Network Working Group B
Page Tools
Network Working Group B. Fraser
Request for Comments: 2196 Editor
FYI: 8 SEI/CMU
Obsoletes: 1244 September 1997
Category: Informational
Site Security Handbook
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Abstract
This handbook is a guide to developing computer security policies and
procedures for sites that have systems on the Internet. The purpose
of this handbook is to provide practical guidance to administrators
trying to secure their information and services. The subjects
covered include policy content and formation, a broad range of
technical system and network security topics, and security incident
response.
Table of Contents
1. Introduction.................................................... 2
1.1 Purpose of this Work............................................ 3
1.2 Audience........................................................ 3
1.3 Definitions..................................................... 3
1.4 Related Work.................................................... 4
1.5 Basic Approach.................................................. 4
1.6 Risk Assessment................................................. 5
2. Security Policies............................................... 6
2.1 What is a Security Policy and Why Have One?..................... 6
2.2 What Makes a Good Security Policy?.............................. 9
2.3 Keeping the Policy Flexible..................................... 11
3. Architecture.................................................... 11
3.1 Objectives...................................................... 11
3.2 Network and Service Configuration............................... 14
3.3 Firewalls....................................................... 20
4. Security Services and Procedures................................ 24
4.1 Authentication.................................................. 24
4.2 Confidentiality................................................. 28
4.3 Integrity....................................................... 28
Fraser, Ed. Informational [Page 1]
RFC 2196 Site Security Handbook September 1997
4.4 Authorization................................................... 29
4.5 Access.......................................................... 30
4.6 Auditing........................................................ 34
4.7 Securing Backups................................................ 37
5. Security Incident Handling...................................... 37
5.1 Preparing and Planning for Incident Handling.................... 39
5.2 Notification and Points of Contact.............................. 42
5.3 Identifying an Incident......................................... 50
5.4 Handling an Incident............................................ 52
5.5 Aftermath of an Incident........................................ 58
5.6 Responsibilities................................................ 59
6. Ongoing Activities.............................................. 60
7. Tools and Locations............................................. 60
8. Mailing Lists and Other Resources............................... 62
9. References...................................................... 64
1. Introduction
This document provides guidance to system and network administrators
on how to address security issues within the Internet community. It
builds on the foundation provided in RFC 1244 and is the collective
work of a number of contributing authors. Those authors include:
Jules P. Aronson (aronson@nlm.nih.gov), Nevil Brownlee
(n.brownlee@auckland.ac.nz), Frank Byrum (byrum@norfolk.infi.net),
Joao Nuno Ferreira (ferreira@rccn.net), Barbara Fraser
(byf@cert.org), Steve Glass (glass@ftp.com), Erik Guttman
(erik.guttman@eng.sun.com), Tom Killalea (tomk@nwnet.net), Klaus-
Peter Kossakowski (kossakowski@cert.dfn.de), Lorna Leone
(lorna@staff.singnet.com.sg), Edward.P.Lewis
(Edward.P.Lewis.1@gsfc.nasa.gov), Gary Malkin (gmalkin@xylogics.com),
Russ Mundy (mundy@tis.com), Philip J. Nesser
(pjnesser@martigny.ai.mit.edu), and Michael S. Ramsey
(msr@interpath.net).
In addition to the principle writers, a number of reviewers provided
valuable comments. Those reviewers include: Eric Luiijf
(luiijf@fel.tno.nl), Marijke Kaat (marijke.kaat@sec.nl), Ray Plzak
(plzak@nic.mil) and Han Pronk (h.m.pronk@vka.nl).
A special thank you goes to Joyce Reynolds, ISI, and Paul Holbrook,
CICnet, for their vision, leadership, and effort in the creation of
the first version of this handbook. It is the working group's sincere
hope that this version will be as helpful to the community as the
earlier one was.
Fraser, Ed. Informational [Page 2]
RFC 2196 Site Security Handbook September 1997
1.1 Purpose of This Work
This handbook is a guide to setting computer security policies and
procedures for sites that have systems on the Internet (however, the
information provided should also be useful to sites not yet connected
to the Internet). This guide lists issues and factors that a site
must consider when setting their own policies. It makes a number of
recommendations and provides discussions of relevant areas.
This guide is only a framework for setting security policies and
procedures. In order to have an effective set of policies and
procedures, a site will have to make many decisions, gain agreement,
and then communicate and implement these policies.
1.2 Audience
The audience for this document are system and network administrators,
and decision makers (typically "middle management") at sites. For
brevity, we will use the term "administrator" throughout this
document to refer to system and network administrators.
This document is not directed at programmers or those trying to
create secure programs or systems. The focus of this document is on
the policies and procedures that need to be in place to support the
technical security features that a site may be implementing.
The primary audience for this work are sites that are members of the
Internet community. However, this document should be useful to any
site that allows communication with other sites. As a general guide
to security policies, this document may also be useful to sites with
isolated systems.
1.3 Definitions
For the purposes of this guide, a "site" is any organization that
owns computers or network-related resources. These resources may
include host computers that users use, routers, terminal servers, PCs
or other devices that have access to the Internet. A site may be an
end user of Internet services or a service provider such as a mid-
level network. However, most of the focus of this guide is on those
end users of Internet services. We assume that the site has the
ability to set policies and procedures for itself with the
concurrence and support from those who actually own the resources. It
will be assumed that sites that are parts of larger organizations
will know when they need to consult, collaborate, or take
recommendations from, the larger entity.
Fraser, Ed. Informational [Page 3]
RFC 2196 Site Security Handbook September 1997
The "Internet" is a collection of thousands of networks linked by a
common set of technical protocols which make it possible for users of
any one of the networks to communicate with, or use the services
located on, any of the other networks (FYI4, RFC 1594).
The term "administrator" is used to cover all those people who are
responsible for the day-to-day operation of system and network
resources. This may be a number of individuals or an organization.
The term "security administrator" is used to cover all those people
who are responsible for the security of information and information
technology. At some sites this function may be combined with
administrator (above); at others, this will be a separate position.
The term "decision maker" refers to those people at a site who set or
approve policy. These are often (but not always) the people who own
the resources.
1.4 Related Work
The Site Security Handbook Working Group is working on a User's Guide
to Internet Security. It will provide practical guidance to end users
to help them protect their information and the resources they use.
1.5 Basic Approach
This guide is written to provide basic guidance in developing a
security plan for your site. One generally accepted approach to
follow is suggested by Fites, et. al. [Fites 1989] and includes the
following steps:
(1) Identify what you are trying to protect.
(2) Determine what you are trying to protect it from.
(3) Determine how likely the threats are.
(4) Implement measures which will protect your assets in a cost-
effective manner.
(5) Review the process continuously and make improvements each time
a weakness is found.
Most of this document is focused on item 4 above, but the other steps
cannot be avoided if an effective plan is to be established at your
site. One old truism in security is that the cost of protecting
yourself against a threat should be less than the cost of recovering
if the threat were to strike you. Cost in this context should be
remembered to include losses expressed in real currency, reputation,
trustworthiness, and other less obvious measures. Without reasonable
knowledge of what you are protecting and what the likely threats are,
following this rule could be difficult.
Fraser, Ed. Informational [Page 4]
RFC 2196 Site Security Handbook September 1997
1.6 Risk Assessment
1.6.1 General Discussion
One of the most important reasons for creating a computer security
policy is to ensure that efforts spent on security yield cost
effective benefits. Although this may seem obvious, it is possible
to be mislead about where the effort is needed. As an example, there
is a great deal of publicity about intruders on computers systems;
yet most surveys of computer security show that, for most
organizations, the actual loss from "insiders" is much greater.
Risk analysis involves determining what you need to protect, what you
need to protect it from, and how to protect it. It is the process of
examining all of your risks, then ranking those risks by level of
severity. This process involves making cost-effective decisions on
what you want to protect. As mentioned above, you should probably
not spend more to protect something than it is actually worth.
A full treatment of risk analysis is outside the scope of this
document. [Fites 1989] and [Pfleeger 1989] provide introductions to
this topic. However, there are two elements of a risk analysis that
will be briefly covered in the next two sections:
(1) Identifying the assets
(2) Identifying the threats
For each asset, the basic goals of security are availability,
confidentiality, and integrity. Each threat should be examined with
an eye to how the threat could affect these areas.
1.6.2 Identifying the Assets
One step in a risk analysis is to identify all the things that need
to be protected. Some things are obvious, like valuable proprietary
information, intellectual property, and all the various pieces of
hardware; but, some are overlooked, such as the people who actually
use the systems. The essential point is to list all things that could
be affected by a security problem.
One list of categories is suggested by Pfleeger [Pfleeger 1989]; this
list is adapted from that source:
(1) Hardware: CPUs, boards, keyboards, terminals,
workstations, personal computers, printers, disk
drives, communication lines, terminal servers, routers.
Fraser, Ed. Informational [Page 5]
RFC 2196 Site Security Handbook September 1997
(2) Software: source programs, object programs,
utilities, diagnostic programs, operating systems,
communication programs.
(3) Data: during execution, stored on-line, archived off-line,
backups, audit logs, databases, in transit over
communication media.
(4) People: users, administrators, hardware maintainers.
(5) Documentation: on programs, hardware, systems, local
administrative procedures.
(6) Supplies: paper, forms, ribbons, magnetic media.
1.6.3 Identifying the Threats
Once the assets requiring protection are identified, it is necessary
to identify threats to those assets. The threats can then be
examined to determine what potential for loss exists. It helps to
consider from what threats you are trying to protect your assets.
The following are classic threats that should be considered.
Depending on your site, there will be more specific threats that
should be identified and addressed.
(1) Unauthorized access to resources and/or information
(2) Unintented and/or unauthorized Disclosure of information
(3) Denial of service
2. Security Policies
Throughout this document there will be many references to policies.
Often these references will include recommendations for specific
policies. Rather than repeat guidance in how to create and
communicate such a policy, the reader should apply the advice
presented in this chapter when developing any policy recommended
later in this book.
2.1 What is a Security Policy and Why Have One?
The security-related decisions you make, or fail to make, as
administrator largely determines how secure or insecure your network
is, how much functionality your network offers, and how easy your
network is to use. However, you cannot make good decisions about
security without first determining what your security goals are.
Until you determine what your security goals are, you cannot make
effective use of any collection of security tools because you simply
will not know what to check for and what restrictions to impose.
Fraser, Ed. Informational [Page 6]
RFC 2196 Site Security Handbook September 1997
For example, your goals will probably be very different from the
goals of a product vendor. Vendors are trying to make configuration
and operation of their products as simple as possible, which implies
that the default configurations will often be as open (i.e.,
insecure) as possible. While this does make it easier to install new
products, it also leaves access to those systems, and other systems
through them, open to any user who wanders by.
Your goals will be largely determined by the following key tradeoffs:
(1) services offered versus security provided -
Each service offered to users carries its own security risks.
For some services the risk outweighs the benefit of the service
and the administrator may choose to eliminate the service rather
than try to secure it.
(2) ease of use versus security -
The easiest system to use would allow access to any user and
require no passwords; that is, there would be no security.
Requiring passwords makes the system a little less convenient,
but more secure. Requiring device-generated one-time passwords
makes the system even more difficult to use, but much more
secure.
(3) cost of security versus risk of loss -
There are many different costs to security: monetary (i.e., the
cost of purchasing security hardware and software like firewalls
and one-time password generators), performance (i.e., encryption
and decryption take time), and ease of use (as mentioned above).
There are also many levels of risk: loss of privacy (i.e., the
reading of information by unauthorized individuals), loss of
data (i.e., the corruption or erasure of information), and the
loss of service (e.g., the filling of data storage space, usage
of computational resources, and denial of network access). Each
type of cost must be weighed against each type of loss.
Your goals should be communicated to all users, operations staff, and
managers through a set of security rules, called a "security policy."
We are using this term, rather than the narrower "computer security
policy" since the scope includes all types of information technology
and the information stored and manipulated by the technology.
2.1.1 Definition of a Security Policy
A security policy is a formal statement of the rules by which people
who are given access to an organization's technology and information
assets must abide.
Fraser, Ed. Informational [Page 7]
RFC 2196 Site Security Handbook September 1997
2.1.2 Purposes of a Security Policy
The main purpose of a security policy is to inform users, staff and
managers of their obligatory requirements for protecting technology
and information assets. The policy should specify the mechanisms
through which these requirements can be met. Another purpose is to
provide a baseline from which to acquire, configure and audit
computer systems and networks for compliance with the policy.
Therefore an attempt to use a set of security tools in the absence of
at least an implied security policy is meaningless.
An Appropriate Use Policy (AUP) may also be part of a security
policy. It should spell out what users shall and shall not do on the
various components of the system, including the type of traffic
allowed on the networks. The AUP should be as explicit as possible
to avoid ambiguity or misunderstanding. For example, an AUP might
list any prohibited USENET newsgroups. (Note: Appropriate Use Policy
is referred to as Acceptable Use Policy by some sites.)
2.1.3 Who Should be Involved When Forming Policy?
In order for a security policy to be appropriate and effective, it
needs to have the acceptance and support of all levels of employees
within the organization. It is especially important that corporate
management fully support the security policy process otherwise there
is little chance that they will have the intended impact. The
following is a list of individuals who should be involved in the
creation and review of security policy documents:
(1) site security administrator
(2) information technology technical staff (e.g., staff from
computing center)
(3) administrators of large user groups within the organization
(e.g., business divisions, computer science department within a
university, etc.)
(4) security incident response team
(5) representatives of the user groups affected by the security
policy
(6) responsible management
(7) legal counsel (if appropriate)
The list above is representative of many organizations, but is not
necessarily comprehensive. The idea is to bring in representation
from key stakeholders, management who have budget and policy
authority, technical staff who know what can and cannot be supported,
and legal counsel who know the legal ramifications of various policy
Fraser, Ed. Informational [Page 8]
RFC 2196 Site Security Handbook September 1997
choices. In some organizations, it may be appropriate to include EDP
audit personnel. Involving this group is important if resulting
policy statements are to reach the broadest possible acceptance. It
is also relevant to mention that the role of legal counsel will also
vary from country to country.
2.2 What Makes a Good Security Policy?
The characteristics of a good security policy are:
(1) It must be implementable through system administration
procedures, publishing of acceptable use guidelines, or other
appropriate methods.
(2) It must be enforcible with security tools, where appropriate,
and with sanctions, where actual prevention is not technically
feasible.
(3) It must clearly define the areas of responsibility for the
users, administrators, and management.
The components of a good security policy include:
(1) Computer Technology Purchasing Guidelines which specify
required, or preferred, security features. These should
supplement existing purchasing policies and guidelines.
(2) A Privacy Policy which defines reasonable expectations of
privacy regarding such issues as monitoring of electronic mail,
logging of keystrokes, and access to users' files.
(3) An Access Policy which defines access rights and privileges to
protect assets from loss or disclosure by specifying acceptable
use guidelines for users, operations staff, and management. It
should provide guidelines for external connections, data
communications, connecting devices to a network, and adding new
software to systems. It should also specify any required
notification messages (e.g., connect messages should provide
warnings about authorized usage and line monitoring, and not
simply say "Welcome").
(4) An Accountability Policy which defines the responsibilities of
users, operations staff, and management. It should specify an
audit capability, and provide incident handling guidelines
(i.e., what to do and who to contact if a possible intrusion is
detected).
Fraser, Ed. Informational [Page 9]
RFC 2196 Site Security Handbook September 1997
(5) An Authentication Policy which establishes trust through an
effective password policy, and by setting guidelines for remote
location authentication and the use of authentication devices
(e.g., one-time passwords and the devices that generate them).
(6) An Availability statement which sets users' expectations for the
availability of resources. It should address redundancy and
recovery issues, as well as specify operating hours and
maintenance down-time periods. It should also include contact
information for reporting system and network failures.
(7) An Information Technology System & Network Maintenance Policy
which describes how both internal and external maintenance
people are allowed to handle and access technology. One
important topic to be addressed here is whether remote
maintenance is allowed and how such access is controlled.
Another area for consideration here is outsourcing and how it is
managed.
(8) A Violations Reporting Policy that indicates which types of
violations (e.g., privacy and security, internal and external)
must be reported and to whom the reports are made. A non-
threatening atmosphere and the possibility of anonymous
reporting will result in a greater probability that a violation
will be reported if it is detected.
(9) Supporting Information which provides users, staff, and
management with contact information for each type of policy
violation; guidelines on how to handle outside queries about a
security incident, or information which may be considered
confidential or proprietary; and cross-references to security
procedures and related information, such as company policies and
governmental laws and regulations.
There may be regulatory requirements that affect some aspects of your
security policy (e.g., line monitoring). The creators of the
security policy should consider seeking legal assistance in the
creation of the policy. At a minimum, the policy should be reviewed
by legal counsel.
Once your security policy has been established it should be clearly
communicated to users, staff, and management. Having all personnel
sign a statement indicating that they have read, understood, and
agreed to abide by the policy is an important part of the process.
Finally, your policy should be reviewed on a regular basis to see if
it is successfully supporting your security needs.
Fraser, Ed. Informational [Page 10]
RFC 2196 Site Security Handbook September 1997
2.3 Keeping the Policy Flexible
In order for a security policy to be viable for the long term, it
requires a lot of flexibility based upon an architectural security
concept. A security policy should be (largely) independent from
specific hardware and software situations (as specific systems tend
to be replaced or moved overnight). The mechanisms for updating the
policy should be clearly spelled out. This includes the process, the
people involved, and the people who must sign-off on the changes.
It is also important to recognize that there are exceptions to every
rule. Whenever possible, the policy should spell out what exceptions
to the general policy exist. For example, under what conditions is a
system administrator allowed to go through a user's files. Also,
there may be some cases when multiple users will have access to the
same userid. For example, on systems with a "root" user, multiple
system administrators may know the password and use the root account.
Another consideration is called the "Garbage Truck Syndrome." This
refers to what would happen to a site if a key person was suddenly
unavailable for his/her job function (e.g., was suddenly ill or left
the company unexpectedly). While the greatest security resides in
the minimum dissemination of information, the risk of losing critical
information increases when that information is not shared. It is
important to determine what the proper balance is for your site.
3. Architecture
3.1 Objectives
3.1.1 Completely Defined Security Plans
All sites should define a comprehensive security plan. This plan
should be at a higher level than the specific policies discussed in
chapter 2, and it should be crafted as a framework of broad
guidelines into which specific policies will fit.
It is important to have this framework in place so that individual
policies can be consistent with the overall site security
architecture. For example, having a strong policy with regard to
Internet access and having weak restrictions on modem usage is
inconsistent with an overall philosophy of strong security
restrictions on external access.
A security plan should define: the list of network services that will
be provided; which areas of the organization will provide the
services; who will have access to those services; how access will be
provided; who will administer those services; etc.
Fraser, Ed. Informational [Page 11]
RFC 2196 Site Security Handbook September 1997
The plan should also address how incident will be handled. Chapter 5
provides an in-depth discussion of this topic, but it is important
for each site to define classes of incidents and corresponding
responses. For example, sites with firewalls should set a threshold
on the number of attempts made to foil the firewall before triggering
a response? Escallation levels should be defined for both attacks
and responses. Sites without firewalls will have to determine if a
single attempt to connect to a host constitutes an incident? What
about a systematic scan of systems?
For sites connected to the Internet, the rampant media magnification
of Internet related security incidents can overshadow a (potentially)
more serious internal security problem. Likewise, companies who have
never been connected to the Internet may have strong, well defined,
internal policies but fail to adequately address an external
connection policy.
3.1.2 Separation of Services
There are many services which a site may wish to provide for its
users, some of which may be external. There are a variety of
security reasons to attempt to isolate services onto dedicated host
computers. There are also performance reasons in most cases, but a
detailed discussion is beyond to scope of this document.
The services which a site may provide will, in most cases, have
different levels of access needs and models of trust. Services which
are essential to the security or smooth operation of a site would be
better off being placed on a dedicated machine with very limited
access (see Section 3.1.3 "deny all" model), rather than on a machine
that provides a service (or services) which has traditionally been
less secure, or requires greater accessability by users who may
accidentally suborn security.
It is also important to distinguish between hosts which operate
within different models of trust (e.g., all the hosts inside of a
firewall and any host on an exposed network).
Some of the services which should be examined for potential
separation are outlined in section 3.2.3. It is important to remember
that security is only as strong as the weakest link in the chain.
Several of the most publicized penetrations in recent years have been
through the exploitation of vulnerabilities in electronic mail
systems. The intruders were not trying to steal electronic mail, but
they used the vulnerability in that service to gain access to other
systems.
Fraser, Ed. Informational [Page 12]
RFC 2196 Site Security Handbook September 1997
If possible, each service should be running on a different machine
whose only duty is to provide a specific service. This helps to
isolate intruders and limit potential harm.
3.1.3 Deny all/ Allow all
There are two diametrically opposed underlying philosophies which can
be adopted when defining a security plan. Both alternatives are
legitimate models to adopt, and the choice between them will depend
on the site and its needs for security.
The first option is to turn off all services and then selectively
enable services on a case by case basis as they are needed. This can
be done at the host or network level as appropriate. This model,
which will here after be referred to as the "deny all" model, is
generally more secure than the other model described in the next
paragraph. More work is required to successfully implement a "deny
all" configuration as well as a better understanding of services.
Allowing only known services provides for a better analysis of a
particular service/protocol and the design of a security mechanism
suited to the security level of the site.
The other model, which will here after be referred to as the "allow
all" model, is much easier to implement, but is generally less secure
than the "deny all" model. Simply turn on all services, usually the
default at the host level, and allow all protocols to travel across
network boundaries, usually the default at the router level. As
security holes become apparent, they are restricted or patched at
either the host or network level.
Each of these models can be applied to different portions of the
site, depending on functionality requirements, administrative
control, site policy, etc. For example, the policy may be to use the
"allow all" model when setting up workstations for general use, but
adopt a "deny all" model when setting up information servers, like an
email hub. Likewise, an "allow all" policy may be adopted for
traffic between LAN's internal to the site, but a "deny all" policy
can be adopted between the site and the Internet.
Be careful when mixing philosophies as in the examples above. Many
sites adopt the theory of a hard "crunchy" shell and a soft "squishy"
middle. They are willing to pay the cost of security for their
external traffic and require strong security measures, but are
unwilling or unable to provide similar protections internally. This
works fine as long as the outer defenses are never breached and the
internal users can be trusted. Once the outer shell (firewall) is
breached, subverting the internal network is trivial.
Fraser, Ed. Informational [Page 13]
RFC 2196 Site Security Handbook September 1997
3.1.4 Identify Real Needs for Services
There is a large variety of services which may be provided, both
internally and on the Internet at large. Managing security is, in
many ways, managing access to services internal to the site and
managing how internal users access information at remote sites.
Services tend to rush like waves over the Internet. Over the years
many sites have established anonymous FTP servers, gopher servers,
wais servers, WWW servers, etc. as they became popular, but not
particularly needed, at all sites. Evaluate all new services that
are established with a skeptical attitude to determine if they are
actually needed or just the current fad sweeping the Internet.
Bear in mind that security complexity can grow exponentially with the
number of services provided. Filtering routers need to be modified
to support the new protocols. Some protocols are inherently
difficult to filter safely (e.g., RPC and UDP services), thus
providing more openings to the internal network. Services provided
on the same machine can interact in catastrophic ways. For example,
allowing anonymous FTP on the same machine as the WWW server may
allow an intruder to place a file in the anonymous FTP area and cause
the HTTP server to execute it.
3.2 Network and Service Configuration
3.2.1 Protecting the Infrastructure
Many network administrators go to great lengths to protect the hosts
on their networks. Few administrators make any effort to protect the
networks themselves. There is some rationale to this. For example,
it is far easier to protect a host than a network. Also, intruders
are likely to be after data on the hosts; damaging the network would
not serve their purposes. That said, there are still reasons to
protect the networks. For example, an intruder might divert network
traffic through an outside host in order to examine the data (i.e.,
to search for passwords). Also, infrastructure includes more than
the networks and the routers which interconnect them. Infrastructure
also includes network management (e.g., SNMP), services (e.g., DNS,
NFS, NTP, WWW), and security (i.e., user authentication and access
restrictions).
The infrastructure also needs protection against human error. When
an administrator misconfigures a host, that host may offer degraded
service. This only affects users who require that host and, unless
Fraser, Ed. Informational [Page 14]
RFC 2196 Site Security Handbook September 1997
that host is a primary server, the number of affected users will
therefore be limited. However, if a router is misconfigured, all
users who require the network will be affected. Obviously, this is a
far larger number of users than those depending on any one host.
3.2.2 Protecting the Network
There are several problems to which networks are vulnerable. The
classic problem is a "denial of service" attack. In this case, the
network is brought to a state in which it can no longer carry
legitimate users' data. There are two common ways this can be done:
by attacking the routers and by flooding the network with extraneous
traffic. Please note that the term "router" in this section is used
as an example of a larger class of active network interconnection
components that also includes components like firewalls, proxy-
servers, etc.
An attack on the router is designed to cause it to stop forwarding
packets, or to forward them improperly. The former case may be due
to a misconfiguration, the injection of a spurious routing update, or
a "flood attack" (i.e., the router is bombarded with unroutable
packets, causing its performance to degrade). A flood attack on a
network is similar to a flood attack on a router, except that the
flood packets are usually broadcast. An ideal flood attack would be
the injection of a single packet which exploits some known flaw in
the network nodes and causes them to retransmit the packet, or
generate error packets, each of which is picked up and repeated by
another host. A well chosen attack packet can even generate an
exponential explosion of transmissions.
Another classic problem is "spoofing." In this case, spurious
routing updates are sent to one or more routers causing them to
misroute packets. This differs from a denial of service attack only
in the purpose behind the spurious route. In denial of service, the
object is to make the router unusable; a state which will be quickly
detected by network users. In spoofing, the spurious route will
cause packets to be routed to a host from which an intruder may
monitor the data in the packets. These packets are then re-routed to
their correct destinations. However, the intruder may or may not
have altered the contents of the packets.
The solution to most of these problems is to protect the routing
update packets sent by the routing protocols in use (e.g., RIP-2,
OSPF). There are three levels of protection: clear-text password,
cryptographic checksum, and encryption. Passwords offer only minimal
protection against intruders who do not have direct access to the
physical networks. Passwords also offer some protection against
misconfigured routers (i.e, routers which, out of the box, attempt to
Fraser, Ed. Informational [Page 15]
RFC 2196 Site Security Handbook September 1997
route packets). The advantage of passwords is that they have a very
low overhead, in both bandwidth and CPU consumption. Checksums
protect against the injection of spurious packets, even if the
intruder has direct access to the physical network. Combined with a
sequence number, or other unique identifier, a checksum can also
protect again "replay" attacks, wherein an old (but valid at the
time) routing update is retransmitted by either an intruder or a
misbehaving router. The most security is provided by complete
encryption of sequenced, or uniquely identified, routing updates.
This prevents an intruder from determining the topology of the
network. The disadvantage to encryption is the overhead involved in
processing the updates.
RIP-2 (RFC 1723) and OSPF (RFC 1583) both support clear-text
passwords in their base design specifications. In addition, there
are extensions to each base protocol to support MD5 encryption.
Unfortunately, there is no adequate protection against a flooding
attack, or a misbehaving host or router which is flooding the
network. Fortunately, this type of attack is obvious when it occurs
and can usually be terminated relatively simply.
3.2.3 Protecting the Services
There are many types of services and each has its own security
requirements. These requirements will vary based on the intended use
of the service. For example, a service which should only be usable
within a site (e.g., NFS) may require different protection mechanisms
than a service provided for external use. It may be sufficient to
protect the internal server from external access. However, a WWW
server, which provides a home page intended for viewing by users
anywhere on the Internet, requires built-in protection. That is, the
service/protocol/server must provide whatever security may be
required to prevent unauthorized access and modification of the Web
database.
Internal services (i.e., services meant to be used only by users
within a site) and external services (i.e., services deliberately
made available to users outside a site) will, in general, have
protection requirements which differ as previously described. It is
therefore wise to isolate the internal services to one set of server
host computers and the external services to another set of server
host computers. That is, internal and external servers should not be
co-located on the same host computer. In fact, many sites go so far
Fraser, Ed. Informational [Page 16]
RFC 2196 Site Security Handbook September 1997
as to have one set of subnets (or even different networks) which are
accessible from the outside and another set which may be accessed
only within the site. Of course, there is usually a firewall which
connects these partitions. Great care must be taken to ensure that
such a firewall is operating properly.
There is increasing interest in using intranets to connect different
parts of a organization (e.g., divisions of a company). While this
document generally differentiates between external and internal
(public and private), sites using intranets should be aware that they
will need to consider three separations and take appropriate actions
when designing and offering services. A service offered to an
intranet would be neither public, nor as completely private as a
service to a single organizational subunit. Therefore, the service
would need its own supporting system, separated from both external
and internal services and networks.
One form of external service deserves some special consideration, and
that is anonymous, or guest, access. This may be either anonymous
FTP or guest (unauthenticated) login. It is extremely important to
ensure that anonymous FTP servers and guest login userids are
carefully isolated from any hosts and file systems from which outside
users should be kept. Another area to which special attention must
be paid concerns anonymous, writable access. A site may be legally
responsible for the content of publicly available information, so
careful monitoring of the information deposited by anonymous users is
advised.
Now we shall consider some of the most popular services: name
service, password/key service, authentication/proxy service,
electronic mail, WWW, file transfer, and NFS. Since these are the
most frequently used services, they are the most obvious points of
attack. Also, a successful attack on one of these services can
produce disaster all out of proportion to the innocence of the basic
service.
3.2.3.1 Name Servers (DNS and NIS(+))
The Internet uses the Domain Name System (DNS) to perform address
resolution for host and network names. The Network Information
Service (NIS) and NIS+ are not used on the global Internet, but are
subject to the same risks as a DNS server. Name-to-address
resolution is critical to the secure operation of any network. An
attacker who can successfully control or impersonate a DNS server can
re-route traffic to subvert security protections. For example,
routine traffic can be diverted to a compromised system to be
monitored; or, users can be tricked into providing authentication
secrets. An organization should create well known, protected sites
Fraser, Ed. Informational [Page 17]
RFC 2196 Site Security Handbook September 1997
to act as secondary name servers and protect their DNS masters from
denial of service attacks using filtering routers.
Traditionally, DNS has had no security capabilities. In particular,
the information returned from a query could not be checked for
modification or verified that it had come from the name server in
question. Work has been done to incorporate digital signatures into
the protocol which, when deployed, will allow the integrity of the
information to be cryptographically verified (see RFC 2065).
3.2.3.2 Password/Key Servers (NIS(+) and KDC)
Password and key servers generally protect their vital information
(i.e., the passwords and keys) with encryption algorithms. However,
even a one-way encrypted password can be determined by a dictionary
attack (wherein common words are encrypted to see if they match the
stored encryption). It is therefore necessary to ensure that these
servers are not accessable by hosts which do not plan to use them for
the service, and even those hosts should only be able to access the
service (i.e., general services, such as Telnet and FTP, should not
be allowed by anyone other than administrators).
3.2.3.3 Authentication/Proxy Servers (SOCKS, FWTK)
A proxy server provides a number of security enhancements. It allows
sites to concentrate services through a specific host to allow
monitoring, hiding of internal structure, etc. This funnelling of
services creates an attractive target for a potential intruder. The
type of protection required for a proxy server depends greatly on the
proxy protocol in use and the services being proxied. The general
rule of limiting access only to those hosts which need the services,
and limiting access by those hosts to only those services, is a good
starting point.
3.2.3.4 Electronic Mail
Electronic mail (email) systems have long been a source for intruder
break-ins because email protocols are among the oldest and most
widely deployed services. Also, by it's very nature, an email server
requires access to the outside world; most email servers accept input
from any source. An email server generally consists of two parts: a
receiving/sending agent and a processing agent. Since email is
delivered to all users, and is usually private, the processing agent
typically requires system (root) privileges to deliver the mail.
Most email implementations perform both portions of the service,
which means the receiving agent also has system privileges. This
opens several security holes which this document will not describe.
There are some implementations available which allow a separation of
Fraser, Ed. Informational [Page 18]
RFC 2196 Site Security Handbook September 1997
the two agents. Such implementations are generally considered more
secure, but still require careful installation to avoid creating a
security problem.
3.2.3.5 World Wide Web (WWW)
The Web is growing in popularity exponentially because of its ease of
use and the powerful ability to concentrate information services.
Most WWW servers accept some type of direction and action from the
persons accessing their services. The most common example is taking
a request from a remote user and passing the provided information to
a program running on the server to process the request. Some of
these programs are not written with security in mind and can create
security holes. If a Web server is available to the Internet
community, it is especially important that confidential information
not be co-located on the same host as that server. In fact, it is
recommended that the server have a dedicated host which is not
"trusted" by other internal hosts.
Many sites may want to co-locate FTP service with their WWW service.
But this should only occur for anon-ftp servers that only provide
information (ftp-get). Anon-ftp puts, in combination with WWW, might
be dangerous (e.g., they could result in modifications to the
information your site is publishing to the web) and in themselves
make the security considerations for each service different.
3.2.3.6 File Transfer (FTP, TFTP)
FTP and TFTP both allow users to receive and send electronic files in
a point-to-point manner. However, FTP requires authentication while
TFTP requires none. For this reason, TFTP should be avoided as much
as possible.
Improperly configured FTP servers can allow intruders to copy,
replace and delete files at will, anywhere on a host, so it is very
important to configure this service correctly. Access to encrypted
passwords and proprietary data, and the introduction of Trojan horses
are just a few of the potential security holes that can occur when
the service is configured incorrectly. FTP servers should reside on
their own host. Some sites choose to co-locate FTP with a Web
server, since the two protocols share common security considerations
However, the the practice isn't recommended, especially when the FTP
service allows the deposit of files (see section on WWW above). As
mentioned in the opening paragraphs of section 3.2.3, services
offered internally to your site should not be co-located with
services offered externally. Each should have its own host.
Fraser, Ed. Informational [Page 19]
RFC 2196 Site Security Handbook September 1997
TFTP does not support the same range of functions as FTP, and has no
security whatsoever. This service should only be considered for
internal use, and then it should be configured in a restricted way so
that the server only has access to a set of predetermined files
(instead of every world-readable file on the system). Probably the
most common usage of TFTP is for downloading router configuration
files to a router. TFTP should reside on its own host, and should
not be installed on hosts supporting external FTP or Web access.
3.2.3.7 NFS
The Network File Service allows hosts to share common disks. NFS is
frequently used by diskless hosts who depend on a disk server for all
of their storage needs. Unfortunately, NFS has no built-in security.
It is therefore necessary that the NFS server be accessable only by
those hosts which are using it for service. This is achieved by
specifying which hosts the file system is being exported to and in
what manner (e.g., read-only, read-write, etc.). Filesystems should
not be exported to any hosts outside the local network since this
will require that the NFS service be accessible externally. Ideally,
external access to NFS service should be stopped by a firewall.
3.2.4 Protecting the Protection
It is amazing how often a site will overlook the most obvious
weakness in its security by leaving the security server itself open
to attack. Based on considerations previously discussed, it should
be clear that: the security server should not be accessible from
off-site; should offer minimum access, except for the authentication
function, to users on-site; and should not be co-located with any
other servers. Further, all access to the node, including access to
the service itself, should be logged to provide a "paper trail" in
the event of a security breach.
3.3 Firewalls
One of the most widely deployed and publicized security measures in
use on the Internet is a "firewall." Firewalls have been given the
reputation of a general panacea for many, if not all, of the Internet
security issues. They are not. Firewalls are just another tool in
the quest for system security. They provide a certain level of
protection and are, in general, a way of implementing security policy
at the network level. The level of security that a firewall provides
can vary as much as the level of security on a particular machine.
There are the traditional trade-offs between security, ease of use,
cost, complexity, etc.
Fraser, Ed. Informational [Page 20]
RFC 2196 Site Security Handbook September 1997
A firewall is any one of several mechanisms used to control and watch
access to and from a network for the purpose of protecting it. A
firewall acts as a gateway through which all traffic to and from the
protected network and/or systems passes. Firewalls help to place
limitations on the amount and type of communication that takes place
between the protected network and the another network (e.g., the
Internet, or another piece of the site's network).
A firewall is generally a way to build a wall between one part of a
network, a company's internal network, for example, and another part,
the global Internet, for example. The unique feature about this wall
is that there needs to be ways for some traffic with particular
characteristics to pass through carefully monitored doors
("gateways"). The difficult part is establishing the criteria by
which the packets are allowed or denied access through the doors.
Books written on firewalls use different terminology to describe the
various forms of firewalls. This can be confusing to system
administrators who are not familiar with firewalls. The thing to note
here is that there is no fixed terminology for the description of
firewalls.
Firewalls are not always, or even typically, a single machine.
Rather, firewalls are often a combination of routers, network
segments, and host computers. Therefore, for the purposes of this
discussion, the term "firewall" can consist of more than one physical
device. Firewalls are typically built using two different
components, filtering routers and proxy servers.
Filtering routers are the easiest component to conceptualize in a
firewall. A router moves data back and forth between two (or more)
different networks. A "normal" router takes a packet from network A
and "routes" it to its destination on network B. A filtering router
does the same thing but decides not only how to route the packet, but
whether it should route the packet. This is done by installing a
series of filters by which the router decides what to do with any
given packet of data.
A discussion concerning capabilities of a particular brand of router,
running a particular software version is outside the scope of this
document. However, when evaluating a router to be used for filtering
packets, the following criteria can be important when implementing a
filtering policy: source and destination IP address, source and
destination TCP port numbers, state of the TCP "ack" bit, UDP source
and destination port numbers, and direction of packet flow (i.e.. A-
>B or B->A). Other information necessary to construct a secure
filtering scheme are whether the router reorders filter instructions
(designed to optimize filters, this can sometimes change the meaning
and cause unintended access), and whether it is possible to apply
Fraser, Ed. Informational [Page 21]
RFC 2196 Site Security Handbook September 1997
filters for inbound and outbound packets on each interface (if the
router filters only outbound packets then the router is "outside" of
its filters and may be more vulnerable to attack). In addition to
the router being vulnerable, this distinction between applying
filters on inbound or outbound packets is especially relevant for
routers with more than 2 interfaces. Other important issues are the
ability to create filters based on IP header options and the fragment
state of a packet. Building a good filter can be very difficult and
requires a good understanding of the type of services (protocols)
that will be filtered.
For better security, the filters usually restrict access between the
two connected nets to just one host, the bastion host. It is only
possible to access the other network via this bastion host. As only
this host, rather than a few hundred hosts, can get attacked, it is
easier to maintain a certain level of security because only this host
has to be protected very carefully. To make resources available to
legitimate users across this firewall, services have to be forwarded
by the bastion host. Some servers have forwarding built in (like
DNS-servers or SMTP-servers), for other services (e.g., Telnet, FTP,
etc.), proxy servers can be used to allow access to the resources
across the firewall in a secure way.
A proxy server is way to concentrate application services through a
single machine. There is typically a single machine (the bastion
host) that acts as a proxy server for a variety of protocols (Telnet,
SMTP, FTP, HTTP, etc.) but there can be individual host computers for
each service. Instead of connecting directly to an external server,
the client connects to the proxy server which in turn initiates a
connection to the requested external server. Depending on the type
of proxy server used, it is possible to configure internal clients to
perform this redirection automatically, without knowledge to the
user, others might require that the user connect directly to the
proxy server and then initiate the connection through a specified
format.
There are significant security benefits which can be derived from
using proxy servers. It is possible to add access control lists to
protocols, requiring users or systems to provide some level of
authentication before access is granted. Smarter proxy servers,
sometimes called Application Layer Gateways (ALGs), can be written
which understand specific protocols and can be configured to block
only subsections of the protocol. For example, an ALG for FTP can
tell the difference between the "put" command and the "get" command;
an organization may wish to allow users to "get" files from the
Internet, but not be able to "put" internal files on a remote server.
By contrast, a filtering router could either block all FTP access, or
none, but not a subset.
Fraser, Ed. Informational [Page 22]
RFC 2196 Site Security Handbook September 1997
Proxy servers can also be configured to encrypt data streams based on
a variety of parameters. An organization might use this feature to
allow encrypted connections between two locations whose sole access
points are on the Internet.
Firewalls are typically thought of as a way to keep intruders out,
but they are also often used as a way to let legitimate users into a
site. There are many examples where a valid user might need to
regularly access the "home" site while on travel to trade shows and
conferences, etc. Access to the Internet is often available but may
be through an untrusted machine or network. A correctly configured
proxy server can allow the correct users into the site while still
denying access to other users.
The current best effort in firewall techniques is found using a
combination of a pair of screening routers with one or more proxy
servers on a network between the two routers. This setup allows the
external router to block off any attempts to use the underlying IP
layer to break security (IP spoofing, source routing, packet
fragments), while allowing the proxy server to handle potential
security holes in the higher layer protocols. The internal router's
purpose is to block all traffic except to the proxy server. If this
setup is rigidly implemented, a high level of security can be
achieved.
Most firewalls provide logging which can be tuned to make security
administration of the network more convenient. Logging may be
centralized and the system may be configured to send out alerts for
abnormal conditions. It is important to regularly monitor these logs
for any signs of intrusions or break-in attempts. Since some
intruders will attempt to cover their tracks by editing logs, it is
desirable to protect these logs. A variety of methods is available,
including: write once, read many (WORM) drives; papers logs; and
centralized logging via the "syslog" utility. Another technique is
to use a "fake" serial printer, but have the serial port connected to
an isolated machine or PC which keeps the logs.
Firewalls are available in a wide range of quality and strengths.
Commercial packages start at approximately $10,000US and go up to
over $250,000US. "Home grown" firewalls can be built for smaller
amounts of capital. It should be remembered that the correct setup
of a firewall (commercial or homegrown) requires a significant amount
of skill and knowledge of TCP/IP. Both types require regular
maintenance, installation of software patches and updates, and
regular monitoring. When budgeting for a firewall, these additional
costs should be considered in addition to the cost of the physical
elements of the firewall.
Fraser, Ed. Informational [Page 23]
RFC 2196 Site Security Handbook September 1997
As an aside, building a "home grown" firewall requires a significant
amount of skill and knowledge of TCP/IP. It should not be trivially
attempted because a perceived sense of security is worse in the long
run than knowing that there is no security. As with all security
measures, it is important to decide on the threat, the value of the
assets to be protected, and the costs to implement security.
A final note about firewalls. They can be a great aid when
implementing security for a site and they protect against a large
variety of attacks. But it is important to keep in mind that they
are only one part of the solution. They cannot protect your site
against all types of attack.
4. Security Services and Procedures
This chapter guides the reader through a number of topics that should
be addressed when securing a site. Each section touches on a
security service or capability that may be required to protect the
information and systems at a site. The topics are presented at a
fairly high-level to introduce the reader to the concepts.
Throughout the chapter, you will find significant mention of
cryptography. It is outside the scope of this document to delve into
details concerning cryptography, but the interested reader can obtain
more information from books and articles listed in the reference
section of this document.
4.1 Authentication
For many years, the prescribed method for authenticating users has
been through the use of standard, reusable passwords. Originally,
these passwords were used by users at terminals to authenticate
themselves to a central computer. At the time, there were no
networks (internally or externally), so the risk of disclosure of the
clear text password was minimal. Today, systems are connected
together through local networks, and these local networks are further
connected together and to the Internet. Users are logging in from
all over the globe; their reusable passwords are often transmitted
across those same networks in clear text, ripe for anyone in-between
to capture. And indeed, the CERT* Coordination Center and other
response teams are seeing a tremendous number of incidents involving
packet sniffers which are capturing the clear text passwords.
With the advent of newer technologies like one-time passwords (e.g.,
S/Key), PGP, and token-based authentication devices, people are using
password-like strings as secret tokens and pins. If these secret
tokens and pins are not properly selected and protected, the
authentication will be easily subverted.
Fraser, Ed. Informational [Page 24]
RFC 2196 Site Security Handbook September 1997
4.1.1 One-Time passwords
As mentioned above, given today's networked environments, it is
recommended that sites concerned about the security and integrity of
their systems and networks consider moving away from standard,
reusable passwords. There have been many incidents involving Trojan
network programs (e.g., telnet and rlogin) and network packet
sniffing programs. These programs capture clear text
hostname/account name/password triplets. Intruders can use the
captured information for subsequent access to those hosts and
accounts. This is possible because 1) the password is used over and
over (hence the term "reusable"), and 2) the password passes across
the network in clear text.
Several authentication techniques have been developed that address
this problem. Among these techniques are challenge-response
technologies that provide passwords that are only used once (commonly
called one-time passwords). There are a number of products available
that sites should consider using. The decision to use a product is
the responsibility of each organization, and each organization should
perform its own evaluation and selection.
4.1.2 Kerberos
Kerberos is a distributed network security system which provides for
authentication across unsecured networks. If requested by the
application, integrity and encryption can also be provided. Kerberos
was originally developed at the Massachusetts Institute of Technology
(MIT) in the mid 1980s. There are two major releases of Kerberos,
version 4 and 5, which are for practical purposes, incompatible.
Kerberos relies on a symmetric key database using a key distribution
center (KDC) which is known as the Kerberos server. A user or
service (known as "principals") are granted electronic "tickets"
after properly communicating with the KDC. These tickets are used
for authentication between principals. All tickets include a time
stamp which limits the time period for which the ticket is valid.
Therefore, Kerberos clients and server must have a secure time
source, and be able to keep time accurately.
The practical side of Kerberos is its integration with the
application level. Typical applications like FTP, telnet, POP, and
NFS have been integrated with the Kerberos system. There are a
variety of implementations which have varying levels of integration.
Please see the Kerberos FAQ available at http://www.ov.com/misc/krb-
faq.html for the latest information.
Fraser, Ed. Informational [Page 25]
RFC 2196 Site Security Handbook September 1997
4.1.3 Choosing and Protecting Secret Tokens and PINs
When selecting secret tokens, take care to choose them carefully.
Like the selection of passwords, they should be robust against brute
force efforts to guess them. That is, they should not be single
words in any language, any common, industry, or cultural acronyms,
etc. Ideally, they will be longer rather than shorter and consist of
pass phrases that combine upper and lower case character, digits, and
other characters.
Once chosen, the protection of these secret tokens is very important.
Some are used as pins to hardware devices (like token cards) and
these should not be written down or placed in the same location as
the device with which they are associated. Others, such as a secret
Pretty Good Privacy (PGP) key, should be protected from unauthorized
access.
One final word on this subject. When using cryptography products,
like PGP, take care to determine the proper key length and ensure
that your users are trained to do likewise. As technology advances,
the minimum safe key length continues to grow. Make sure your site
keeps up with the latest knowledge on the technology so that you can
ensure that any cryptography in use is providing the protection you
believe it is.
4.1.4 Password Assurance
While the need to eliminate the use of standard, reusable passwords
cannot be overstated, it is recognized that some organizations may
still be using them. While it's recommended that these organizations
transition to the use of better technology, in the mean time, we have
the following advice to help with the selection and maintenance of
traditional passwords. But remember, none of these measures provides
protection against disclosure due to sniffer programs.
(1) The importance of robust passwords - In many (if not most) cases
of system penetration, the intruder needs to gain access to an
account on the system. One way that goal is typically
accomplished is through guessing the password of a legitimate
user. This is often accomplished by running an automated
password cracking program, which utilizes a very large
dictionary, against the system's password file. The only way to
guard against passwords being disclosed in this manner is
through the careful selection of passwords which cannot be
easily guessed (i.e., combinations of numbers, letters, and
punctuation characters). Passwords should also be as long as
the system supports and users can tolerate.
Fraser, Ed. Informational [Page 26]
RFC 2196 Site Security Handbook September 1997
(2) Changing default passwords - Many operating systems and
application programs are installed with default accounts and
passwords. These must be changed immediately to something that
cannot be guessed or cracked.
(3) Restricting access to the password file - In particular, a site
wants to protect the encrypted password portion of the file so
that would-be intruders don't have them available for cracking.
One effective technique is to use shadow passwords where the
password field of the standard file contains a dummy or false
password. The file containing the legitimate passwords are
protected elsewhere on the system.
(4) Password aging - When and how to expire passwords is still a
subject of controversy among the security community. It is
generally accepted that a password should not be maintained once
an account is no longer in use, but it is hotly debated whether
a user should be forced to change a good password that's in
active use. The arguments for changing passwords relate to the
prevention of the continued use of penetrated accounts.
However, the opposition claims that frequent password changes
lead to users writing down their passwords in visible areas
(such as pasting them to a terminal), or to users selecting very
simple passwords that are easy to guess. It should also be
stated that an intruder will probably use a captured or guessed
password sooner rather than later, in which case password aging
provides little if any protection.
While there is no definitive answer to this dilemma, a password
policy should directly address the issue and provide guidelines
for how often a user should change the password. Certainly, an
annual change in their password is usually not difficult for
most users, and you should consider requiring it. It is
recommended that passwords be changed at least whenever a
privileged account is compromised, there is a critical change in
personnel (especially if it is an administrator!), or when an
account has been compromised. In addition, if a privileged
account password is compromised, all passwords on the system
should be changed.
(5) Password/account blocking - Some sites find it useful to disable
accounts after a predefined number of failed attempts to
authenticate. If your site decides to employ this mechanism, it
is recommended that the mechanism not "advertise" itself. After
Fraser, Ed. Informational [Page 27]
RFC 2196 Site Security Handbook September 1997
disabling, even if the correct password is presented, the
message displayed should remain that of a failed login attempt.
Implementing this mechanism will require that legitimate users
contact their system administrator to request that their account
be reactivated.
(6) A word about the finger daemon - By default, the finger daemon
displays considerable system and user information. For example,
it can display a list of all users currently using a system, or
all the contents of a specific user's .plan file. This
information can be used by would-be intruders to identify
usernames and guess their passwords. It is recommended that
sites consider modifying finger to restrict the information
displayed.
4.2 Confidentiality
There will be information assets that your site will want to protect
from disclosure to unauthorized entities. Operating systems often
have built-in file protection mechanisms that allow an administrator
to control who on the system can access, or "see," the contents of a
given file. A stronger way to provide confidentiality is through
encryption. Encryption is accomplished by scrambling data so that it
is very difficult and time consuming for anyone other than the
authorized recipients or owners to obtain the plain text. Authorized
recipients and the owner of the information will possess the
corresponding decryption keys that allow them to easily unscramble
the text to a readable (clear text) form. We recommend that sites
use encryption to provide confidentiality and protect valuable
information.
The use of encryption is sometimes controlled by governmental and
site regulations, so we encourage administrators to become informed
of laws or policies that regulate its use before employing it. It is
outside the scope of this document to discuss the various algorithms
and programs available for this purpose, but we do caution against
the casual use of the UNIX crypt program as it has been found to be
easily broken. We also encourage everyone to take time to understand
the strength of the encryption in any given algorithm/product before
using it. Most well-known products are well-documented in the
literature, so this should be a fairly easy task.
4.3 Integrity
As an administrator, you will want to make sure that information
(e.g., operating system files, company data, etc.) has not been
altered in an unauthorized fashion. This means you will want to
provide some assurance as to the integrity of the information on your
Fraser, Ed. Informational [Page 28]
RFC 2196 Site Security Handbook September 1997
systems. One way to provide this is to produce a checksum of the
unaltered file, store that checksum offline, and periodically (or
when desired) check to make sure the checksum of the online file
hasn't changed (which would indicate the data has been modified).
Some operating systems come with checksumming programs, such as the
UNIX sum program. However, these may not provide the protection you
actually need. Files can be modified in such a way as to preserve
the result of the UNIX sum program! Therefore, we suggest that you
use a cryptographically strong program, such as the message digesting
program MD5 [ref], to produce the checksums you will be using to
assure integrity.
There are other applications where integrity will need to be assured,
such as when transmitting an email message between two parties. There
are products available that can provide this capability. Once you
identify that this is a capability you need, you can go about
identifying technologies that will provide it.
4.4 Authorization
Authorization refers to the process of granting privileges to
processes and, ultimately, users. This differs from authentication
in that authentication is the process used to identify a user. Once
identified (reliably), the privileges, rights, property, and
permissible actions of the user are determined by authorization.
Explicitly listing the authorized activities of each user (and user
process) with respect to all resources (objects) is impossible in a
reasonable system. In a real system certain techniques are used to
simplify the process of granting and checking authorization(s).
One approach, popularized in UNIX systems, is to assign to each
object three classes of user: owner, group and world. The owner is
either the creator of the object or the user assigned as owner by the
super-user. The owner permissions (read, write and execute) apply
only to the owner. A group is a collection of users which share
access rights to an object. The group permissions (read, write and
execute) apply to all users in the group (except the owner). The
world refers to everybody else with access to the system. The world
permissions (read, write and execute) apply to all users (except the
owner and members of the group).
Another approach is to attach to an object a list which explicitly
contains the identity of all permitted users (or groups). This is an
Access Control List (ACL). The advantage of ACLs are that they are
Fraser, Ed. Informational [Page 29]
RFC 2196 Site Security Handbook September 1997
easily maintained (one central list per object) and it's very easy to
visually check who has access to what. The disadvantages are the
extra resources required to store such lists, as well as the vast
number of such lists required for large systems.
4.5 Access
4.5.1 Physical Access
Restrict physical access to hosts, allowing access only to those
people who are supposed to use the hosts. Hosts include "trusted"
terminals (i.e., terminals which allow unauthenticated use such as
system consoles, operator terminals and terminals dedicated to
special tasks), and individual microcomputers and workstations,
especially those connected to your network. Make sure people's work
areas mesh well with access restrictions; otherwise they will find
ways to circumvent your physical security (e.g., jamming doors open).
Keep original and backup copies of data and programs safe. Apart
from keeping them in good condition for backup purposes, they must be
protected from theft. It is important to keep backups in a separate
location from the originals, not only for damage considerations, but
also to guard against thefts.
Portable hosts are a particular risk. Make sure it won't cause
problems if one of your staff's portable computer is stolen.
Consider developing guidelines for the kinds of data that should be
allowed to reside on the disks of portable computers as well as how
the data should be protected (e.g., encryption) when it is on a
portable computer.
Other areas where physical access should be restricted is the wiring
closets and important network elements like file servers, name server
hosts, and routers.
4.5.2 Walk-up Network Connections
By "walk-up" connections, we mean network connection points located
to provide a convenient way for users to connect a portable host to
your network.
Consider whether you need to provide this service, bearing in mind
that it allows any user to attach an unauthorized host to your
network. This increases the risk of attacks via techniques such as
Fraser, Ed. Informational [Page 30]
RFC 2196 Site Security Handbook September 1997
IP address spoofing, packet sniffing, etc. Users and site management
must appreciate the risks involved. If you decide to provide walk-up
connections, plan the service carefully and define precisely where
you will provide it so that you can ensure the necessary physical
access security.
A walk-up host should be authenticated before its user is permitted
to access resources on your network. As an alternative, it may be
possible to control physical access. For example, if the service is
to be used by students, you might only provide walk-up connection
sockets in student laboratories.
If you are providing walk-up access for visitors to connect back to
their home networks (e.g., to read e-mail, etc.) in your facility,
consider using a separate subnet that has no connectivity to the
internal network.
Keep an eye on any area that contains unmonitored access to the
network, such as vacant offices. It may be sensible to disconnect
such areas at the wiring closet, and consider using secure hubs and
monitoring attempts to connect unauthorized hosts.
4.5.3 Other Network Technologies
Technologies considered here include X.25, ISDN, SMDS, DDS and Frame
Relay. All are provided via physical links which go through
telephone exchanges, providing the potential for them to be diverted.
Crackers are certainly interested in telephone switches as well as in
data networks!
With switched technologies, use Permanent Virtual Circuits or Closed
User Groups whenever this is possible. Technologies which provide
authentication and/or encryption (such as IPv6) are evolving rapidly;
consider using them on links where security is important.
4.5.4 Modems
4.5.4.1 Modem Lines Must Be Managed
Although they provide convenient access to a site for its users, they
can also provide an effective detour around the site's firewalls.
For this reason it is essential to maintain proper control of modems.
Don't allow users to install a modem line without proper
authorization. This includes temporary installations (e.g., plugging
a modem into a facsimile or telephone line overnight).
Fraser, Ed. Informational [Page 31]
RFC 2196 Site Security Handbook September 1997
Maintain a register of all your modem lines and keep your register up
to date. Conduct regular (ideally automated) site checks for
unauthorized modems.
4.5.4.2 Dial-in Users Must Be Authenticated
A username and password check should be completed before a user can
access anything on your network. Normal password security
considerations are particularly important (see section 4.1.1).
Remember that telephone lines can be tapped, and that it is quite
easy to intercept messages to cellular phones. Modern high-speed
modems use more sophisticated modulation techniques, which makes them
somewhat more difficult to monitor, but it is prudent to assume that
hackers know how to eavesdrop on your lines. For this reason, you
should use one-time passwords if at all possible.
It is helpful to have a single dial-in point (e.g., a single large
modem pool) so that all users are authenticated in the same way.
Users will occasionally mis-type a password. Set a short delay - say
two seconds - after the first and second failed logins, and force a
disconnect after the third. This will slow down automated password
attacks. Don't tell the user whether the username, the password, or
both, were incorrect.
4.5.4.3 Call-back Capability
Some dial-in servers offer call-back facilities (i.e., the user dials
in and is authenticated, then the system disconnects the call and
calls back on a specified number). Call-back is useful since if
someone were to guess a username and password, they are disconnected,
and the system then calls back the actual user whose password was
cracked; random calls from a server are suspicious, at best. This
does mean users may only log in from one location (where the server
is configured to dial them back), and of course there may be phone
charges associated with there call-back location.
This feature should be used with caution; it can easily be bypassed.
At a minimum, make sure that the return call is never made from the
same modem as the incoming one. Overall, although call-back can
improve modem security, you should not depend on it alone.
4.5.4.4 All Logins Should Be Logged
All logins, whether successful or unsuccessful should be logged.
However, do not keep correct passwords in the log. Rather, log them
simply as a successful login attempt. Since most bad passwords are
Fraser, Ed. Informational [Page 32]
RFC 2196 Site Security Handbook September 1997
mistyped by authorized users, they only vary by a single character
from the actual password. Therefore if you can't keep such a log
secure, don't log it at all.
If Calling Line Identification is available, take advantage of it by
recording the calling number for each login attempt. Be sensitive to
the privacy issues raised by Calling Line Identification. Also be
aware that Calling Line Identification is not to be trusted (since
intruders have been known to break into phone switches and forward
phone numbers or make other changes); use the data for informational
purposes only, not for authentication.
4.5.4.5 Choose Your Opening Banner Carefully
Many sites use a system default contained in a message of the day
file for their opening banner. Unfortunately, this often includes the
type of host hardware or operating system present on the host. This
can provide valuable information to a would-be intruder. Instead,
each site should create its own specific login banner, taking care to
only include necessary information.
Display a short banner, but don't offer an "inviting" name (e.g.,
University of XYZ, Student Records System). Instead, give your site
name, a short warning that sessions may be monitored, and a
username/password prompt. Verify possible legal issues related to
the text you put into the banner.
For high-security applications, consider using a "blind" password
(i.e., give no response to an incoming call until the user has typed
in a password). This effectively simulates a dead modem.
4.5.4.6 Dial-out Authentication
Dial-out users should also be authenticated, particularly since your
site will have to pay their telephone charges.
Never allow dial-out from an unauthenticated dial-in call, and
consider whether you will allow it from an authenticated one. The
goal here is to prevent callers using your modem pool as part of a
chain of logins. This can be hard to detect, particularly if a
hacker sets up a path through several hosts on your site.
At a minimum, don't allow the same modems and phone lines to be used
for both dial-in and dial-out. This can be implemented easily if you
run separate dial-in and dial-out modem pools.
Fraser, Ed. Informational [Page 33]
RFC 2196 Site Security Handbook September 1997
4.5.4.7 Make Your Modem Programming as "Bullet-proof" as Possible
Be sure modems can't be reprogrammed while they're in service. At a
minimum, make sure that three plus signs won't put your dial-in
modems into command mode!
Program your modems to reset to your standard configuration at the
start of each new call. Failing this, make them reset at the end of
each call. This precaution will protect you against accidental
reprogramming of your modems. Resetting at both the end and the
beginning of each call will assure an even higher level of confidence
that a new caller will not inherit a previous caller's session.
Check that your modems terminate calls cleanly. When a user logs out
from an access server, verify that the server hangs up the phone line
properly. It is equally important that the server forces logouts
from whatever sessions were active if the user hangs up unexpectedly.
4.6 Auditing
This section covers the procedures for collecting data generated by
network activity, which may be useful in analyzing the security of a
network and responding to security incidents.
4.6.1 What to Collect
Audit data should include any attempt to achieve a different security
level by any person, process, or other entity in the network. This
includes login and logout, super user access (or the non-UNIX
equivalent), ticket generation (for Kerberos, for example), and any
other change of access or status. It is especially important to note
"anonymous" or "guest" access to public servers.
The actual data to collect will differ for different sites and for
different types of access changes within a site. In general, the
information you want to collect includes: username and hostname, for
login and logout; previous and new access rights, for a change of
access rights; and a timestamp. Of course, there is much more
information which might be gathered, depending on what the system
makes available and how much space is available to store that
information.
One very important note: do not gather passwords. This creates an
enormous potential security breach if the audit records should be
improperly accessed. Do not gather incorrect passwords either, as
they often differ from valid passwords by only a single character or
transposition.
Fraser, Ed. Informational [Page 34]
RFC 2196 Site Security Handbook September 1997
4.6.2 Collection Process
The collection process should be enacted by the host or resource
being accessed. Depending on the importance of the data and the need
to have it local in instances in which services are being denied,
data could be kept local to the resource until needed or be
transmitted to storage after each event.
There are basically three ways to store audit records: in a
read/write file on a host, on a write-once/read-many device (e.g., a
CD-ROM or a specially configured tape drive), or on a write-only
device (e.g., a line printer). Each method has advantages and
disadvantages.
File system logging is the least resource intensive of the three
methods and the easiest to configure. It allows instant access to
the records for analysis, which may be important if an attack is in
progress. File system logging is also the least reliable method. If
the logging host has been compromised, the file system is usually the
first thing to go; an intruder could easily cover up traces of the
intrusion.
Collecting audit data on a write-once device is slightly more effort
to configure than a simple file, but it has the significant advantage
of greatly increased security because an intruder could not alter the
data showing that an intrusion has occurred. The disadvantage of
this method is the need to maintain a supply of storage media and the
cost of that media. Also, the data may not be instantly available.
Line printer logging is useful in system where permanent and
immediate logs are required. A real time system is an example of
this, where the exact point of a failure or attack must be recorded.
A laser printer, or other device which buffers data (e.g., a print
server), may suffer from lost data if buffers contain the needed data
at a critical instant. The disadvantage of, literally, "paper
trails" is the need to keep the printer fed and the need to scan
records by hand. There is also the issue of where to store the,
potentially, enormous volume of paper which may be generated.
For each of the logging methods described, there is also the issue of
securing the path between the device generating the log and actual
logging device (i.e., the file server, tape/CD-ROM drive, printer).
If that path is compromised, logging can be stopped or spoofed or
both. In an ideal world, the logging device would be directly
Fraser, Ed. Informational [Page 35]
RFC 2196 Site Security Handbook September 1997
attached by a single, simple, point-to-point cable. Since that is
usually impractical, the path should pass through the minimum number
of networks and routers. Even if logs can be blocked, spoofing can
be prevented with cryptographic checksums (it probably isn't
necessary to encrypt the logs because they should not contain
sensitive information in the first place).
4.6.3 Collection Load
Collecting audit data may result in a rapid accumulation of bytes so
storage availability for this information must be considered in
advance. There are a few ways to reduce the required storage space.
First, data can be compressed, using one of many methods. Or, the
required space can be minimized by keeping data for a shorter period
of time with only summaries of that data kept in long-term archives.
One major drawback to the latter method involves incident response.
Often, an incident has been ongoing for some period of time when a
site notices it and begins to investigate. At that point in time,
it's very helpful to have detailed audit logs available. If these are
just summaries, there may not be sufficient detail to fully handle
the incident.
4.6.4 Handling and Preserving Audit Data
Audit data should be some of the most carefully secured data at the
site and in the backups. If an intruder were to gain access to audit
logs, the systems themselves, in addition to the data, would be at
risk.
Audit data may also become key to the investigation, apprehension,
and prosecution of the perpetrator of an incident. For this reason,
it is advisable to seek the advice of legal council when deciding how
audit data should be treated. This should happen before an incident
occurs.
If a data handling plan is not adequately defined prior to an
incident, it may mean that there is no recourse in the aftermath of
an event, and it may create liability resulting from improper
treatment of the data.
4.6.5 Legal Considerations
Due to the content of audit data, there are a number of legal
questions that arise which might need to be addressed by your legal
counsel. If you collect and save audit data, you need to be prepared
for consequences resulting both from its existence and its content.
Fraser, Ed. Informational [Page 36]
RFC 2196 Site Security Handbook September 1997
One area concerns the privacy of individuals. In certain instances,
audit data may contain personal information. Searching through the
data, even for a routine check of the system's security, could
represent an invasion of privacy.
A second area of concern involves knowledge of intrusive behavior
originating from your site. If an organization keeps audit data, is
it responsible for examining it to search for incidents? If a host
in one organization is used as a launching point for an attack
against another organization, can the second organization use the
audit data of the first organization to prove negligence on the part
of that organization?
The above examples are meant to be comprehensive, but should motivate
your organization to consider the legal issues involved with audit
data.
4.7 Securing Backups
The procedure of creating backups is a classic part of operating a
computer system. Within the context of this document, backups are
addressed as part of the overall security plan of a site. There are
several aspects to backups that are important within this context:
(1) Make sure your site is creating backups
(2) Make sure your site is using offsite storage for backups. The
storage site should be carefully selected for both its security
and its availability.
(3) Consider encrypting your backups to provide additional protection
of the information once it is off-site. However, be aware that
you will need a good key management scheme so that you'll be
able to recover data at any point in the future. Also, make
sure you will have access to the necessary decryption programs
at such time in the future as you need to perform the
decryption.
(4) Don't always assume that your backups are good. There have been
many instances of computer security incidents that have gone on
for long periods of time before a site has noticed the incident.
In such cases, backups of the affected systems are also tainted.
(5) Periodically verify the correctness and completeness of your
backups.
5. Security Incident Handling
This chapter of the document will supply guidance to be used before,
during, and after a computer security incident occurs on a host,
network, site, or multi-site environment. The operative philosophy
in the event of a breach of computer security is to react according
Fraser, Ed. Informational [Page 37]
RFC 2196 Site Security Handbook September 1997
to a plan. This is true whether the breach is the result of an
external intruder attack, unintentional damage, a student testing
some new program to exploit a software vulnerability, or a
disgruntled employee. Each of the possible types of events, such as
those just listed, should be addressed in advance by adequate
contingency plans.
Traditional computer security, while quite important in the overall
site security plan, usually pays little attention to how to actually
handle an attack once one occurs. The result is that when an attack
is in progress, many decisions are made in haste and can be damaging
to tracking down the source of the incident, collecting evidence to
be used in prosecution efforts, preparing for the recovery of the
system, and protecting the valuable data contained on the system.
One of the most important, but often overlooked, benefits for
efficient incident handling is an economic one. Having both
technical and managerial personnel respond to an incident requires
considerable resources. If trained to handle incidents efficiently,
less staff time is required when one occurs.
Due to the world-wide network most incidents are not restricted to a
single site. Operating systems vulnerabilities apply (in some cases)
to several millions of systems, and many vulnerabilities are
exploited within the network itself. Therefore, it is vital that all
sites with involved parties be informed as soon as possible.
Another benefit is related to public relations. News about computer
security incidents tends to be damaging to an organization's stature
among current or potential clients. Efficient incident handling
minimizes the potential for negative exposure.
A final benefit of efficient incident handling is related to legal
issues. It is possible that in the near future organizations may be
held responsible because one of their nodes was used to launch a
network attack. In a similar vein, people who develop patches or
workarounds may be sued if the patches or workarounds are
ineffective, resulting in compromise of the systems, or, if the
patches or workarounds themselves damage systems. Knowing about
operating system vulnerabilities and patterns of attacks, and then
taking appropriate measures to counter these potential threats, is
critical to circumventing possible legal problems.
Fraser, Ed. Informational [Page 38]
RFC 2196 Site Secur