Network Working Group                                          R. Pethia
Request for Comments: 1281                Software Engineering Institute
                                                              S. Crocker
                                       Trusted Information Systems, Inc.
                                                               B. Fraser
                                          Software Engineering Institute
                                                           November 1991

            Guidelines for the Secure Operation of the Internet

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard.  Distribution of this memo is
   unlimited.
Preamble

   The purpose of this document is to provide a set of guidelines to aid
   in the secure operation of the Internet.  During its history, the
   Internet has grown significantly and is now quite diverse.  Its
   participants include government institutions and agencies, academic
   and research institutions, commercial network and electronic mail
   carriers, non-profit research centers and an increasing array of
   industrial organizations who are primarily users of the technology.
   Despite this dramatic growth, the system is still operated on a
   purely collaborative basis.  Each participating network takes
   responsibility for its own operation.  Service providers, private
   network operators, users and vendors all cooperate to keep the system
   functioning.

   It is important to recognize that the voluntary nature of the
   Internet system is both its strength and, perhaps, its most fragile
   aspect.  Rules of operation, like the rules of etiquette, are
   voluntary and, largely, unenforceable, except where they happen to
   coincide with national laws, violation of which can lead to
   prosecution.  A common set of rules for the successful and
   increasingly secure operation of the Internet can, at best, be
   voluntary, since the laws of various countries are not uniform
   regarding data networking.  Indeed, the guidelines outlined here
   also can be only voluntary.  However, since joining the Internet is
   optional, it is also fair to argue that any Internet rules of
   behavior are part of the bargain for joining and that failure to
   observe them, apart from any legal infrastructure available, are
   grounds for sanctions.
Pethia, Crocker, & Fraser [Page 1]
RFC 1281 Guidelines for the Secure Operation November 1991
   These guidelines address the entire Internet community, consisting of
   users, hosts, local, regional, domestic and international backbone
   networks, and vendors who supply operating systems, routers, network
   management tools, workstations and other network components.

   Security is understood to include protection of the privacy of
   information, protection of information against unauthorized
   modification, protection of systems against denial of service, and
   protection of systems against unauthorized access.

   These guidelines encompass six main points.  These points are
   repeated and elaborated in the next section.  In addition, a
   bibliography of computer and network related references has been
   provided at the end of this document for use by the reader.

Security Guidelines

   (1)  Users are individually responsible for understanding and
        respecting the security policies of the systems (computers and
        networks) they are using.  Users are individually accountable
        for their own behavior.

   (2)  Users have a responsibility to employ available security
        mechanisms and procedures for protecting their own data.  They
        also have a responsibility for assisting in the protection of
        the systems they use.

   (3)  Computer and network service providers are responsible for
        maintaining the security of the systems they operate.  They are
        further responsible for notifying users of their security
        policies and any changes to these policies.

   (4)  Vendors and system developers are responsible for providing
        systems which are sound and which embody adequate security
        controls.

   (5)  Users, service providers, and hardware and software vendors are
        responsible for cooperating to provide security.

   (6)  Technical improvements in Internet security protocols should be
        sought on a continuing basis.  At the same time, those
        developing new protocols, hardware or software for the Internet
        are expected to include security considerations as part of the
        design and development process.
   (1)  Users are individually responsible for understanding and
        respecting the security policies of the systems (computers and
        networks) they are using.  Users are individually accountable
        for their own behavior.

        Users are responsible for their own behavior.  Weaknesses in
        the security of a system are not a license to penetrate or
        abuse a system.  Users are expected to be aware of the security
        policies of computers and networks which they access and to
        adhere to these policies.  One clear consequence of this
        guideline is that unauthorized access to a computer or use of a
        network is explicitly a violation of Internet rules of conduct,
        no matter how weak the protection of those computers or networks.

        There is growing international attention to legal prohibitions
        against unauthorized access to computer systems, and several
        countries have recently passed legislation that addresses this
        area (e.g., United Kingdom, Australia).  In the United States,
        the Computer Fraud and Abuse Act of 1986, Title 18 U.S.C.
        section 1030 makes it a crime, in certain situations, to access
        a Federal interest computer (federal government computers,
        financial institution computers, and a computer which is one of
        two or more computers used in committing the offense, not all of
        which are located in the same state) without authorization.
        Most of the 50 states in the U.S. have similar laws.

        Another aspect of this part of the policy is that users are
        individually responsible for all use of resources assigned to
        them, and hence sharing of accounts and access to resources is
        strongly discouraged.  However, since access to resources is
        assigned by individual sites and network operators, the
        specific rules governing sharing of accounts and protection of
        access are necessarily a local matter.

   (2)  Users have a responsibility to employ available security
        mechanisms and procedures for protecting their own data.  They
        also have a responsibility for assisting in the protection of
        the systems they use.

        Users are expected to handle account privileges in a
        responsible manner and to follow site procedures for the
        security of their data as well as that of the system.  For
        systems which rely upon password protection, users should
        select good passwords and periodically change them.  Proper
        use of file protection mechanisms (e.g., access control lists)
        so as to define and maintain appropriate file access control
        is also part of this responsibility.
   (3)  Computer and network service providers are responsible for
        maintaining the security of the systems they operate.  They are
        further responsible for notifying users of their security
        policies and any changes to these policies.

        A computer or network service provider may manage resources on
        behalf of users within an organization (e.g., provision of
        network and computer services within a university) or it may
        provide services to a larger, external community (e.g., a
        regional network provider).  These resources may include host
        computers employed by users, routers, terminal servers, personal
        computers or other devices that have access to the Internet.

        Because the Internet itself is neither centrally managed nor
        operated, responsibility for security rests with the owners and
        operators of the subscriber components of the Internet.
        Moreover, even if there were a central authority for this
        infrastructure, security necessarily is the responsibility of
        the owners and operators of the systems which are the primary
        data and processing resources of the Internet.

        There are tradeoffs between stringent security measures at a
        site and ease of use of systems (e.g., stringent security
        measures may complicate user access to the Internet).  If a site
        elects to operate an unprotected, open system, it may be
        providing a platform for attacks on other Internet hosts while
        concealing the attacker's identity.  Sites which do operate
        open systems are nonetheless responsible for the behavior of
        the systems' users and should be prepared to render assistance
        to other sites when needed.  Whenever possible, sites should
        try to ensure authenticated Internet access.  The readers are
        directed to Appendix A for a brief descriptive list of elements
        of good security.

        Sites (including network service providers) are encouraged to
        develop security policies.  These policies should be clearly
        communicated to users and subscribers.  The Site Security
        Handbook (FYI 8, RFC 1244) provides useful information and
        guidance on developing good security policies and procedures
        at both the site and network level.

   (4)  Vendors and system developers are responsible for providing
        systems which are sound and which embody adequate security
        controls.
        A vendor or system developer should evaluate each system in
        terms of security controls prior to the introduction of the
        system into the Internet community.  Each product (whether
        offered for sale or freely distributed) should describe the
        security features it incorporates.

        Vendors and system developers have an obligation to repair
        flaws in the security relevant portions of the systems they
        sell (or freely provide) for use in the Internet.  They are
        expected to cooperate with the Internet community in
        establishing mechanisms for the reporting of security flaws and
        in making security-related fixes available to the community in
        a timely fashion.

   (5)  Users, service providers, and hardware and software vendors are
        responsible for cooperating to provide security.

        The Internet is a cooperative venture.  The culture and
        practice in the Internet is to render assistance in security
        matters to other sites and networks.  Each site is expected to
        notify other sites if it detects a penetration in progress at
        the other sites, and all sites are expected to help one another
        respond to security violations.  This assistance may include
        tracing connections, tracking violators and assisting law
        enforcement efforts.

        There is a growing appreciation within the Internet community
        that security violators should be identified and held
        accountable.  This means that once a violation has been detected,
        sites are encouraged to cooperate in finding the violator and
        assisting in enforcement efforts.  It is recognized that many
        sites will face a trade-off between securing their sites as
        rapidly as possible versus leaving their site open in the hope
        of identifying the violator.  Sites will also be faced with the
        dilemma of limiting the knowledge of a penetration or
        exposing the fact that a penetration has occurred.  This
        guideline does not dictate that a site must expose either its
        system or its reputation if it decides not to, but sites are
        encouraged to render as much assistance as they can.

   (6)  Technical improvements in Internet security protocols should be
        sought on a continuing basis.  At the same time, those
        developing new protocols, hardware or software for the Internet
        are expected to include security considerations as part of the
        design and development process.

        The points discussed above are all administrative in nature,
        but technical advances are also important.  Existing protocols
        and operating systems do not provide the level of security which
        is desired and feasible today.  Three types of advances are
        encouraged:

        (a)  Improvements should be made in the basic security
             mechanisms already in place.  Password security is
             generally poor throughout the Internet and can be
             improved markedly through the use of tools to manage
             password assignment and through the use of better
             authentication technology.  At the same time, the
             Internet user population is expanding to include a
             larger percentage of technically unsophisticated users.
             Security defaults on delivered systems and the procedures
             for administering security must be geared to this
             population.

        (b)  Security extensions to the protocol suite are needed.
             Candidate protocols which should be augmented to improve
             security include network management, routing, file
             transfer, telnet, and mail.

        (c)  The design and implementation of operating systems should
             be improved to place more emphasis on security and pay
             more attention to the quality of the implementation of
             security within systems on the Internet.
APPENDIX A

   Five areas should be addressed in improving local security.

   (1)  There must be a clear statement of the local security policy,
        and this policy must be communicated to the users and other
        relevant parties.  The policy should be on file and available
        to users at all times, and should be communicated to users as
        part of providing access to the system.

   (2)  Adequate security controls must be implemented.  At a minimum,
        this means controlling access to systems via passwords,
        instituting sound password management, and configuring the
        system to protect itself and the information within it.

   (3)  There must be a capability to monitor security compliance and
        respond to incidents involving violation of security.  Logs of
        logins, attempted logins, and other security-relevant events
        are strongly advised, as well as regular audit of these logs.
        Also recommended is a capability to trace connections and other
        events in response to penetrations.  However, it is important
        for service providers to have a well thought out and clear
        policy about what information they gather, who has access to it,
        and for what purposes.  Maintaining the privacy of the
        users should be kept in mind when developing such a policy.

   (4)  There must be an established chain of communication and control
        to handle security matters.  A responsible person should be
        identified as the security contact.  The means for reaching the
        security contact should be made known to all users and should
        be registered in public directories, and it should be easy for
        computer emergency response centers to find contact information
        at any time.

        The security contact should be familiar with the technology and
        configuration of all systems at the site or should be able to
        get in touch with those who have this knowledge at any time.
        Likewise, the security contact should be pre-authorized to make
        a best effort to deal with a security incident, or should be
        able to contact those with the authority at any time.

   (5)  Sites and networks which are notified of security incidents
        should respond in a timely and effective manner.  In the case
        of penetrations or other violations, sites and networks should
        allocate resources and capabilities to identify the nature of
        the incident and limit the damage.  A site or network cannot be
        considered to have good security if it does not respond to
        incidents in a timely and effective fashion.

        If a violator can be identified, appropriate action should be
        taken to ensure that no further violations are caused.  Exactly
        what sanctions should be brought against a violator depends on
        the nature of the incident and the site environment.  For
        example, a university may choose to bring internal disciplinary
        action against a student violator.

        Similarly, sites and networks should respond when notified of
        security flaws in their systems.  Sites and networks have a
        responsibility to install fixes in their systems as they become
        available.
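   Appendix A item (3) asks for logs of logins and attempted logins, regular
   audit of those logs, and the ability to trace connections after a
   penetration.  The script below is an added illustration of such an audit
   (not part of RFC 1281): the log format, host names and accounts are
   constructed, and the burst window and threshold are assumed site choices.

```python
"""Audit a login log for failed-login bursts per source, and for successful
logins that follow such a burst (candidates for connection tracing).
Log format and all records are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, result, account, source host.
SAMPLE_LOG = """\
1991-11-04T08:02:11 OK   alice host-a.example.edu
1991-11-04T08:05:40 FAIL bob   dialup-7.example.net
1991-11-04T08:05:52 FAIL bob   dialup-7.example.net
1991-11-04T08:06:03 FAIL bob   dialup-7.example.net
1991-11-04T08:06:15 FAIL root  dialup-7.example.net
1991-11-04T08:06:30 FAIL guest dialup-7.example.net
1991-11-04T08:07:02 OK   bob   dialup-7.example.net
1991-11-04T09:15:00 OK   carol host-b.example.edu
1991-11-04T23:40:10 FAIL alice host-c.example.edu
this line is malformed and must be skipped, not abort the audit
"""


def parse_log(text):
    """One record per line; malformed lines are skipped so one bad entry
    cannot stop the audit."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, result, account, source = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "ok": result == "OK",
                        "account": account, "source": source})
    return records


def audit(records, window=timedelta(minutes=5), threshold=3):
    """Return {'bursts': {source: (max failures inside window, accounts tried)},
    'success_after_burst': [sources]} for a human reviewer to follow up."""
    failures = defaultdict(list)  # source -> [(time, account)]
    for r in records:
        if not r["ok"]:
            failures[r["source"]].append((r["when"], r["account"]))
    bursts = {}
    for source, events in failures.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hits = [acct for t, acct in events[i:] if t - t0 <= window]
            if len(hits) >= threshold:  # sliding window starting at each failure
                prev = bursts.get(source, (0, set()))
                bursts[source] = (max(prev[0], len(hits)), prev[1] | set(hits))
    # A success from a bursting source after its failures is worth tracing.
    followed = sorted({r["source"] for r in records if r["ok"] and r["source"] in bursts
                       and any(t < r["when"] for t, _ in failures[r["source"]])})
    return {"bursts": bursts, "success_after_burst": followed}
```

   On the sample records the audit flags dialup-7.example.net with five
   failures across three accounts inside the window, followed by a success.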
A Bibliography of Computer and Network Security Related Documents

United States Public Laws (PL) and Federal Policies

   [1]  P.L. 100-235, "The Computer Security Act of 1987", (Contained in
        Appendix C of Citation No. 12, Vol II.), Jan. 8, 1988.

   [2]  P.L. 99-474 (H.R. 4718), "Computer Fraud and Abuse Act of 1986",
        Oct. 16, 1986.

   [3]  P.L. 99-508 (H.R. 4952), "Electronic Communications Privacy Act
        of 1986", Oct. 21, 1986.

   [4]  P.L. 99-591, "Paperwork Reduction Reauthorization Act of 1986",
        Oct. 30, 1986.

   [5]  P.L. 93-579, "Privacy Act of 1984", Dec. 31, 1984.

   [6]  "National Security Decision Directive 145", (Contained in
        Appendix C of Citation No. 12, Vol II.).

   [7]  "Security of Federal Automated Information Systems", (Contained
        in Appendix C of Citation No. 12, Vol II.), Appendix III of
        Management of Federal Information Resources, Office of Management
        and Budget (OMB), Circular A-130.

   [8]  "Protection of Government Contractor Telecommunications",
        (Contained in Appendix C of Citation No. 12, Vol II.), National
        Communications Security Instruction (NACSI) 6002.

Other Publications

   [9]  Secure Systems Study Committee, "Computers at Risk: Safe
        Computing in the Information Age", Computer Science and
        Technology Board, National Research Council, 2101 Constitution
        Avenue, Washington, DC 20418, December 1990.

   [10] Curry, D., "Improving the Security of Your UNIX System", Report
        No. ITSTD-721-FR-90-21, SRI International, 333 Ravenswood Ave.,
        Menlo Park, CA, 94025-3493, April 1990.

   [11] Holbrook P., and J. Reynolds, Editors, "Site Security Handbook",
        FYI 8, RFC 1244, CICNet, ISI, July 1991.

   [12] "Industry Information Protection, Vols. I,II,III",
        Information Security Task Force, President's National Security
        Telecommunications Advisory Committee, June 1988.

   [13] Jelen, G., "Information Security: An Elusive Goal", Report No.
        P-85-8, Harvard University, Center for Information Policy
        Research, 200 Akin, Cambridge, MA 02138, June 1985.

   [14] "Electronic Record Systems and Individual Privacy", OTA-CIT-296,
        Congress of the United States, Office of Technology Assessment,
        Washington, D.C. 20510, June 1986.

   [15] "Defending Secrets, Sharing Data", OTA-CIT-310, Congress of the
        United States, Office of Technology Assessment, Washington, D.C.
        20510, October 1987.

   [16] "Summary of General Legislation Relating to Privacy and
        Security", Appendix 1 of, COMPUTERS and PRIVACY: How the
        Government Obtains, Verifies, Uses and Protects Personal Data,
        GAO/IMTEC-90-70BR, United States General Accounting Office,
        Washington, DC 20548, pp. 36-40, August 1990.

   [17] Stout, E., "U.S. Geological Survey System Security Plan -
        1990", U.S. Geological Survey ISD, MS809, Reston, VA, 22092,
        1990.
Security Considerations

   If security considerations had not been so widely ignored in the
   Internet, this memo would not have been possible.
Authors' Addresses

   Richard D. Pethia
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh, Pennsylvania 15213-3890

   Phone: (412) 268-7739
   FAX: (412) 268-6989
   EMail: rdp@cert.sei.cmu.

   Stephen D. Crocker
   Trusted Information Systems, Inc.
   3060 Washington
   Glenwood, Maryland 21738

   Phone: (301) 854-6889
   FAX: (301) 854-5363
   EMail: crocker@tis.

   Barbara Y. Fraser
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh, Pennsylvania 15213-3890

   Phone: (412) 268-5010
   FAX: (412) 268-6989
   EMail: byf@cert.sei.cmu.