RFC 1244 Site Security Handbook July 1991
R. Brand, 8 June 1990.
As computer security becomes a more important issue in
modern society, it begins to warrant a systematic approach.
The vast majority of the computer security problems and the
costs associated with them can be prevented with simple
inexpensive measures. The most important and cost-effective
of these measures are available in the prevention
and planning phases. These methods are presented in this
paper, followed by a simplified guide to incident
handling and recovery. Available on-line from:
cert.sei.cmu.edu:/pub/info/primer.
[CHESWICK]
Cheswick, B., "The Design of a Secure Internet Gateway",
Proceedings of the Summer Usenix Conference, Anaheim, CA,
June 1990.
Brief abstract (slight paraphrase from the original
abstract): AT&T maintains a large internal Internet that
needs to be protected from outside attacks, while
providing useful services between the two.
This paper describes AT&T's Internet gateway. This
gateway passes mail and many of the common Internet
services between AT&T internal machines and the Internet.
This is accomplished without IP connectivity using a pair
of machines: a trusted internal machine and an untrusted
external gateway. These are connected by a private link.
The internal machine provides a few carefully-guarded
services to the external gateway. This configuration
helps protect the internal internet even if the external
machine is fully compromised.
This is a very useful and interesting design. Most
firewall gateway systems rely on a system that, if
compromised, could allow access to the machines behind
the firewall. Also, most firewall systems require users
who want access to Internet services to have accounts on
the firewall machine. AT&T's design allows AT&T internal
internet users access to the standard services of TELNET and
FTP from their own workstations without accounts on
the firewall machine. This very useful paper shows
how to maintain some of the benefits of Internet
connectivity while still maintaining strong
security.
Site Security Policy Handbook Working Group [Page 86]