RFC 2196              Site Security Handbook          September 1997

4.5.4.7  Make Your Modem Programming as "Bullet-proof" as Possible

Be sure modems can't be reprogrammed while they're in service. At a minimum, make sure that three plus signs won't put your dial-in modems into command mode!

Program your modems to reset to your standard configuration at the start of each new call. Failing this, make them reset at the end of each call. This precaution will protect you against accidental reprogramming of your modems. Resetting at both the end and the beginning of each call will assure an even higher level of confidence that a new caller will not inherit a previous caller's session.

Check that your modems terminate calls cleanly. When a user logs out from an access server, verify that the server hangs up the phone line properly. It is equally important that the server forces logouts from whatever sessions were active if the user hangs up unexpectedly.

4.6  Auditing

This section covers the procedures for collecting data generated by network activity, which may be useful in analyzing the security of a network and responding to security incidents.

4.6.1  What to Collect

Audit data should include any attempt to achieve a different security level by any person, process, or other entity in the network. This includes login and logout, super user access (or the non-UNIX equivalent), ticket generation (for Kerberos, for example), and any other change of access or status. It is especially important to note "anonymous" or "guest" access to public servers.

The actual data to collect will differ for different sites and for different types of access changes within a site. In general, the information you want to collect includes: username and hostname, for login and logout; previous and new access rights, for a change of access rights; and a timestamp.
Of course, there is much more information which might be gathered, depending on what the system makes available and how much space is available to store that information.

One very important note: do not gather passwords. This creates an enormous potential security breach if the audit records should be improperly accessed. Do not gather incorrect passwords either, as they often differ from valid passwords by only a single character or transposition.

Fraser, Ed.                  Informational                     [Page 34]
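
The following is an added example, not part of RFC 2196: one way to build the audit records section 4.6.1 describes so that passwords, correct or incorrect, cannot reach the log. The event shapes, field names, hostnames and the "<unknown>" placeholder are assumptions, and the handling of a password typed at the username prompt goes one step beyond the text.

```python
from datetime import datetime, timezone

# Event shapes and field names are assumptions made for this example.
GUEST_NAMES = {"anonymous", "guest"}
EVENT_TYPES = {"login", "logout", "login_failed", "access_change"}


def audit_record(event, known_users, now=None):
    """Build an audit record from an allow-list of fields.

    Named fields are copied out of the raw event rather than secret ones
    being deleted from it, so a password field cannot reach the log.
    """
    kind = event["type"]
    if kind not in EVENT_TYPES:
        raise ValueError(f"unaudited event type: {kind!r}")
    user = event["username"]
    record = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "type": kind,
        "hostname": event["hostname"],
        "username": user,
    }
    if kind == "login_failed" and user not in set(known_users) | GUEST_NAMES:
        # An unrecognised name on a failed login may be a password typed
        # at the username prompt, so the string itself is not stored.
        record["username"] = "<unknown>"
    elif user in GUEST_NAMES:
        record["guest_access"] = True  # 4.6.1: note anonymous/guest access
    if kind == "access_change":
        record["previous_rights"] = event["previous_rights"]
        record["new_rights"] = event["new_rights"]
    return record


# Constructed sample events; the "password" values must never be logged.
SAMPLE_EVENTS = [
    {"type": "login", "username": "alice", "hostname": "ts1.example.org",
     "password": "constructed-pw-1"},
    {"type": "login_failed", "username": "constructed-pw-2",
     "hostname": "ts1.example.org", "password": ""},
    {"type": "login", "username": "guest", "hostname": "ftp.example.org"},
    {"type": "access_change", "username": "alice", "hostname": "ts1.example.org",
     "previous_rights": "user", "new_rights": "superuser"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(audit_record(ev, known_users={"alice"}))
```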