This document is not meant to be a "how to" for securing your vBNS site. It is intended to give you an idea of what others are doing to secure their sites. It is broken into three sections:
What presents the vBNS with a unique challenge is that implementing some forms of security, such as a firewall, will likely slow down the very traffic you connected to the vBNS to run at full speed.
2) Why should the vBNS be of any special concern?
The vBNS will most likely operate at OC-3 speed (155 Mb/s), and a ping flood arriving at that rate could be devastating to your campus network. That's just one small example.
3) What security threats does the vBNS pose?
The vBNS is an external connection to your campus, and poses the same security risks as any other connection would. If you have specific security concerns which you address on your Internet connections, you probably need to address the same concerns with your vBNS connection. This document might be helpful in doing this.
4) Does the vBNS pose any unique security threats?
Not really. There is some increased threat of denial-of-service attacks which, if they originate from other vBNS sites, can take advantage of the higher bandwidth. Eventually there may also be new vulnerabilities associated with the new applications and services offered on the vBNS.
5) Do the administrators of the vBNS (MCI) have any security tips?
Try MCI's security web page at: www.security.mci.net
A network administrator might be able to roll their own firewall by using a multi-homed Unix box. In theory, if you buy a workstation or PC that is extremely fast and has a system bus that can sustain, at a minimum, two OC-3 ATM cards, chances are you can build a suitable firewall. The bottleneck is not only having two OC-3 ATM cards, but:
If you have a T-3 running to your site, there are several good options, such as the Cisco PIX firewall system. We asked the Cisco manager of the PIX firewall on 9/18/97 about an OC-3 PIX firewall, and his reply was "we don't have active development underway today." Another "roll your own" system would be to purchase a high-end PC and a PCI HSSI card from SDL Communications and run your favorite firewall software.
Some colleges are using another system called SmartGate, which is sold by V-ONE. Florida State is currently using the product for their campus. One nice feature is that they sell a floppy disk that's actually a smart card used for encryption/authentication. Although the cost might be prohibitive, SecurID (a hardware token that generates one-time passcodes) is another alternative for token-based authentication.
SSH and SSL encrypt individual sessions above the transport layer (SSH for remote logins, SSL for web traffic) rather than the whole link, but at a CPU cost on both ends of the connection.
Some places to look for patches:
If you have more links to add, please send me email!
Monitoring ATM connections:
MCI has given the user community a very valuable tool, OC3mon, a passive monitor that records ATM cells from an OC-3 link. With its records you can examine, after the fact, what a potential intruder attempted while trying to break into your site. OC3mon keeps only the first cell of each packet, so you get the IP header (and the TCP/UDP port numbers when they fit in the 48-byte cell payload) but no payload. The next version is to capture three cells per packet, enough to examine IPv6 packet headers.
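As an added example (not part of the original page, and not OC3mon's own code or file format), the Python block below decodes the 48-byte payload of a packet's first ATM cell, which is all a first-cell capture keeps, and runs two after-the-fact checks over a capture constructed inline: which source sent bare SYNs to many distinct host/port pairs, and which packets carried a loose or strict source-route IP option. The cell layout (RFC 1483 LLC/SNAP encapsulation followed by the IPv4 header), the addresses and the scan threshold are assumptions made for the example.

```python
"""Added example (not the page's or OC3mon's code): decode the first ATM cell of each
packet, which is all a first-cell capture keeps, and look for SYN scans and
source-routed packets in a capture constructed inline."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

CELL_PAYLOAD = 48                                    # user bytes carried by one ATM cell
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")    # RFC 1483 LLC/SNAP header for IPv4
TCP_SYN, TCP_ACK = 0x02, 0x10
SOURCE_ROUTE_OPTIONS = {0x83: "LSRR", 0x89: "SSRR"}  # loose / strict source route IP options


def make_first_cell(src, dst, proto, sport=0, dport=0, flags=0, options=b""):
    """Constructed test data: 48-byte first-cell payload (LLC/SNAP + IPv4 + start of layer 4)."""
    ihl = 5 + len(options) // 4                      # IP header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 40, 0x1234, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + options
    if proto == 6:                                   # TCP, 20-byte header without options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    elif proto == 17:                                # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:                                            # ICMP echo request
        l4 = struct.pack("!BBH", 8, 0, 0)
    return (LLC_SNAP_IPV4 + ip + l4 + b"\x00" * CELL_PAYLOAD)[:CELL_PAYLOAD]  # cut like a real cell


def parse_first_cell(cell):
    """Fields recoverable from one first cell; None if the packet is not IPv4."""
    if len(cell) != CELL_PAYLOAD:
        raise ValueError("expected a 48-byte cell payload")
    off = 8 if cell.startswith(LLC_SNAP_IPV4) else 0   # VC-multiplexed PVCs carry IP at offset 0
    if cell[off] >> 4 != 4:
        return None                                     # IPv6 needs the 3-cell capture the text mentions
    ihl = (cell[off] & 0x0F) * 4
    rec = {"src": str(IPv4Address(cell[off + 12:off + 16])),
           "dst": str(IPv4Address(cell[off + 16:off + 20])),
           "proto": cell[off + 9], "source_route": None,
           "sport": None, "dport": None, "flags": None, "icmp_type": None}
    i = off + 20                                        # IP options, as far as the cell shows them
    while i < min(off + ihl, CELL_PAYLOAD):
        opt = cell[i]
        if opt == 0:                                    # end of option list
            break
        if opt == 1:                                    # NOP is a single byte
            i += 1
            continue
        rec["source_route"] = SOURCE_ROUTE_OPTIONS.get(opt, rec["source_route"])
        if i + 1 >= CELL_PAYLOAD or cell[i + 1] < 2:    # truncated or malformed option length
            break
        i += cell[i + 1]
    t = off + ihl                                       # transport header, often only partly present
    if rec["proto"] in (6, 17) and t + 4 <= CELL_PAYLOAD:
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", cell, t)
    if rec["proto"] == 6 and t + 14 <= CELL_PAYLOAD:
        rec["flags"] = cell[t + 13]
    if rec["proto"] == 1 and t < CELL_PAYLOAD:
        rec["icmp_type"] = cell[t]
    return rec


def syn_scanners(records, min_targets=5):
    """Sources whose bare SYNs (SYN set, ACK clear) hit at least min_targets distinct host/port pairs."""
    targets = defaultdict(set)
    for r in records:
        if r and r["proto"] == 6 and r["flags"] is not None \
                and r["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN:
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def source_routed(records):
    """Packets carrying a loose or strict source-route option; these should be dropped at the border."""
    return [(r["src"], r["dst"], r["source_route"]) for r in records if r and r["source_route"]]


LSRR = bytes([0x83, 7, 4]) + IPv4Address("203.0.113.1").packed + b"\x00"  # one hop, padded to 8 bytes

# Constructed capture: one outside host probing six ports on a campus server, ordinary
# traffic, and a ping carrying a loose-source-route option.
SAMPLE_CELLS = [make_first_cell("192.0.2.7", "203.0.113.10", 6, 40000 + p, p, TCP_SYN)
                for p in (21, 22, 23, 25, 80, 110)] + [
    make_first_cell("203.0.113.10", "198.51.100.5", 6, 80, 1025, TCP_SYN | TCP_ACK),
    make_first_cell("198.51.100.5", "203.0.113.53", 17, 1026, 53),
    make_first_cell("192.0.2.9", "203.0.113.10", 1, options=LSRR),
]
RECORDS = [parse_first_cell(c) for c in SAMPLE_CELLS]

if __name__ == "__main__":
    print("SYN scanners:", syn_scanners(RECORDS))       # {'192.0.2.7': 6}
    print("source-routed:", source_routed(RECORDS))      # [('192.0.2.9', '203.0.113.10', 'LSRR')]
```

Note what the cell boundary does to you: with LLC/SNAP encapsulation a plain IPv4 header plus a 20-byte TCP header fill the 48 bytes exactly, so any IP options push the TCP flags out of the captured cell, and the code treats the missing fields as unknown rather than guessing.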
Authentication/Encryption:
One of the most popular methods today of authenticating users is the Kerberos system developed by MIT.
Kerberos is (from the Kerberos FAQ) :
Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder.[3] It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.
Many universities are using Kerberos V5 for their authentication and encryption. The main limitation of Kerberos is the administrative effort it requires: every user and every service has to be registered with the key distribution center.
Host Security:
I believe that host security is the most important aspect of security. If you leave your internal security weak, someone may break in and use your site to launch attacks at other sites. One of the best methods to keep your site safe is to subscribe to the CERT advisory mailing list. The unofficial list to subscribe to is called BUGTRAQ (I don't have any pointers to it currently). Bugs (and many times the fixes) are posted to this list.
Routing Choices:
You can limit the exposure of your hosts by limiting the address blocks that you announce to the vBNS: hosts in prefixes you do not announce are simply unreachable from it. Since the number of routes on the vBNS is nowhere near the number of routes on the commodity Internet, announcing individual /24s is no problem. You may also want to turn off IP source routing on your router/firewall, so that an outside host cannot dictate the path its packets take into your network and steer them around your border filters.
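An added example of the routing choice above (my code, not from the page, MCI or Cisco), in Python: compute the /24s that cover only the subnets that need vBNS reachability, emit the matching IOS prefix-list and no ip source-route lines for the border router, and check a proposed announcement for a leaked aggregate. The campus allocation, neighbor address, AS number and list name are made up for the example.

```python
"""Added example: pick the /24s to announce to the vBNS, emit the matching IOS border
config, and catch an accidental aggregate announcement. Addresses and AS number are made up."""
from ipaddress import ip_network


def vbns_announcements(allocation, vbns_subnets):
    """The /24s that cover the subnets needing vBNS reachability; everything else stays unannounced."""
    alloc = ip_network(allocation)
    out = set()
    for s in vbns_subnets:
        net = ip_network(s)
        if not net.subnet_of(alloc):
            raise ValueError(f"{net} is not inside {alloc}")
        if net.prefixlen > 24:                 # one lab on a /26: announce the /24 it sits in
            out.add(net.supernet(new_prefix=24))
        else:                                  # a /22 becomes four /24s, never the aggregate
            out.update(net.subnets(new_prefix=24))
    return sorted(out)


def ios_border_config(prefixes, neighbor, asn, list_name="VBNS-OUT"):
    """IOS lines for the vBNS-facing router (neighbor address, AS and list name are placeholders)."""
    lines = ["no ip source-route"]             # drop loose/strict source-routed packets at the border
    seq = 0
    for p in prefixes:
        seq += 5
        lines.append(f"ip prefix-list {list_name} seq {seq} permit {p}")
    lines.append(f"ip prefix-list {list_name} seq {seq + 5} deny 0.0.0.0/0 le 32")
    lines += [f"router bgp {asn}", f" neighbor {neighbor} prefix-list {list_name} out"]
    return lines


def leaked_routes(announced, allowed):
    """Announced routes that are not exactly one of the allowed /24s, e.g. the whole campus /16."""
    allowed = {ip_network(str(a)) for a in allowed}
    return [a for a in announced if ip_network(str(a)) not in allowed]


# Constructed campus: a /16 allocation, a four-/24 research block and one lab /26 on the vBNS.
ALLOWED = vbns_announcements("198.18.0.0/16", ["198.18.4.0/22", "198.18.200.64/26"])

if __name__ == "__main__":
    print("\n".join(ios_border_config(ALLOWED, "192.0.2.1", 64512)))
    print("leaks:", leaked_routes(["198.18.4.0/24", "198.18.0.0/16"], ALLOWED))  # ['198.18.0.0/16']
```

The explicit trailing deny is redundant with the prefix-list's implicit deny but makes the intent visible in the config; the leak check is what catches the common mistake of letting the campus aggregate slip into the vBNS session alongside the intended /24s.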
Web Caching Security:
Since a web caching machine is recommended for sites on the vBNS, the security of these computers is vital, as they will sit outside your firewall. Our suggestion is to turn off every service that can answer a connection, such as telnet and the r-commands (rsh, rlogin), and replace them with ssh compiled with tcp wrappers, so that connection attempts are checked against hosts.allow/hosts.deny and refused attempts are logged, making sure there are no unauthorized connections to your cache.
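An added example (mine, not the page's) of auditing an exposed cache box the way the paragraph above suggests, in Python: list the inetd services still enabled, evaluate a hosts.allow/hosts.deny pair the way tcp wrappers does (simplified: ALL, address-prefix and net/mask patterns only, no EXCEPT and no hostnames), and tally the refusals tcp wrappers logs in its "refused connect from" syslog lines. The inetd.conf excerpt, the admin subnet and the log lines are constructed for the example.

```python
"""Added example: audit an exposed cache box. Finds inetd services still enabled, evaluates a
hosts.allow/hosts.deny pair the way tcp wrappers does (simplified: no EXCEPT, no hostnames), and
tallies the refusals tcp wrappers logged. All input below is constructed."""
import re
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

INETD_CONF = """\
# constructed /etc/inetd.conf excerpt
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# What the cache should end up with: sshd only from the admin subnet, everything else refused.
HOSTS_ALLOW = ["sshd: 192.0.2."]                    # trailing dot = address prefix match
HOSTS_DENY = ["ALL: ALL"]

SYSLOG = """\
Sep 18 14:02:11 cache sshd[812]: refused connect from 198.51.100.9
Sep 18 14:02:13 cache sshd[813]: refused connect from 198.51.100.9
Sep 18 14:05:40 cache sshd[820]: connect from 192.0.2.17
Sep 18 14:09:02 cache in.telnetd[831]: refused connect from 203.0.113.77
"""


def enabled_inetd_services(conf_text):
    """Service names on non-comment lines: every one of these still answers the network."""
    return [line.split()[0] for line in conf_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _client_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # "192.0.2." matches 192.0.2.0 .. 192.0.2.255
        return client.startswith(pattern)
    if "/" in pattern:                              # "192.0.2.0/255.255.255.0" net/mask form
        net, mask = pattern.split("/", 1)
        return IPv4Address(client) in IPv4Network(f"{net}/{mask}", strict=False)
    return pattern == client


def _rule_matches(rule, daemon, client):
    daemons, clients = (part.strip() for part in rule.split(":", 1))
    return (any(d in ("ALL", daemon) for d in daemons.split())
            and any(_client_matches(p, client) for p in clients.split()))


def wrappers_allow(daemon, client, hosts_allow, hosts_deny):
    """tcp wrappers order: a match in hosts.allow grants, then a match in hosts.deny refuses,
    and a connection matching neither file is GRANTED, which is why hosts.deny needs ALL: ALL."""
    if any(_rule_matches(r, daemon, client) for r in hosts_allow):
        return True
    if any(_rule_matches(r, daemon, client) for r in hosts_deny):
        return False
    return True


REFUSED = re.compile(r"(\S+)\[\d+\]: refused connect from (\S+)")


def refused_connections(log_text):
    """Count of refused connections per (client, daemon) from tcp wrappers' syslog lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            hits[(m.group(2), m.group(1))] += 1
    return hits


if __name__ == "__main__":
    print("still enabled in inetd:", enabled_inetd_services(INETD_CONF))   # ['telnet', 'shell', 'login']
    print("admin ssh:", wrappers_allow("sshd", "192.0.2.17", HOSTS_ALLOW, HOSTS_DENY))      # True
    print("outside ssh:", wrappers_allow("sshd", "198.51.100.9", HOSTS_ALLOW, HOSTS_DENY))  # False
    print("outside telnet with no hosts.deny:",
          wrappers_allow("in.telnetd", "198.51.100.9", HOSTS_ALLOW, []))                     # True
    print(refused_connections(SYSLOG))
```

The last line of the main block is the point to take away: an empty or missing hosts.deny means anything not listed in hosts.allow is let through, so "sshd: admin-net" alone protects nothing until ALL: ALL is in hosts.deny and the other daemons are gone from inetd.conf.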
Interesting Sites:
NIST tool links
World Wide Web Security
Cisco UDP Port Denial of Service Attack
Cisco IP Security Page
Phrack
Rotherwick Firewall Resource
AAI Performance Hosts - Peak Throughput Evaluation Experiments
The World Wide Web Security FAQ
Marcus J. Ranum Home Page
Securing X Windows
Matt's Unix Security Page
Ross Anderson's Home Page
Crypt Newsletter's Homepage
System Monitoring Programs
SSH (Secure Shell) Remote Login Program
Sudo - a utility to allow restricted root access
Introduction to PGP
If you have any suggestions/comments/additions/subtractions, please email me at lappa@psc.edu.