
RFC 2196              Site Security Handbook              September 1997


   IP address spoofing, packet sniffing, etc.  Users and site management
   must appreciate the risks involved.  If you decide to provide walk-up
   connections, plan the service carefully and define precisely where
   you will provide it so that you can ensure the necessary physical
   access security.

   A walk-up host should be authenticated before its user is permitted
   to access resources on your network.  As an alternative, it may be
   possible to control physical access. For example, if the service is
   to be used by students, you might only provide walk-up connection
   sockets in student laboratories.

   If you are providing walk-up access for visitors to connect back to
   their home networks (e.g., to read e-mail) in your facility,
   consider using a separate subnet that has no connectivity to the
   internal network.

   Keep an eye on any area that contains unmonitored access to the
   network, such as vacant offices.  It may be sensible to disconnect
   such areas at the wiring closet.  Consider using secure hubs and
   monitoring attempts to connect unauthorized hosts.
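
   The checks described above, written as an audit over link-up events.
   This is an added example, not part of RFC 2196; the port names, port
   categories, addresses and event format are constructed assumptions.

```python
import ipaddress

# Constructed policy data (assumptions for illustration, not from RFC 2196).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PORTS = {
    "sw1/1": {"area": "student-lab", "kind": "walkup"},   # must authenticate
    "sw1/2": {"area": "lobby", "kind": "visitor"},        # isolated subnet only
    "sw2/7": {"area": "office-214", "kind": "vacant"},    # should be unplugged
    "sw2/8": {"area": "office-215", "kind": "office"},    # registered hosts only
}
REGISTERED_MACS = {"00:00:5e:00:53:10"}

# Constructed link-up events: (port, mac, assigned_ip, authenticated)
EVENTS = [
    ("sw1/1", "00:00:5e:00:53:01", "10.20.0.5", True),
    ("sw1/1", "00:00:5e:00:53:02", "10.20.0.6", False),
    ("sw1/2", "00:00:5e:00:53:03", "192.0.2.40", False),
    ("sw1/2", "00:00:5e:00:53:04", "10.30.0.9", False),
    ("sw2/7", "00:00:5e:00:53:05", "10.40.0.2", False),
    ("sw2/8", "00:00:5e:00:53:10", "10.40.0.3", False),
    ("sw2/8", "00:00:5e:00:53:66", "10.40.0.4", False),
    ("sw9/1", "00:00:5e:00:53:07", "10.40.0.8", False),
]

def is_internal(ip):
    """True if the address falls inside any internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def audit(events):
    """Return (port, mac, reason) for every event that violates the policy."""
    findings = []
    for port, mac, ip, authed in events:
        info = PORTS.get(port)
        if info is None:
            findings.append((port, mac, "port not in inventory"))
        elif info["kind"] == "vacant":
            findings.append((port, mac, "link on port that should be disconnected"))
        elif info["kind"] == "walkup" and not authed:
            findings.append((port, mac, "unauthenticated walk-up host"))
        elif info["kind"] == "visitor" and is_internal(ip):
            findings.append((port, mac, "visitor host on internal subnet"))
        elif info["kind"] == "office" and mac not in REGISTERED_MACS:
            findings.append((port, mac, "unregistered host"))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(*finding, sep="  ")
```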

4.5.3  Other Network Technologies

   Technologies considered here include X.25, ISDN, SMDS, DDS and Frame
   Relay.  All are provided via physical links which go through
   telephone exchanges, providing the potential for them to be diverted.
   Crackers are certainly interested in telephone switches as well as in
   data networks!

   With switched technologies, use Permanent Virtual Circuits or Closed
   User Groups whenever this is possible.  Technologies which provide
   authentication and/or encryption (such as IPv6) are evolving rapidly;
   consider using them on links where security is important.

4.5.4  Modems

4.5.4.1  Modem Lines Must Be Managed

   Although modems provide convenient access to a site for its users,
   they can also provide an effective detour around the site's
   firewalls.  For this reason it is essential to maintain proper
   control of modems.

   Don't allow users to install a modem line without proper
   authorization.  This includes temporary installations (e.g., plugging
   a modem into a facsimile or telephone line overnight).





Fraser, Ed.                Informational                       [Page 31]

