RFC 2196: Site Security Handbook
RFC-Ref

security



... network administrators on how to address security issues within the Internet community. It builds on the foundation provided in RFC 1244 ...
... This handbook is a guide to setting computer security policies and procedures for sites that have systems on the Internet (however, the information provided should also be useful to sites not yet connected ...
... This guide is only a framework for setting security policies and procedures. In order to have an effective set of policies and procedures, a site will have to make many decisions, gain agreement ...
... create secure programs or systems. The focus of this document is on the policies and procedures that need to be in place to support the technical security features that a site may be implementing. ...
... Internet community. However, this document should be useful to any site that allows communication with other sites. As a general guide to security policies, this document may also be useful to sites with isolated systems. ...
... The term "security administrator" is used to cover all those people who are responsible for the security ...
... security administrator" is used to cover all those people who are responsible for the security of information and information technology. At some sites this function may be combined with administrator ...
... The Site Security Handbook Working Group is working on a User's Guide to Internet ...
... Working Group is working on a User's Guide to Internet Security. It will provide practical guidance to end users to help them protect their information and the resources they use. ...
... This guide is written to provide basic guidance in developing a security plan for your site. One generally accepted approach to follow is suggested by Fites, et al. [Fites 1989] and includes the ...
... Most of this document is focused on item 4 above, but the other steps cannot be avoided if an effective plan is to be established at your site. One old truism in security is that the cost of protecting yourself against a threat should be less than the cost of recovering if the threat were to strike you. Cost in this context ...
... One of the most important reasons for creating a computer security policy is to ensure that efforts spent on security yield cost effective benefits. Although this may seem obvious, it is possible ...
... One of the most important reasons for creating a computer security policy is to ensure that efforts spent on security yield cost effective benefits. Although this may seem obvious, it is possible to be misled about where the effort is needed. As an example, there ...
... to be misled about where the effort is needed. As an example, there is a great deal of publicity about intruders on computer systems; yet most surveys of computer security show that, for most organizations, the actual loss from "insiders" is much greater. ...
... For each asset, the basic goals of security are availability, confidentiality, and integrity ...
... hardware; but, some are overlooked, such as the people who actually use the systems. The essential point is to list all things that could be affected by a security problem. ...


... Security Policies ...
... What is a Security Policy and Why Have One? ...
... The security-related decisions you make, or fail to make, as administrator largely determine how secure or insecure your network ...
... network is to use. However, you cannot make good decisions about security without first determining what your security goals are. Until you determine what your security goals ...
... network is to use. However, you cannot make good decisions about security without first determining what your security goals are. Until you determine what your security goals are, you cannot make ...
... security without first determining what your security goals are. Until you determine what your security goals are, you cannot make effective use of any collection of security tools ...
... Until you determine what your security goals are, you cannot make effective use of any collection of security tools because you simply will not know what to check for and what restrictions to impose. ...
... services offered versus security provided - Each service offered to users carries its own security risks ...
... security provided - Each service offered to users carries its own security risks. For some services the risk outweighs the benefit of the service ...
... ease of use versus security - The easiest system to use would allow access to any user and require no passwords ...
... The easiest system to use would allow access to any user and require no passwords; that is, there would be no security. Requiring passwords makes the system a little less convenient, ...
... cost of security versus risk of loss - There are many different costs to security: monetary (i.e., the ...
... cost of security versus risk of loss - There are many different costs to security: monetary (i.e., the cost of purchasing security hardware ...
... There are many different costs to security: monetary (i.e., the cost of purchasing security hardware and software like firewalls ...
... Your goals should be communicated to all users, operations staff, and managers through a set of security rules, called a "security policy." We are using this term, rather than the narrower "computer security policy ...
... Your goals should be communicated to all users, operations staff, and managers through a set of security rules, called a "security policy." We are using this term, rather than the narrower "computer security policy" since the scope includes all types of information technology ...
... security rules, called a "security policy." We are using this term, rather than the narrower "computer security policy" since the scope includes all types of information technology and the information stored and manipulated by the technology. ...
... Definition of a Security Policy ...
... A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. ...
... Purposes of a Security Policy ...
... The main purpose of a security policy is to inform users, staff and managers of their obligatory requirements for protecting technology ...
... computer systems and networks for compliance with the policy. Therefore an attempt to use a set of security tools in the absence of at least an implied security policy ...
... security tools in the absence of at least an implied security policy is meaningless. ...
... An Appropriate Use Policy (AUP) may also be part of a security policy. It should spell out what users shall and shall not do on the various components of the system, including the type of traffic ...
... In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization. It is especially important that corporate ...
... within the organization. It is especially important that corporate management fully support the security policy process otherwise there is little chance that they will have the intended impact. The following is a list of individuals who should be involved in the ...
... is little chance that they will have the intended impact. The following is a list of individuals who should be involved in the creation and review of security policy documents: ...
... site security administrator ...
... security incident response team ...
... representatives of the user groups affected by the security policy ...
... What Makes a Good Security Policy? ...
... The characteristics of a good security policy are: ...
... It must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically ...
... The components of a good security policy include: ...
... Computer Technology Purchasing Guidelines which specify required, or preferred, security features. These should supplement existing purchasing policies and guidelines. ...
... A Violations Reporting Policy that indicates which types of violations (e.g., privacy and security, internal and external) must be reported and to whom the reports are made. A non-threatening atmosphere and the possibility of anonymous ...
... violation; guidelines on how to handle outside queries about a security incident, or information which may be considered confidential or proprietary; and cross-references to security ...
... security incident, or information which may be considered confidential or proprietary; and cross-references to security procedures and related information, such as company policies and ...
... There may be regulatory requirements that affect some aspects of your security policy (e.g., line monitoring). The creators of the security policy should consider seeking legal assistance in the ...
... security policy (e.g., line monitoring). The creators of the security policy should consider seeking legal assistance in the creation of the policy. At a minimum, the policy should be reviewed by legal counsel. ...
... Once your security policy has been established it should be clearly communicated to users, staff, and management. Having all personnel ...
... agreed to abide by the policy is an important part of the process. Finally, your policy should be reviewed on a regular basis to see if it is successfully supporting your security needs. ...
... In order for a security policy to be viable for the long term, it requires a lot of flexibility based upon an architectural security ...
... In order for a security policy to be viable for the long term, it requires a lot of flexibility based upon an architectural security concept. A security policy should be (largely) independent from ...
... requires a lot of flexibility based upon an architectural security concept. A security policy should be (largely) independent from specific hardware and software situations (as specific systems tend ...
... unavailable for his/her job function (e.g., was suddenly ill or left the company unexpectedly). While the greatest security resides in the minimum dissemination of information, the risk of losing critical ...


... Completely Defined Security Plans ...
... All sites should define a comprehensive security plan. This plan should be at a higher level than the specific policies discussed in chapter 2, and it should be crafted as a framework ...
... It is important to have this framework in place so that individual policies can be consistent with the overall site security architecture. For example, having a strong policy with regard to Internet access and having weak restrictions on modem ...
... Internet access and having weak restrictions on modem usage is inconsistent with an overall philosophy of strong security restrictions on external access. ...
... A security plan should define: the list of network services that will be provided; which areas of the organization will provide the ...
... Internet, the rampant media magnification of Internet related security incidents can overshadow a (potentially) more serious internal security problem. Likewise, companies ...
... Internet related security incidents can overshadow a (potentially) more serious internal security problem. Likewise, companies who have never been connected to the Internet ...
... services which a site may wish to provide for its users, some of which may be external. There are a variety of security reasons to attempt to isolate services onto dedicated host ...
... trust. Services which are essential to the security or smooth operation of a site would be better off being placed on a dedicated machine with very limited access (see Section 3.1.3 "deny all" model), rather than on a machine ...
... services) which has traditionally been less secure, or requires greater accessibility by users who may accidentally suborn security. ...
... services which should be examined for potential separation are outlined in section 3.2.3. It is important to remember that security is only as strong as the weakest link in the chain. Several of the most publicized penetrations in recent years have been ...
... There are two diametrically opposed underlying philosophies which can be adopted when defining a security plan. Both alternatives are legitimate models to adopt, and the choice between them will depend on the site and its needs for security ...
... security plan. Both alternatives are legitimate models to adopt, and the choice between them will depend on the site and its needs for security. ...
... services provides for a better analysis of a particular service/protocol and the design of a security mechanism suited to the security level of the site. ...
... service/protocol and the design of a security mechanism suited to the security level of the site. ...
... network boundaries, usually the default at the router level. As security holes become apparent, they are restricted or patched at either the host or network ...
... Be careful when mixing philosophies as in the examples above. Many sites adopt the theory of a hard "crunchy" shell and a soft "squishy" middle. They are willing to pay the cost of security for their external traffic and require strong security measures ...
... security for their external traffic and require strong security measures, but are unwilling or unable to provide similar protections internally. This works fine as long as the outer defenses are never breached and the ...
... services which may be provided, both internally and on the Internet at large. Managing security is, in many ways, managing access to services internal to the site and ...
... Bear in mind that security complexity can grow exponentially with the number of services provided. Filtering ...
... NFS, NTP, WWW), and security (i.e., user authentication and access restrictions). ...
... update is retransmitted by either an intruder or a misbehaving router. The most security is provided by complete encryption of sequenced, or uniquely identified, routing ...
... There are many types of services and each has its own security requirements. These requirements will vary based on the intended use of the service ...
... Internet, requires built-in protection. That is, the service/protocol/server must provide whatever security may be required to prevent unauthorized access and modification of the Web ...
... re-route traffic to subvert security protections. For example, routine traffic can be diverted to a compromised system to be ...
... Traditionally, DNS has had no security capabilities. In particular, the information returned from a query could not be checked for ...
... A proxy server provides a number of security enhancements. It allows sites to concentrate services through a specific host ...
... receiving agent also has system privileges. This opens several security holes which this document will not describe. There are some implementations available which allow a separation of the two agents ...
... agents. Such implementations are generally considered more secure, but still require careful installation to avoid creating a security problem. ...
... a request from a remote user and passing the provided information to a program running on the server to process the request. Some of these programs are not written with security in mind and can create security holes ...
... security in mind and can create security holes. If a Web server is available to the Internet community, it is especially important that confidential information ...
... be dangerous (e.g., they could result in modifications to the information your site is publishing to the web) and in themselves make the security considerations for each service different. ...
... passwords and proprietary data, and the introduction of Trojan horses are just a few of the potential security holes that can occur when the service is configured incorrectly. FTP ...
... host. Some sites choose to co-locate FTP with a Web server, since the two protocols share common security considerations. However, the practice isn't recommended, especially when the FTP ...
... range of functions as FTP, and has no security whatsoever. This service should only be considered for internal use, and then it should be configured in a restricted way so ...
... hosts who depend on a disk server for all of their storage needs. Unfortunately, NFS has no built-in security. It is therefore necessary that the NFS server be accessible only by ...
... It is amazing how often a site will overlook the most obvious weakness in its security by leaving the security server itself open to attack ...
... It is amazing how often a site will overlook the most obvious weakness in its security by leaving the security server itself open to attack. Based on considerations previously discussed, it should ...
... to attack. Based on considerations previously discussed, it should be clear that: the security server should not be accessible from off-site; should offer minimum access, except for the authentication ...
... the service itself, should be logged to provide a "paper trail" in the event of a security breach. ...
... One of the most widely deployed and publicized security measures in use on the Internet is a "firewall ...
... reputation of a general panacea for many, if not all, of the Internet security issues. They are not. Firewalls are just another tool in ...
... Firewalls are just another tool in the quest for system security. They provide a certain level of protection and are, in general, a way of implementing security policy ...
... the quest for system security. They provide a certain level of protection and are, in general, a way of implementing security policy at the network level. The level of security ...
... security policy at the network level. The level of security that a firewall provides can vary as much as the level of security ...
... security that a firewall provides can vary as much as the level of security on a particular machine. There are the traditional trade-offs between security, ease of use, ...
... can vary as much as the level of security on a particular machine. There are the traditional trade-offs between security, ease of use, cost, complexity, etc. ...
... For better security, the filters usually restrict access between the two connected nets to just one host ...
... host, rather than a few hundred hosts, can get attacked, it is easier to maintain a certain level of security because only this host has to be protected very carefully. To make resources available to ...
... There are significant security benefits which can be derived from using proxy servers. It is possible to add access control lists ...
... external router to block off any attempts to use the underlying IP layer to break security (IP spoofing, source routing ...
... fragments), while allowing the proxy server to handle potential security holes in the higher layer protocols. The internal router's ...
... proxy server. If this setup is rigidly implemented, a high level of security can be achieved. ...
... Most firewalls provide logging which can be tuned to make security administration of the network more convenient. Logging may be centralized and the system may be configured to send out alerts ...
... amount of skill and knowledge of TCP/IP. It should not be trivially attempted because a perceived sense of security is worse in the long run than knowing that there is no security. As with all security measures ...
... attempted because a perceived sense of security is worse in the long run than knowing that there is no security. As with all security measures, it is important to decide on the threat, the value of the assets to be protected, and the costs to implement security ...
... security is worse in the long run than knowing that there is no security. As with all security measures, it is important to decide on the threat, the value of the assets to be protected, and the costs to implement security. ...
... security. As with all security measures, it is important to decide on the threat, the value of the assets to be protected, and the costs to implement security. ...
... A final note about firewalls. They can be a great aid when implementing security for a site and they protect against a large variety of attacks. But it is important to keep in mind that they ...


... Security Services and Procedures ...
... This chapter guides the reader through a number of topics that should be addressed when securing a site. Each section touches on a security service or capability that may be required to protect the information and systems at a site. The topics are presented at a fairly high-level ...
... As mentioned above, given today's networked environments, it is recommended that sites concerned about the security and integrity of their systems and networks ...
... Kerberos is a distributed network security system which provides for authentication across unsecured networks ...
... passwords is still a subject of controversy among the security community. It is generally accepted that a password should not be maintained once ...
... areas mesh well with access restrictions; otherwise they will find ways to circumvent your physical security (e.g., jamming doors open). ...
... you will provide it so that you can ensure the necessary physical access security. ...
... IPv6) are evolving rapidly; consider using them on links where security is important. ...
... access anything on your network. Normal password security considerations are particularly important (see section 4.1.1). ...
... modem as the incoming one. Overall, although call-back can improve modem security, you should not depend on it alone. ...
... For high-security applications, consider using a "blind" password (i.e., give no response to an incoming call ...
... This section covers the procedures for collecting data generated by network activity, which may be useful in analyzing the security of a network and responding to security ...
... security of a network and responding to security incidents. ...
... Audit data should include any attempt to achieve a different security level by any person, process, or other entity in the network ...
... passwords. This creates an enormous potential security breach if the audit records should be improperly accessed. Do not gather incorrect passwords either, as ...
... audit data on a write-once device is slightly more effort to configure than a simple file, but it has the significant advantage of greatly increased security because an intruder could not alter the data showing that an intrusion has occurred. The disadvantage of this method ...
... audit data may contain personal information. Searching through the data, even for a routine check of the system's security, could represent an invasion of privacy. ...
... computer system. Within the context of this document, backups are addressed as part of the overall security plan of a site. There are several aspects to backups that are important within this context: ...
... Make sure your site is using offsite storage for backups. The storage site should be carefully selected for both its security and its availability. ...
... Don't always assume that your backups are good. There have been many instances of computer security incidents that have gone on for long periods of time before a site has noticed the incident. In such cases, backups of the affected systems are also tainted. ...


... Security Incident Handling ...
... This chapter of the document will supply guidance to be used before, during, and after a computer security incident occurs on a host, network ...
... network, site, or multi-site environment. The operative philosophy in the event of a breach of computer security is to react according to a plan. This is true whether the breach is the result of an external intruder attack ...
... Traditional computer security, while quite important in the overall site security plan, usually pays little attention to how to actually ...
... Traditional computer security, while quite important in the overall site security plan, usually pays little attention to how to actually handle an attack once one occurs. The result is that when an attack ...
... Another benefit is related to public relations. News about computer security incidents tends to be damaging to an organization's stature among current or potential clients. Efficient incident handling ...
... The sections in this chapter provide an outline and starting point for creating your site's policy for handling security incidents. The sections are: ...
... Computer security incidents handling teams ...
... might even consider hiring a tiger team to act in parallel with the dry run. (Note: a tiger team is a team of specialists that try to penetrate the security of a system.) ...
... An important implication for defining priorities is that once human life and national security considerations have been addressed, it is generally more important to save data than system software and hardware ...
... Any plan for responding to security incidents should be guided by local policies and regulations. Government and private sites that deal with classified material have specific rules that they must ...
... addresses and fax numbers) be included in the site security policy. The names and contact information of all individuals who will be directly involved in the handling of an incident should be placed at the top of this list. ...
... FBI and Secret Service in the U.S.) as soon as possible. Local law enforcement, local security offices, and campus police departments should also be informed as appropriate. This section describes many of the issues that will be confronted, but it is acknowledged that ...
... Unfortunately, there are no clear precedents yet on the liabilities or responsibilities of organizations involved in a security incident or who might be involved in supporting an investigative effort. Investigators will often encourage organizations to help trace ...
... Computer Security Incident Handling Teams ...
... There are currently a number of Computer Security Incident Response teams (CSIRTs) such as the CERT Coordination Center, the ...
... team is available, notifying it should be of primary consideration during the early stages of an incident. These teams are responsible for coordinating computer security incidents over a range of sites and larger entities. Even if the incident is believed to be ...
... hardware or software, the vendor (or supplier) and a Computer Security Incident Handling team should be notified as soon as possible. This is especially important because many other systems are vulnerable, and these vendor ...
... desirable to create a subgroup, much like those teams that already exist, that will be responsible for handling computer security incidents for the site (or organization). If such a team is created, ...
... The legal and liability issues arising from a security incident will differ from site to site. It is important to define a policy for the sharing and logging of information about other sites before an ...
... remaining information should be included. A clear statement of how this information is to be used is essential. No one who informs a site of a security incident wants to read about it in the public press. Incident response teams are valuable in this respect. When they pass information to responsible POCs, they are able to protect ...
... All the problems discussed above should not be taken as reasons not to involve other sites. In fact, the experiences of existing teams reveal that most sites informed about security problems are not even aware that their site had been compromised. Without timely information, other sites are often unable to take action against ...
... There has been a tremendous growth in the amount of media coverage dedicated to computer security incidents in the United States. Such press coverage is bound to extend to other countries as the Internet ...
... By no means is this list comprehensive; we have just listed a number of common indicators. It is best to collaborate with other technical and computer security personnel to make a decision as a group about whether an incident is occurring. ...
... Certain steps are necessary to take during the handling of an incident. In all security related activities, the most important point to be made is that all sites should have policies in place. Without defined policies and goals, activities undertaken will remain ...
... Due to this fact, misunderstandings and delay may arise, especially if it is a multi-national incident. Other international concerns include differing legal implications of a security incident and cultural differences. However, cultural differences do not only exist between countries. They even exist within countries, between ...
... As discussed in section 5.4.2, a security log can be most valuable during this phase of removing vulnerabilities ...
... steps taken can be used in the future to make sure the problem does not resurface. Ideally, one should automate and regularly apply the same test as was used to detect the security incident. ...
... vulnerability is isolated as having been exploited, the next step is to find a mechanism to protect your system. The security mailing lists and bulletins would be a good place to search ...
... files, reconfigure affected systems, and so forth. This estimate may become the basis for subsequent prosecution activity. The report can also help justify an organization's computer security effort to management. ...
... The lessons learned as a result of the incident should be included in a revised security plan to prevent the incident from re-occurring. ...
... The whole purpose of this post mortem process is to improve all security measures to protect the site against future attacks. As a result of an incident, a site or organization should gain practical ...
... aftermath may be end user and administrator education to prevent a reoccurrence of the security problem. ...
... session) which is not expressly permitted. This may be very tempting; after a breach of security is detected, a system administrator may have the means to "follow it up," to ascertain what damage is being done to the remote ...
... During a security incident there are two choices one can make. First, a site can choose to watch the intruder in the hopes of catching him; or, the site can go about cleaning up after the ...
... When a security incident involves a user, the site's security policy should describe what action is to be taken. The transgression should ...
... When a security incident involves a user, the site's security policy should describe what action is to be taken. The transgression should be taken seriously, but it is very important to be sure of the role ...
... role the user played. Was the user naive? Could there be a mistake in attributing the security breach to the user? Applying administrative action that assumes the user intentionally caused the incident may not be appropriate for a user who simply made a mistake. It may be ...


... At this point in time, your site has hopefully developed a complete security policy and has developed procedures to assist in the configuration and management of your technology in support of those ...
... management of your technology in support of those policies. How nice it would be if you could sit back and relax at this point and know that you were finished with the job of security. Unfortunately, that isn't possible. Your systems and networks are ...
... Subscribe to advisories that are issued by various security incident response teams, like those of the CERT Coordination Center, and ...
... Monitor security patches that are produced by the vendors of your equipment, and obtain and install all that apply. ...
... Review all security policies and procedures annually (at a minimum). ...


... This chapter provides a brief list of publicly available security technology which can be downloaded from the Internet. Many of the ...
... but may be used by applications, or by administrators to troubleshoot security problems or to guard against intruders. ...
... A sad fact is that there are very few security conscious applications currently available. Primarily, this is caused by the need for a security ...
... security conscious applications currently available. Primarily, this is caused by the need for a security infrastructure which must first be put into place for most applications to operate securely. There is considerable effort currently taking place to build this infrastructure so that ...
... Computer Operations, Audit, and Security Tools (COAST): ftp://coast.cs.purdue.edu:/pub/tools ...
... checksums, etc.) to validate that software. A clever cracker might advertise security software that has intentionally been designed to provide access to data or systems. ...
... DES Drawbridge identd (not really a security tool) ISS ...


... It would be impossible to list all of the mail-lists and other resources dealing with site security. However, these are some "jump-points" from which the reader can begin. All of these references are for the "INTERNET ...
... A CERT advisory provides information on how to obtain a patch or details of a workaround for a known computer security problem. The CERT Coordination Center works with vendors ...
... comp.security.announce ...
... The comp.security.announce newsgroup is moderated and is used solely for the distribution of CERT ...
... comp.security.misc ...
... The comp.security.misc is a forum for the discussion of computer security ...
... security.misc is a forum for the discussion of computer security, especially as it relates to the UNIX(r) Operating System ...
... alt.security ...
... The alt.security newsgroup is also a forum for the discussion ...
... newsgroup is also a forum for the discussion of computer security, as well as other issues such as car locks and alarm systems. ...
... Computer Security Resource Clearinghouse. The main focus is on crisis response information; information on computer security ...
... Security Resource Clearinghouse. The main focus is on crisis response information; information on computer security-related threats, vulnerabilities, and solutions. At the same time, the Clearinghouse strives to be a general index to ...
... vulnerabilities, and solutions. At the same time, the Clearinghouse strives to be a general index to computer security information on a broad variety of subjects, including general risks, privacy ...
... http://www.telstra.com.au/info/security.html ...
... links to information sources on Network and Computer Security. There is no implied fitness to the Tools, Techniques and Documents contained within this ...
... archive. Many if not all of these items work well, but we do not guarantee that this will be so. This information is for the education and legitimate use of computer security techniques only. ...
... http://www.alw.nih.gov/Security/security.html ...
... This page features general information about computer security. Information is organized by source and each section is organized by topic. Recent modifications are noted in What's New page. ...
... archive at the National Institute of Standards and Technology's Computer Security Resource Clearinghouse page contains a number of announcements, programs, and documents related to computer security. ...


... S. Bellovin, "Security Problems in the TCP/IP Protocol Suite", Computer Communication Review, Vol 19, 2, pp. 32-48, April 1989. ...
... S. Bellovin, "There Be Dragon", USENIX: Proceedings of the Third Usenix Security Symposium, Baltimore, MD. September, 1992. ...
... R. Brand, "Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery", R. Brand, 8 June 1990. ...
... British Standard, BS Tech Cttee BSFD/12, Info. Sec. Mgmt, "BS 7799 : 1995 Code of Practice for Information Security Management", British Standards Institution, London, 54, Effective 15 February 1995. ...
... W. Caelli, Editor, "Computer Security in the Age of Information", Proceedings of the Fifth IFIP International Conference on Computer Security, IFIP/Sec '88. ...
... J. Carroll, "Computer Security", 2nd Edition, Butterworth Publishers, Stoneham, MA, 1987. ...
... B. Chapman, "Network (In)Security Through IP Packet Filtering", USENIX: Proceedings of the Third UNIX ...
... IP Packet Filtering", USENIX: Proceedings of the Third UNIX Security Symposium, Baltimore, MD, September 1992. ...
... W. Cheswick and S. Bellovin, "Firewalls and Internet Security: Repelling the Wily Hacker", Addison-Wesley, Reading, MA, 1994. ...
... J. Cooper, "Computer and Communications Security: Strategies for the 1990s", McGraw-Hill, 1989. ...
... D. Curry, "Improving the Security of Your UNIX System", SRI International Report ITSTD-721-FR-90-21, April 1990. ...
... D. Curry, "UNIX System Security: A Guide for Users and Systems Administrators", Addison-Wesley, Reading, MA, 1992. ...
... DCA DDN Defense Communications System, "DDN Security Bulletin 03", DDN Security Coordination Center, 17 October 1989. ...
... D. Farmer and E. Spafford, "The COPS Security Checker System", Proceedings of the Summer 1990 USENIX Conference, Anaheim, CA, Pgs. 165-170, June 1990. ...
... Rik Farrow, "UNIX Systems Security", Addison-Wesley, Reading, MA, 1991. ...
... M. Fites, P. Kratz, and A. Brebner, "Control and Security of Computer Information Systems", Computer Science Press, 1989. ...
... U.S. General Accounting Office, "Computer Security - Virus Highlights Need for Improved Internet Management ...
... S. Garfinkel, and E. Spafford, "Practical Unix Security", O'Reilly & Associates, ISBN 0-937175-72-2, May 1991. ...
... S. Garfinkel and E. Spafford, "Practical UNIX and Internet Security", O'Reilly & Associates, Sebastopol, CA, 1996. ...
... M. Greenia, "Computer Security Information Sourcebook", Lexikon Services, Sacramento, CA, 1989. ...
... D. Hess, D. Safford, and U. Pooch, "A Unix Network Protocol Security Study: Network Information Service", Texas A&M University. ...
... G. Howard, "Introduction to Internet Security: From Basics to Beyond", Prima Publishing, Rocklin, CA, 1995. ...
... L. Hughes Jr., "Actually Useful Internet Security Techniques", New Riders Publishing, Indianapolis, IN, 1995. ...
... P. Kane, "PC Security and Virus Protection Handbook: The Ongoing War Against Information Sabotage", M&T Books, 1994. ...
... C. Kaufman, R. Perlman, and M. Speciner, "Network Security: PRIVATE Communication in a PUBLIC World", Prentice Hall, Englewood Cliffs, NJ, 1995. ...
... W. Lu and M. Sundareshan, "A Model for Multilevel Security in Computer Networks", IEEE Transactions ...
... NCSA, "Firewalls & Internet Security Conference '96 Proceedings", 1996. ...
... National Computer Security Center, "Guidelines for Formal Verification Systems", Shipping list no.: 89-660-P, The Center, Fort George G. Meade, MD, 1 April 1990. ...
... National Computer Security Center, "Glossary of Computer Security Terms", Shipping list no.: 89-254-P, The Center, Fort George G. Meade, MD, 21 October 1988. ...
... Tinto, M., "Computer Viruses: Prevention, Detection, and Treatment", National Computer Security Center C1 Technical Report C1-001-89, June 1989. ...
... National Computer Security Conference, "12th National Computer Security Conference: Baltimore Convention Center, Baltimore, MD, 10-13 October, 1989: Information Systems Security, Solutions for Today - Concepts for Tomorrow", National Institute of Standards and National Computer Security ...
... National Computer Security Center, "Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments", CSC-STD-003-85, NCSC, 25 June 1985. ...
... National Computer Security Center, "Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements", CSC-STD-004-85, NCSC, 25 June 1985. ...
... National Computer Security Center, "Magnetic Remanence Security Guideline", CSC-STD-005-85, NCSC, 15 November 1985. ...
... National Computer Security Center, "Trusted Computer System Evaluation Criteria", DoD 5200.28-STD, CSC-STD-001-83, NCSC, December 1985. ...
... National Computer Security Center, "Glossary of Computer Security Terms", NCSC-TG-004, NCSC, 21 October 1988. ...
... National Computer Security Center, "Trusted Network Interpretation", NCSC-TG-005, NCSC, 31 July 1987. ...
... National Computer Security Center, "Trusted UNIX Working Group (TRUSIX) rationale for selecting access control list ...
... National Security Agency, "Information Systems Security Products and Services Catalog", NSA, Quarterly Publication. ...
... NTISS, "Advisory Memorandum on Office Automation Security Guideline", NTISSAM COMPUSEC/1-87, 16 January 1987, 58 pages. ...
... Congress of the United States, Office of Technology Assessment, "Information Security and Privacy in Network Environments", OTA-TCT-606, September 1994. ...
... I. Palmer, and G. Potter, "Computer Security Risk Management", Van Nostrand Reinhold, NY, 1989. ...
... C. Pfleeger, "Security in Computing", Prentice-Hall, Englewood Cliffs, NJ, 1989. ...
... Internet Firewall", Proceedings of World Conference on Systems Management and Security, 1992. ...
... R. Reinhardt, "An Architectural Overview of UNIX Network Security", ARINC Research Corporation, February 18, 1993. ...
... D. Russell and G. Gangemi, "Computer Security Basics", O'Reilly & Associates, Sebastopol, CA, 1991. ...
... R. Shirey, "Defense Data Network Security Architecture", Computer Communication Review, Vol. 20, No. 2, Page 66, 1 April 1990. ...
... M. Smith, "Commonsense Computer Security: Your Practical Guide to Preventing Accidental and Deliberate Electronic Data Loss", McGraw-Hill, New York, NY, 1989. ...
... D. Smith, "Forming an Incident Response Team", Sixth Annual Computer Security Incident Handling Workshop, Boston, MA, July 25-29, 1995. ...
... W. Stallings, "Internet Security Handbook", IDG Books, Foster City CA, 1995. ...
... W. Stallings, "Network and InterNetwork Security", Prentice Hall, 1995. ...
... USENIX, "USENIX Proceedings: UNIX Security Workshop", Portland, OR, August 29-30, 1988. ...
... USENIX, "USENIX Proceedings: UNIX Security II Workshop", Portland, OR, August 27-28, 1990. ...
... USENIX, "USENIX Symposium Proceedings: UNIX Security III", Baltimore, MD, September 14-16, 1992. ...
... USENIX, "USENIX Symposium Proceedings: UNIX Security IV", Santa Clara, CA, October 4-6, 1993. ...
... USENIX, "The Fifth USENIX UNIX Security Symposium", Salt Lake City, UT, June 5-7, 1995. ...
... C. Wood, W. Banks, S. Guarro, A. Garcia, V. Hampel, and H. Sartorio, "Computer Security: A Comprehensive Controls Checklist", John Wiley and Sons, Interscience Publication, 1987. ...
... S. Vallabhaneni, "Auditing Computer Security: A Manual with Case Studies", Wiley, New York, NY, 1989. ...


... Security Considerations ...
... This entire document discusses security issues. ...


