As per the relevance of the word computer, we have this RFC below:

Network Working Group                                          B. Fraser
Request for Comments: 2196                                        Editor
FYI: 8                                                           SEI/CMU
Obsoletes: 1244                                           September 1997
Category: Informational


Site Security Handbook


Status of this Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.



Abstract

This handbook is a guide to developing computer security policies and
procedures for sites that have systems on the Internet. The purpose
of this handbook is to provide practical guidance to administrators
trying to secure their information and services. The subjects
covered include policy content and formation, a broad range of
technical system and network security topics, and security incident
response.


Table of Contents

1. Introduction.................................................... 2
1.1 Purpose of this Work............................................ 3
1.2 Audience........................................................ 3
1.3 Definitions..................................................... 3
1.4 Related Work.................................................... 4
1.5 Basic Approach.................................................. 4
1.6 Risk Assessment................................................. 5
2. Security Policies............................................... 6
2.1 What is a Security Policy and Why Have One?..................... 6
2.2 What Makes a Good Security Policy?.............................. 9
2.3 Keeping the Policy Flexible..................................... 11
3. Architecture.................................................... 11
3.1 Objectives...................................................... 11
3.2 Network and Service Configuration............................... 14
3.3 Firewalls....................................................... 20
4. Security Services and Procedures................................ 24
4.1 Authentication.................................................. 24
4.2 Confidentiality................................................. 28
4.3 Integrity....................................................... 28



Fraser, Ed. Informational [Page 1]

RFC 2196 Site Security Handbook September 1997


4.4 Authorization................................................... 29
4.5 Access.......................................................... 30
4.6 Auditing........................................................ 34
4.7 Securing Backups................................................ 37
5. Security Incident Handling...................................... 37
5.1 Preparing and Planning for Incident Handling.................... 39
5.2 Notification and Points of Contact.............................. 42
5.3 Identifying an Incident......................................... 50
5.4 Handling an Incident............................................ 52
5.5 Aftermath of an Incident........................................ 58
5.6 Responsibilities................................................ 59
6. Ongoing Activities.............................................. 60
7. Tools and Locations............................................. 60
8. Mailing Lists and Other Resources............................... 62
9. References...................................................... 64

1. Introduction

This document provides guidance to system and network administrators
on how to address security issues within the Internet community. It
builds on the foundation provided in RFC 1244 and is the collective
work of a number of contributing authors. Those authors include:
Jules P. Aronson (aronson@nlm.nih.gov), Nevil Brownlee
(n.brownlee@auckland.ac.nz), Frank Byrum (byrum@norfolk.infi.net),
Joao Nuno Ferreira (ferreira@rccn.net), Barbara Fraser
(byf@cert.org), Steve Glass (glass@ftp.com), Erik Guttman
(erik.guttman@eng.sun.com), Tom Killalea (tomk@nwnet.net),
Klaus-Peter Kossakowski (kossakowski@cert.dfn.de), Lorna Leong
(lorna@staff.singnet.com.sg), Edward P. Lewis
(Edward.P.Lewis.1@gsfc.nasa.gov), Gary Malkin (gmalkin@xylogics.com),
Russ Mundy (mundy@tis.com), Philip J. Nesser
(pjnesser@martigny.ai.mit.edu), and Michael S. Ramsey
(msr@interpath.net).

In addition to the principal writers, a number of reviewers provided
valuable comments. Those reviewers include: Eric Luiijf
(luiijf@fel.tno.nl), Marijke Kaat (marijke.kaat@sec.nl), Ray Plzak
(plzak@nic.mil) and Han Pronk (h.m.pronk@vka.nl).

A special thank you goes to Joyce Reynolds, ISI, and Paul Holbrook,
CICnet, for their vision, leadership, and effort in the creation of
the first version of this handbook. It is the working group's sincere
hope that this version will be as helpful to the community as the
earlier one was.


1.1 Purpose of This Work

This handbook is a guide to setting computer security policies and
procedures for sites that have systems on the Internet (however, the
information provided should also be useful to sites not yet connected
to the Internet). This guide lists issues and factors that a site
must consider when setting their own policies. It makes a number of
recommendations and provides discussions of relevant areas.

This guide is only a framework for setting security policies and
procedures. In order to have an effective set of policies and
procedures, a site will have to make many decisions, gain agreement,
and then communicate and implement these policies.

1.2 Audience

The audience for this document are system and network administrators,
and decision makers (typically "middle management") at sites. For
brevity, we will use the term "administrator" throughout this
document to refer to system and network administrators.

This document is not directed at programmers or those trying to
create secure programs or systems. The focus of this document is on
the policies and procedures that need to be in place to support the
technical security features that a site may be implementing.

The primary audience for this work are sites that are members of the
Internet community. However, this document should be useful to any
site that allows communication with other sites. As a general guide
to security policies, this document may also be useful to sites with
isolated systems.

1.3 Definitions

For the purposes of this guide, a "site" is any organization that
owns computers or network-related resources. These resources may
include host computers that users use, routers, terminal servers, PCs
or other devices that have access to the Internet. A site may be an
end user of Internet services or a service provider such as a mid-
level network. However, most of the focus of this guide is on those
end users of Internet services. We assume that the site has the
ability to set policies and procedures for itself with the
concurrence and support from those who actually own the resources. It
will be assumed that sites that are parts of larger organizations
will know when they need to consult, collaborate, or take
recommendations from, the larger entity.

The "Internet" is a collection of thousands of networks linked by a
common set of technical protocols which make it possible for users of
any one of the networks to communicate with, or use the services
located on, any of the other networks (FYI4, RFC 1594).

The term "administrator" is used to cover all those people who are
responsible for the day-to-day operation of system and network
resources. This may be a number of individuals or an organization.

The term "security administrator" is used to cover all those people
who are responsible for the security of information and information
technology. At some sites this function may be combined with
administrator (above); at others, this will be a separate position.

The term "decision maker" refers to those people at a site who set or
approve policy. These are often (but not always) the people who own
the resources.

1.4 Related Work

The Site Security Handbook Working Group is working on a User's Guide
to Internet Security. It will provide practical guidance to end users
to help them protect their information and the resources they use.

1.5 Basic Approach

This guide is written to provide basic guidance in developing a
security plan for your site. One generally accepted approach to
follow is suggested by Fites, et al. [Fites 1989] and includes the
following steps:

(1) Identify what you are trying to protect.
(2) Determine what you are trying to protect it from.
(3) Determine how likely the threats are.
(4) Implement measures which will protect your assets in a cost-
effective manner.
(5) Review the process continuously and make improvements each time
a weakness is found.

Most of this document is focused on item 4 above, but the other steps
cannot be avoided if an effective plan is to be established at your
site. One old truism in security is that the cost of protecting
yourself against a threat should be less than the cost of recovering
if the threat were to strike you. Cost in this context should be
remembered to include losses expressed in real currency, reputation,
trustworthiness, and other less obvious measures. Without reasonable
knowledge of what you are protecting and what the likely threats are,
following this rule could be difficult.

1.6 Risk Assessment

1.6.1 General Discussion

One of the most important reasons for creating a computer security
policy is to ensure that efforts spent on security yield cost
effective benefits. Although this may seem obvious, it is possible
to be misled about where the effort is needed. As an example, there
is a great deal of publicity about intruders on computer systems;
yet most surveys of computer security show that, for most
organizations, the actual loss from "insiders" is much greater.

Risk analysis involves determining what you need to protect, what you
need to protect it from, and how to protect it. It is the process of
examining all of your risks, then ranking those risks by level of
severity. This process involves making cost-effective decisions on
what you want to protect. As mentioned above, you should probably
not spend more to protect something than it is actually worth.

A full treatment of risk analysis is outside the scope of this
document. [Fites 1989] and [Pfleeger 1989] provide introductions to
this topic. However, there are two elements of a risk analysis that
will be briefly covered in the next two sections:

(1) Identifying the assets
(2) Identifying the threats

For each asset, the basic goals of security are availability,
confidentiality, and integrity. Each threat should be examined with
an eye to how the threat could affect these areas.

1.6.2 Identifying the Assets

One step in a risk analysis is to identify all the things that need
to be protected. Some things are obvious, like valuable proprietary
information, intellectual property, and all the various pieces of
hardware; but, some are overlooked, such as the people who actually
use the systems. The essential point is to list all things that could
be affected by a security problem.

One list of categories is suggested by Pfleeger [Pfleeger 1989]; this
list is adapted from that source:

(1) Hardware: CPUs, boards, keyboards, terminals,
workstations, personal computers, printers, disk
drives, communication lines, terminal servers, routers.

(2) Software: source programs, object programs,
utilities, diagnostic programs, operating systems,
communication programs.

(3) Data: during execution, stored on-line, archived off-line,
backups, audit logs, databases, in transit over
communication media.

(4) People: users, administrators, hardware maintainers.

(5) Documentation: on programs, hardware, systems, local
administrative procedures.

(6) Supplies: paper, forms, ribbons, magnetic media.

1.6.3 Identifying the Threats

Once the assets requiring protection are identified, it is necessary
to identify threats to those assets. The threats can then be
examined to determine what potential for loss exists. It helps to
consider from what threats you are trying to protect your assets.
The following are classic threats that should be considered.
Depending on your site, there will be more specific threats that
should be identified and addressed.

(1) Unauthorized access to resources and/or information
(2) Unintended and/or unauthorized disclosure of information
(3) Denial of service

2. Security Policies

Throughout this document there will be many references to policies.
Often these references will include recommendations for specific
policies. Rather than repeat guidance in how to create and
communicate such a policy, the reader should apply the advice
presented in this chapter when developing any policy described
later in this book.

2.1 What is a Security Policy and Why Have One?

The security-related decisions you make, or fail to make, as
administrator largely determine how secure or insecure your network
is, how much functionality your network offers, and how easy your
network is to use. However, you cannot make good decisions about
security without first determining what your security goals are.
Until you determine what your security goals are, you cannot make
effective use of any collection of security tools because you simply
will not know what to check for and what restrictions to impose.

For example, your goals will probably be very different from the
goals of a product vendor. Vendors are trying to make configuration
and operation of their products as simple as possible, which implies
that the default configurations will often be as open (i.e.,
insecure) as possible. While this does make it easier to install new
products, it also leaves access to those systems, and other systems
through them, open to any user who wanders by.

Your goals will be largely determined by the following key tradeoffs:

(1) services offered versus security provided -
Each service offered to users carries its own security risks.
For some services the risk outweighs the benefit of the service
and the administrator may choose to eliminate the service rather
than try to secure it.

(2) ease of use versus security -
The easiest system to use would allow access to any user and
require no passwords; that is, there would be no security.
Requiring passwords makes the system a little less convenient,
but more secure. Requiring device-generated one-time passwords
makes the system even more difficult to use, but much more
secure.

(3) cost of security versus risk of loss -
There are many different costs to security: monetary (i.e., the
cost of purchasing security hardware and software like firewalls
and one-time password generators), performance (i.e., encryption
and decryption take time), and ease of use (as mentioned above).
There are also many levels of risk: loss of privacy (i.e., the
reading of information by unauthorized individuals), loss of
data (i.e., the corruption or erasure of information), and the
loss of service (e.g., the filling of data storage space, usage
of computational resources, and denial of network access). Each
type of cost must be weighed against each type of loss.

Your goals should be communicated to all users, operations staff, and
managers through a set of security rules, called a "security policy."
We are using this term, rather than the narrower "computer security
policy" since the scope includes all types of information technology
and the information stored and manipulated by the technology.

2.1.1 Definition of a Security Policy

A security policy is a formal statement of the rules by which people
who are given access to an organization's technology and information
assets must abide.

2.1.2 Purposes of a Security Policy

The main purpose of a security policy is to inform users, staff and
managers of their obligatory requirements for protecting technology
and information assets. The policy should specify the mechanisms
through which these requirements can be met. Another purpose is to
provide a baseline from which to acquire, configure and audit
computer systems and networks for compliance with the policy.
Therefore an attempt to use a set of security tools in the absence of
at least an implied security policy is meaningless.

An Appropriate Use Policy (AUP) may also be part of a security
policy. It should spell out what users shall and shall not do on the
various components of the system, including the type of traffic
allowed on the networks. The AUP should be as explicit as possible
to avoid ambiguity or misunderstanding. For example, an AUP might
list any prohibited USENET newsgroups. (Note: Appropriate Use Policy
is referred to as Acceptable Use Policy by some sites.)

2.1.3 Who Should be Involved When Forming Policy?

In order for a security policy to be appropriate and effective, it
needs to have the acceptance and support of all levels of employees
within the organization. It is especially important that corporate
management fully support the security policy process otherwise there
is little chance that they will have the intended impact. The
following is a list of individuals who should be involved in the
creation and review of security policy documents:

(1) site security administrator
(2) information technology technical staff (e.g., staff from
computing center)
(3) administrators of large user groups within the organization
(e.g., business divisions, computer science department within a
university, etc.)
(4) security incident response team
(5) representatives of the user groups affected by the security
policy
(6) responsible management
(7) legal counsel (if appropriate)

The list above is representative of many organizations, but is not
necessarily comprehensive. The idea is to bring in representation
from key stakeholders, management who have budget and policy
authority, technical staff who know what can and cannot be supported,
and legal counsel who know the legal ramifications of various policy
choices. In some organizations, it may be appropriate to include EDP
audit personnel. Involving this group is important if resulting
policy statements are to reach the broadest possible acceptance. It
is also relevant to mention that the role of legal counsel will also
vary from country to country.

2.2 What Makes a Good Security Policy?

The characteristics of a good security policy are:

(1) It must be implementable through system administration
procedures, publishing of acceptable use guidelines, or other
appropriate methods.

(2) It must be enforceable with security tools, where appropriate,
and with sanctions, where actual prevention is not technically
feasible.

(3) It must clearly define the areas of responsibility for the
users, administrators, and management.

The components of a good security policy include:

(1) Computer Technology Purchasing Guidelines which specify
required, or preferred, security features. These should
supplement existing purchasing policies and guidelines.

(2) A Privacy Policy which defines reasonable expectations of
privacy regarding such issues as monitoring of electronic mail,
logging of keystrokes, and access to users' files.

(3) An Access Policy which defines access rights and privileges to
protect assets from loss or disclosure by specifying acceptable
use guidelines for users, operations staff, and management. It
should provide guidelines for external connections, data
communications, connecting devices to a network, and adding new
software to systems. It should also specify any required
notification messages (e.g., connect messages should provide
warnings about authorized usage and line monitoring, and not
simply say "Welcome").

(4) An Accountability Policy which defines the responsibilities of
users, operations staff, and management. It should specify an
audit capability, and provide incident handling guidelines
(i.e., what to do and who to contact if a possible intrusion is
detected).

(5) An Authentication Policy which establishes trust through an
effective password policy, and by setting guidelines for remote
location authentication and the use of authentication devices
(e.g., one-time passwords and the devices that generate them).

(6) An Availability statement which sets users' expectations for the
availability of resources. It should address redundancy and
recovery issues, as well as specify operating hours and
maintenance down-time periods. It should also include contact
information for reporting system and network failures.

(7) An Information Technology System & Network Maintenance Policy
which describes how both internal and external maintenance
people are allowed to handle and access technology. One
important topic to be addressed here is whether remote
maintenance is allowed and how such access is controlled.
Another area for consideration here is outsourcing and how it is
managed.

(8) A Violations Reporting Policy that indicates which types of
violations (e.g., privacy and security, internal and external)
must be reported and to whom the reports are made. A non-
threatening atmosphere and the possibility of anonymous
reporting will result in a greater probability that a violation
will be reported if it is detected.

(9) Supporting Information which provides users, staff, and
management with contact information for each type of policy
violation; guidelines on how to handle outside queries about a
security incident, or information which may be considered
confidential or proprietary; and cross-references to security
procedures and related information, such as company policies and
governmental laws and regulations.

There may be regulatory requirements that affect some aspects of your
security policy (e.g., line monitoring). The creators of the
security policy should consider seeking legal assistance in the
creation of the policy. At a minimum, the policy should be reviewed
by legal counsel.

Once your security policy has been established it should be clearly
communicated to users, staff, and management. Having all personnel
sign a statement indicating that they have read, understood, and
agreed to abide by the policy is an important part of the process.
Finally, your policy should be reviewed on a regular basis to see if
it is successfully supporting your security needs.

2.3 Keeping the Policy Flexible

In order for a security policy to be viable for the long term, it
requires a lot of flexibility based upon an architectural security
concept. A security policy should be (largely) independent from
specific hardware and software situations (as specific systems tend
to be replaced or moved overnight). The mechanisms for updating the
policy should be clearly spelled out. This includes the process, the
people involved, and the people who must sign off on the changes.

It is also important to recognize that there are exceptions to every
rule. Whenever possible, the policy should spell out what exceptions
to the general policy exist. For example, under what conditions is a
system administrator allowed to go through a user's files. Also,
there may be some cases when multiple users will have access to the
same userid. For example, on systems with a "root" user, multiple
system administrators may know the password and use the root account.

Another consideration is called the "Garbage Truck Syndrome." This
refers to what would happen to a site if a key person was suddenly
unavailable for his/her job function (e.g., was suddenly ill or left
the company unexpectedly). While the greatest security resides in
the minimum dissemination of information, the risk of losing critical
information increases when that information is not shared. It is
important to determine what the proper balance is for your site.

3. Architecture

3.1 Objectives

3.1.1 Completely Defined Security Plans

All sites should define a comprehensive security plan. This plan
should be at a higher level than the specific policies discussed in
chapter 2, and it should be crafted as a framework of broad
guidelines into which specific policies will fit.

It is important to have this framework in place so that individual
policies can be consistent with the overall site security
architecture. For example, having a strong policy with regard to
Internet access and having weak restrictions on modem usage is
inconsistent with an overall philosophy of strong security
restrictions on external access.

A security plan should define: the list of network services that will
be provided; which areas of the organization will provide the
services; who will have access to those services; how access will be
provided; who will administer those services; etc.

The plan should also address how incidents will be handled. Chapter 5
provides an in-depth discussion of this topic, but it is important
for each site to define classes of incidents and corresponding
responses. For example, sites with firewalls should set a threshold
on the number of attempts made to foil the firewall before triggering
a response. Escalation levels should be defined for both attacks
and responses. Sites without firewalls will have to determine if a
single attempt to connect to a host constitutes an incident, and what
about a systematic scan of systems.

For sites connected to the Internet, the rampant media magnification
of Internet related security incidents can overshadow a (potentially)
more serious internal security problem. Likewise, companies who have
never been connected to the Internet may have strong, well defined,
internal policies but fail to adequately address an external
connection policy.

3.1.2 Separation of Services

There are many services which a site may wish to provide for its
users, some of which may be external. There are a variety of
security reasons to attempt to isolate services onto dedicated host
computers. There are also performance reasons in most cases, but a
detailed discussion is beyond the scope of this document.

The services which a site may provide will, in most cases, have
different levels of access needs and models of trust. Services which
are essential to the security or smooth operation of a site would be
better off being placed on a dedicated machine with very limited
access (see Section 3.1.3 "deny all" model), rather than on a machine
that provides a service (or services) which has traditionally been
less secure, or requires greater accessibility by users who may
accidentally suborn security.

It is also important to distinguish between hosts which operate
within different models of trust (e.g., all the hosts inside of a
firewall and any host on an exposed network).

Some of the services which should be examined for potential
separation are outlined in section 3.2.3. It is important to remember
that security is only as strong as the weakest link in the chain.
Several of the most publicized penetrations in recent years have been
through the exploitation of vulnerabilities in electronic mail
systems. The intruders were not trying to steal electronic mail, but
they used the vulnerability in that service to gain access to other
systems.

If possible, each service should be running on a different machine
whose only duty is to provide a specific service. This helps to
isolate intruders and limit potential harm.

3.1.3 Deny all/ Allow all

There are two diametrically opposed underlying philosophies which can
be adopted when defining a security plan. Both alternatives are
legitimate models to adopt, and the choice between them will depend
on the site and its needs for security.

The first option is to turn off all services and then selectively
enable services on a case by case basis as they are needed. This can
be done at the host or network level as appropriate. This model,
which will hereafter be referred to as the "deny all" model, is
generally more secure than the other model described in the next
paragraph. More work is required to successfully implement a "deny
all" configuration as well as a better understanding of services.
Allowing only known services provides for a better analysis of a
particular service/protocol and the design of a security mechanism
suited to the security level of the site.

The other model, which will hereafter be referred to as the "allow
all" model, is much easier to implement, but is generally less secure
than the "deny all" model. Simply turn on all services, usually the
default at the host level, and allow all protocols to travel across
network boundaries, usually the default at the router level. As
security holes become apparent, they are restricted or patched at
either the host or network level.

Each of these models can be applied to different portions of the
site, depending on functionality requirements, administrative
control, site policy, etc. For example, the policy may be to use the
"allow all" model when setting up workstations for general use, but
adopt a "deny all" model when setting up information servers, like an
email hub. Likewise, an "allow all" policy may be adopted for
traffic between LANs internal to the site, but a "deny all" policy
can be adopted between the site and the Internet.

Be careful when mixing philosophies as in the examples above. Many
sites adopt the theory of a hard "crunchy" shell and a soft "squishy"
middle. They are willing to pay the cost of security for their
external traffic and require strong security measures, but are
unwilling or unable to provide similar protections internally. This
works fine as long as the outer defenses are never breached and the
internal users can be trusted. Once the outer shell (firewall) is
breached, subverting the internal network is trivial.
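The two models above, as an added Python illustration that is not part of RFC 2196: a filter is a default action plus explicit exceptions, and the difference shows up when a service nobody planned for (a gopher daemon or RPC left on by default) appears on a host. Host names, ports and services are constructed for the example.

```python
"""Model of the "deny all" and "allow all" filtering models from 3.1.3.

Added illustration, not text or code from RFC 2196. Service names, ports
and hosts are constructed for the example.
"""

# Constructed site inventory: the services the site consciously decided to
# offer (email hub, web server) plus two that simply appeared on hosts.
KNOWN_SERVICES = {
    ("mailhub", 25): "smtp",
    ("www", 80): "http",
}
APPEARED_LATER = {
    ("www", 70): "gopher",       # fad service enabled by default on the host
    ("fileserver", 111): "rpc",  # hard to filter safely, per 3.1.4
}


class FilterPolicy:
    """A filter is a default action plus explicit exceptions.

    deny-all:  default "deny", exceptions are services enabled case by case.
    allow-all: default "allow", exceptions are holes restricted after the fact.
    """

    def __init__(self, default, exceptions=()):
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.default = default
        self.exceptions = set(exceptions)  # (host, port) pairs

    def decide(self, host, port):
        """Decision for one (host, port): the exception list flips the default."""
        listed = (host, port) in self.exceptions
        if self.default == "deny":
            return "allow" if listed else "deny"
        return "deny" if listed else "allow"

    def restrict(self, host, port):
        """Allow-all reaction to a newly discovered hole: add a block rule.
        Under deny-all nothing needs to change; the hole was never reachable."""
        if self.default == "allow":
            self.exceptions.add((host, port))


def evaluate(policy, services):
    """Return {service name: decision} for every (host, port) in services."""
    return {name: policy.decide(host, port)
            for (host, port), name in services.items()}


def compare_models():
    """Show what each model does to the services that appeared unplanned."""
    all_services = {**KNOWN_SERVICES, **APPEARED_LATER}
    deny_all = FilterPolicy("deny", exceptions=KNOWN_SERVICES.keys())
    allow_all = FilterPolicy("allow")
    before = {"deny_all": evaluate(deny_all, all_services),
              "allow_all": evaluate(allow_all, all_services)}
    # Under allow-all the holes stay exposed until someone notices; patch them.
    for host, port in APPEARED_LATER:
        allow_all.restrict(host, port)
    after_patch = evaluate(allow_all, all_services)
    return before, after_patch
```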

3.1.4 Identify Real Needs for Services

There is a large variety of services which may be provided, both
internally and on the Internet at large. Managing security is, in
many ways, managing access to services internal to the site and
managing how internal users access information at remote sites.

Services tend to rush like waves over the Internet. Over the years
many sites have established anonymous FTP servers, gopher servers,
wais servers, WWW servers, etc. as they became popular, but not
particularly needed, at all sites. Evaluate all new services that
are established with a skeptical attitude to determine if they are
actually needed or just the current fad sweeping the Internet.

Bear in mind that security complexity can grow exponentially with the
number of services provided. Filtering routers need to be modified
to support the new protocols. Some protocols are inherently
difficult to filter safely (e.g., RPC and UDP services), thus
providing more openings to the internal network. Services provided
on the same machine can interact in catastrophic ways. For example,
allowing anonymous FTP on the same machine as the WWW server may
allow an intruder to place a file in the anonymous FTP area and cause
the HTTP server to execute it.

3.2 Network and Service Configuration

3.2.1 Protecting the Infrastructure

Many network administrators go to great lengths to protect the hosts
on their networks. Few administrators make any effort to protect the
networks themselves. There is some rationale to this. For example,
it is far easier to protect a host than a network. Also, intruders
are likely to be after data on the hosts; damaging the network would
not serve their purposes. That said, there are still reasons to
protect the networks. For example, an intruder might divert network
traffic through an outside host in order to examine the data (i.e.,
to search for passwords). Also, infrastructure includes more than
the networks and the routers which interconnect them. Infrastructure
also includes network management (e.g., SNMP), services (e.g., DNS,
NFS, NTP, WWW), and security (i.e., user authentication and access
restrictions).

The infrastructure also needs protection against human error. When
an administrator misconfigures a host, that host may offer degraded
service. This only affects users who require that host and, unless
that host is a primary server, the number of affected users will
therefore be limited. However, if a router is misconfigured, all
users who require the network will be affected. Obviously, this is a
far larger number of users than those depending on any one host.

3.2.2 Protecting the

There are several problems to which networks are vulnerable.
classic problem is a "denial of service" attack. In this case,
network is brought to a state in which it can no longer
legitimate users' data. There are two common ways this can be done
by attacking the routers and by flooding the network with
traffic. Please note that the term "router" in this section is
as an example of a larger class of active network
components that also includes components like firewalls, proxy
servers, etc

An attack on the router is designed to cause it to stop forwarding
packets, or to forward them improperly. The former case may be due
to a misconfiguration, the injection of a spurious routing update, or
a "flood attack" (i.e., the router is bombarded with unroutable
packets, causing its performance to degrade). A flood attack on a
network is similar to a flood attack on a router, except that the
flood packets are usually broadcast. An ideal flood attack would be
the injection of a single packet which exploits some known flaw in
the network nodes and causes them to retransmit the packet, or
generate error packets, each of which is picked up and repeated by
another host. A well chosen attack packet can even generate an
exponential explosion of transmissions.

Another classic problem is "spoofing." In this case, spurious
routing updates are sent to one or more routers causing them to
misroute packets. This differs from a denial of service attack only
in the purpose behind the spurious route. In denial of service, the
object is to make the router unusable; a state which will be quickly
detected by network users. In spoofing, the spurious route will
cause packets to be routed to a host from which an intruder may
monitor the data in the packets. These packets are then re-routed to
their correct destinations. However, the intruder may or may not
have altered the contents of the packets.

The solution to most of these problems is to protect the routing
update packets sent by the routing protocols in use (e.g., RIP-2,
OSPF). There are three levels of protection: clear-text password,
cryptographic checksum, and encryption. Passwords offer only minimal
protection against intruders who do not have direct access to the
physical networks. Passwords also offer some protection against
misconfigured routers (i.e., routers which, out of the box, attempt to
route packets). The advantage of passwords is that they have a very
low overhead, in both bandwidth and CPU consumption. Checksums
protect against the injection of spurious packets, even if the
intruder has direct access to the physical network. Combined with a
sequence number, or other unique identifier, a checksum can also
protect against "replay" attacks, wherein an old (but valid at the
time) routing update is retransmitted by either an intruder or a
misbehaving router. The most security is provided by complete
encryption of sequenced, or uniquely identified, routing updates.
This prevents an intruder from determining the topology of the
network. The disadvantage to encryption is the overhead involved in
processing the updates.

RIP-2 (RFC 1723) and OSPF (RFC 1583) both support clear-text
passwords in their base design specifications. In addition, there
are extensions to each base protocol to support MD5 encryption.
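As an added illustration (not part of RFC 2196, and not the RIP-2 or
OSPF packet format), the following Python models the first two
protection levels described above: a routing update that carries a
clear-text password, and one that carries a sequence number plus a
keyed checksum. HMAC-SHA256 stands in for the keyed MD5 of the
protocol extensions; the key, prefixes and sequence numbers are
constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example: a simplified model of routing-update protection. It is not
# the RIP-2/OSPF wire format; HMAC-SHA256 stands in for the keyed MD5 used by
# the protocol extensions. The key and routes below are constructed values.
SHARED_KEY = b"example-routing-key"   # constructed sample key
MAC_LEN = 32                           # bytes in an HMAC-SHA256 tag


def encode_routes(routes):
    """Serialize [(prefix, length), ...] as 'prefix/len;prefix/len'."""
    return ";".join(f"{p}/{l}" for p, l in routes).encode()


def decode_routes(data):
    if not data:
        return []
    return [(p, int(l)) for p, l in (r.split("/") for r in data.decode().split(";"))]


# Level 1: clear-text password. Anyone who sees one update learns the
# password, so it only stops routers that were never configured with it.
def build_password_update(password, routes):
    return password.encode() + b"|" + encode_routes(routes)


def password_visible_on_wire(packet, password):
    """True if the password can be read straight out of a captured packet."""
    return packet.split(b"|", 1)[0] == password.encode()


# Level 2: keyed checksum over (sequence number || routes).
def build_checksum_update(seq, routes, key=SHARED_KEY):
    body = struct.pack("!I", seq) + encode_routes(routes)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Router:
    """Receiver: verify the checksum first, then require a fresh sequence number."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1
        self.routes = []

    def accept(self, packet):
        body, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad checksum"      # spurious or tampered update
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.last_seq:
            return "rejected: replay"            # old-but-valid update resent
        self.last_seq = seq
        self.routes = decode_routes(body[4:])
        return "accepted"


if __name__ == "__main__":
    r = Router()
    good = build_checksum_update(1, [("10.1.0.0", 16)])
    print(r.accept(good))            # accepted
    print(r.accept(good))            # rejected: replay
    forged = build_checksum_update(2, [("0.0.0.0", 0)], key=b"wrong-key")
    print(r.accept(forged))          # rejected: bad checksum
```

The receiver checks the checksum before the sequence number: a forged
or altered update is discarded without touching the replay window,
while a replayed update passes the checksum (it is genuine) and is
caught only by the sequence check, which is why the text pairs the
checksum with a sequence number or other unique identifier. The third
level, encrypting the whole update, is not modelled here.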

Unfortunately, there is no adequate protection against a flooding
attack, or a misbehaving host or router which is flooding the
network. Fortunately, this type of attack is obvious when it occurs
and can usually be terminated relatively simply.

3.2.3 Protecting the Services

There are many types of services and each has its own security
requirements. These requirements will vary based on the intended use
of the service. For example, a service which should only be usable
within a site (e.g., NFS) may require different protection mechanisms
than a service provided for external use. It may be sufficient to
protect the internal server from external access. However, a WWW
server, which provides a home page intended for viewing by users
anywhere on the Internet, requires built-in protection. That is, the
service/protocol/server must provide whatever security may be
required to prevent unauthorized access and modification of the Web
database.

Internal services (i.e., services meant to be used only by users
within a site) and external services (i.e., services deliberately
made available to users outside a site) will, in general, have
protection requirements which differ as previously described. It is
therefore wise to isolate the internal services to one set of server
host computers and the external services to another set of server
host computers. That is, internal and external servers should not be
co-located on the same host computer. In fact, many sites go so far
as to have one set of subnets (or even different networks) which are
accessible from the outside and another set which may be accessed
only within the site. Of course, there is usually a firewall which
connects these partitions. Great care must be taken to ensure that
such a firewall is operating properly.

There is increasing interest in using intranets to connect different
parts of an organization (e.g., divisions of a company). While this
document generally differentiates between external and internal
(public and private), sites using intranets should be aware that they
will need to consider three separations and take appropriate actions
when designing and offering services. A service offered to an
intranet would be neither public, nor as completely private as a
service to a single organizational subunit. Therefore, the service
would need its own supporting system, separated from both external
and internal services and networks.

One form of external service deserves some special consideration, and
that is anonymous, or guest, access. This may be either anonymous
FTP or guest (unauthenticated) login. It is extremely important to
ensure that anonymous FTP servers and guest login userids are
carefully isolated from any hosts and file systems from which outside
users should be kept. Another area to which special attention must
be paid concerns anonymous, writable access. A site may be legally
responsible for the content of publicly available information, so
careful monitoring of the information deposited by anonymous users is
advised.

Now we shall consider some of the most popular services: name
service, password/key service, authentication/proxy service,
electronic mail, WWW, file transfer, and NFS. Since these are the
most frequently used services, they are the most obvious points of
attack. Also, a successful attack on one of these services can
produce disaster all out of proportion to the innocence of the basic
service.

3.2.3.1 Name Servers (DNS and NIS(+))

The Internet uses the Domain Name System (DNS) to perform address
resolution for host and network names. The Network Information
Service (NIS) and NIS+ are not used on the global Internet, but are
subject to the same risks as a DNS server. Name-to-address
resolution is critical to the secure operation of any network. An
attacker who can successfully control or impersonate a DNS server can
re-route traffic to subvert security protections. For example,
routine traffic can be diverted to a compromised system to be
monitored; or, users can be tricked into providing authentication
secrets. An organization should create well known, protected sites
to act as secondary name servers and protect their DNS masters from
denial of service attacks using filtering routers.

Traditionally, DNS has had no security capabilities. In particular,
the information returned from a query could not be checked for
modification or verified that it had come from the name server in
question. Work has been done to incorporate digital signatures into
the protocol which, when deployed, will allow the integrity of the
information to be cryptographically verified (see RFC 2065).

3.2.3.2 Password/Key Servers (NIS(+) and KDC)

Password and key servers generally protect their vital information
(i.e., the passwords and keys) with encryption algorithms. However,
even a one-way encrypted password can be determined by a dictionary
attack (wherein common words are encrypted to see if they match the
stored encryption). It is therefore necessary to ensure that these
servers are not accessible by hosts which do not plan to use them for
the service, and even those hosts should only be able to access the
service (i.e., general services, such as Telnet and FTP, should not
be allowed by anyone other than administrators).

3.2.3.3 Authentication/Proxy Servers (SOCKS, FWTK)

A proxy server provides a number of security enhancements. It allows
sites to concentrate services through a specific host to allow
monitoring, hiding of internal structure, etc. This funnelling of
services creates an attractive target for a potential intruder. The
type of protection required for a proxy server depends greatly on the
proxy protocol in use and the services being proxied. The general
rule of limiting access only to those hosts which need the services,
and limiting access by those hosts to only those services, is a good
starting point.

3.2.3.4 Electronic Mail

Electronic mail (email) systems have long been a source for intruder
break-ins because email protocols are among the oldest and most
widely deployed services. Also, by its very nature, an email server
requires access to the outside world; most email servers accept input
from any source. An email server generally consists of two parts: a
receiving/sending agent and a processing agent. Since email is
delivered to all users, and is usually private, the processing agent
typically requires system (root) privileges to deliver the mail.
Most email implementations perform both portions of the service,
which means the receiving agent also has system privileges. This
opens several security holes which this document will not describe.
There are some implementations available which allow a separation of
the two agents. Such implementations are generally considered more
secure, but still require careful installation to avoid creating a
security problem.

3.2.3.5 World Wide Web (WWW)

The Web is growing in popularity exponentially because of its ease of
use and the powerful ability to concentrate information services.
Most WWW servers accept some type of direction and action from the
persons accessing their services. The most common example is taking
a request from a remote user and passing the provided information to
a program running on the server to process the request. Some of
these programs are not written with security in mind and can create
security holes. If a Web server is available to the Internet
community, it is especially important that confidential information
not be co-located on the same host as that server. In fact, it is
recommended that the server have a dedicated host which is not
"trusted" by other internal hosts.

Many sites may want to co-locate FTP service with their WWW service.
But this should only occur for anon-ftp servers that only provide
information (ftp-get). Anon-ftp puts, in combination with WWW, might
be dangerous (e.g., they could result in modifications to the
information your site is publishing to the web) and in themselves
make the security considerations for each service different.

3.2.3.6 File Transfer (FTP, TFTP)

FTP and TFTP both allow users to receive and send electronic files in
a point-to-point manner. However, FTP requires authentication while
TFTP requires none. For this reason, TFTP should be avoided as much
as possible.

Improperly configured FTP servers can allow intruders to copy,
replace and delete files at will, anywhere on a host, so it is very
important to configure this service correctly. Access to encrypted
passwords and proprietary data, and the introduction of Trojan horses
are just a few of the potential security holes that can occur when
the service is configured incorrectly. FTP servers should reside on
their own host. Some sites choose to co-locate FTP with a Web
server, since the two protocols share common security considerations.
However, the practice isn't recommended, especially when the FTP
service allows the deposit of files (see section on WWW above). As
mentioned in the opening paragraphs of section 3.2.3, services
offered internally to your site should not be co-located with
services offered externally. Each should have its own host.

TFTP does not support the same range of functions as FTP, and has no
security whatsoever. This service should only be considered for
internal use, and then it should be configured in a restricted way so
that the server only has access to a set of predetermined files
(instead of every world-readable file on the system). Probably the
most common usage of TFTP is for downloading router configuration
files to a router. TFTP should reside on its own host, and should
not be installed on hosts supporting external FTP or Web access.

3.2.3.7 NFS

The Network File Service allows hosts to share common disks. NFS is
frequently used by diskless hosts who depend on a disk server for all
of their storage needs. Unfortunately, NFS has no built-in security.
It is therefore necessary that the NFS server be accessible only by
those hosts which are using it for service. This is achieved by
specifying which hosts the file system is being exported to and in
what manner (e.g., read-only, read-write, etc.). Filesystems should
not be exported to any hosts outside the local network since this
will require that the NFS service be accessible externally. Ideally,
external access to NFS service should be stopped by a firewall.
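As an added check that is not part of the RFC, the Python below reads
/etc/exports-style lines and flags the cases the paragraph above warns
against: file systems exported to all hosts, wildcard clients, and
clients outside the local network. The sample lines, the 192.0.2.0/24
"local network" and the expected findings are constructed; the parser
handles only the common "path client(options)" form (no netgroups and
no validation of the option names).

```python
from ipaddress import ip_network

# Added example: an audit of /etc/exports-style lines. LOCAL_NET and the
# sample export lines are constructed values, not a real configuration.
LOCAL_NET = ip_network("192.0.2.0/24")

SAMPLE_EXPORTS = """\
# constructed sample, not a real configuration
/export/home    192.0.2.0/24(rw,sync)
/export/pub     *(ro)
/export/build   198.51.100.7(rw)
/export/tmp     (rw)
/export/scratch 192.0.2.30 (rw,sync)
"""


def parse_exports(text):
    """Yield (path, client, options) triples; an empty client means 'all hosts'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            if "(" in entry:
                client, rest = entry.split("(", 1)
                rest = rest.rstrip(")")
                opts = rest.split(",") if rest else []
            else:
                client, opts = entry, []
            yield path, client, opts


def audit_exports(text, local_net=LOCAL_NET):
    """Return [(path, client, reason), ...] for exports that violate the advice."""
    findings = []
    for path, client, opts in parse_exports(text):
        mode = "rw" if "rw" in opts else "ro"   # exports(5) default is read-only
        if client == "":
            # exports(5): a missing client, including "host (opts)" with a
            # space before the parenthesis, means every host may mount it
            findings.append((path, client, f"exported {mode} to all hosts"))
        elif client.startswith("*") or "?" in client:
            findings.append((path, client, f"wildcard client, {mode}"))
        else:
            try:
                net = ip_network(client, strict=False)
            except ValueError:
                continue  # hostname: resolve and re-check separately
            if not net.subnet_of(local_net):
                findings.append((path, client, f"client outside local network, {mode}"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:16} {client or '(everyone)':14} {reason}")
```

The /export/scratch line shows the exports(5) pitfall in which a
space before the parenthesis turns "(rw,sync)" into a second,
unrestricted client entry; the audit reports it as an export to all
hosts even though the administrator meant to limit it to one address.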

3.2.4 Protecting the Protection

It is amazing how often a site will overlook the most obvious
weakness in its security by leaving the security server itself open
to attack. Based on considerations previously discussed, it should
be clear that: the security server should not be accessible from
off-site; should offer minimum access, except for the authentication
function, to users on-site; and should not be co-located with any
other servers. Further, all access to the node, including access to
the service itself, should be logged to provide a "paper trail" in
the event of a security breach.

3.3 Firewalls

One of the most widely deployed and publicized security measures in
use on the Internet is a "firewall." Firewalls have been given the
reputation of a general panacea for many, if not all, of the Internet
security issues. They are not. Firewalls are just another tool in
the quest for system security. They provide a certain level of
protection and are, in general, a way of implementing security policy
at the network level. The level of security that a firewall provides
can vary as much as the level of security on a particular machine.
There are the traditional trade-offs between security, ease of use,
cost, complexity, etc.

A firewall is any one of several mechanisms used to control and watch
access to and from a network for the purpose of protecting it. A
firewall acts as a gateway through which all traffic to and from the
protected network and/or systems passes. Firewalls help to place
limitations on the amount and type of communication that takes place
between the protected network and another network (e.g., the
Internet, or another piece of the site's network).

A firewall is generally a way to build a wall between one part of a
network, a company's internal network, for example, and another part,
the global Internet, for example. The unique feature about this wall
is that there needs to be ways for some traffic with particular
characteristics to pass through carefully monitored doors
("gateways"). The difficult part is establishing the criteria by
which the packets are allowed or denied access through the doors.
Books written on firewalls use different terminology to describe the
various forms of firewalls. This can be confusing to system
administrators who are not familiar with firewalls. The thing to note
here is that there is no fixed terminology for the description of
firewalls.

Firewalls are not always, or even typically, a single machine.
Rather, firewalls are often a combination of routers, network
segments, and host computers. Therefore, for the purposes of this
discussion, the term "firewall" can consist of more than one physical
device. Firewalls are typically built using two different
components, filtering routers and proxy servers.

Filtering routers are the easiest component to conceptualize in a
firewall. A router moves data back and forth between two (or more)
different networks. A "normal" router takes a packet from network A
and "routes" it to its destination on network B. A filtering router
does the same thing but decides not only how to route the packet, but
whether it should route the packet. This is done by installing a
series of filters by which the router decides what to do with any
given packet of data.

A discussion concerning capabilities of a particular brand of router,
running a particular software version is outside the scope of this
document. However, when evaluating a router to be used for filtering
packets, the following criteria can be important when implementing a
filtering policy: source and destination IP address, source and
destination TCP port numbers, state of the TCP "ack" bit, UDP source
and destination port numbers, and direction of packet flow (i.e.,
A->B or B->A). Other information necessary to construct a secure
filtering scheme are whether the router reorders filter instructions
(designed to optimize filters, this can sometimes change the meaning
and cause unintended access), and whether it is possible to apply
filters for inbound and outbound packets on each interface (if a
router filters only outbound packets then the router is "outside" of
its filters and may be more vulnerable to attack). In addition to
the router being vulnerable, this distinction between applying
filters on inbound or outbound packets is especially relevant for
routers with more than 2 interfaces. Other important issues are the
ability to create filters based on IP header options and the fragment
state of a packet. Building a good filter can be very difficult and
requires a good understanding of the type of services (protocols)
that will be filtered.
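The following added Python is not from the RFC; it is a first-match
packet filter built from the criteria just listed (addresses, ports,
the TCP "ack" bit, interface and direction), together with a function
that shows how reordering two filters changes the decision for the
same packet. The interface names, the 192.0.2.0/24 internal network,
the bastion host at 192.0.2.10 and the sample packets are constructed;
the outside addresses are taken from the 203.0.113.0/24 and
198.51.100.0/24 documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example: a first-match packet filter in the style of the criteria
# listed above. Interface names, the internal network (a documentation
# range) and the bastion host address are constructed values.
INTERNAL_NET = "192.0.2.0/24"
BASTION = "192.0.2.10/32"


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet is seen on
    direction: str      # "in" (arriving on iface) or "out" (leaving via iface)
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit; clear on the first segment of a connection


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface: str = "*"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None = any destination port
    ack: Optional[bool] = None    # None = don't care; True = established traffic only

    def matches(self, p: Packet) -> bool:
        return (
            self.iface in ("*", p.iface)
            and self.direction in ("*", p.direction)
            and self.proto in ("*", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.ack is None or (p.proto == "tcp" and self.ack == p.ack))
        )


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Evaluate rules in order; the first match wins, otherwise the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Inbound filter on the external interface of a screening router:
# 1. anti-spoofing: internal source addresses never arrive from outside;
# 2. new connections are allowed only to the bastion host's SMTP port;
# 3. ACK-bit rule: replies to connections that were opened from inside;
# 4. everything else falls through to the default deny.
EXT_INBOUND = [
    Rule("deny", iface="ext", direction="in", src=INTERNAL_NET),
    Rule("permit", iface="ext", direction="in", proto="tcp", dst=BASTION, dport=25),
    Rule("permit", iface="ext", direction="in", proto="tcp", dst=INTERNAL_NET, ack=True),
]


def filter_order_matters() -> tuple:
    """Same packet, same two filters, different order: (deny-first, permit-first)."""
    telnet_to_bastion = Packet("ext", "in", "tcp", "203.0.113.9", "192.0.2.10", 40001, 23)
    deny_telnet = Rule("deny", proto="tcp", dst=BASTION, dport=23)
    permit_bastion = Rule("permit", proto="tcp", dst=BASTION)
    return (
        decide([deny_telnet, permit_bastion], telnet_to_bastion),
        decide([permit_bastion, deny_telnet], telnet_to_bastion),
    )


if __name__ == "__main__":
    print(decide(EXT_INBOUND, Packet("ext", "in", "tcp", "192.0.2.5", "192.0.2.10", 1234, 25)))
    print(filter_order_matters())
```

The ACK-bit rule is the stateless approximation of "established": a
segment with ACK clear can only be the opening of a new connection, so
rule 3 lets replies through to internal hosts without admitting new
inbound connections to them. All three rules are bound to direction
"in" on the external interface, which is the per-interface inbound
filtering the text says to look for; a router that filtered only
outbound packets would apply none of them to traffic aimed at itself.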

For better security, the filters usually restrict access between the
two connected nets to just one host, the bastion host. It is only
possible to access the other network via this bastion host. As only
this host, rather than a few hundred hosts, can get attacked, it is
easier to maintain a certain level of security because only this host
has to be protected very carefully. To make resources available to
legitimate users across this firewall, services have to be forwarded
by the bastion host. Some servers have forwarding built in (like
DNS-servers or SMTP-servers), for other services (e.g., Telnet, FTP,
etc.), proxy servers can be used to allow access to the resources
across the firewall in a secure way.

A proxy server is a way to concentrate application services through a
single machine. There is typically a single machine (the bastion
host) that acts as a proxy server for a variety of protocols (Telnet,
SMTP, FTP, HTTP, etc.) but there can be individual host computers for
each service. Instead of connecting directly to an external server,
the client connects to the proxy server which in turn initiates a
connection to the requested external server. Depending on the type
of proxy server used, it is possible to configure internal clients to
perform this redirection automatically, without knowledge to the
user; others might require that the user connect directly to the
proxy server and then initiate the connection through a specified
format.

There are significant security benefits which can be derived from
using proxy servers. It is possible to add access control lists to
protocols, requiring users or systems to provide some level of
authentication before access is granted. Smarter proxy servers,
sometimes called Application Layer Gateways (ALGs), can be written
which understand specific protocols and can be configured to block
only subsections of the protocol. For example, an ALG for FTP can
tell the difference between the "put" command and the "get" command;
an organization may wish to allow users to "get" files from the
Internet, but not be able to "put" internal files on a remote server.
By contrast, a filtering router could either block all FTP access, or
none, but not a subset.

Proxy servers can also be configured to encrypt data streams based on
a variety of parameters. An organization might use this feature to
allow encrypted connections between two locations whose sole access
points are on the Internet.

Firewalls are typically thought of as a way to keep intruders out,
but they are also often used as a way to let legitimate users into a
site. There are many examples where a valid user might need to
regularly access the "home" site while on travel to trade shows and
conferences, etc. Access to the Internet is often available but may
be through an untrusted machine or network. A correctly configured
proxy server can allow the correct users into the site while still
denying access to other users.

The current best effort in firewall techniques is found using a
combination of a pair of screening routers with one or more proxy
servers on a network between the two routers. This setup allows the
external router to block off any attempts to use the underlying IP
layer to break security (IP spoofing, source routing, packet
fragments), while allowing the proxy server to handle potential
security holes in the higher layer protocols. The internal router's
purpose is to block all traffic except to the proxy server. If this
setup is rigidly implemented, a high level of security can be
achieved.

Most firewalls provide logging which can be tuned to make security
administration of the network more convenient. Logging may be
centralized and the system may be configured to send out alerts for
abnormal conditions. It is important to regularly monitor these logs
for any signs of intrusions or break-in attempts. Since some
intruders will attempt to cover their tracks by editing logs, it is
desirable to protect these logs. A variety of methods is available,
including: write once, read many (WORM) drives; paper logs; and
centralized logging via the "syslog" utility. Another technique is
to use a "fake" serial printer, but have the serial port connected to
an isolated machine or PC which keeps the logs.

Firewalls are available in a wide range of quality and strengths.
Commercial packages start at approximately $10,000US and go up to
over $250,000US. "Home grown" firewalls can be built for smaller
amounts of capital. It should be remembered that the correct setup
of a firewall (commercial or homegrown) requires a significant amount
of skill and knowledge of TCP/IP. Both types require regular
maintenance, installation of software patches and updates, and
regular monitoring. When budgeting for a firewall, these additional
costs should be considered in addition to the cost of the physical
elements of the firewall.

As an aside, building a "home grown" firewall requires a significant
amount of skill and knowledge of TCP/IP. It should not be trivially
attempted because a perceived sense of security is worse in the long
run than knowing that there is no security. As with all security
measures, it is important to decide on the threat, the value of the
assets to be protected, and the costs to implement security.

A final note about firewalls. They can be a great aid when
implementing security for a site and they protect against a large
variety of attacks. But it is important to keep in mind that they
are only one part of the solution. They cannot protect your site
against all types of attack.

4. Security Services and Procedures

This chapter guides the reader through a number of topics that should
be addressed when securing a site. Each section touches on a
security service or capability that may be required to protect the
information and systems at a site. The topics are presented at a
fairly high-level to introduce the reader to the concepts.

Throughout the chapter, you will find significant mention of
cryptography. It is outside the scope of this document to delve into
details concerning cryptography, but the interested reader can obtain
more information from books and articles listed in the reference
section of this document.

4.1 Authentication

For many years, the prescribed method for authenticating users has
been through the use of standard, reusable passwords. Originally,
these passwords were used by users at terminals to authenticate
themselves to a central computer. At the time, there were no
networks (internally or externally), so the risk of disclosure of the
clear text password was minimal. Today, systems are connected
together through local networks, and these local networks are further
connected together and to the Internet. Users are logging in from
all over the globe; their reusable passwords are often transmitted
across those same networks in clear text, ripe for anyone in-between
to capture. And indeed, the CERT* Coordination Center and other
response teams are seeing a tremendous number of incidents involving
packet sniffers which are capturing the clear text passwords.

With the advent of newer technologies like one-time passwords (e.g.,
S/Key), PGP, and token-based authentication devices, people are using
password-like strings as secret tokens and pins. If these secret
tokens and pins are not properly selected and protected, the
authentication will be easily subverted.

4.1.1 One-Time Passwords

As mentioned above, given today's networked environments, it is
recommended that sites concerned about the security and integrity of
their systems and networks consider moving away from standard,
reusable passwords. There have been many incidents involving Trojan
network programs (e.g., telnet and rlogin) and network packet
sniffing programs. These programs capture clear text
hostname/account name/password triplets. Intruders can use the
captured information for subsequent access to those hosts and
accounts. This is possible because 1) the password is used over and
over (hence the term "reusable"), and 2) the password passes across
the network in clear text.

Several authentication techniques have been developed that address
this problem. Among these techniques are challenge-response
technologies that provide passwords that are only used once (commonly
called one-time passwords). There are a number of products available
that sites should consider using. The decision to use a product is
the responsibility of each organization, and each organization should
perform its own evaluation and selection.
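An added worked example, not from the RFC, of the one-time password
idea using an S/Key-style hash chain: the server stores only the top
of the chain, each login reveals the next value down, and a captured
value cannot be reused because the server moves its stored value
past it. S/Key itself (RFC 1760) uses MD4 folded to 64 bits and a
six-word encoding; SHA-256 and raw digests stand in here, and the
passphrase, seed and chain length are constructed values.

```python
import hashlib

# Added example: a hash-chain one-time password scheme in the style of S/Key.
# SHA-256 stands in for S/Key's MD4; the passphrase, seed and chain length
# used below are constructed sample values.


def chain(base: bytes, n: int) -> bytes:
    """Apply the hash n times: h^n(base)."""
    value = base
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class OtpClient:
    """Holds the secret passphrase; never sends it, only h^(n-1)(base)."""

    def __init__(self, passphrase: str, seed: bytes, n: int):
        self.base = hashlib.sha256(seed + passphrase.encode()).digest()
        self.n = n

    def enrol_value(self) -> bytes:
        """h^N(base): the only value the server needs to store."""
        return chain(self.base, self.n)

    def next_password(self) -> bytes:
        if self.n == 0:
            raise RuntimeError("chain exhausted; re-enrol with a new seed")
        self.n -= 1
        return chain(self.base, self.n)


class OtpServer:
    """Stores only the last accepted value, never the secret."""

    def __init__(self, enrol_value: bytes, n: int):
        self.stored = enrol_value
        self.remaining = n

    def verify(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False
        # Accept only if one more hash step lands on the stored value, i.e. the
        # candidate is its immediate preimage. A sniffed password cannot be
        # replayed because the stored value then moves one step down the chain.
        if hashlib.sha256(candidate).digest() != self.stored:
            return False
        self.stored = candidate
        self.remaining -= 1
        return True


def demo() -> list:
    """Walk a short chain and record each verification result."""
    client = OtpClient("correct horse battery", b"seed-0001", 3)
    server = OtpServer(client.enrol_value(), 3)
    results = []
    first = client.next_password()
    results.append(server.verify(first))                    # True: fresh password
    results.append(server.verify(first))                    # False: replay of a sniffed value
    results.append(server.verify(client.next_password()))   # True
    results.append(server.verify(client.next_password()))   # True: chain now exhausted
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, True]
```

The value the server holds is effectively public after the first
login, yet it is useless to an observer: replaying it fails, and
computing the next password from it would require inverting the hash.
The cost is that the chain is finite and the user must re-enrol with a
fresh seed when it runs out, which is the bookkeeping the products the
text mentions take care of.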

4.1.2 Kerberos

Kerberos is a distributed network security system which provides for
authentication across