service
... or other devices that have access to the Internet. A site may be an
end user of Internet services or a service provider such as a mid-
level network ...
... Internet. A site may be an
end user of Internet services or a service provider such as a mid-
level network. However, most of the focus of this guide is on those
...
... level network. However, most of the focus of this guide is on those
end users of Internet services. We assume that the site has the
ability to set policies and procedures for itself with the
concurrence and support from those who actually own the resources. It
...
... common set of technical protocols which make it possible for users of
any one of the networks to communicate with, or use the services
located on, any of the other networks (FYI4, RFC 1594(-> 2664fyi4) ...
... Denial of service ...
... services offered versus security provided -
Each service offered to users carries its own security risks.
For some services ...
... service offered to users carries its own security risks.
For some services the risk outweighs the benefit of the service
and the administrator ...
... security risks.
For some services the risk outweighs the benefit of the service
and the administrator may choose to eliminate the service ...
... service
and the administrator may choose to eliminate the service rather
than try to secure it.
...
... reading of information by unauthorized individuals), loss of
data (i.e., the corruption or erasure of information), and the
loss of service (e.g., the filling of data storage space, usage
of computational resources, and denial of network access). Each
...
...
A security plan should define: the list of network services that will
be provided; which areas of the organization will provide the
services ...
... network services that will
be provided; which areas of the organization will provide the
services; who will have access to those services; how access will be
provided; who will administer those services ...
... be provided; which areas of the organization will provide the
services; who will have access to those services; how access will be
provided; who will administer those services; etc.
...
... Separation of Services ...
...
There are many services which a site may wish to provide for its
users, some of which may be external. There are a variety of
security ...
... users, some of which may be external. There are a variety of
security reasons to attempt to isolate services onto dedicated host
computers. There are also performance ...
...
The services which a site may provide will, in most cases, have
different levels of access needs and models of trust. Services ...
... services which a site may provide will, in most cases, have
different levels of access needs and models of trust. Services which
are essential to the security or smooth operation of a site would be
...
... better off being placed on a dedicated machine with very limited
access (see Section 3.1.3 "deny all" model), rather than on a machine
that provides a service (or services) which has traditionally been
less secure, or requires greater accessibility by users who may
...
... access (see Section 3.1.3 "deny all" model), rather than on a machine
that provides a service (or services) which has traditionally been
less secure, or requires greater accessibility by users who may
accidentally suborn security ...
...
Some of the services which should be examined for potential
separation are outlined in section 3.2.3. It is important to remember
that security ...
... electronic mail, but
they used the vulnerability in that service to gain access to other
systems.
...
...
... If possible, each service should be running on a different machine
whose only duty is to provide a specific service. This helps to
isolate intruders and limit potential harm.
...
...
... The first option is to turn off all services and then selectively
enable services on a case by case basis as they are needed. This can
be done at the host or network ...
... generally more secure than the other model described in the next
paragraph. More work is required to successfully implement a "deny
all" configuration as well as a better understanding of services.
Allowing only known services provides for a better analysis of a
...
... all" configuration as well as a better understanding of services.
Allowing only known services provides for a better analysis of a
particular service/protocol and the design of a security mechanism ...
... Allowing only known services provides for a better analysis of a
particular service/protocol and the design of a security mechanism
suited to the security ...
... The other model, which will hereafter be referred to as the "allow
all" model, is much easier to implement, but is generally less secure
than the "deny all" model. Simply turn on all services, usually the
default at the host level, and allow all protocols to travel across
...
... Identify Real Needs for Services ...
...
There is a large variety of services which may be provided, both
internally and on the Internet at large. Managing security ...
... Internet at large. Managing security is, in
many ways, managing access to services internal to the site and
managing how internal users access information at remote sites.
...
...
Services tend to rush like waves over the Internet. Over the years
many sites have established anonymous FTP ...
... gopher servers,
wais servers, WWW servers, etc. as they became popular, but not
particularly needed, at all sites. Evaluate all new services that
are established with a skeptical attitude to determine if they are
actually needed or just the current fad sweeping the Internet ...
... Bear in mind that security complexity can grow exponentially with the
number of services provided. Filtering routers need to be modified
...
... filter safely (e.g., RPC and UDP services), thus
providing more openings to the internal network. Services ...
... services), thus
providing more openings to the internal network. Services provided
on the same machine can interact in catastrophic ways. For example,
allowing anonymous FTP ...
... host, that host may offer degraded
service. This only affects users who require that host and, unless
that host ...
... There are several problems to which networks are vulnerable. The
classic problem is a "denial of service" attack. In this case, the
network ...
... routing updates are sent to one or more routers causing them to
misroute packets. This differs from a denial of service attack only
in the purpose behind the spurious route. In denial of service ...
... denial of service attack only
in the purpose behind the spurious route. In denial of service, the
object is to make the router unusable; a state ...
... Protecting the Services ...
...
There are many types of services and each has its own security
requirements. These requirements will vary based on the intended use
...
... security
requirements. These requirements will vary based on the intended use
of the service. For example, a service which should only be usable
within a site (e.g., NFS ...
... requirements will vary based on the intended use
of the service. For example, a service which should only be usable
within a site (e.g., NFS) may require different protection mechanisms
...
... within a site (e.g., NFS) may require different protection mechanisms
than a service provided for external use. It may be sufficient to
protect the internal server from external access. However, a WWW
server, which provides a home page intended for viewing by users
...
... anywhere on the Internet, requires built-in protection. That is, the
service/protocol/server must provide whatever security may be
required to prevent unauthorized access ...
...
Internal services (i.e., services meant to be used only by users
within a site) and external services (i.e., services ...
... services (i.e., services meant to be used only by users
within a site) and external services (i.e., services deliberately
made available to users outside a site) will, in general, have
...
... services meant to be used only by users
within a site) and external services (i.e., services deliberately
made available to users outside a site) will, in general, have
protection requirements ...
... protection requirements which differ as previously described. It is
therefore wise to isolate the internal services to one set of server
host computers and the external services ...
... services to one set of server
host computers and the external services to another set of server
host computers. That is, internal and external servers should not be
...
... intranets should be aware that they
will need to consider three separations and take appropriate actions
when designing and offering services. A service offered to an
intranet ...
... will need to consider three separations and take appropriate actions
when designing and offering services. A service offered to an
intranet would be neither public, nor as completely private as a
...
... intranet would be neither public, nor as completely private as a
service to a single organizational subunit. Therefore, the service
would need its own supporting system, separated from both external
and internal services ...
... service
would need its own supporting system, separated from both external
and internal services and networks.
...
...
One form of external service deserves some special consideration, and
that is anonymous, or guest, access. This may be either anonymous
FTP ...
... Now we shall consider some of the most popular services: name
service, password/key service, authentication ...
... file transfer, and NFS. Since these are the
most frequently used services, they are the most obvious points of
attack. Also, a successful attack ...
... attack. Also, a successful attack on one of these services can
produce disaster all out of proportion to the innocence of the basic
service.
...
... address
resolution for host and network names. The Network Information
Service (NIS) and NIS+ are not used on the global Internet ...
... to act as secondary name servers and protect their DNS masters from
denial of service attacks using filtering routers.
...
... servers are not accessible by hosts which do not plan to use them for
the service, and even those hosts should only be able to access the
service ...
... service, and even those hosts should only be able to access the
service (i.e., general services, such as Telnet and FTP ...
... hosts should only be able to access the
service (i.e., general services, such as Telnet and FTP, should not
...
... proxy server provides a number of security enhancements. It allows
sites to concentrate services through a specific host to allow
monitoring, hiding of internal structure, etc. This funnelling of
...
... host to allow
monitoring, hiding of internal structure, etc. This funnelling of
services creates an attractive target for a potential intruder. The
...
... proxy server depends greatly on the
proxy protocol in use and the services being proxied. The general
rule of limiting access only to those hosts which need the services ...
... services being proxied. The general
rule of limiting access only to those hosts which need the services,
and limiting access by those hosts to only those services ...
... services,
and limiting access by those hosts to only those services, is a good
starting point.
...
... break-ins because email protocols are among the oldest and most
widely deployed services. Also, by its very nature, an email server
requires access to the outside world; most email ...
... privileges to deliver the mail.
Most email implementations perform both portions of the service,
which means the receiving agent also has system privileges ...
...
The Web is growing in popularity exponentially because of its ease of
use and the powerful ability to concentrate information services.
Most WWW servers accept some type of direction and action from the
persons accessing their services ...
... services.
Most WWW servers accept some type of direction and action from the
persons accessing their services. The most common example is taking
a request from a remote user and passing the provided information to
a program running on the server to process the request. Some of
...
...
... Many sites may want to co-locate FTP service with their WWW service.
But this should only occur for anon-ftp servers that only provide
information (ftp-get). Anon-ftp puts, in combination with WWW, might
...
... information your site is publishing to the web) and in themselves
make the security considerations for each service different.
...
... delete files at will, anywhere on a host, so it is very
important to configure this service correctly. Access to encrypted
passwords ...
... are just a few of the potential security holes that can occur when
the service is configured incorrectly. FTP servers should reside on
their own host ...
... However, the practice isn't recommended, especially when the FTP
service allows the deposit of files (see section on WWW above). As
mentioned in the opening paragraphs of section 3.2.3, services ...
... service allows the deposit of files (see section on WWW above). As
mentioned in the opening paragraphs of section 3.2.3, services
offered internally to your site should not be co-located with
...
... offered internally to your site should not be co-located with
services offered externally. Each should have its own host.
...
... FTP, and has no
security whatsoever. This service should only be considered for
internal use, and then it should be configured in a restricted way so
that the server only has access to a set of predetermined files
...
... NFS server be accessible only by
those hosts which are using it for service. This is achieved by
specifying which hosts the file system ...
... network since this
will require that the NFS service be accessible externally. Ideally,
external access to NFS service ...
... service be accessible externally. Ideally,
external access to NFS service should be stopped by a firewall.
...
... other servers. Further, all access to the node, including access to
the service itself, should be logged to provide a "paper trail" in
the event of a security breach.
...
... state of a packet. Building a good filter can be very difficult and
requires a good understanding of the type of services (protocols)
that will be filtered.
...
... has to be protected very carefully. To make resources available to
legitimate users across this firewall, services have to be forwarded
by the bastion host. Some servers have forwarding built in (like
...
...
A proxy server is a way to concentrate application services through a
single machine. There is typically a single machine (the bastion
host ...
... HTTP, etc.) but there can be individual host computers for
each service. Instead of connecting directly to an external server,
the client connects to the proxy server ...
... Security Services and Procedures ...
... This chapter guides the reader through a number of topics that should
be addressed when securing a site. Each section touches on a
security service or capability that may be required to protect the
information and systems at a site. The topics are presented at a
fairly high-level ...
... KDC) which is known as the Kerberos server. A user or
service (known as "principals") are granted electronic "tickets"
after properly communicating with the KDC ...
...
Consider whether you need to provide this service, bearing in mind
that it allows any user to attach an unauthorized host to your
...
... must appreciate the risks involved. If you decide to provide walk-up
connections, plan the service carefully and define precisely where
you will provide it so that you can ensure the necessary physical
...
... network. As an alternative, it may be
possible to control physical access. For example, if the service is
to be used by students, you might only provide walk-up connection
...
...
Be sure modems can't be reprogrammed while they're in service. At a
minimum, make sure that three plus signs won't put your dial-in
...
... being accessed. Depending on the importance of the data and the need
to have it local in instances in which services are being denied,
data could be kept local to the resource until needed or be
transmitted to storage after each event.
...
... Recovery (how to reestablish service and systems) ...
... Protecting resources which could be utilized more
profitably if an incident did not require their services ...
... Due to the nature of the incident, there might be a conflict between
analyzing the original source of a problem and restoring systems and
services. Overall goals (like assuring the integrity of critical
...
... than to risk damage to data or systems. Sites will have
to evaluate the trade-offs between shutting down and
disconnecting, and staying up. There may be service
agreements in place that may require keeping systems
...
... up even in light of further damage occurring. However,
the damage and scope of an incident may be so extensive
that service agreements may have to be over-ridden.
...
... POC) should be defined. These may be technical or administrative in
nature and may include legal or investigative agencies as well as
service providers and vendors. When establishing these contacts, it
is important to decide how much information will be shared with each
...
... In the event of an incident that has legal consequences, it is
important to establish contact with investigative agencies (e.g., the
FBI and Secret Service in the U.S.) as soon as possible. Local law
enforcement, local security offices, and campus police departments
...
... instructed to respond with a prepared statement like, "I'm sorry our
systems are unavailable, they are being maintained for better service
in the future."
...
... Denial of service (a system manager and all other users
become locked out of a UNIX system, now in single user mode). ...
... Once the cause of an incident has been eradicated, the recovery phase
defines the next stage of action. The goal of recovery is to return
the system to normal. In general, bringing up services in the order
of demand to allow a minimum of user inconvenience is the best
practice. Understand that the proper recovery procedures for the
...
... M. Greenia, "Computer Security Information Sourcebook", Lexikon Services, Sacramento, CA, 1989. ...
... D. Hess, D. Safford, and U. Pooch, "A Unix Network Protocol Security Study: Network Information Service", Texas A&M University. ...
... National Security Agency, "Information Systems Security Products and Services Catalog", NSA, Quarterly Publication. ...
