proxy server depends greatly on the + proxy protocol in use and the services being proxied. The general + rule of limiting access only to those hosts which need the services, + and limiting access by those hosts to only those services, is a good + starting point. + +3.2.3.4 Electronic Mail + + Electronic mail (email) systems have long been a source for intruder + break-ins because email protocols are among the oldest and most + widely deployed services. Also, by it's very nature, an email server + requires access to the outside world; most email servers accept input + from any source. An email server generally consists of two parts: a + receiving/sending agent and a processing agent. Since email is + delivered to all users, and is usually private, the processing agent + typically requires system (root) privileges to deliver the mail. + Most email implementations perform both portions of the service, + which means the receiving agent also has system privileges. This + opens several security holes which this document will not describe. + There are some implementations available which allow a separation of + + + +Fraser, Ed. Informational [Page 18] + +RFC 2196 Site Security Handbook September 1997 + + + the two agents. Such implementations are generally considered more + secure, but still require careful installation to avoid creating a + security problem. + +3.2.3.5 World Wide Web (WWW) + + The Web is growing in popularity exponentially because of its ease of + use and the powerful ability to concentrate information services. + Most WWW servers accept some type of direction and action from the + persons accessing their services. The most common example is taking + a request from a remote user and passing the provided information to + a program running on the server to process the request. Some of + these programs are not written with security in mind and can create + security holes. If a Web server is available to the Internet + community, it is especially important that confidential information + not be co-located on the same host as that server. In fact, it is + recommended that the server have a dedicated host which is not + "trusted" by other internal hosts. + + Many sites may want to co-locate FTP service with their WWW service. + But this should only occur for anon-ftp servers that only provide + information (ftp-get). Anon-ftp puts, in combination with WWW, might + be dangerous (e.g., they could result in modifications to the + information your site is publishing to the web) and in themselves + make the security considerations for each service different. + +3.2.3.6 File Transfer (FTP, TFTP) + + FTP and TFTP both allow users to receive and send electronic files in + a point-to-point manner. However, FTP requires authentication while + TFTP requires none. For this reason, TFTP should be avoided as much + as possible. + + Improperly configured FTP servers can allow intruders to copy, + replace and delete files at will, anywhere on a host, so it is very + important to configure this service correctly. Access to encrypted + passwords and proprietary data, and the introduction of Trojan horses + are just a few of the potential security holes that can occur when + the service is configured incorrectly. FTP servers should reside on + their own host. Some sites choose to co-locate FTP with a Web + server, since the two protocols share common security considerations + However, the the practice isn't recommended, especially when the FTP + service allows the deposit of files (see section on WWW above). As + mentioned in the opening paragraphs of section 3.2.3, services + offered internally to your site should not be co-located with + services offered externally. Each should have its own host. + + + + + +Fraser, Ed. Informational [Page 19] + +RFC 2196 Site Security Handbook September 1997 + + + TFTP does not support the same range of functions as FTP, and has no + security whatsoever. This service should only be considered for + internal use, and then it should be configured in a restricted way so + that the server only has access to a set of predetermined files + (instead of every world-readable file on the system). Probably the + most common usage of TFTP is for downloading router configuration + files to a router. TFTP should reside on its own host, and should + not be installed on hosts supporting external FTP or Web access. + +3.2.3.7 NFS + + The Network File Service allows hosts to share common disks. NFS is + frequently used by diskless hosts who depend on a disk server for all + of their storage needs. Unfortunately, NFS has no built-in security. + It is therefore necessary that the NFS server be accessable only by + those hosts which are using it for service. This is achieved by + specifying which hosts the file system is being exported to and in + what manner (e.g., read-only, read-write, etc.). Filesystems should + not be exported to any hosts outside the local network since this + will require that the NFS service be accessible externally. Ideally, + external access to NFS service should be stopped by a firewall. + +3.2.4 Protecting the Protection + + It is amazing how often a site will overlook the most obvious + weakness in its security by leaving the security server itself open + to attack. Based on considerations previously discussed, it should + be clear that: the security server should not be accessible from + off-site; should offer minimum access, except for the authentication + function, to users on-site; and should not be co-located with any + other servers. Further, all access to the node, including access to + the service itself, should be logged to provide a "paper trail" in + the event of a security breach. + +3.3 Firewalls + + One of the most widely deployed and publicized security measures in + use on the Internet is a "firewall." Firewalls have been given the + reputation of a general panacea for many, if not all, of the Internet + security issues. They are not. Firewalls are just another tool in + the quest for system security. They provide a certain level of + protection and are, in general, a way of implementing security policy + at the network level. The level of security that a firewall provides + can vary as much as the level of security on a particular machine. + There are the traditional trade-offs between security, ease of use, + cost, complexity, etc. + + + + + +Fraser, Ed. Informational [Page 20] + +RFC 2196 Site Security Handbook September 1997 + + + A firewall is any one of several mechanisms used to control and watch + access to and from a network for the purpose of protecting it. A + firewall acts as a gateway through which all traffic to and from the + protected network and/or systems passes. Firewalls help to place + limitations on the amount and type of communication that takes place + between the protected network and the another network (e.g., the + Internet, or another piece of the site's network). + + A firewall is generally a way to build a wall between one part of a + network, a company's internal network, for example, and another part, + the global Internet, for example. The unique feature about this wall + is that there needs to be ways for some traffic with particular + characteristics to pass through carefully monitored doors + ("gateways"). The difficult part is establishing the criteria by + which the packets are allowed or denied access through the doors. + Books written on firewalls use different terminology to describe the + various forms of firewalls. This can be confusing to system + administrators who are not familiar with firewalls. The thing to note + here is that there is no fixed terminology for the description of + firewalls. + + Firewalls are not always, or even typically, a single machine. + Rather, firewalls are often a combination of routers, network + segments, and host computers. Therefore, for the purposes of this + discussion, the term "firewall" can consist of more than one physical + device. Firewalls are typically built using two different + components, filtering routers and proxy servers. + + Filtering routers are the easiest component to conceptualize in a + firewall. A router moves data back and forth between two (or more) + different networks. A "normal" router takes a packet from network A + and "routes" it to its destination on network B. A filtering router + does the same thing but decides not only how to route the packet, but + whether it should route the packet. This is done by installing a + series of filters by which the router decides what to do with any + given packet of data. + + A discussion concerning capabilities of a particular brand of router, + running a particular software version is outside the scope of this + document. However, when evaluating a router to be used for filtering + packets, the following criteria can be important when implementing a + filtering policy: source and destination IP address, source and + destination TCP port numbers, state of the TCP "ack" bit, UDP source + and destination port numbers, and direction of packet flow (i.e.. A- + >B or B->A). Other information necessary to construct a secure + filtering scheme are whether the router reorders filter instructions + (designed to optimize filters, this can sometimes change the meaning + and cause unintended access), and whether it is possible to apply + + + +Fraser, Ed. Informational [Page 21] + +RFC 2196 Site Security Handbook September 1997 + + + filters for inbound and outbound packets on each interface (if the + router filters only outbound packets then the router is "outside" of + its filters and may be more vulnerable to attack). In addition to + the router being vulnerable, this distinction between applying + filters on inbound or outbound packets is especially relevant for + routers with more than 2 interfaces. Other important issues are the + ability to create filters based on IP header options and the fragment + state of a packet. Building a good filter can be very difficult and + requires a good understanding of the type of services (protocols) + that will be filtered. + + For better security, the filters usually restrict access between the + two connected nets to just one host, the bastion host. It is only + possible to access the other network via this bastion host. As only + this host, rather than a few hundred hosts, can get attacked, it is + easier to maintain a certain level of security because only this host + has to be protected very carefully. To make resources available to + legitimate users across this firewall, services have to be forwarded + by the bastion host. Some servers have forwarding built in (like + DNS-servers or SMTP-servers), for other services (e.g., Telnet, FTP, + etc.), proxy servers can be used to allow access to the resources + across the firewall in a secure way. + + A proxy server is way to concentrate application services through a + single machine. There is typically a single machine (the bastion + host) that acts as a proxy server for a variety of protocols (Telnet, + SMTP, FTP, HTTP, etc.) but there can be individual host computers for + each service. Instead of connecting directly to an external server, + the client connects to the proxy server which in turn initiates a + connection to the requested external server. Depending on the type + of proxy server used, it is possible to configure internal clients to + perform this redirection automatically, without knowledge to the + user, others might require that the user connect directly to the + proxy server and then initiate the connection through a specified + format. + + There are significant security benefits which can be derived from + using proxy servers. It is possible to add access control lists to + protocols, requiring users or systems to provide some level of + authentication before access is granted. Smarter proxy servers, + sometimes called Application Layer Gateways (ALGs), can be written + which understand specific protocols and can be configured to block + only subsections of the protocol. For example, an ALG for FTP can + tell the difference between the "put" command and the "get" command; + an organization may wish to allow users to "get" files from the + Internet, but not be able to "put" internal files on a remote server. + By contrast, a filtering router could either block all FTP access, or + none, but not a subset. + + + +Fraser, Ed. Informational [Page 22] + +RFC 2196 Site Security Handbook September 1997 + + + Proxy servers can also be configured to encrypt data streams based on + a variety of parameters. An organization might use this feature to + allow encrypted connections between two locations whose sole access + points are on the Internet. + + Firewalls are typically thought of as a way to keep intruders out, + but they are also often used as a way to let legitimate users into a + site. There are many examples where a valid user might need to + regularly access the "home" site while on travel to trade shows and + conferences, etc. Access to the Internet is often available but may + be through an untrusted machine or network. A correctly configured + proxy server can allow the correct users into the site while still + denying access to other users. + + The current best effort in firewall techniques is found using a + combination of a pair of screening routers with one or more proxy + servers on a network between the two routers. This setup allows the + external router to block off any attempts to use the underlying IP + layer to break security (IP spoofing, source routing, packet + fragments), while allowing the proxy server to handle potential + security holes in the higher layer protocols. The internal router's + purpose is to block all traffic except to the proxy server. If this + setup is rigidly implemented, a high level of security can be + achieved. + + Most firewalls provide logging which can be tuned to make security + administration of the network more convenient. Logging may be + centralized and the system may be configured to send out alerts for + abnormal conditions. It is important to regularly monitor these logs + for any signs of intrusions or break-in attempts. Since some + intruders will attempt to cover their tracks by editing logs, it is + desirable to protect these logs. A variety of methods is available, + including: write once, read many (WORM) drives; papers logs; and + centralized logging via the "syslog" utility. Another technique is + to use a "fake" serial printer, but have the serial port connected to + an isolated machine or PC which keeps the logs. + + Firewalls are available in a wide range of quality and strengths. + Commercial packages start at approximately $10,000US and go up to + over $250,000US. "Home grown" firewalls can be built for smaller + amounts of capital. It should be remembered that the correct setup + of a firewall (commercial or homegrown) requires a significant amount + of skill and knowledge of TCP/IP. Both types require regular + maintenance, installation of software patches and updates, and + regular monitoring. When budgeting for a firewall, these additional + costs should be considered in addition to the cost of the physical + elements of the firewall. + + + + +Fraser, Ed. Informational [Page 23] + +RFC 2196 Site Security Handbook September 1997 + + + As an aside, building a "home grown" firewall requires a significant + amount of skill and knowledge of TCP/IP. It should not be trivially + attempted because a perceived sense of security is worse in the long + run than knowing that there is no security. As with all security + measures, it is important to decide on the threat, the value of the + assets to be protected, and the costs to implement security. + + A final note about firewalls. They can be a great aid when + implementing security for a site and they protect against a large + variety of attacks. But it is important to keep in mind that they + are only one part of the solution. They cannot protect your site + against all types of attack. + +4. Security Services and Procedures + + This chapter guides the reader through a number of topics that should + be addressed when securing a site. Each section touches on a + security service or capability that may be required to protect the + information and systems at a site. The topics are presented at a + fairly high-level to introduce the reader to the concepts. + + Throughout the chapter, you will find significant mention of + cryptography. It is outside the scope of this document to delve into + details concerning cryptography, but the interested reader can obtain + more information from books and articles listed in the reference + section of this document. + +4.1 Authentication + + For many years, the prescribed method for authenticating users has + been through the use of standard, reusable passwords. Originally, + these passwords were used by users at terminals to authenticate + themselves to a central computer. At the time, there were no + networks (internally or externally), so the risk of disclosure of the + clear text password was minimal. Today, systems are connected + together through local networks, and these local networks are further + connected together and to the Internet. Users are logging in from + all over the globe; their reusable passwords are often transmitted + across those same networks in clear text, ripe for anyone in-between + to capture. And indeed, the CERT* Coordination Center and other + response teams are seeing a tremendous number of incidents involving + packet sniffers which are capturing the clear text passwords. + + With the advent of newer technologies like one-time passwords (e.g., + S/Key), PGP, and token-based authentication devices, people are using + password-like strings as secret tokens and pins. If these secret + tokens and pins are not properly selected and protected, the + authentication will be easily subverted. + + + +Fraser, Ed. Informational [Page 24] + +RFC 2196 Site Security Handbook September 1997 + + +4.1.1 One-Time passwords + + As mentioned above, given today's networked environments, it is + recommended that sites concerned about the security and integrity of + their systems and networks consider moving away from standard, + reusable passwords. There have been many incidents involving Trojan + network programs (e.g., telnet and rlogin) and network packet + sniffing programs. These programs capture clear text + hostname/account name/password triplets. Intruders can use the + captured information for subsequent access to those hosts and + accounts. This is possible because 1) the password is used over and + over (hence the term "reusable"), and 2) the password passes across + the network in clear text. + + Several authentication techniques have been developed that address + this problem. Among these techniques are challenge-response + technologies that provide passwords that are only used once (commonly + called one-time passwords). There are a number of products available + that sites should consider using. The decision to use a product is + the responsibility of each organization, and each organization should + perform its own evaluation and selection. + +4.1.2 Kerberos + + Kerberos is a distributed network security system which provides for + authentication across unsecured networks. If requested by the + application, integrity and encryption can also be provided. Kerberos + was originally developed at the Massachusetts Institute of Technology + (MIT) in the mid 1980s. There are two major releases of Kerberos, + version 4 and 5, which are for practical purposes, incompatible. + + Kerberos relies on a symmetric key database using a key distribution + center (KDC) which is known as the Kerberos server. A user or + service (known as "principals") are granted electronic "tickets" + after properly communicating with the KDC. These tickets are used + for authentication between principals. All tickets include a time + stamp which limits the time period for which the ticket is valid. + Therefore, Kerberos clients and server must have a secure time + source, and be able to keep time accurately. + + The practical side of Kerberos is its integration with the + application level. Typical applications like FTP, telnet, POP, and + NFS have been integrated with the Kerberos system. There are a + variety of implementations which have varying levels of integration. + Please see the Kerberos FAQ available at http://www.ov.com/misc/krb- + faq.html for the latest information. + + + + + +Fraser, Ed. Informational [Page 25] + +RFC 2196 Site Security Handbook September 1997 + + +4.1.3 Choosing and Protecting Secret Tokens and PINs + + When selecting secret tokens, take care to choose them carefully. + Like the selection of passwords, they should be robust against brute + force efforts to guess them. That is, they should not be single + words in any language, any common, industry, or cultural acronyms, + etc. Ideally, they will be longer rather than shorter and consist of + pass phrases that combine upper and lower case character, digits, and + other characters. + + Once chosen, the protection of these secret tokens is very important. + Some are used as pins to hardware devices (like token cards) and + these should not be written down or placed in the same location as + the device with which they are associated. Others, such as a secret + Pretty Good Privacy (PGP) key, should be protected from unauthorized + access. + + One final word on this subject. When using cryptography products, + like PGP, take care to determine the proper key length and ensure + that your users are trained to do likewise. As technology advances, + the minimum safe key length continues to grow. Make sure your site + keeps up with the latest knowledge on the technology so that you can + ensure that any cryptography in use is providing the protection you + believe it is. + +4.1.4 Password Assurance + + While the need to eliminate the use of standard, reusable passwords + cannot be overstated, it is recognized that some organizations may + still be using them. While it's recommended that these organizations + transition to the use of better technology, in the mean time, we have + the following advice to help with the selection and maintenance of + traditional passwords. But remember, none of these measures provides + protection against disclosure due to sniffer programs. + + (1) The importance of robust passwords - In many (if not most) cases + of system penetration, the intruder needs to gain access to an + account on the system. One way that goal is typically + accomplished is through guessing the password of a legitimate + user. This is often accomplished by running an automated + password cracking program, which utilizes a very large + dictionary, against the system's password file. The only way to + guard against passwords being disclosed in this manner is + through the careful selection of passwords which cannot be + easily guessed (i.e., combinations of numbers, letters, and + punctuation characters). Passwords should also be as long as + the system supports and users can tolerate. + + + + +Fraser, Ed. Informational [Page 26] + +RFC 2196 Site Security Handbook September 1997 + + + (2) Changing default passwords - Many operating systems and + application programs are installed with default accounts and + passwords. These must be changed immediately to something that + cannot be guessed or cracked. + + (3) Restricting access to the password file - In particular, a site + wants to protect the encrypted password portion of the file so + that would-be intruders don't have them available for cracking. + One effective technique is to use shadow passwords where the + password field of the standard file contains a dummy or false + password. The file containing the legitimate passwords are + protected elsewhere on the system. + + (4) Password aging - When and how to expire passwords is still a + subject of controversy among the security community. It is + generally accepted that a password should not be maintained once + an account is no longer in use, but it is hotly debated whether + a user should be forced to change a good password that's in + active use. The arguments for changing passwords relate to the + prevention of the continued use of penetrated accounts. + However, the opposition claims that frequent password changes + lead to users writing down their passwords in visible areas + (such as pasting them to a terminal), or to users selecting very + simple passwords that are easy to guess. It should also be + stated that an intruder will probably use a captured or guessed + password sooner rather than later, in which case password aging + provides little if any protection. + + While there is no definitive answer to this dilemma, a password + policy should directly address the issue and provide guidelines + for how often a user should change the password. Certainly, an + annual change in their password is usually not difficult for + most users, and you should consider requiring it. It is + recommended that passwords be changed at least whenever a + privileged account is compromised, there is a critical change in + personnel (especially if it is an administrator!), or when an + account has been compromised. In addition, if a privileged + account password is compromised, all passwords on the system + should be changed. + + (5) Password/account blocking - Some sites find it useful to disable + accounts after a predefined number of failed attempts to + authenticate. If your site decides to employ this mechanism, it + is recommended that the mechanism not "advertise" itself. After + + + + + + + +Fraser, Ed. Informational [Page 27] + +RFC 2196 Site Security Handbook September 1997 + + + disabling, even if the correct password is presented, the + message displayed should remain that of a failed login attempt. + Implementing this mechanism will require that legitimate users + contact their system administrator to request that their account + be reactivated. + + (6) A word about the finger daemon - By default, the finger daemon + displays considerable system and user information. For example, + it can display a list of all users currently using a system, or + all the contents of a specific user's .plan file. This + information can be used by would-be intruders to identify + usernames and guess their passwords. It is recommended that + sites consider modifying finger to restrict the information + displayed. + +4.2 Confidentiality + + There will be information assets that your site will want to protect + from disclosure to unauthorized entities. Operating systems often + have built-in file protection mechanisms that allow an administrator + to control who on the system can access, or "see," the contents of a + given file. A stronger way to provide confidentiality is through + encryption. Encryption is accomplished by scrambling data so that it + is very difficult and time consuming for anyone other than the + authorized recipients or owners to obtain the plain text. Authorized + recipients and the owner of the information will possess the + corresponding decryption keys that allow them to easily unscramble + the text to a readable (clear text) form. We recommend that sites + use encryption to provide confidentiality and protect valuable + information. + + The use of encryption is sometimes controlled by governmental and + site regulations, so we encourage administrators to become informed + of laws or policies that regulate its use before employing it. It is + outside the scope of this document to discuss the various algorithms + and programs available for this purpose, but we do caution against + the casual use of the UNIX crypt program as it has been found to be + easily broken. We also encourage everyone to take time to understand + the strength of the encryption in any given algorithm/product before + using it. Most well-known products are well-documented in the + literature, so this should be a fairly easy task. + +4.3 Integrity + + As an administrator, you will want to make sure that information + (e.g., operating system files, company data, etc.) has not been + altered in an unauthorized fashion. This means you will want to + provide some assurance as to the integrity of the information on your + + + +Fraser, Ed. Informational [Page 28] + +RFC 2196 Site Security Handbook September 1997 + + + systems. One way to provide this is to produce a checksum of the + unaltered file, store that checksum offline, and periodically (or + when desired) check to make sure the checksum of the online file + hasn't changed (which would indicate the data has been modified). + + Some operating systems come with checksumming programs, such as the + UNIX sum program. However, these may not provide the protection you + actually need. Files can be modified in such a way as to preserve + the result of the UNIX sum program! Therefore, we suggest that you + use a cryptographically strong program, such as the message digesting + program MD5 [ref], to produce the checksums you will be using to + assure integrity. + + There are other applications where integrity will need to be assured, + such as when transmitting an email message between two parties. There + are products available that can provide this capability. Once you + identify that this is a capability you need, you can go about + identifying technologies that will provide it. + +4.4 Authorization + + Authorization refers to the process of granting privileges to + processes and, ultimately, users. This differs from authentication + in that authentication is the process used to identify a user. Once + identified (reliably), the privileges, rights, property, and + permissible actions of the user are determined by authorization. + + Explicitly listing the authorized activities of each user (and user + process) with respect to all resources (objects) is impossible in a + reasonable system. In a real system certain techniques are used to + simplify the process of granting and checking authorization(s). + + One approach, popularized in UNIX systems, is to assign to each + object three classes of user: owner, group and world. The owner is + either the creator of the object or the user assigned as owner by the + super-user. The owner permissions (read, write and execute) apply + only to the owner. A group is a collection of users which share + access rights to an object. The group permissions (read, write and + execute) apply to all users in the group (except the owner). The + world refers to everybody else with access to the system. The world + permissions (read, write and execute) apply to all users (except the + owner and members of the group). + + Another approach is to attach to an object a list which explicitly + contains the identity of all permitted users (or groups). This is an + Access Control List (ACL). The advantage of ACLs are that they are + + + + + +Fraser, Ed. Informational [Page 29] + +RFC 2196 Site Security Handbook September 1997 + + + easily maintained (one central list per object) and it's very easy to + visually check who has access to what. The disadvantages are the + extra resources required to store such lists, as well as the vast + number of such lists required for large systems. + +4.5 Access + +4.5.1 Physical Access + + Restrict physical access to hosts, allowing access only to those + people who are supposed to use the hosts. Hosts include "trusted" + terminals (i.e., terminals which allow unauthenticated use such as + system consoles, operator terminals and terminals dedicated to + special tasks), and individual microcomputers and workstations, + especially those connected to your network. Make sure people's work + areas mesh well with access restrictions; otherwise they will find + ways to circumvent your physical security (e.g., jamming doors open). + + Keep original and backup copies of data and programs safe. Apart + from keeping them in good condition for backup purposes, they must be + protected from theft. It is important to keep backups in a separate + location from the originals, not only for damage considerations, but + also to guard against thefts. + + Portable hosts are a particular risk. Make sure it won't cause + problems if one of your staff's portable computer is stolen. + Consider developing guidelines for the kinds of data that should be + allowed to reside on the disks of portable computers as well as how + the data should be protected (e.g., encryption) when it is on a + portable computer. + + Other areas where physical access should be restricted is the wiring + closets and important network elements like file servers, name server + hosts, and routers. + +4.5.2 Walk-up Network Connections + + By "walk-up" connections, we mean network connection points located + to provide a convenient way for users to connect a portable host to + your network. + + Consider whether you need to provide this service, bearing in mind + that it allows any user to attach an unauthorized host to your + network. This increases the risk of attacks via techniques such as + + + + + + + +Fraser, Ed. Informational [Page 30] + +RFC 2196 Site Security Handbook September 1997 + + + IP address spoofing, packet sniffing, etc. Users and site management + must appreciate the risks involved. If you decide to provide walk-up + connections, plan the service carefully and define precisely where + you will provide it so that you can ensure the necessary physical + access security. + + A walk-up host should be authenticated before its user is permitted + to access resources on your network. As an alternative, it may be + possible to control physical access. For example, if the service is + to be used by students, you might only provide walk-up connection + sockets in student laboratories. + + If you are providing walk-up access for visitors to connect back to + their home networks (e.g., to read e-mail, etc.) in your facility, + consider using a separate subnet that has no connectivity to the + internal network. + + Keep an eye on any area that contains unmonitored access to the + network, such as vacant offices. It may be sensible to disconnect + such areas at the wiring closet, and consider using secure hubs and + monitoring attempts to connect unauthorized hosts. + +4.5.3 Other Network Technologies + + Technologies considered here include X.25, ISDN, SMDS, DDS and Frame + Relay. All are provided via physical links which go through + telephone exchanges, providing the potential for them to be diverted. + Crackers are certainly interested in telephone switches as well as in + data networks! + + With switched technologies, use Permanent Virtual Circuits or Closed + User Groups whenever this is possible. Technologies which provide + authentication and/or encryption (such as IPv6) are evolving rapidly; + consider using them on links where security is important. + +4.5.4 Modems + +4.5.4.1 Modem Lines Must Be Managed + + Although they provide convenient access to a site for its users, they + can also provide an effective detour around the site's firewalls. + For this reason it is essential to maintain proper control of modems. + + Don't allow users to install a modem line without proper + authorization. This includes temporary installations (e.g., plugging + a modem into a facsimile or telephone line overnight). + + + + + +Fraser, Ed. Informational [Page 31] + +RFC 2196 Site Security Handbook September 1997 + + + Maintain a register of all your modem lines and keep your register up + to date. Conduct regular (ideally automated) site checks for + unauthorized modems. + +4.5.4.2 Dial-in Users Must Be Authenticated + + A username and password check should be completed before a user can + access anything on your network. Normal password security + considerations are particularly important (see section 4.1.1). + + Remember that telephone lines can be tapped, and that it is quite + easy to intercept messages to cellular phones. Modern high-speed + modems use more sophisticated modulation techniques, which makes them + somewhat more difficult to monitor, but it is prudent to assume that + hackers know how to eavesdrop on your lines. For this reason, you + should use one-time passwords if at all possible. + + It is helpful to have a single dial-in point (e.g., a single large + modem pool) so that all users are authenticated in the same way. + + Users will occasionally mis-type a password. Set a short delay - say + two seconds - after the first and second failed logins, and force a + disconnect after the third. This will slow down automated password + attacks. Don't tell the user whether the username, the password, or + both, were incorrect. + +4.5.4.3 Call-back Capability + + Some dial-in servers offer call-back facilities (i.e., the user dials + in and is authenticated, then the system disconnects the call and + calls back on a specified number). Call-back is useful since if + someone were to guess a username and password, they are disconnected, + and the system then calls back the actual user whose password was + cracked; random calls from a server are suspicious, at best. This + does mean users may only log in from one location (where the server + is configured to dial them back), and of course there may be phone + charges associated with there call-back location. + + This feature should be used with caution; it can easily be bypassed. + At a minimum, make sure that the return call is never made from the + same modem as the incoming one. Overall, although call-back can + improve modem security, you should not depend on it alone. + +4.5.4.4 All Logins Should Be Logged + + All logins, whether successful or unsuccessful should be logged. + However, do not keep correct passwords in the log. Rather, log them + simply as a successful login attempt. Since most bad passwords are + + + +Fraser, Ed. Informational [Page 32] + +RFC 2196 Site Security Handbook September 1997 + + + mistyped by authorized users, they only vary by a single character + from the actual password. Therefore if you can't keep such a log + secure, don't log it at all. + + If Calling Line Identification is available, take advantage of it by + recording the calling number for each login attempt. Be sensitive to + the privacy issues raised by Calling Line Identification. Also be + aware that Calling Line Identification is not to be trusted (since + intruders have been known to break into phone switches and forward + phone numbers or make other changes); use the data for informational + purposes only, not for authentication. + +4.5.4.5 Choose Your Opening Banner Carefully + + Many sites use a system default contained in a message of the day + file for their opening banner. Unfortunately, this often includes the + type of host hardware or operating system present on the host. This + can provide valuable information to a would-be intruder. Instead, + each site should create its own specific login banner, taking care to + only include necessary information. + + Display a short banner, but don't offer an "inviting" name (e.g., + University of XYZ, Student Records System). Instead, give your site + name, a short warning that sessions may be monitored, and a + username/password prompt. Verify possible legal issues related to + the text you put into the banner. + + For high-security applications, consider using a "blind" password + (i.e., give no response to an incoming call until the user has typed + in a password). This effectively simulates a dead modem. + +4.5.4.6 Dial-out Authentication + + Dial-out users should also be authenticated, particularly since your + site will have to pay their telephone charges. + + Never allow dial-out from an unauthenticated dial-in call, and + consider whether you will allow it from an authenticated one. The + goal here is to prevent callers using your modem pool as part of a + chain of logins. This can be hard to detect, particularly if a + hacker sets up a path through several hosts on your site. + + At a minimum, don't allow the same modems and phone lines to be used + for both dial-in and dial-out. This can be implemented easily if you + run separate dial-in and dial-out modem pools. + + + + + + +Fraser, Ed. Informational [Page 33] + +RFC 2196 Site Security Handbook September 1997 + + +4.5.4.7 Make Your Modem Programming as "Bullet-proof" as Possible + + Be sure modems can't be reprogrammed while they're in service. At a + minimum, make sure that three plus signs won't put your dial-in + modems into command mode! + + Program your modems to reset to your standard configuration at the + start of each new call. Failing this, make them reset at the end of + each call. This precaution will protect you against accidental + reprogramming of your modems. Resetting at both the end and the + beginning of each call will assure an even higher level of confidence + that a new caller will not inherit a previous caller's session. + + Check that your modems terminate calls cleanly. When a user logs out + from an access server, verify that the server hangs up the phone line + properly. It is equally important that the server forces logouts + from whatever sessions were active if the user hangs up unexpectedly. + +4.6 Auditing + + This section covers the procedures for collecting data generated by + network activity, which may be useful in analyzing the security of a + network and responding to security incidents. + +4.6.1 What to Collect + + Audit data should include any attempt to achieve a different security + level by any person, process, or other entity in the network. This + includes login and logout, super user access (or the non-UNIX + equivalent), ticket generation (for Kerberos, for example), and any + other change of access or status. It is especially important to note + "anonymous" or "guest" access to public servers. + + The actual data to collect will differ for different sites and for + different types of access changes within a site. In general, the + information you want to collect includes: username and hostname, for + login and logout; previous and new access rights, for a change of + access rights; and a timestamp. Of course, there is much more + information which might be gathered, depending on what the system + makes available and how much space is available to store that + information. + + One very important note: do not gather passwords. This creates an + enormous potential security breach if the audit records should be + improperly accessed. Do not gather incorrect passwords either, as + they often differ from valid passwords by only a single character or + transposition. + + + + +Fraser, Ed. Informational [Page 34] + +RFC 2196 Site Security Handbook September 1997 + + +4.6.2 Collection Process + + The collection process should be enacted by the host or resource + being accessed. Depending on the importance of the data and the need + to have it local in instances in which services are being denied, + data could be kept local to the resource until needed or be + transmitted to storage after each event. + + There are basically three ways to store audit records: in a + read/write file on a host, on a write-once/read-many device (e.g., a + CD-ROM or a specially configured tape drive), or on a write-only + device (e.g., a line printer). Each method has advantages and + disadvantages. + + File system logging is the least resource intensive of the three + methods and the easiest to configure. It allows instant access to + the records for analysis, which may be important if an attack is in + progress. File system logging is also the least reliable method. If + the logging host has been compromised, the file system is usually the + first thing to go; an intruder could easily cover up traces of the + intrusion. + + Collecting audit data on a write-once device is slightly more effort + to configure than a simple file, but it has the significant advantage + of greatly increased security because an intruder could not alter the + data showing that an intrusion has occurred. The disadvantage of + this method is the need to maintain a supply of storage media and the + cost of that media. Also, the data may not be instantly available. + + Line printer logging is useful in system where permanent and + immediate logs are required. A real time system is an example of + this, where the exact point of a failure or attack must be recorded. + A laser printer, or other device which buffers data (e.g., a print + server), may suffer from lost data if buffers contain the needed data + at a critical instant. The disadvantage of, literally, "paper + trails" is the need to keep the printer fed and the need to scan + records by hand. There is also the issue of where to store the, + potentially, enormous volume of paper which may be generated. + + For each of the logging methods described, there is also the issue of + securing the path between the device generating the log and actual + logging device (i.e., the file server, tape/CD-ROM drive, printer). + If that path is compromised, logging can be stopped or spoofed or + both. In an ideal world, the logging device would be directly + + + + + + + +Fraser, Ed. Informational [Page 35] + +RFC 2196 Site Security Handbook September 1997 + + + attached by a single, simple, point-to-point cable. Since that is + usually impractical, the path should pass through the minimum number + of networks and routers. Even if logs can be blocked, spoofing can + be prevented with cryptographic checksums (it probably isn't + necessary to encrypt the logs because they should not contain + sensitive information in the first place). + +4.6.3 Collection Load + + Collecting audit data may result in a rapid accumulation of bytes so + storage availability for this information must be considered in + advance. There are a few ways to reduce the required storage space. + First, data can be compressed, using one of many methods. Or, the + required space can be minimized by keeping data for a shorter period + of time with only summaries of that data kept in long-term archives. + One major drawback to the latter method involves incident response. + Often, an incident has been ongoing for some period of time when a + site notices it and begins to investigate. At that point in time, + it's very helpful to have detailed audit logs available. If these are + just summaries, there may not be sufficient detail to fully handle + the incident. + +4.6.4 Handling and Preserving Audit Data + + Audit data should be some of the most carefully secured data at the + site and in the backups. If an intruder were to gain access to audit + logs, the systems themselves, in addition to the data, would be at + risk. + + Audit data may also become key to the investigation, apprehension, + and prosecution of the perpetrator of an incident. For this reason, + it is advisable to seek the advice of legal council when deciding how + audit data should be treated. This should happen before an incident + occurs. + + If a data handling plan is not adequately defined prior to an + incident, it may mean that there is no recourse in the aftermath of + an event, and it may create liability resulting from improper + treatment of the data. + +4.6.5 Legal Considerations + + Due to the content of audit data, there are a number of legal + questions that arise which might need to be addressed by your legal + counsel. If you collect and save audit data, you need to be prepared + for consequences resulting both from its existence and its content. + + + + + +Fraser, Ed. Informational [Page 36] + +RFC 2196 Site Security Handbook September 1997 + + + One area concerns the privacy of individuals. In certain instances, + audit data may contain personal information. Searching through the + data, even for a routine check of the system's security, could + represent an invasion of privacy. + + A second area of concern involves knowledge of intrusive behavior + originating from your site. If an organization keeps audit data, is + it responsible for examining it to search for incidents? If a host + in one organization is used as a launching point for an attack + against another organization, can the second organization use the + audit data of the first organization to prove negligence on the part + of that organization? + + The above examples are meant to be comprehensive, but should motivate + your organization to consider the legal issues involved with audit + data. + +4.7 Securing Backups + + The procedure of creating backups is a classic part of operating a + computer system. Within the context of this document, backups are + addressed as part of the overall security plan of a site. There are + several aspects to backups that are important within this context: + + (1) Make sure your site is creating backups + (2) Make sure your site is using offsite storage for backups. The + storage site should be carefully selected for both its security + and its availability. + (3) Consider encrypting your backups to provide additional protection + of the information once it is off-site. However, be aware that + you will need a good key management scheme so that you'll be + able to recover data at any point in the future. Also, make + sure you will have access to the necessary decryption programs + at such time in the future as you need to perform the + decryption. + (4) Don't always assume that your backups are good. There have been + many instances of computer security incidents that have gone on + for long periods of time before a site has noticed the incident. + In such cases, backups of the affected systems are also tainted. + (5) Periodically verify the correctness and completeness of your + backups. + +5. Security Incident Handling + + This chapter of the document will supply guidance to be used before, + during, and after a computer security incident occurs on a host, + network, site, or multi-site environment. The operative philosophy + in the event of a breach of computer security is to react according + + + +Fraser, Ed. Informational [Page 37] + +RFC 2196 Site Security Handbook September 1997 + + + to a plan. This is true whether the breach is the result of an + external intruder attack, unintentional damage, a student testing + some new program to exploit a software vulnerability, or a + disgruntled employee. Each of the possible types of events, such as + those just listed, should be addressed in advance by adequate + contingency plans. + + Traditional computer security, while quite important in the overall + site security plan, usually pays little attention to how to actually + handle an attack once one occurs. The result is that when an attack + is in progress, many decisions are made in haste and can be damaging + to tracking down the source of the incident, collecting evidence to + be used in prosecution efforts, preparing for the recovery of the + system, and protecting the valuable data contained on the system. + + One of the most important, but often overlooked, benefits for + efficient incident handling is an economic one. Having both + technical and managerial personnel respond to an incident requires + considerable resources. If trained to handle incidents efficiently, + less staff time is required when one occurs. + + Due to the world-wide network most incidents are not restricted to a + single site. Operating systems vulnerabilities apply (in some cases) + to several millions of systems, and many vulnerabilities are + exploited within the network itself. Therefore, it is vital that all + sites with involved parties be informed as soon as possible. + + Another benefit is related to public relations. News about computer + security incidents tends to be damaging to an organization's stature + among current or potential clients. Efficient incident handling + minimizes the potential for negative exposure. + + A final benefit of efficient incident handling is related to legal + issues. It is possible that in the near future organizations may be + held responsible because one of their nodes was used to launch a + network attack. In a similar vein, people who develop patches or + workarounds may be sued if the patches or workarounds are + ineffective, resulting in compromise of the systems, or, if the + patches or workarounds themselves damage systems. Knowing about + operating system vulnerabilities and patterns of attacks, and then + taking appropriate measures to counter these potential threats, is + critical to circumventing possible legal problems. + + + + + + + + + +Fraser, Ed. Informational [Page 38] + +RFC 2196 Site Security Handbook September 1997 + + + The sections in this chapter provide an outline and starting point + for creating your site's policy for handling security incidents. The + sections are: + + (1) Preparing and planning (what are the goals and objectives in + handling an incident). + (2) Notification (who should be contacted in the case of an + incident). + - Local managers and personnel + - Law enforcement and investigative agencies + - Computer security incidents handling teams + - Affected and involved sites + - Internal communications + - Public relations and press releases + (3) Identifying an incident (is it an incident and how serious is + it). + (4) Handling (what should be done when an incident occurs). + - Notification (who should be notified about the incident) + - Protecting evidence and activity logs (what records should be + kept from before, during, and after the incident) + - Containment (how can the damage be limited) + - Eradication (how to eliminate the reasons for the incident) + - Recovery (how to reestablish service and systems) + - Follow Up (what actions should be taken after the incident) + (5) Aftermath (what are the implications of past incidents). + (6) Administrative response to incidents. + + The remainder of this chapter will detail the issues involved in each + of the important topics listed above, and provide some guidance as to + what should be included in a site policy for handling incidents. + +5.1 Preparing and Planning for Incident Handling + + Part of handling an incident is being prepared to respond to an + incident before the incident occurs in the first place. This + includes establishing a suitable level of protections as explained in + the preceding chapters. Doing this should help your site prevent + incidents as well as limit potential damage resulting from them when + they do occur. Protection also includes preparing incident handling + guidelines as part of a contingency plan for your organization or + site. Having written plans eliminates much of the ambiguity which + occurs during an incident, and will lead to a more appropriate and + thorough set of responses. It is vitally important to test the + proposed plan before an incident occurs through "dry runs". A team + might even consider hiring a tiger team to act in parallel with the + dry run. (Note: a tiger team is a team of specialists that try to + penetrate the security of a system.) + + + + +Fraser, Ed. Informational [Page 39] + +RFC 2196 Site Security Handbook September 1997 + + + Learning to respond efficiently to an incident is important for a + number of reasons: + + (1) Protecting the assets which could be compromised + (2) Protecting resources which could be utilized more + profitably if an incident did not require their services + (3) Complying with (government or other) regulations + (4) Preventing the use of your systems in attacks against other + systems (which could cause you to incur legal liability) + (5) Minimizing the potential for negative exposure + + As in any set of pre-planned procedures, attention must be paid to a + set of goals for handling an incident. These goals will be + prioritized differently depending on the site. A specific set of + objectives can be identified for dealing with incidents: + + (1) Figure out how it happened. + (2) Find out how to avoid further exploitation of the same + vulnerability. + (3) Avoid escalation and further incidents. + (4) Assess the impact and damage of the incident. + (5) Recover from the incident. + (6) Update policies and procedures as needed. + (7) Find out who did it (if appropriate and possible). + + Due to the nature of the incident, there might be a conflict between + analyzing the original source of a problem and restoring systems and + services. Overall goals (like assuring the integrity of critical + systems) might be the reason for not analyzing an incident. Of + course, this is an important management decision; but all involved + parties must be aware that without analysis the same incident may + happen again. + + It is also important to prioritize the actions to be taken during an + incident well in advance of the time an incident occurs. Sometimes + an incident may be so complex that it is impossible to do everything + at once to respond to it; priorities are essential. Although + priorities will vary from institution to institution, the following + suggested priorities may serve as a starting point for defining your + organization's response: + + (1) Priority one -- protect human life and people's + safety; human life always has precedence over all + other considerations. + + (2) Priority two -- protect classified and/or sensitive + data. Prevent exploitation of classified and/or + sensitive systems, networks or sites. Inform affected + + + +Fraser, Ed. Informational [Page 40] + +RFC 2196 Site Security Handbook September 1997 + + + classified and/or sensitive systems, networks or sites + about already occurred penetrations. + (Be aware of regulations by your site or by government) + + (3) Priority three -- protect other data, including + proprietary, scientific, managerial and other data, + because loss of data is costly in terms of resources. + Prevent exploitations of other systems, networks or + sites and inform already affected systems, networks or + sites about successful penetrations. + + (4) Priority four -- prevent damage to systems (e.g., loss + or alteration of system files, damage to disk drives, + etc.). Damage to systems can result in costly down + time and recovery. + + (5) Priority five -- minimize disruption of computing + resources (including processes). It is better in many + cases to shut a system down or disconnect from a network + than to risk damage to data or systems. Sites will have + to evaluate the trade-offs between shutting down and + disconnecting, and staying up. There may be service + agreements in place that may require keeping systems + up even in light of further damage occurring. However, + the damage and scope of an incident may be so extensive + that service agreements may have to be over-ridden. + + An important implication for defining priorities is that once human + life and national security considerations have been addressed, it is + generally more important to save data than system software and + hardware. Although it is undesirable to have any damage or loss + during an incident, systems can be replaced. However, the loss or + compromise of data (especially classified or proprietary data) is + usually not an acceptable outcome under any circumstances. + + Another important concern is the effect on others, beyond the systems + and networks where the incident occurs. Within the limits imposed by + government regulations it is always important to inform affected + parties as soon as possible. Due to the legal implications of this + topic, it should be included in the planned procedures to avoid + further delays and uncertainties for the administrators. + + Any plan for responding to security incidents should be guided by + local policies and regulations. Government and private sites that + deal with classified material have specific rules that they must + follow. + + + + + +Fraser, Ed. Informational [Page 41] + +RFC 2196 Site Security Handbook September 1997 + + + The policies chosen by your site on how it reacts to incidents will + shape your response. For example, it may make little sense to create + mechanisms to monitor and trace intruders if your site does not plan + to take action against the intruders if they are caught. Other + organizations may have policies that affect your plans. Telephone + companies often release information about telephone traces only to + law enforcement agencies. + + Handling incidents can be tedious and require any number of routine + tasks that could be handled by support personnel. To free the + technical staff it may be helpful to identify support staff who will + help with tasks like: photocopying, fax'ing, etc. + +5.2 Notification and Points of Contact + + It is important to establish contacts with various personnel before a + real incident occurs. Many times, incidents are not real + emergencies. Indeed, often you will be able to handle the activities + internally. However, there will also be many times when others + outside your immediate department will need to be included in the + incident handling. These additional contacts include local managers + and system administrators, administrative contacts for other sites on + the Internet, and various investigative organizations. Getting to + know these contacts before incidents occurs will help to make your + incident handling process more efficient. + + For each type of communication contact, specific "Points of Contact" + (POC) should be defined. These may be technical or administrative in + nature and may include legal or investigative agencies as well as + service providers and vendors. When establishing these contact, it + is important to decide how much information will be shared with each + class of contact. It is especially important to define, ahead of + time, what information will be shared with the users at a site, with + the public (including the press), and with other sites. + + Settling these issues are especially important for the local person + responsible for handling the incident, since that is the person + responsible for the actual notification of others. A list of + contacts in each of these categories is an important time saver for + this person during an incident. It can be quite difficult to find an + appropriate person during an incident when many urgent events are + ongoing. It is strongly recommended that all relevant telephone + numbers (also electronic mail addresses and fax numbers) be included + in the site security policy. The names and contact information of + all individuals who will be directly involved in the handling of an + incident should be placed at the top of this list. + + + + + +Fraser, Ed. Informational [Page 42] + +RFC 2196 Site Security Handbook September 1997 + + +5.2.1 Local Managers and Personnel + + When an incident is under way, a major issue is deciding who is in + charge of coordinating the activity of the multitude of players. A + major mistake that can be made is to have a number of people who are + each working independently, but are not working together. This will + only add to the confusion of the event and will probably lead to + wasted or ineffective effort. + + The single POC may or may not be the person responsible for handling + the incident. There are two distinct roles to fill when deciding who + shall be the POC and who will be the person in charge of the + incident. The person in charge of the incident will make decisions + as to the interpretation of policy applied to the event. In + contrast, the POC must coordinate the effort of all the parties + involved with handling the event. + + The POC must be a person with the technical expertise to successfully + coordinate the efforts of the system managers and users involved in + monitoring and reacting to the attack. Care should be taken when + identifying who this person will be. It should not necessarily be + the same person who has administrative responsibility for the + compromised systems since often such administrators have knowledge + only sufficient for the day to day use of the computers, and lack in + depth technical expertise. + + Another important function of the POC is to maintain contact with law + enforcement and other external agencies to assure that multi-agency + involvement occurs. The level of involvement will be determined by + management decisions as well as legal constraints. + + A single POC should also be the single person in charge of collecting + evidence, since as a rule of thumb, the more people that touch a + potential piece of evidence, the greater the possibility that it will + be inadmissible in court. To ensure that evidence will be acceptable + to the legal community, collecting evidence should be done following + predefined procedures in accordance with local laws and legal + regulations. + + One of the most critical tasks for the POC is the coordination of all + relevant processes. Responsibilities may be distributed over the + whole site, involving multiple independent departments or groups. + This will require a well coordinated effort in order to achieve + overall success. The situation becomes even more complex if multiple + sites are involved. When this happens, rarely will a single POC at + one site be able to adequately coordinate the handling of the entire + incident. Instead, appropriate incident response teams should be + involved. + + + +Fraser, Ed. Informational [Page 43] + +RFC 2196 Site Security Handbook September 1997 + + + The incident handling process should provide some escalation + mechanisms. In order to define such a mechanism, sites will need to + create an internal classification scheme for incidents. Associated + with each level of incident will be the appropriate POC and + procedures. As an incident is escalated, there may be a change in + the POC which will need to be communicated to all others involved in + handling the incident. When a change in the POC occurs, old POC + should brief the new POC in all background information. + + Lastly, users must know how to report suspected incidents. Sites + should establish reporting procedures that will work both during and + outside normal working hours. Help desks are often used to receive + these reports during normal working hours, while beepers and + telephones can be used for out of hours reporting. + +5.2.2 Law Enforcement and Investigative Agencies + + In the event of an incident that has legal consequences, it is + important to establish contact with investigative agencies (e.g, the + FBI and Secret Service in the U.S.) as soon as possible. Local law + enforcement, local security offices, and campus police departments + should also be informed as appropriate. This section describes many + of the issues that will be confronted, but it is acknowledged that + each organization will have its own local and governmental laws and + regulations that will impact how they interact with law enforcement + and investigative agencies. The most important point to make is that + each site needs to work through these issues. + + A primary reason for determining these point of contact well in + advance of an incident is that once a major attack is in progress, + there is little time to call these agencies to determine exactly who + the correct point of contact is. Another reason is that it is + important to cooperate with these agencies in a manner that will + foster a good working relationship, and that will be in accordance + with the working procedures of these agencies. Knowing the working + procedures in advance, and the expectations of your point of contact + is a big step in this direction. For example, it is important to + gather evidence that will be admissible in any subsequent legal + proceedings, and this will require prior knowledge of how to gather + such evidence. A final reason for establishing contacts as soon as + possible is that it is impossible to know the particular agency that + will assume jurisdiction in any given incident. Making contacts and + finding the proper channels early on will make responding to an + incident go considerably more smoothly. + + + + + + + +Fraser, Ed. Informational [Page 44] + +RFC 2196 Site Security Handbook September 1997 + + + If your organization or site has a legal counsel, you need to notify + this office soon after you learn that an incident is in progress. At + a minimum, your legal counsel needs to be involved to protect the + legal and financial interests of your site or organization. There + are many legal and practical issues, a few of which are: + + + (1) Whether your site or organization is willing to risk negative + publicity or exposure to cooperate with legal prosecution + efforts. + + (2) Downstream liability--if you leave a compromised system as is so + it can be monitored and another computer is damaged because the + attack originated from your system, your site or organization + may be liable for damages incurred. + + (3) Distribution of information--if your site or organization + distributes information about an attack in which another site or + organization may be involved or the vulnerability in a product + that may affect ability to market that product, your site or + organization may again be liable for any damages (including + damage of reputation). + + (4) Liabilities due to monitoring--your site or organization may be + sued if users at your site or elsewhere discover that your site + is monitoring account activity without informing users. + + Unfortunately, there are no clear precedents yet on the liabilities + or responsibilities of organizations involved in a security incident + or who might be involved in supporting an investigative effort. + Investigators will often encourage organizations to help trace and + monitor intruders. Indeed, most investigators cannot pursue computer + intrusions without extensive support from the organizations involved. + However, investigators cannot provide protection from liability + claims, and these kinds of efforts may drag out for months and may + take a lot of effort. + + On the other hand, an organization's legal council may advise extreme + caution and suggest that tracing activities be halted and an intruder + shut out of the system. This, in itself, may not provide protection + from liability, and may prevent investigators from identifying the + perpetrator. + + The balance between supporting investigative activity and limiting + liability is tricky. You'll need to consider the advice of your legal + counsel and the damage the intruder is causing (if any) when making + your decision about what to do during any particular incident. + + + + +Fraser, Ed. Informational [Page 45] + +RFC 2196 Site Security Handbook September 1997 + + + Your legal counsel should also be involved in any decision to contact + investigative agencies when an incident occurs at your site. The + decision to coordinate efforts with investigative agencies is most + properly that of your site or organization. Involving your legal + counsel will also foster the multi-level coordination between your + site and the particular investigative agency involved, which in turn + results in an efficient division of labor. Another result is that + you are likely to obtain guidance that will help you avoid future + legal mistakes. + + Finally, your legal counsel should evaluate your site's written + procedures for responding to incidents. It is essential to obtain a + "clean bill of health" from a legal perspective before you actually + carry out these procedures. + + It is vital, when dealing with investigative agencies, to verify that + the person who calls asking for information is a legitimate + representative from the agency in question. Unfortunately, many well + intentioned people have unknowingly leaked sensitive details about + incidents, allowed unauthorized people into their systems, etc., + because a caller has masqueraded as a representative of a government + agency. (Note: this word of caution actually applies to all external + contacts.) + + A similar consideration is using a secure means of communication. + Because many network attackers can easily re-route electronic mail, + avoid using electronic mail to communicate with other agencies (as + well as others dealing with the incident at hand). Non-secured phone + lines (the phones normally used in the business world) are also + frequent targets for tapping by network intruders, so be careful! + + There is no one established set of rules for responding to an + incident when the local government becomes involved. Normally (in + the U.S.), except by legal order, no agency can force you to monitor, + to disconnect from the network, to avoid telephone contact with the + suspected attackers, etc. Each organization will have a set of local + and national laws and regulations that must be adhered to when + handling incidents. It is recommended that each site be familiar with + those laws and regulations, and identify and get know the contacts + for agencies with jurisdiction well in advance of handling an + incident. + +5.2.3 Computer Security Incident Handling Teams + + There are currently a number of of Computer Security Incident + Response teams (CSIRTs) such as the CERT Coordination Center, the + German DFN-CERT, and other teams around the globe. Teams exist for + many major government agencies and large corporations. If such a + + + +Fraser, Ed. Informational [Page 46] + +RFC 2196 Site Security Handbook September 1997 + + + team is available, notifying it should be of primary consideration + during the early stages of an incident. These teams are responsible + for coordinating computer security incidents over a range of sites + and larger entities. Even if the incident is believed to be + contained within a single site, it is possible that the information + available through a response team could help in fully resolving the + incident. + + If it is determined that the breach occurred due to a flaw in the + system's hardware or software, the vendor (or supplier) and a + Computer Security Incident Handling team should be notified as soon + as possible. This is especially important because many other systems + are vulnerable, and these vendor and response team organizations can + help disseminate help to other affected sites. + + In setting up a site policy for incident handling, it may be + desirable to create a subgroup, much like those teams that already + exist, that will be responsible for handling computer security + incidents for the site (or organization). If such a team is created, + it is essential that communication lines be opened between this team + and other teams. Once an incident is under way, it is difficult to + open a trusted dialogue between other teams if none has existed + before. + +5.2.4 Affected and Involved Sites + + If an incident has an impact on other sites, it is good practice to + inform them. It may be obvious from the beginning that the incident + is not limited to the local site, or it may emerge only after further + analysis. + + Each site may choose to contact other sites directly or they can pass + the information to an appropriate incident response team. It is often + very difficult to find the responsible POC at remote sites and the + incident response team will be able to facilitate contact by making + use of already established channels. + + The legal and liability issues arising from a security incident will + differ from site to site. It is important to define a policy for the + sharing and logging of information about other sites before an + incident occurs. + + Information about specific people is especially sensitive, and may be + subject to privacy laws. To avoid problems in this area, irrelevant + information should be deleted and a statement of how to handle the + remaining information should be included. A clear statement of how + this information is to be used is essential. No one who informs a + site of a security incident wants to read about it in the public + + + +Fraser, Ed. Informational [Page 47] + +RFC 2196 Site Security Handbook September 1997 + + + press. Incident response teams are valuable in this respect. When + they pass information to responsible POCs, they are able to protect + the anonymity of the original source. But, be aware that, in many + cases, the analysis of logs and information at other sites will + reveal addresses of your site. + + All the problems discussed above should be not taken as reasons not + to involve other sites. In fact, the experiences of existing teams + reveal that most sites informed about security problems are not even + aware that their site had been compromised. Without timely + information, other sites are often unable to take action against + intruders. + +5.2.5 Internal Communications + + It is crucial during a major incident to communicate why certain + actions are being taken, and how the users (or departments) are + expected to behave. In particular, it should be made very clear to + users what they are allowed to say (and not say) to the outside world + (including other departments). For example, it wouldn't be good for + an organization if users replied to customers with something like, + "I'm sorry the systems are down, we've had an intruder and we are + trying to clean things up." It would be much better if they were + instructed to respond with a prepared statement like, "I'm sorry our + systems are unavailable, they are being maintained for better service + in the future." + + Communications with customers and contract partners should be handled + in a sensible, but sensitive way. One can prepare for the main issues + by preparing a checklist. When an incident occurs, the checklist can + be used with the addition of a sentence or two for the specific + circumstances of the incident. + + Public relations departments can be very helpful during incidents. + They should be involved in all planning and can provide well + constructed responses for use when contact with outside departments + and organizations is necessary. + +5.2.6 Public Relations - Press Releases + + There has been a tremendous growth in the amount of media coverage + dedicated to computer security incidents in the United States. Such + press coverage is bound to extend to other countries as the Internet + continues to grow and expand internationally. Readers from countries + where such media attention has not yet occurred, can learn from the + experiences in the U.S. and should be forwarned and prepared. + + + + + +Fraser, Ed. Informational [Page 48] + +RFC 2196 Site Security Handbook September 1997 + + + One of the most important issues to consider is when, who, and how + much to release to the general public through the press. There are + many issues to consider when deciding this particular issue. First + and foremost, if a public relations office exists for the site, it is + important to use this office as liaison to the press. The public + relations office is trained in the type and wording of information + released, and will help to assure that the image of the site is + protected during and after the incident (if possible). A public + relations office has the advantage that you can communicate candidly + with them, and provide a buffer between the constant press attention + and the need of the POC to maintain control over the incident. + + If a public relations office is not available, the information + released to the press must be carefully considered. If the + information is sensitive, it may be advantageous to provide only + minimal or overview information to the press. It is quite possible + that any information provided to the press will be quickly reviewed + by the perpetrator of the incident. Also note that misleading the + press can often backfire and cause more damage than releasing + sensitive information. + + While it is difficult to determine in advance what level of detail to + provide to the press, some guidelines to keep in mind are: + + (1) Keep the technical level of detail low. Detailed + information about the incident may provide enough + information for others to launch similar attacks on + other sites, or even damage the site's ability to + prosecute the guilty party once the event is over. + + (2) Keep the speculation out of press statements. + Speculation of who is causing the incident or the + motives are very likely to be in error and may cause + an inflamed view of the incident. + + (3) Work with law enforcement professionals to assure that + evidence is protected. If prosecution is involved, + assure that the evidence collected is not divulged to + the press. + + (4) Try not to be forced into a press interview before you are + prepared. The popular press is famous for the "2 am" + interview, where the hope is to catch the interviewee off + guard and obtain information otherwise not available. + + (5) Do not allow the press attention to detract from the + handling of the event. Always remember that the successful + closure of an incident is of primary importance. + + + +Fraser, Ed. Informational [Page 49] + +RFC 2196 Site Security Handbook September 1997 + + +5.3 Identifying an Incident + +5.3.1 Is It Real? + + This stage involves determining if a problem really exists. Of + course many if not most signs often associated with virus infection, + system intrusions, malicious users, etc., are simply anomalies such + as hardware failures or suspicious system/user behavior. To assist + in identifying whether there really is an incident, it is usually + helpful to obtain and use any detection software which may be + available. Audit information is also extremely useful, especially in + determining whether there is a network attack. It is extremely + important to obtain a system snapshot as soon as one suspects that + something is wrong. Many incidents cause a dynamic chain of events + to occur, and an initial system snapshot may be the most valuable + tool for identifying the problem and any source of attack. Finally, + it is important to start a log book. Recording system events, + telephone conversations, time stamps, etc., can lead to a more rapid + and systematic identification of the problem, and is the basis for + subsequent stages of incident handling. + + There are certain indications or "symptoms" of an incident that + deserve special attention: + + (1) System crashes. + (2) New user accounts (the account RUMPLESTILTSKIN has been + unexpectedly created), or high activity on a previously + low usage account. + (3) New files (usually with novel or strange file names, + such as data.xx or k or .xx ). + (4) Accounting discrepancies (in a UNIX system you might + notice the shrinking of an accounting file called + /usr/admin/lastlog, something that should make you very + suspicious that there may be an intruder). + (5) Changes in file lengths or dates (a user should be + suspicious if .EXE files in an MS DOS computer have + unexplainedly grown by over 1800 bytes). + (6) Attempts to write to system (a system manager notices + that a privileged user in a VMS system is attempting to + alter RIGHTSLIST.DAT). + (7) Data modification or deletion (files start to disappear). + (8) Denial of service (a system manager and all other users + become locked out of a UNIX system, now in single user mode). + (9) Unexplained, poor system performance + (10) Anomalies ("GOTCHA" is displayed on the console or there + are frequent unexplained "beeps"). + (11) Suspicious probes (there are numerous unsuccessful login + attempts from another node). + + + +Fraser, Ed. Informational [Page 50] + +RFC 2196 Site Security Handbook September 1997 + + + (12) Suspicious browsing (someone becomes a root user on a UNIX + system and accesses file after file on many user accounts.) + (13) Inability of a user to log in due to modifications of his/her + account. + + By no means is this list comprehensive; we have just listed a number + of common indicators. It is best to collaborate with other technical + and computer security personnel to make a decision as a group about + whether an incident is occurring. + +5.3.2 Types and Scope of Incidents + + Along with the identification of the incident is the evaluation of + the scope and impact of the problem. It is important to correctly + identify the boundaries of the incident in order to effectively deal + with it and prioritize responses. + + In order to identify the scope and impact a set of criteria should be + defined which is appropriate to the site and to the type of + connections available. Some of the issues include: + + (1) Is this a multi-site incident? + (2) Are many computers at your site affected by this incident? + (3) Is sensitive information involved? + (4) What is the entry point of the incident (network, + phone line, local terminal, etc.)? + (5) Is the press involved? + (6) What is the potential damage of the incident? + (7) What is the estimated time to close out the incident? + (8) What resources could be required to handle the incident? + (9) Is law enforcement involved? + +5.3.3 Assessing the Damage and Extent + + The analysis of the damage and extent of the incident can be quite + time consuming, but should lead to some insight into the nature of + the incident, and aid investigation and prosecution. As soon as the + breach has occurred, the entire system and all of its components + should be considered suspect. System software is the most probable + target. Preparation is key to be able to detect all changes for a + possibly tainted system. This includes checksumming all media from + the vendor using a algorithm which is resistant to tampering. (See + sections 4.3) + + Assuming original vendor distribution media are available, an + analysis of all system files should commence, and any irregularities + should be noted and referred to all parties involved in handling the + incident. It can be very difficult, in some cases, to decide which + + + +Fraser, Ed. Informational [Page 51] + +RFC 2196 Site Security Handbook September 1997 + + + backup media are showing a correct system status. Consider, for + example, that the incident may have continued for months or years + before discovery, and the suspect may be an employee of the site, or + otherwise have intimate knowledge or access to the systems. In all + cases, the pre-incident preparation will determine what recovery is + possible. + + If the system supports centralized logging (most do), go back over + the logs and look for abnormalities. If process accounting and + connect time accounting is enabled, look for patterns of system + usage. To a lesser extent, disk usage may shed light on the + incident. Accounting can provide much helpful information in an + analysis of an incident and subsequent prosecution. Your ability to + address all aspects of a specific incident strongly depends on the + success of this analysis. + +5.4 Handling an Incident + + Certain steps are necessary to take during the handling of an + incident. In all security related activities, the most important + point to be made is that all sites should have policies in place. + Without defined policies and goals, activities undertaken will remain + without focus. The goals should be defined by management and legal + counsel in advance. + + One of the most fundamental objectives is to restore control of the + affected systems and to limit the impact and damage. In the worst + case scenario, shutting down the system, or disconnecting the system + from the network, may the only practical solution. + + As the activities involved are complex, try to get as much help as + necessary. While trying to solve the problem alone, real damage + might occur due to delays or missing information. Most + administrators take the discovery of an intruder as a personal + challenge. By proceeding this way, other objectives as outlined in + the local policies may not always be considered. Trying to catch + intruders may be a very low priority, compared to system integrity, + for example. Monitoring a hacker's activity is useful, but it might + not be considered worth the risk to allow the continued access. + +5.4.1 Types of Notification and Exchange of Information + + When you have confirmed that an incident is occurring, the + appropriate personnel must be notified. How this notification is + achieved is very important to keeping the event under control both + from a technical and emotional standpoint. The circumstances should + be described in as much detail as possible, in order to aid prompt + acknowledgment and understanding of the problem. Great care should + + + +Fraser, Ed. Informational [Page 52] + +RFC 2196 Site Security Handbook September 1997 + + + be taken when determining to which groups detailed technical + information is given during the notification. For example, it is + helpful to pass this kind of information to an incident handling team + as they can assist you by providing helpful hints for eradicating the + vulnerabilities involved in an incident. On the other hand, putting + the critical knowledge into the public domain (e.g., via USENET + newsgroups or mailing lists) may potentially put a large number of + systems at risk of intrusion. It is invalid to assume that all + administrators reading a particular newsgroup have access to + operating system source code, or can even understand an advisory well + enough to take adequate steps. + + First of all, any notification to either local or off-site personnel + must be explicit. This requires that any statement (be it an + electronic mail message, phone call, fax, beeper, or semaphone) + providing information about the incident be clear, concise, and fully + qualified. When you are notifying others that will help you handle + an event, a "smoke screen" will only divide the effort and create + confusion. If a division of labor is suggested, it is helpful to + provide information to each participant about what is being + accomplished in other efforts. This will not only reduce duplication + of effort, but allow people working on parts of the problem to know + where to obtain information relevant to their part of the incident. + + Another important consideration when communicating about the incident + is to be factual. Attempting to hide aspects of the incident by + providing false or incomplete information may not only prevent a + successful resolution to the incident, but may even worsen the + situation. + + The choice of language used when notifying people about the incident + can have a profound effect on the way that information is received. + When you use emotional or inflammatory terms, you raise the potential + for damage and negative outcomes of the incident. It is important to + remain calm both in written and spoken communications. + + Another consideration is that not all people speak the same language. + Due to this fact, misunderstandings and delay may arise, especially + if it is a multi-national incident. Other international concerns + include differing legal implications of a security incident and + cultural differences. However, cultural differences do not only + exist between countries. They even exist within countries, between + different social or user groups. For example, an administrator of a + university system might be very relaxed about attempts to connect to + the system via telnet, but the administrator of a military system is + likely to consider the same action as a possible attack. + + + + + +Fraser, Ed. Informational [Page 53] + +RFC 2196 Site Security Handbook September 1997 + + + Another issue associated with the choice of language is the + notification of non-technical or off-site personnel. It is important + to accurately describe the incident without generating undue alarm or + confusion. While it is more difficult to describe the incident to a + non-technical audience, it is often more important. A non-technical + description may be required for upper-level management, the press, or + law enforcement liaisons. The importance of these communications + cannot be underestimated and may make the difference between + resolving the incident properly and escalating to some higher level + of damage. + + If an incident response team becomes involved, it might be necessary + to fill out a template for the information exchange. Although this + may seem to be an additional burden and adds a certain delay, it + helps the team to act on this minimum set of information. The + response team may be able to respond to aspects of the incident of + which the local administrator is unaware. If information is given out + to someone else, the following minimum information should be + provided: + + (1) timezone of logs, ... in GMT or local time + (2) information about the remote system, including host names, + IP addresses and (perhaps) user IDs + (3) all log entries relevant for the remote site + (4) type of incident (what happened, why should you care) + + If local information (i.e., local user IDs) is included in the log + entries, it will be necessary to sanitize the entries beforehand to + avoid privacy issues. In general, all information which might assist + a remote site in resolving an incident should be given out, unless + local policies prohibit this. + +5.4.2 Protecting Evidence and Activity Logs + + When you respond to an incident, document all details related to the + incident. This will provide valuable information to yourself and + others as you try to unravel the course of events. Documenting all + details will ultimately save you time. If you don't document every + relevant phone call, for example, you are likely to forget a + significant portion of information you obtain, requiring you to + contact the source of information again. At the same time, recording + details will provide evidence for prosecution efforts, providing the + case moves in that direction. Documenting an incident will also help + you perform a final assessment of damage (something your management, + as well as law enforcement officers, will want to know), and will + provide the basis for later phases of the handling process: + eradication, recovery, and follow-up "lessons learned." + + + + +Fraser, Ed. Informational [Page 54] + +RFC 2196 Site Security Handbook September 1997 + + + During the initial stages of an incident, it is often infeasible to + determine whether prosecution is viable, so you should document as if + you are gathering evidence for a court case. At a minimum, you + should record: + + (1) all system events (audit records) + (2) all actions you take (time tagged) + (3) all external conversations (including the person with whom + you talked, the date and time, and the content of the + conversation) + + The most straightforward way to maintain documentation is keeping a + log book. This allows you to go to a centralized, chronological + source of information when you need it, instead of requiring you to + page through individual sheets of paper. Much of this information is + potential evidence in a court of law. Thus, when a legal follow-up + is a possibility, one should follow the prepared procedures and avoid + jeopardizing the legal follow-up by improper handling of possible + evidence. If appropriate, the following steps may be taken. + + (1) Regularly (e.g., every day) turn in photocopied, signed + copies of your logbook (as well as media you use to record + system events) to a document custodian. + (2) The custodian should store these copied pages in a secure + place (e.g., a safe). + (3) When you submit information for storage, you should + receive a signed, dated receipt from the document + custodian. + + Failure to observe these procedures can result in invalidation of any + evidence you obtain in a court of law. + +5.4.3 Containment + + The purpose of containment is to limit the extent of an attack. An + essential part of containment is decision making (e.g., determining + whether to shut a system down, disconnect from a network, monitor + system or network activity, set traps, disable functions such as + remote file transfer, etc.). + + Sometimes this decision is trivial; shut the system down if the + information is classified, sensitive, or proprietary. Bear in mind + that removing all access while an incident is in progress obviously + notifies all users, including the alleged problem users, that the + administrators are aware of a problem; this may have a deleterious + + + + + + +Fraser, Ed. Informational [Page 55] + +RFC 2196 Site Security Handbook September 1997 + + + effect on an investigation. In some cases, it is prudent to remove + all access or functionality as soon as possible, then restore normal + operation in limited stages. In other cases, it is worthwhile to + risk some damage to the system if keeping the system up might enable + you to identify an intruder. + + This stage should involve carrying out predetermined procedures. + Your organization or site should, for example, define acceptable + risks in dealing with an incident, and should prescribe specific + actions and strategies accordingly. This is especially important + when a quick decision is necessary and it is not possible to first + contact all involved parties to discuss the decision. In the absence + of predefined procedures, the person in charge of the incident will + often not have the power to make difficult management decisions (like + to lose the results of a costly experiment by shutting down a + system). A final activity that should occur during this stage of + incident handling is the notification of appropriate authorities. + +5.4.4 Eradication + + Once the incident has been contained, it is time to eradicate the + cause. But before eradicating the cause, great care should be taken + to collect all necessary information about the compromised system(s) + and the cause of the incident as they will likely be lost when + cleaning up the system. + + Software may be available to help you in the eradication process, + such as anti-virus software. If any bogus files have been created, + archive them before deleting them. In the case of virus infections, + it is important to clean and reformat any media containing infected + files. Finally, ensure that all backups are clean. Many systems + infected with viruses become periodically re-infected simply because + people do not systematically eradicate the virus from backups. After + eradication, a new backup should be taken. + + Removing all vulnerabilities once an incident has occurred is + difficult. The key to removing vulnerabilities is knowledge and + understanding of the breach. + + It may be necessary to go back to the original distribution media and + re-customize the system. To facilitate this worst case scenario, a + record of the original system setup and each customization change + should be maintained. In the case of a network-based attack, it is + important to install patches for each operating system vulnerability + which was exploited. + + + + + + +Fraser, Ed. Informational [Page 56] + +RFC 2196 Site Security Handbook September 1997 + + + As discussed in section 5.4.2, a security log can be most valuable + during this phase of removing vulnerabilities. The logs showing how + the incident was discovered and contained can be used later to help + determine how extensive the damage was from a given incident. The + steps taken can be used in the future to make sure the problem does + not resurface. Ideally, one should automate and regularly apply the + same test as was used to detect the security incident. + + If a particular vulnerability is isolated as having been exploited, + the next step is to find a mechanism to protect your system. The + security mailing lists and bulletins would be a good place to search + for this information, and you can get advice from incident response + teams. + +5.4.5 Recovery + + Once the cause of an incident has been eradicated, the recovery phase + defines the next stage of action. The goal of recovery is to return + the system to normal. In general, bringing up services in the order + of demand to allow a minimum of user inconvenience is the best + practice. Understand that the proper recovery procedures for the + system are extremely important and should be specific to the site. + +5.4.6 Follow-Up + + Once you believe that a system has been restored to a "safe" state, + it is still possible that holes, and even traps, could be lurking in + the system. One of the most important stages of responding to + incidents is also the most often omitted, the follow-up stage. In + the follow-up stage, the system should be monitored for items that + may have been missed during the cleanup stage. It would be prudent + to utilize some of the tools mentioned in chapter 7 as a start. + Remember, these tools don't replace continual system monitoring and + good systems administration practices. + + The most important element of the follow-up stage is performing a + postmortem analysis. Exactly what happened, and at what times? How + well did the staff involved with the incident perform? What kind of + information did the staff need quickly, and how could they have + gotten that information as soon as possible? What would the staff do + differently next time? + + After an incident, it is prudent to write a report describing the + exact sequence of events: the method of discovery, correction + procedure, monitoring procedure, and a summary of lesson learned. + This will aid in the clear understanding of the problem. Creating a + formal chronology of events (including time stamps) is also important + for legal reasons. + + + +Fraser, Ed. Informational [Page 57] + +RFC 2196 Site Security Handbook September 1997 + + + A follow-up report is valuable for many reasons. It provides a + reference to be used in case of other similar incidents. It is also + important to, as quickly as possible obtain a monetary estimate of + the amount of damage the incident caused. This estimate should + include costs associated with any loss of software and files + (especially the value of proprietary data that may have been + disclosed), hardware damage, and manpower costs to restore altered + files, reconfigure affected systems, and so forth. This estimate may + become the basis for subsequent prosecution activity. The report can + also help justify an organization's computer security effort to + management. + +5.5 Aftermath of an Incident + + In the wake of an incident, several actions should take place. These + actions can be summarized as follows: + + (1) An inventory should be taken of the systems' assets, + (i.e., a careful examination should determine how the + system was affected by the incident). + + (2) The lessons learned as a result of the incident + should be included in revised security plan to + prevent the incident from re-occurring. + + (3) A new risk analysis should be developed in light of the + incident. + + (4) An investigation and prosecution of the individuals + who caused the incident should commence, if it is + deemed desirable. + + If an incident is based on poor policy, and unless the policy is + changed, then one is doomed to repeat the past. Once a site has + recovered from and incident, site policy and procedures should be + reviewed to encompass changes to prevent similar incidents. Even + without an incident, it would be prudent to review policies and + procedures on a regular basis. Reviews are imperative due to today's + changing computing environments. + + The whole purpose of this post mortem process is to improve all + security measures to protect the site against future attacks. As a + result of an incident, a site or organization should gain practical + knowledge from the experience. A concrete goal of the post mortem is + to develop new proactive methods. Another important facet of the + aftermath may be end user and administrator education to prevent a + reoccurrence of the security problem. + + + + +Fraser, Ed. Informational [Page 58] + +RFC 2196 Site Security Handbook September 1997 + + +5.6 Responsibilities + +5.6.1 Not Crossing the Line + + It is one thing to protect one's own network, but quite another to + assume that one should protect other networks. During the handling + of an incident, certain system vulnerabilities of one's own systems + and the systems of others become apparent. It is quite easy and may + even be tempting to pursue the intruders in order to track them. + Keep in mind that at a certain point it is possible to "cross the + line," and, with the best of intentions, become no better than the + intruder. + + The best rule when it comes to propriety is to not use any facility + of remote sites which is not public. This clearly excludes any entry + onto a system (such as a remote shell or login session) which is not + expressly permitted. This may be very tempting; after a breach of + security is detected, a system administrator may have the means to + "follow it up," to ascertain what damage is being done to the remote + site. Don't do it! Instead, attempt to reach the appropriate point + of contact for the affected site. + +5.6.2 Good Internet Citizenship + + During a security incident there are two choices one can make. + First, a site can choose to watch the intruder in the hopes of + catching him; or, the site can go about cleaning up after the + incident and shut the intruder out of the systems. This is a + decision that must be made very thoughtfully, as there may be legal + liabilities if you choose to leave your site open, knowing that an + intruder is using your site as a launching pad to reach out to other + sites. Being a good Internet citizen means that you should try to + alert other sites that may have been impacted by the intruder. These + affected sites may be readily apparent after a thorough review of + your log files. + +5.6.3 Administrative Response to Incidents + + When a security incident involves a user, the site's security policy + should describe what action is to be taken. The transgression should + be taken seriously, but it is very important to be sure of the role + the user played. Was the user naive? Could there be a mistake in + attributing the security breach to the user? Applying administrative + action that assumes the user intentionally caused the incident may + + + + + + + +Fraser, Ed. Informational [Page 59] + +RFC 2196 Site Security Handbook September 1997 + + + not be appropriate for a user who simply made a mistake. It may be + appropriate to include sanctions more suitable for such a situation + in your policies (e.g., education or reprimand of a user) in addition + to more stern measures for intentional acts of intrusion and system + misuse. + +6. Ongoing Activities + + At this point in time, your site has hopefully developed a complete + security policy and has developed procedures to assist in the + configuration and management of your technology in support of those + policies. How nice it would be if you could sit back and relax at + this point and know that you were finished with the job of security. + Unfortunately, that isn't possible. Your systems and networks are + not a static environment, so you will need to review policies and + procedures on a regular basis. There are a number of steps you can + take to help you keep up with the changes around you so that you can + initiate corresponding actions to address those changes. The + following is a starter set and you may add others as appropriate for + your site. + + (1) Subscribe to advisories that are issued by various security incident + response teams, like those of the CERT Coordination Center, and + update your systems against those threats that apply to your site's + technology. + + (2) Monitor security patches that are produced by the vendors of your + equipment, and obtain and install all that apply. + + (3) Actively watch the configurations of your systems to identify any + changes that may have occurred, and investigate all anomalies. + + (4) Review all security policies and procedures annually (at a minimum). + + (5) Read relevant mailing lists and USENET newsgroups to keep up to + date with the latest information being shared by fellow + administrators. + + (6) Regularly check for compliance with policies and procedures. This + audit should be performed by someone other than the people who + define or implement the policies and procedures. + +7. Tools and Locations + + This chapter provides a brief list of publicly available security + technology which can be downloaded from the Internet. Many of the + items described below will undoubtedly be surpassed or made obsolete + before this document is published. + + + +Fraser, Ed. Informational [Page 60] + +RFC 2196 Site Security Handbook September 1997 + + + Some of the tools listed are applications such as end user programs + (clients) and their supporting system infrastructure (servers). + Others are tools that a general user will never see or need to use, + but may be used by applications, or by administrators to troubleshoot + security problems or to guard against intruders. + + A sad fact is that there are very few security conscious applications + currently available. Primarily, this is caused by the need for a + security infrastructure which must first be put into place for most + applications to operate securely. There is considerable effort + currently taking place to build this infrastructure so that + applications can take advantage of secure communications. + + Most of the tools and applications described below can be found in + one of the following archive sites: + + (1) CERT Coordination Center + ftp://info.cert.org:/pub/tools + (2) DFN-CERT + ftp://ftp.cert.dfn.de/pub/tools/ + (3) Computer Operations, Audit, and Security Tools (COAST) + coast.cs.purdue.edu:/pub/tools + + It is important to note that many sites, including CERT and COAST are + mirrored throughout the Internet. Be careful to use a "well known" + mirror site to retrieve software, and to use verification tools (md5 + checksums, etc.) to validate that software. A clever cracker might + advertise security software that has intentionally been designed to + provide access to data or systems. + +Tools + + COPS + DES + Drawbridge + identd (not really a security tool) + ISS + Kerberos + logdaemon + lsof + MD5 + PEM + PGP + rpcbind/portmapper replacement + SATAN + sfingerd + S/KEY + smrsh + + + +Fraser, Ed. Informational [Page 61] + +RFC 2196 Site Security Handbook September 1997 + + + ssh + swatch + TCP-Wrapper + tiger + Tripwire* + TROJAN.PL + +8. Mailing Lists and Other Resources + + It would be impossible to list all of the mail-lists and other + resources dealing with site security. However, these are some "jump- + points" from which the reader can begin. All of these references are + for the "INTERNET" constituency. More specific (vendor and + geographical) resources can be found through these references. + + Mailing Lists + + (1) CERT(TM) Advisory + Send mail to: cert-advisory-request@cert.org + Message Body: subscribe cert <FIRST NAME> <LAST NAME> + + A CERT advisory provides information on how to obtain a patch or + details of a workaround for a known computer security problem. + The CERT Coordination Center works with vendors to produce a + workaround or a patch for a problem, and does not publish + vulnerability information until a workaround or a patch is + available. A CERT advisory may also be a warning to our + constituency about ongoing attacks (e.g., + "CA-91:18.Active.Internet.tftp.Attacks"). + + + CERT advisories are also published on the USENET newsgroup: + comp.security.announce + + CERT advisory archives are available via anonymous FTP from + info.cert.org in the /pub/cert_advisories directory. + + (2) VIRUS-L List + Send mail to: listserv%lehiibm1.bitnet@mitvma.mit.edu + Message Body: subscribe virus-L FIRSTNAME LASTNAME + + VIRUS-L is a moderated mailing list with a focus + on computer virus issues. For more information, + including a copy of the posting guidelines, see + the file "virus-l.README", available by anonymous + FTP from cs.ucr.edu. + + + + + +Fraser, Ed. Informational [Page 62] + +RFC 2196 Site Security Handbook September 1997 + + + (3) Internet Firewalls + Send mail to: majordomo@greatcircle.com + Message Body: subscribe firewalls user@host + + The Firewalls mailing list is a discussion forum for + firewall administrators and implementors. + + USENET newsgroups + + (1) comp.security.announce + The comp.security.announce newsgroup is moderated + and is used solely for the distribution of CERT + advisories. + + (2) comp.security.misc + The comp.security.misc is a forum for the + discussion of computer security, especially as it + relates to the UNIX(r) Operating System. + + (3) alt.security + The alt.security newsgroup is also a forum for the + discussion of computer security, as well as other + issues such as car locks and alarm systems. + + (4) comp.virus + The comp.virus newsgroup is a moderated newsgroup + with a focus on computer virus issues. For more + information, including a copy of the posting + guidelines, see the file "virus-l.README", + available via anonymous FTP on info.cert.org + in the /pub/virus-l directory. + + (5) comp.risks + The comp.risks newsgroup is a moderated forum on + the risks to the public in computers and related + systems. + + World-Wide Web Pages + + (1) http://www.first.org/ + + Computer Security Resource Clearinghouse. The main focus is on + crisis response information; information on computer + security-related threats, vulnerabilities, and solutions. At the + same time, the Clearinghouse strives to be a general index to + computer security information on a broad variety of subjects, + including general risks, privacy, legal issues, viruses, + assurance, policy, and training. + + + +Fraser, Ed. Informational [Page 63] + +RFC 2196 Site Security Handbook September 1997 + + + (2) http://www.telstra.com.au/info/security.html + + This Reference Index contains a list of links to information + sources on Network and Computer Security. There is no implied + fitness to the Tools, Techniques and Documents contained within this + archive. Many if not all of these items work well, but we do + not guarantee that this will be so. This information is for the + education and legitimate use of computer security techniques only. + + (3) http://www.alw.nih.gov/Security/security.html + + This page features general information about computer security. + Information is organized by source and each section is organized + by topic. Recent modifications are noted in What's New page. + + (4) http://csrc.ncsl.nist.gov + + This archive at the National Institute of Standards and Technology's + Computer Security Resource Clearinghouse page contains a number of + announcements, programs, and documents related to computer security. + + * CERT and Tripwire are registered in the U.S. Patent and Trademark Office + +9. References + + The following references may not be available in all countries. + + [Appelman, et. al., 1995] Appelman, Heller, Ehrman, White, and + McAuliffe, "The Law and The Internet", USENIX 1995 Technical + Conference on UNIX and Advanced Computing, New Orleans, LA, January + 16-20, 1995. + + [ABA, 1989] American Bar Association, Section of Science and + Technology, "Guide to the Prosecution of Telecommunication Fraud by + the Use of Computer Crime Statutes", American Bar Association, 1989. + + [Aucoin, 1989] R. Aucoin, "Computer Viruses: Checklist for Recovery", + Computers in Libraries, Vol. 9, No. 2, Pg. 4, February 1989. + + [Barrett, 1996] D. Barrett, "Bandits on the Information + Superhighway", O'Reilly & Associates, Sebastopol, CA, 1996. + + [Bates, 1992] R. Bates, "Disaster Recovery Planning: Networks, + Telecommunications and Data Communications", McGraw-Hill, 1992. + + [Bellovin, 1989] S. Bellovin, "Security Problems in the TCP/IP + Protocol Suite", Computer Communication Review, Vol 19, 2, pp. 32-48, + April 1989. + + + +Fraser, Ed. Informational [Page 64] + +RFC 2196 Site Security Handbook September 1997 + + + [Bellovin, 1990] S. Bellovin, and M. Merritt, "Limitations of the + Kerberos Authentication System", Computer Communications Review, + October 1990. + + [Bellovin, 1992] S. Bellovin, "There Be Dragon", USENIX: Proceedings + of the Third Usenix Security Symposium, Baltimore, MD. September, + 1992. + + [Bender, 1894] D. Bender, "Computer Law: Evidence and Procedure", M. + Bender, New York, NY, 1978-present. + + [Bloombecker, 1990] B. Bloombecker, "Spectacular Computer Crimes", + Dow Jones- Irwin, Homewood, IL. 1990. + + [Brand, 1990] R. Brand, "Coping with the Threat of Computer Security + Incidents: A Primer from Prevention through Recovery", R. Brand, 8 + June 1990. + + [Brock, 1989] J. Brock, "November 1988 Internet Computer Virus and + the Vulnerability of National Telecommunications Networks to Computer + Viruses", GAO/T-IMTEC-89-10, Washington, DC, 20 July 1989. + + [BS 7799] British Standard, BS Tech Cttee BSFD/12, Info. Sec. Mgmt, + "BS 7799 : 1995 Code of Practice for Information Security + Management", British Standards Institution, London, 54, Effective 15 + February 1995. + + [Caelli, 1988] W. Caelli, Editor, "Computer Security in the Age of + Information", Proceedings of the Fifth IFIP International Conference + on Computer Security, IFIP/Sec '88. + + [Carroll, 1987] J. Carroll, "Computer Security", 2nd Edition, + Butterworth Publishers, Stoneham, MA, 1987. + + [Cavazos and Morin, 1995] E. Cavazos and G. Morin, "Cyber-Space and + The Law", MIT Press, Cambridge, MA, 1995. + + [CCH, 1989] Commerce Clearing House, "Guide to Computer Law", + (Topical Law Reports), Chicago, IL., 1989. + + [Chapman, 1992] B. Chapman, "Network(In) Security Through IP Packet + Filtering", USENIX: Proceedings of the Third UNIX Security Symposium, + Baltimore, MD, September 1992. + + [Chapman and Zwicky, 1995] B. Chapman and E. Zwicky, "Building + Internet Firewalls", O'Reilly and Associates, Sebastopol, CA, 1995. + + + + + +Fraser, Ed. Informational [Page 65] + +RFC 2196 Site Security Handbook September 1997 + + + [Cheswick, 1990] B. Cheswick, "The Design of a Secure Internet + Gateway", Proceedings of the Summer Usenix Conference, Anaheim, CA, + June 1990. + + [Cheswick1] W. Cheswick, "An Evening with Berferd In Which a Cracker + is Lured, Endured, and Studied", AT&T Bell Laboratories. + + [Cheswick and Bellovin, 1994] W. Cheswick and S. Bellovin, "Firewalls + and Internet Security: Repelling the Wily Hacker", Addison-Wesley, + Reading, MA, 1994. + + [Conly, 1989] C. Conly, "Organizing for Computer Crime Investigation + and Prosecution", U.S. Dept. of Justice, Office of Justice Programs, + Under Contract Number OJP-86-C-002, National Institute of Justice, + Washington, DC, July 1989. + + [Cooper, 1989] J. Cooper, "Computer and Communications Security: + Strategies for the 1990s", McGraw-Hill, 1989. + + [CPSR, 1989] Computer Professionals for Social Responsibility, "CPSR + Statement on the Computer Virus", CPSR, Communications of the ACM, + Vol. 32, No. 6, Pg. 699, June 1989. + + [CSC-STD-002-85, 1985] Department of Defense, "Password Management + Guideline", CSC-STD-002-85, 12 April 1985, 31 pages. + + [Curry, 1990] D. Curry, "Improving the Security of Your UNIX System", + SRI International Report ITSTD-721-FR-90-21, April 1990. + + [Curry, 1992] D. Curry, "UNIX System Security: A Guide for Users and + Systems Administrators", Addision-Wesley, Reading, MA, 1992. + + [DDN88] Defense Data Network, "BSD 4.2 and 4.3 Software Problem + Resolution", DDN MGT Bulletin #43, DDN Network Information Center, 3 + November 1988. + + [DDN89] DCA DDN Defense Communications System, "DDN Security Bulletin + 03", DDN Security Coordination Center, 17 October 1989. + + [Denning, 1990] P. Denning, Editor, "Computers Under Attack: + Intruders, Worms, and Viruses", ACM Press, 1990. + + [Eichin and Rochlis, 1989] M. Eichin, and J. Rochlis, "With + Microscope and Tweezers: An Analysis of the Internet Virus of + November 1988", Massachusetts Institute of Technology, February 1989. + + + + + + +Fraser, Ed. Informational [Page 66] + +RFC 2196 Site Security Handbook September 1997 + + + [Eisenberg, et. al., 89] T. Eisenberg, D. Gries, J. Hartmanis, D. + Holcomb, M. Lynn, and T. Santoro, "The Computer Worm", Cornell + University, 6 February 1989. + + [Ermann, Willians, and Gutierrez, 1990] D. Ermann, M. Williams, and + C. Gutierrez, Editors, "Computers, Ethics, and Society", Oxford + University Press, NY, 1990. (376 pages, includes bibliographical + references). + + [Farmer and Spafford, 1990] D. Farmer and E. Spafford, "The COPS + Security Checker System", Proceedings of the Summer 1990 USENIX + Conference, Anaheim, CA, Pgs. 165-170, June 1990. + + [Farrow, 1991] Rik Farrow, "UNIX Systems Security", Addison-Wesley, + Reading, MA, 1991. + + [Fenwick, 1985] W. Fenwick, Chair, "Computer Litigation, 1985: Trial + Tactics and Techniques", Litigation Course Handbook Series No. 280, + Prepared for distribution at the Computer Litigation, 1985: Trial + Tactics and Techniques Program, February-March 1985. + + [Fites 1989] M. Fites, P. Kratz, and A. Brebner, "Control and + Security of Computer Information Systems", Computer Science Press, + 1989. + + [Fites, Johnson, and Kratz, 1992] Fites, Johnson, and Kratz, "The + Computer Virus Crisis", Van Hostrand Reinhold, 2nd edition, 1992. + + [Forester and Morrison, 1990] T. Forester, and P. Morrison, "Computer + Ethics: Tales and Ethical Dilemmas in Computing", MIT Press, + Cambridge, MA, 1990. + + [Foster and Morrision, 1990] T. Forester, and P. Morrison, "Computer + Ethics: Tales and Ethical Dilemmas in Computing", MIT Press, + Cambridge, MA, 1990. (192 pages including index.) + + [GAO/IMTEX-89-57, 1989] U.S. General Accounting Office, "Computer + Security - Virus Highlights Need for Improved Internet Management", + United States General Accounting Office, Washington, DC, 1989. + + [Garfinkel and Spafford, 1991] S. Garfinkel, and E. Spafford, + "Practical Unix Security", O'Reilly & Associates, ISBN 0-937175-72-2, + May 1991. + + [Garfinkel, 1995] S. Garfinkel, "PGP:Pretty Good Privacy", O'Reilly & + Associates, Sebastopol, CA, 1996. + + + + + +Fraser, Ed. Informational [Page 67] + +RFC 2196 Site Security Handbook September 1997 + + + [Garfinkel and Spafford, 1996] S. Garfinkel and E. Spafford, + "Practical UNIX and Internet Security", O'Reilly & Associates, + Sebastopol, CA, 1996. + + [Gemignani, 1989] M. Gemignani, "Viruses and Criminal Law", + Communications of the ACM, Vol. 32, No. 6, Pgs. 669-671, June 1989. + + [Goodell, 1996] J. Goodell, "The Cyberthief and the Samurai: The True + Story of Kevin Mitnick-And The Man Who Hunted Him Down", Dell + Publishing, 1996. + + [Gould, 1989] C. Gould, Editor, "The Information Web: Ethical and + Social Implications of Computer Networking", Westview Press, Boulder, + CO, 1989. + + [Greenia, 1989] M. Greenia, "Computer Security Information + Sourcebook", Lexikon Services, Sacramento, CA, 1989. + + [Hafner and Markoff, 1991] K. Hafner and J. Markoff, "Cyberpunk: + Outlaws and Hackers on the Computer Frontier", Touchstone, Simon & + Schuster, 1991. + + [Hess, Safford, and Pooch] D. Hess, D. Safford, and U. Pooch, "A Unix + Network Protocol Security Study: Network Information Service", Texas + A&M University. + + [Hoffman, 1990] L. Hoffman, "Rogue Programs: Viruses, Worms, and + Trojan Horses", Van Nostrand Reinhold, NY, 1990. (384 pages, + includes bibliographical references and index.) + + [Howard, 1995] G. Howard, "Introduction to Internet Security: From + Basics to Beyond", Prima Publishing, Rocklin, CA, 1995. + + [Huband and Shelton, 1986] F. Huband, and R. Shelton, Editors, + "Protection of Computer Systems and Software: New Approaches for + Combating Theft of Software and Unauthorized Intrusion", Papers + presented at a workshop sponsored by the National Science Foundation, + 1986. + + [Hughes, 1995] L. Hughes Jr., "Actually Useful Internet Security + Techniques", New Riders Publishing, Indianapolis, IN, 1995. + + [IAB-RFC1087, 1989] Internet Activities Board, "Ethics and the + Internet", RFC 1087, IAB, January 1989. Also appears in the + Communications of the ACM, Vol. 32, No. 6, Pg. 710, June 1989. + + + + + + +Fraser, Ed. Informational [Page 68] + +RFC 2196 Site Security Handbook September 1997 + + + [Icove, Seger, and VonStorch, 1995] D. Icove, K. Seger, and W. + VonStorch, "Computer Crime: A Crimefighter's Handbook", O'Reilly & + Associates, Sebastopol, CA, 1995. + + [IVPC, 1996] IVPC, "International Virus Prevention Conference '96 + Proceedings", NCSA, 1996. + + [Johnson and Podesta] D. Johnson, and J. Podesta, "Formulating A + Company Policy on Access to and Use and Disclosure of Electronic Mail + on Company Computer Systems". + + [Kane, 1994] P. Kane, "PC Security and Virus Protection Handbook: The + Ongoing War Against Information Sabotage", M&T Books, 1994. + + [Kaufman, Perlman, and Speciner, 1995] C. Kaufman, R. Perlman, and M. + Speciner, "Network Security: PRIVATE Communication in a PUBLIC + World", Prentice Hall, Englewood Cliffs, NJ, 1995. + + [Kent, 1990] S. Kent, "E-Mail Privacy for the Internet: New Software + and Strict Registration Procedures will be Implemented this Year", + Business Communications Review, Vol. 20, No. 1, Pg. 55, 1 January + 1990. + + [Levy, 1984] S. Levy, "Hacker: Heroes of the Computer Revolution", + Delta, 1984. + + [Lewis, 1996] S. Lewis, "Disaster Recovery Yellow Pages", The Systems + Audit Group, 1996. + + [Littleman, 1996] J. Littleman, "The Fugitive Game: Online with Kevin + Mitnick", Little, Brown, Boston, MA., 1996. + + [Lu and Sundareshan, 1989] W. Lu and M. Sundareshan, "Secure + Communication in Internet Environments: A Hierarchical Key Management + Scheme for End-to-End Encryption", IEEE Transactions on + Communications, Vol. 37, No. 10, Pg. 1014, 1 October 1989. + + [Lu and Sundareshan, 1990] W. Lu and M. Sundareshan, "A Model for + Multilevel Security in Computer Networks", IEEE Transactions on + Software Engineering, Vol. 16, No. 6, Page 647, 1 June 1990. + + [Martin and Schinzinger, 1989] M. Martin, and R. Schinzinger, "Ethics + in Engineering", McGraw Hill, 2nd Edition, 1989. + + [Merkle] R. Merkle, "A Fast Software One Way Hash Function", Journal + of Cryptology, Vol. 3, No. 1. + + + + + +Fraser, Ed. Informational [Page 69] + +RFC 2196 Site Security Handbook September 1997 + + + [McEwen, 1989] J. McEwen, "Dedicated Computer Crime Units", Report + Contributors: D. Fester and H. Nugent, Prepared for the National + Institute of Justice, U.S. Department of Justice, by Institute for + Law and Justice, Inc., under contract number OJP-85-C-006, + Washington, DC, 1989. + + [MIT, 1989] Massachusetts Institute of Technology, "Teaching Students + About Responsible Use of Computers", MIT, 1985-1986. Also reprinted + in the Communications of the ACM, Vol. 32, No. 6, Pg. 704, Athena + Project, MIT, June 1989. + + [Mogel, 1989] Mogul, J., "Simple and Flexible Datagram Access + Controls for UNIX-based Gateways", Digital Western Research + Laboratory Research Report 89/4, March 1989. + + [Muffett, 1992] A. Muffett, "Crack Version 4.1: A Sensible Password + Checker for Unix" + + [NCSA1, 1995] NCSA, "NCSA Firewall Policy Guide", 1995. + + [NCSA2, 1995] NCSA, "NCSA's Corporate Computer Virus Prevention + Policy Model", NCSA, 1995. + + [NCSA, 1996] NCSA, "Firewalls & Internet Security Conference '96 + Proceedings", 1996. + + [NCSC-89-660-P, 1990] National Computer Security Center, "Guidelines + for Formal Verification Systems", Shipping list no.: 89-660-P, The + Center, Fort George G. Meade, MD, 1 April 1990. + + [NCSC-89-254-P, 1988] National Computer Security Center, "Glossary of + Computer Security Terms", Shipping list no.: 89-254-P, The Center, + Fort George G. Meade, MD, 21 October 1988. + + [NCSC-C1-001-89, 1989] Tinto, M., "Computer Viruses: Prevention, + Detection, and Treatment", National Computer Security Center C1 + Technical Report C1-001-89, June 1989. + + [NCSC Conference, 1989] National Computer Security Conference, "12th + National Computer Security Conference: Baltimore Convention Center, + Baltimore, MD, 10-13 October, 1989: Information Systems Security, + Solutions for Today - Concepts for Tomorrow", National Institute of + Standards and National Computer Security Center, 1989. + + [NCSC-CSC-STD-003-85, 1985] National Computer Security Center, + "Guidance for Applying the Department of Defense Trusted Computer + System Evaluation Criteria in Specific Environments", CSC-STD-003-85, + NCSC, 25 June 1985. + + + +Fraser, Ed. Informational [Page 70] + +RFC 2196 Site Security Handbook September 1997 + + + [NCSC-STD-004-85, 1985] National Computer Security Center, "Technical + Rationale Behind CSC-STD-003-85: Computer Security Requirements", + CSC-STD-004-85, NCSC, 25 June 1985. + + [NCSC-STD-005-85, 1985] National Computer Security Center, "Magnetic + Remanence Security Guideline", CSC-STD-005-85, NCSC, 15 November + 1985. + + [NCSC-TCSEC, 1985] National Computer Security Center, "Trusted + Computer System Evaluation Criteria", DoD 5200.28-STD, CSC-STD-001- + 83, NCSC, December 1985. + + [NCSC-TG-003, 1987] NCSC, "A Guide to Understanding DISCRETIONARY + ACCESS CONTROL in Trusted Systems", NCSC-TG-003, Version-1, 30 + September 1987, 29 pages. + + [NCSC-TG-001, 1988] NCSC, "A Guide to Understanding AUDIT in Trusted + Systems", NCSC-TG-001, Version-2, 1 June 1988, 25 pages. + + [NCSC-TG-004, 1988] National Computer Security Center, "Glossary of + Computer Security Terms", NCSC-TG-004, NCSC, 21 October 1988. + + [NCSC-TG-005, 1987] National Computer Security Center, "Trusted + Network Interpretation", NCSC-TG-005, NCSC, 31 July 1987. + + [NCSC-TG-006, 1988] NCSC, "A Guide to Understanding CONFIGURATION + MANAGEMENT in Trusted Systems", NCSC-TG-006, Version-1, 28 March + 1988, 31 pages. + + [NCSC-TRUSIX, 1990] National Computer Security Center, "Trusted UNIX + Working Group (TRUSIX) rationale for selecting access control list + features for the UNIX system", Shipping list no.: 90-076-P, The + Center, Fort George G. Meade, MD, 1990. + + [NRC, 1991] National Research Council, "Computers at Risk: Safe + Computing in the Information Age", National Academy Press, 1991. + + [Nemeth, et. al, 1995] E. Nemeth, G. Snyder, S. Seebass, and T. Hein, + "UNIX Systems Administration Handbook", Prentice Hall PTR, Englewood + Cliffs, NJ, 2nd ed. 1995. + + [NIST, 1989] National Institute of Standards and Technology, + "Computer Viruses and Related Threats: A Management Guide", NIST + Special Publication 500-166, August 1989. + + [NSA] National Security Agency, "Information Systems Security + Products and Services Catalog", NSA, Quarterly Publication. + + + + +Fraser, Ed. Informational [Page 71] + +RFC 2196 Site Security Handbook September 1997 + + + [NSF, 1988] National Science Foundation, "NSF Poses Code of + Networking Ethics", Communications of the ACM, Vol. 32, No. 6, Pg. + 688, June 1989. Also appears in the minutes of the regular meeting + of the Division Advisory Panel for Networking and Communications + Research and Infrastructure, Dave Farber, Chair, November 29-30, + 1988. + + [NTISSAM, 1987] NTISS, "Advisory Memorandum on Office Automation + Security Guideline", NTISSAM COMPUSEC/1-87, 16 January 1987, 58 + pages. + + [OTA-CIT-310, 1987] United States Congress, Office of Technology + Assessment, "Defending Secrets, Sharing Data: New Locks and Keys for + Electronic Information", OTA-CIT-310, October 1987. + + [OTA-TCT-606] Congress of the United States, Office of Technology + Assessment, "Information Security and Privacy in Network + Environments", OTA-TCT-606, September 1994. + + [Palmer and Potter, 1989] I. Palmer, and G. Potter, "Computer + Security Risk Management", Van Nostrand Reinhold, NY, 1989. + + [Parker, 1989] D. Parker, "Computer Crime: Criminal Justice Resource + Manual", U.S. Dept. of Justice, National Institute of Justice, Office + of Justice Programs, Under Contract Number OJP-86-C-002, Washington, + D.C., August 1989. + + [Parker, Swope, and Baker, 1990] D. Parker, S. Swope, and B. Baker, + "Ethical Conflicts: Information and Computer Science, Technology and + Business", QED Information Sciences, Inc., Wellesley, MA. (245 + pages). + + [Pfleeger, 1989] C. Pfleeger, "Security in Computing", Prentice-Hall, + Englewood Cliffs, NJ, 1989. + + [Quarterman, 1990] J. Quarterman, J., "The Matrix: Computer Networks + and Conferencing Systems Worldwide", Digital Press, Bedford, MA, + 1990. + + [Ranum1, 1992] M. Ranum, "An Internet Firewall", Proceedings of World + Conference on Systems Management and Security, 1992. + + [Ranum2, 1992] M. Ranum, "A Network Firewall", Digital Equipment + Corporation Washington Open Systems Resource Center, June 12, 1992. + + [Ranum, 1993] M. Ranum, "Thinking About Firewalls", 1993. + + + + + +Fraser, Ed. Informational [Page 72] + +RFC 2196 Site Security Handbook September 1997 + + + [Ranum and Avolio, 1994] M. Ranum and F. Avolio, "A Toolkit and + Methods for Internet Firewalls", Trustest Information Systems, 1994. + + [Reinhardt, 1992] R. Reinhardt, "An Architectural Overview of UNIX + Network Security" + + [Reinhardt, 1993] R. Reinhardt, "An Architectural Overview of UNIX + Network Security", ARINC Research Corporation, February 18, 1993. + + [Reynolds-RFC1135, 1989] The Helminthiasis of the Internet, RFC 1135, + USC/Information Sciences Institute, Marina del Rey, CA, December + 1989. + + [Russell and Gangemi, 1991] D. Russell and G. Gangemi, "Computer + Security Basics" O'Reilly & Associates, Sebastopol, CA, 1991. + + [Schneier 1996] B. Schneier, "Applied Cryptography: Protocols, + Algorithms, and Source Code in C", John Wiley & Sons, New York, + second edition, 1996. + + [Seeley, 1989] D. Seeley, "A Tour of the Worm", Proceedings of 1989 + Winter USENIX Conference, Usenix Association, San Diego, CA, February + 1989. + + [Shaw, 1986] E. Shaw Jr., "Computer Fraud and Abuse Act of 1986", + Congressional Record (3 June 1986), Washington, D.C., 3 June 1986. + + [Shimomura, 1996] T. Shimomura with J. Markoff, "Takedown:The Pursuit + and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw- + by the Man Who Did It", Hyperion, 1996. + + [Shirey, 1990] R. Shirey, "Defense Data Network Security + Architecture", Computer Communication Review, Vol. 20, No. 2, Page + 66, 1 April 1990. + + [Slatalla and Quittner, 1995] M. Slatalla and J. Quittner, "Masters + of Deception: The Gang that Ruled Cyberspace", Harper Collins + Publishers, 1995. + + [Smith, 1989] M. Smith, "Commonsense Computer Security: Your + Practical Guide to Preventing Accidental and Deliberate Electronic + Data Loss", McGraw-Hill, New York, NY, 1989. + + [Smith, 1995] D. Smith, "Forming an Incident Response Team", Sixth + Annual Computer Security Incident Handling Workshop, Boston, MA, July + 25-29, 1995. + + + + + +Fraser, Ed. Informational [Page 73] + +RFC 2196 Site Security Handbook September 1997 + + + [Spafford, 1988] E. Spafford, "The Internet Worm Program: An + Analysis", Computer Communication Review, Vol. 19, No. 1, ACM SIGCOM, + January 1989. Also issued as Purdue CS Technical Report CSD-TR-823, + 28 November 1988. + + [Spafford, 1989] G. Spafford, "An Analysis of the Internet Worm", + Proceedings of the European Software Engineering Conference 1989, + Warwick England, September 1989. Proceedings published by Springer- + Verlag as: Lecture Notes in Computer Science #387. Also issued as + Purdue Technical Report #CSD-TR-933. + + [Spafford, Keaphy, and Ferbrache, 1989] E. Spafford, K. Heaphy, and + D. Ferbrache, "Computer Viruses: Dealing with Electronic Vandalism + and Programmed Threats", ADAPSO, 1989. (109 pages.) + + [Stallings1, 1995] W. Stallings, "Internet Security Handbook", IDG + Books, Foster City CA, 1995. + + [Stallings2, 1995] W. Stallings, "Network and InterNetwork Security", + Prentice Hall, , 1995. + + [Stallings3, 1995] W. Stallings, "Protect Your Privacy: A Guide for + PGP Users" PTR Prentice Hall, 1995. + + [Stoll, 1988] C. Stoll, "Stalking the Wily Hacker", Communications of + the ACM, Vol. 31, No. 5, Pgs. 484-497, ACM, New York, NY, May 1988. + + [Stoll, 1989] C. Stoll, "The Cuckoo's Egg", ISBN 00385-24946-2, + Doubleday, 1989. + + [Treese and Wolman, 1993] G. Treese and A. Wolman, "X Through the + Firewall, and Other Applications Relays", Digital Equipment + Corporation, Cambridge Research Laboratory, CRL 93/10, May 3, 1993. + + [Trible, 1986] P. Trible, "The Computer Fraud and Abuse Act of 1986", + U.S. Senate Committee on the Judiciary, 1986. + + [Venema] W. Venema, "TCP WRAPPER: Network monitoring, access control, + and booby traps", Mathematics and Computing Science, Eindhoven + University of Technology, The Netherlands. + + [USENIX, 1988] USENIX, "USENIX Proceedings: UNIX Security Workshop", + Portland, OR, August 29-30, 1988. + + [USENIX, 1990] USENIX, "USENIX Proceedings: UNIX Security II + Workshop", Portland, OR, August 27-28, 1990. + + + + + +Fraser, Ed. Informational [Page 74] + +RFC 2196 Site Security Handbook September 1997 + + + [USENIX, 1992] USENIX, "USENIX Symposium Proceedings: UNIX Security + III", Baltimore, MD, September 14-16, 1992. + + [USENIX, 1993] USENIX, "USENIX Symposium Proceedings: UNIX Security + IV", Santa Clara, CA, October 4-6, 1993. + + [USENIX, 1995] USENIX, "The Fifth USENIX UNIX Security Symposium", + Salt Lake City, UT, June 5-7, 1995. + + [Wood, et.al., 1987] C. Wood, W. Banks, S. Guarro, A. Garcia, V. + Hampel, and H. Sartorio, "Computer Security: A Comprehensive + Controls Checklist", John Wiley and Sons, Interscience Publication, + 1987. + + [Wrobel, 1993] L. Wrobel, "Writing Disaster Recovery Plans for + Telecommunications Networks and LANS", Artech House, 1993. + + [Vallabhaneni, 1989] S. Vallabhaneni, "Auditing Computer Security: A + Manual with Case Studies", Wiley, New York, NY, 1989. + +Security Considerations + + This entire document discusses security issues. + +Editor Information + + Barbara Y. Fraser + Software Engineering Institute + Carnegie Mellon University + 5000 Forbes Avenue + Pittsburgh, PA 15213 + + Phone: (412) 268-5010 + Fax: (412) 268-6989 + EMail: byf@cert.org + + + + + + + + + + + + + + + + +Fraser, Ed. Informational [Page 75] + |