This is a beautiful little paper, "Protection of TCP/IP Based Network
Elements: Security Checklist", by Dale Drew (ddrew@mci.net).
Excerpt:
> In 1994, CERT reported over 40,000 compromised sites on the Internet
> (1994 CERT Annual Report). That number possibly references a much lower
> percentage of the actual problem as the Department Of Justice estimates
> that over 75% of incidents go unreported to proper authorities.
Geez.
> The need for effective security controls for the explosive growth of
> TCP/IP networks is now more important than ever.
You got that right.
> The purpose of this document is to provide an overall baseline for
> security considerations for securing TCP/IP based network elements. This
> document's intent is to provide a guideline for such considerations, and
> should not be considered a complete resource guide for implementing
> security precautions.
It's actually a really good baseline.
> The problem is that many Security Administrators are faced with
> providing protection for their systems within their Corporate Network,
> without the benefit of knowing the makeup of that network. This document
> attempts to provide an overview on the ability to identify systems
> within your company's network, the exposures on those systems, who owns
> them, and how to effectively plan for the long term security strategy
> needed to keep them protected. Should you have any feedback for this
> document, please feel free to contact me.
>
> To obtain a copy of "Security Considerations for the internetMCI
> Network", use the following URL:
> (http://www.security.mci.net/sec-whit.html).
That one's pretty good, too.
As far as the baseline recommendations go, I dig it, baby:
1. Identify valid internal network address numbers
2. Identify your systems
3. Store such information into a query database
4. Scan systems for external vulnerabilities/exposures
5. Obtain access to system elements
6. Perform vulnerability assessment on internal systems
7. Deploy Security measures and monitoring programs on systems
8. Correct identified exposures from external scans
9. Correct identified exposures from internal scans
10. Deploy Security Patches
11. Establish Password Checks
12. Log files from systems, applications
13. Use Telephone exchange scanners
14. Control Group Accounts
15. Deploy Virus Scanners
16. Control ROOT/SUPERUSER accounts
17. Network Security
    1. Gabriel
    2. ARGUS
18. Identify gateway machines
19. Obtain access to gateway systems to ensure firewall policies
20. Secure gateway systems
21. Develop a comprehensive Firewall model
22. Develop notification mailing lists
23. Be proactive
    1. Subscribe to mailing lists
    2. Subscribe to security news groups
24. Employee Awareness Issues
25. Obtain security related tools
26. Other Security Sites available
27. SECURITY PROGRAMS
28. SECURITY RELATED BOOKS
29. ADDITIONAL RECOMMENDATIONS:
    1) Make use of one time password technologies
    2) Encryption
    3) File Access Policies
    4) MD5 Checksum File
    5) User access histories
    6) Enforce password change cycles
30. COMMON EXPOSURES
    1) Social Engineering
    2) Poor Passwords
    3) Sendmail
    4) NFS
    5) Sniffable Traffic
    6) WEB Server Security
    7) Denial Of Service
    8) WEB Browser Security Issues
    9) DNS Hostname Conventions
31. OTHER CONSIDERATIONS
    1) Network Security Policies and Procedures
    2) Backups
    3) Physical Security
    4) Information Security
    5) Contractors/Vendors
    6) Human Resource Termination Lists
    7) Employee Education Issues
    8) Encryption
    9) Inventory
    10) Network Maps
    11) Prefix Scanning
----
adam@cs.caltech.edu
Passwords are implemented as a result of insecurity.