Implementing Internet Security

Frederic J. Cooper, Chris Goggans, John K. Halvey, Larry Hughes, Lisa Morgan, Karanjit Siyan, William Stallings, Peter Stephenson

New Riders Publishing, Indianapolis, Indiana

TABLE OF CONTENTS

1 Definition of Security
  The Times, and Security Requirements, Change
  What Is Security, Anyway?
  Implementing Security
  Layering Security
  Some Approaches

2 Applicable Standards and Principles
  Department of Defense C2 Principles
  Security Policy
  Accountability
  Assurance
  Design Documentation
  Putting C2 in Context with Your Requirements
  Using the Red Book to Interpret C2 for Networks
  Security Policy
  Accountability
  Assurance
  Documentation
  The Generally Accepted System Security Principles (GSSP)
  The Role of Standards

3 Authentication and Authorization
  Access Control
  The Authentication Dilemma
  Monitoring and Control
  Access Control Subsystems and Secure Single Sign-On

4 Local Workstation and Networking Holes
  Prevention
  Protect the root Account
  Secure Terminals
  User Account and Password Management
  Limit Account Lifetime
  Choose Secure Passwords
  Crack Your Own Passwords
  Implement Shadow Passwords
  Implement Password Aging
  Server Filters
  TCP Wrapper
  xinetd
  Network Applications and Services
  Trusted Hosts
  sendmail
  finger
  Tape Backup and Restore
  File Transfer Protocol (FTP)
  tftpd
  The X Window System
  NFS
  Detection
  Observe System Files
  Monitor User Login Habits
  Detection Tools
  Cure
  Change the Account Shell
  Disable Local FTP Access
  Change the Account Password
  Expire the Account
  Disable or Restrict Trusted Host Access
  Change File Ownerships and Protections
  Remove Files Owned by the Account

5 Firewalls
  Firewall Components
  Screening Routers
  Identifying Zones of Risk
  Screening Routers and Firewalls in Relation to the OSI Model
  Packet Filtering
  Packet Filtering and Network Policy
  A Simple Model for Packet Filtering
  Packet Filter Operations
  Designing a Packet Filter
  Packet Filter Rules and Full Associations
  Dual-Homed Host
  Compromising the Security of a Dual-Homed Firewall
  Services on a Dual-Homed Firewall
  Bastion Host
  Simplest Deployment of a Bastion Host
  Screened Host Gateway
  Application Level Gateways

6 Secure Transactions: PGP and Kerberos
  Pretty Good Privacy
  Public Keys
  Private Keys
  Digital Signatures
  Compression
  Message Encryption
  Radix-64 Conversion
  The Order of Operations in PGP
  Public Key Management
  PGP Versions
  Where To Get PGP
  Kerberos
  The Kerberos Protocol
  Kerberos Realms and Multiple Kerberi
  Version 4 and Version 5
  Performance Issues
  Kerberos Now

7 Audit Trails
  Audit Trails under Unix
  Common Unix Logs
  Process Accounting
  Useful Utilities in Auditing
  Other Reporting Tools Available Online
  Audit Trails under Windows NT
  Using the Event Viewer
  Logging the ftp Server Service
  Logging httpd Transactions
  Logging by Other TCP/IP Applications under NT
  Audit Trails under DOS
  PC/DACS
  Watchdog
  LOCK
  Using System Logs to Discover Intruders
  Common Break-In Indications
  Potential Problems

8 Legal Considerations
  Electronic Rights: Copyrights Online
  An Overview of Copyright Law
  The National Infrastructure Task Force Proposed Changes to the Copyright Act
  Copyrights on the Internet
  Freedom of Expression
  The First Amendment and Its Protection
  Defamation
  Privacy
  Federal and State Law
  The Electronic Communications Privacy Act
  The Computer Fraud and Abuse Act
  State Computer Crime Law
  Trademark Law and the Internet

9 Internet Commerce
  Internet Commerce Isn't New
  Credit Cards
  Modern Internet Commerce
  Internet Commerce: What's the Big Deal?
  Management Issues
  Threats from Employees and Criminal Hackers
  VANs and Internet Commerce
  How Real Is Internet Commerce?
  How Does Internet Commerce Relate to Existing Financial Systems?
  How Financial Systems Are Affected by Online Capabilities
  Internet Commerce Companies and Organizations
  CommerceNet
  CyberCash, Inc.
  DigiCash
  First Virtual Holdings, Inc.
  Internet Shopping Network
  Netscape Communications Corporation
  Open Market
  Proprietary Systems
  Digital Cash
  The Importance of Digital Cash Anonymity
  How Digital Cash Is Generated
  The Internet: The First Nation in Cyberspace
  Digital Checks
  Blind Signatures An Added Measure of Privacy
  Digital Signatures
  Sales, Marketing, and IS
  Keeping an Eye on Implementation
  The Role of the Network Manager

10 Improving the Security of Your Site by Breaking Into It
  Overview
  Gaining Information
  Trust
  Protecting the system
  Conclusions
  Appendix A
  Appendix B
  Appendix C
  Appendix D
  Bibliography
  Suggested reading

A RFC Index List

B RFC 1244 - The Site Security Handbook
  Contributing Authors
  1. Introduction
    1.1 Purpose of this work
    1.2 Audience
    1.3 Definitions
    1.4 Related Work
    1.5 Scope
    1.6 Why Do We Need Security Policies and Procedures?
    1.7 Basic Approach
    1.8 Organization of this Document
  2. Establishing Official Site Policy on Computer Security
    2.1 Brief Overview
    2.2 Risk Assessment
    2.3 Policy Issues
    2.4 What Happens When the Policy is Violated
    2.5 Locking In or Out
    2.6 Interpreting the Policy
    2.7 Publicizing the Policy
  3. Establishing Procedures to Prevent Security Problems
    3.1 Security Policy Defines What Needs to be Protected
    3.2 Identifying Possible Problems
    3.3 Choose Controls to Protect Assets in a Cost-Effective Way
    3.4 Use Multiple Strategies to Protect Assets
    3.5 Physical Security
    3.6 Procedures to Recognize Unauthorized Activity
    3.7 Define Actions to Take When Unauthorized Activity is Suspected
    3.8 Communicating Security Policy
    3.9 Resources to Prevent Security Breaches
  4. Types of Security Procedures
    4.1 System Security Audits
    4.2 Account Management Procedures
    4.3 Password Management Procedures
    4.4 Configuration Management Procedures
  5. Incident Handling
    5.1 Overview
    5.2 Evaluation
    5.3 Possible Types of Notification
    5.4 Response
    5.5 Legal/Investigative
    5.6 Documentation Logs
  6. Establishing Post-Incident Procedures
    6.1 Overview
    6.2 Removing Vulnerabilities
    6.3 Capturing Lessons Learned
    6.4 Upgrading Policies and Procedures
  7. References
  8. Annotated Bibliography
    8.1 Computer Law
    8.2 Computer Security
    8.3 Ethics
    8.4 The Internet Worm
    8.5 National Computer Security Center (NCSC)
    8.6 Security Checklists
    8.7 Additional Publications
  9. Acknowledgments
  10. Security Considerations
  11. Authors' Addresses

Index