
RFC2196 - Page 30



RFC 2196              Site Security Handbook              September 1997


   easily maintained (one central list per object) and it's very easy to
   visually check who has access to what. The disadvantages are the
   extra resources required to store such lists, as well as the vast
   number of such lists required for large systems.

4.5  Access

4.5.1  Physical Access

   Restrict physical access to hosts, allowing access only to those
   people who are supposed to use the hosts.  Hosts include "trusted"
   terminals (i.e., terminals which allow unauthenticated use such as
   system consoles, operator terminals and terminals dedicated to
   special tasks), and individual microcomputers and workstations,
   especially those connected to your network.  Make sure people's work
   areas mesh well with access restrictions; otherwise they will find
   ways to circumvent your physical security (e.g., jamming doors open).

   Keep original and backup copies of data and programs safe.  Apart
   from keeping them in good condition for backup purposes, they must be
   protected from theft.  It is important to keep backups in a separate
   location from the originals, not only for damage considerations, but
   also to guard against thefts.

   Portable hosts are a particular risk.  Make sure it won't cause
   problems if one of your staff's portable computers is stolen.
   Consider developing guidelines for the kinds of data that should be
   allowed to reside on the disks of portable computers as well as how
   the data should be protected (e.g., encryption) when it is on a
   portable computer.

   Other areas where physical access should be restricted are the
   wiring closets and important network elements like file servers,
   name server hosts, and routers.

4.5.2  Walk-up Network Connections

   By "walk-up" connections, we mean network connection points located
   to provide a convenient way for users to connect a portable host to
   your network.

   Consider whether you need to provide this service, bearing in mind
   that it allows any user to attach an unauthorized host to your
   network.  This increases the risk of attacks via techniques such as







Fraser, Ed.                Informational                       [Page 30]

