Index

A note on the digital index

A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.

A

AAA servers, Authentication and Auditing Services
access
fail safe, Fail-Safe StanceDefault Permit Stance: That Which Is Not Expressly Prohibited Is Permitted
least privilege, Least PrivilegeLeast Privilege
logging (see logs)
monitoring at choke point, Choke Point
to networks, Network Security
remote, to hosts, Remote Access to HostsSummary of Recommendations for Windows Remote Access
to unbuilt bastion host, Building a Bastion Host
access router (see exterior routers)
accidents, Stupidity and Accidents
account management, Managing Your AccountsManaging Your Accounts
ACK (acknowledgment) bit, TCP layer
with SMTP, Packet Filtering Characteristics of SMTP
TCP connections, TCP
Active Channels, Push Technologies
Active Directory, Naming and Directory Services, Active DirectoryActive Directory
Active Server Pages (ASP), HTTP Extensions
ActiveX, ActiveXActiveX
extension systems, Web Client Security Issues
activity logs (see logs)
address-based authentication, Network Window Systems
addresses
accepted by router, Conventions for Packet Filtering RulesConventions for Packet Filtering Rules
email (see email)
filtering by, Filtering by AddressRisks of Filtering by Source Address
AES (Advanced Encryption Standard) algorithm, Encryption Algorithms
AFS (Andrew File System), File Sharing
algorithms
digital signature, Digital Signature Algorithms
DSA/DSS, Digital Signature Algorithms
Elliptic Curve, Digital Signature Algorithms
encryption, Kinds of encryption algorithmsEncryption algorithms and key length, Encryption AlgorithmsEncryption Algorithms
selecting, Selecting an Algorithm
evaluating, Evaluating Other AlgorithmsEvaluating Other Algorithms
HMAC, Cryptographic Hashes and Message Digests
key exchange, Key ExchangeKey Exchange
MD4/MD5, Cryptographic Hashes and Message Digests
public key, Kinds of encryption algorithms
SHA/SHA-1, Cryptographic Hashes and Message Digests
altering routers (see screening routers)
Andrew File System (see AFS)
anonymous FTP, File Transfer, File Transfer, ftpd, Providing Anonymous FTP ServiceLimiting access to information
(see also FTP)
via proxy server, Using Proxy-Aware User Procedures for Proxying
removing files from, Removing the files
writable directories with, Preventing people from using your server to distribute their dataPreventing people from using your server to distribute their data
wuarchive server, Using the wuarchive FTP daemon
APOP (version of POP), Post Office Protocol (POP)
AppleShare, File Sharing
application-level
gateways (see proxy services)
proxy servers, Application-Level Versus Circuit-Level ProxiesApplication-Level Versus Circuit-Level Proxies
archives, self-decrypting, Keeping Mail Secret
ASP (Active Server Pages), HTTP Extensions
attackers (see intruders)
attacks (see incidents)
audit, security, Running a Security AuditUse cryptographic checksums for auditing, Running a Security AuditRunning a Security Audit
tools for, Analysis ToolsSAINT
Auth protocol, Auth and identdSummary of Recommendations for Auth
authentication, Authentication and Auditing Services, Terminal Servers and Modem Pools, Is the level of authentication and authorization it uses appropriate for doing that?, Authentication and Auditing Services
address-based, Network Window Systems
basic, Inadvertent Release of Information
client, network filesystems and, File SharingFile Sharing
DNS and, Naming and Directory Services
false, False Authentication of ClientsFalse Authentication of Clients, Protecting Services
Microsoft RPC, Microsoft RPC Authentication
mutual, Mutual Authentication
network address translation, Network address translation interferes with some encryption and authentication systems
in NFS, NFS AuthenticationNFS Authentication
protocol security and, Protocol Security
of remote logins, Remote Terminal Access and Command Execution
SMB, Authentication and SMBUser-level authentication, SMB AuthenticationSMB Authentication
of SSH
client, SSH client authenticationAdditional SSH options for client control
server, SSH server authentication
Sun RPC, Sun RPC AuthenticationSun RPC Authentication
TIS FWTK server, The TIS FWTK Authentication ServerProblems with the authentication server
tools for, Authentication ToolsKerberos
types of, What Is Authentication?Something You Have
for web pages, Inadvertent Release of InformationInadvertent Release of Information
Windows NT, Accessing Other ComputersAlternate Authentication Methods
automounting filesystems, AutomountingAutomounting

B

backup browsers, on Microsoft networks, Backup browsers
backups, Least Privilege, How will you back up the system?, Backing Up Your Filesystems
of bastion hosts, Protecting the Machine and BackupsDo Secure Backups
of firewalls, Backing Up Your Firewall
logs and, Do Secure Backups
using to restore system, Restore and Recover
BackWeb program, Push Technologies
basic authentication, Inadvertent Release of Information
bastion hosts, Some Firewall Definitions, Bastion Host, Bastion HostsDo Secure Backups, Screened Subnet Architecture
backups of, Protecting the Machine and BackupsDo Secure Backups
building, Building a Bastion Host
DNS clients on, Bastion DNS clients also query the internal serverBastion DNS clients also query the internal server
email addresses and, Configuring SMTP to Work with a Firewall
fake DNS server on, Set up a “fake” DNS server on the bastion host for the outside world to useSet up a “fake” DNS server on the bastion host for the outside world to use
graphics on, What Hardware Configuration?
internal, Internal Bastion Hosts
on internal firewalls, An Internal Firewall May or May Not Need Bastion Hosts
isolating, Screened Subnet ArchitecturesExterior Router
Linux, Unix and Linux Bastion HostsRunning a Security Audit
merging with routers, It’s OK to Merge the Bastion Host and the Exterior Router, It’s Dangerous to Merge the Bastion Host and the Interior Router
multiple, It’s OK to Use Multiple Bastion HostsIt’s OK to Use Multiple Bastion Hosts
network location of, Locating Bastion Hosts on the Network
nonrouting dual-homed, Nonrouting Dual-Homed Hosts
operating, Operating the Bastion HostConsider Using Software to Automate Monitoring
operating systems for, What Operating System?What Operating System?
physical location of, Choosing a Physical Location
services on, Selecting Services Provided by a Bastion Host, Multiple Services or Multiple Hosts?
speed of, How Fast a Machine?
Unix, What Operating System?, Unix and Linux Bastion HostsRunning a Security Audit
usage profile, Learn What the Normal Usage Profile Is
user accounts on, Disabling User Accounts on Bastion Hosts, Disabling User Accounts on Bastion Hosts
Windows 2000, Windows NT and Windows 2000 Bastion HostsInstalling and Modifying Services
Windows NT, What Operating System?, Windows NT and Windows 2000 Bastion HostsInstalling and Modifying Services
Berkeley Internet Name Domain (BIND), Domain Name System (DNS)
bidirectionality of protocols, Protocols Are Usually Bidirectional
biff service, biff
BIND (Berkeley Internet Name Domain), Domain Name System (DNS)
biometric systems, Something You Are
Blowfish algorithm, Encryption Algorithms
BO2K program, Remote Graphic Interfaces for Microsoft Operating Systems, BO2KNetwork address translation characteristics of BO2K
booting protocols, Protocols for Booting and Boot-Time ConfigurationSummary of Recommendations for Booting and Boot-Time Configuration
booting services, Booting services, Other ways to start programs under Windows NT
bootp protocol, bootp
broadcasting, Multicast and the Multicast Backbone (MBONE)
browser client, on Microsoft networks, Browser clientBrowser client
Browser, the (see Windows Browser)
browsers, web, Web Client Security IssuesWeb Client Security Issues
as FTP clients, Packet Filtering Characteristics of FTP
protocols and, The World Wide Web
security and, Inadvertent Release of InformationInternet Explorer and Security Zones
BSD "r" commands (see "r" commands)
buffer overflow, as basis for attacks, How Well Is the Protocol Implemented?, JavaScript
bugs
in packet filtering packages, Current filtering tools are not perfect
in operating system, Fix All Known System Bugs
BugTraq mailing list, BugTraq
building bastion hosts, Building a Bastion Host
byte compiling, Java

C

Cache Array Routing Protocol (CARP), Cache Array Routing Protocol (CARP)
caching proxies, Proxying Characteristics of HTTP, Cache Communication ProtocolsSummary of Recommendations for Cache Communication Protocols
capturing intruders, Pursuing and Capturing the IntruderPursuing and Capturing the Intruder
CARP (Cache Array Routing Protocol), Cache Array Routing Protocol (CARP)
catastrophe logs, System logs for catastrophes
on Unix, System logs for catastrophe
CD-ROM drive, What Hardware Configuration?
CERIAS, CERIAS, cerias.purdue.edu
CERT advisories mailing list, CERT-Advisory
CERT-CC (Computer Emergency Response Team Coordination Center)
FAQ, CERT-CC
response teams, CERT-CC and other incident response teams, info.cert.org
contacting regarding incident, CERT-CC or other incident response teams
certificate authority, Certificates
Certificate Revocation List (CRL), Certificates
CGI scripts, HTTP Extensions
challenge-response system, Something You Know
chargen service, Mostly Harmless ProtocolsSummary Recommendations for Mostly Harmless Protocols
checksums
keeping secure, Keeping Secured Checksums
using Tripwire for, Running a Security Audit
choke points, Choke Point, Choke point, Choke point
using routers as, What Can You Do with Packet Filtering?
choke router (see interior router)
chroot mechanism, Unix and Linux Bastion Hosts, Limiting access to information
CIFS (Common Internet File System), File Sharing, Common Internet File System (CIFS) and Server Message Block (SMB), File Sharing for Microsoft Networks
, Common Internet File System (CIFS) and Server Message Block (SMB)
(see also SMB)
ciphertext, Encryption
circuit-level proxy servers, Application-Level Versus Circuit-Level ProxiesApplication-Level Versus Circuit-Level Proxies
Cisco routers, Conventions for Packet Filtering Rules
client
authentication, network filesystems and, File SharingFile Sharing
DNS, configuring, Internal DNS clients query the internal serverBastion DNS clients also query the internal server
false authentication of, False Authentication of ClientsFalse Authentication of Clients, Protecting Services
HTTP, security of, HTTP Client SecurityInternet Explorer and Security Zones
NFS, NFS Client Vulnerabilities
port numbers, Internet Services and Firewalls
RPC-based, Remote Procedure Call (RPC)
software
converting to use SOCKS, Converting Clients to Use SOCKS
for proxying, Using Proxy-Aware Application Software for Proxying
SSH, authentication, SSH client authenticationAdditional SSH options for client control
clocks
configuring, Network Time Protocol (NTP)Summary of Recommendations for NTP
setting, Time Service
COAST FTP archive, CERIAS
code, publicly available, It contains no publicly available code, so it’s secret
command execution, Remote Terminal Access and Command Execution
command-channel attacks, Command-Channel Attacks
protecting against, Protecting Services
command-line arguments, How Well Is the Protocol Implemented?
Common Internet File System (see CIFS)
Common Object Request Broker Architecture (see CORBA)
Computer Emergency Response Team Coordination Center (see CERT-CC)
computer games, GamesSummary of Recommendations for Games
computer viruses, A firewall can’t fully protect against virusesA firewall can’t fully protect against viruses
conferences, security-related, ConferencesInternet Society Symposium on Network and Distributed System Security (SNDSS)
conferencing services, real-time, Real-Time Conferencing ServicesReal-Time Conferencing Services, Real-Time Conferencing ServicesSummary of Recommendations for Multicast
configuring
audit packages, Auditing packages, Running a Security Audit
clocks, Network Time Protocol (NTP)Summary of Recommendations for NTP
DNS, DNS
clients, Internal DNS clients query the internal serverBastion DNS clients also query the internal server
in screened subnet architecture, DNS
exterior routers, Exterior routerExterior router
FTP, in screened subnet architecture, FTP
hardware, What Hardware Configuration?
HTTP/HTTPS, HTTP and HTTPS
HTTP/HTTPS
in screened subnet architecture, HTTP and HTTPS
interior routers, Interior routerInterior router
kernel, Reconfigure and Rebuild the KernelReconfigure and Rebuild the Kernel
labeling system, Labeling and Diagramming Your System
machine, Reconfiguring for ProductionMount filesystems as read-only
Unix, Reconfiguring for ProductionMount Filesystems as Read-Only
NIS (Network Information Service), Network Information Service (NIS)
NNTP, NNTP
in screened subnet architecture, NNTP
packet filtering router, Configuring a Packet Filtering RouterWhat Does the Router Do with Packets?
SMTP, SMTP
with firewalls, Configuring SMTP to Work with a FirewallConfiguring SMTP to Work with a Firewall
SMTP
in screened subnet architecture, SMTP
SSH, in screened subnet architecture, SSH
Telnet, in screened subnet architecture, Telnet
connections
between Internet and unbuilt bastion host, Building a Bastion Host
checking network (see ping)
disconnecting, Disconnect or Shut Down, as Appropriate, Planning for Disconnecting or Shutting Down Machines
killed by TCP, TCP
multiple Internet, It’s OK to Use Multiple Exterior RoutersAn Internal Firewall May or May Not Need Bastion Hosts
outbound, Network address translation helps to enforce the firewall’s control over outbound connections
per session, One Connection per SessionOne Connection per Session
content filtering, What Can You Do?What Can You Do?
of email, Viruses and other hostilities
cookies, CookiesCookies
COPS (Computer Oracle and Password System)
auditing package, Running a Security Audit
CORBA (Common Object Request Broker Architecture), Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)Summary of Recommendations for CORBA and IIOP
crashes, system, Watch Reboots Carefully
CRC (cyclic redundancy counter), Running a Security Audit
CRL (Certificate Revocation List), Certificates
cron process, Which Services Should You Leave Enabled?
crypt program, Next steps after disabling services
cryptographic
checksums, Use cryptographic checksums for auditingUse cryptographic checksums for auditing, Running a Security Audit, Cryptographic Hashes, Checksums, and Message DigestsCryptographic Hashes, Checksums, and Message Digests
hashes, Cryptographic Hashes, Checksums, and Message DigestsCryptographic Hashes, Checksums, and Message Digests
keys
distribution of, Key Distribution and ExchangeKey Distribution and Exchange
size and strength of, Key Sizes and Strength
systems, components of, Key Components of Cryptographic SystemsRandom Numbers
cryptography, CryptographyEvaluating Other Algorithms
certificates, CertificatesCertificates
trust models of, Certificate Trust Models
digital signatures, Digital SignaturesDigital Signatures
public key, Kinds of encryption algorithms, Sharing a Secret
random numbers, Random NumbersRandom Numbers
Secure RPC and, Sun RPC Authentication
in SSL, Cryptography in TLS and SSL
in TLS, Cryptography in TLS and SSL
, Cryptography
(see also encryption)
custom
client software for proxying, Using Proxy-Aware Application Software for Proxying
system, Restore and Recover
user procedures for proxying, Using Proxy-Aware User Procedures for Proxying
cyclic redundancy counter (CRC), Running a Security Audit

D

daemons, tools for, DaemonsAndrew File System (AFS)
data, Your Data
DNS, DNS Data
mismatched, Mismatched data between the hostname and IP address DNS trees
protecting, Integrity Protection
from sniffers, Packet Sniffing
theft of, Spies (industrial and otherwise)
, Information theft
(see also information theft)
transferring, What Does a Packet Look Like?, Packet FilteringPutting It All Together
allowing/disallowing, Basic Packet Filtering
evaluating protocols for, What Data Does the Protocol Transfer?What Data Does the Protocol Transfer?
via TCP, TCPTCP sequence numbers
, File Transfer, File Sharing, and Printing
(see also email; files, transferring)
data-driven attacks, Data-Driven Attacks
protecting against, Protecting Services
database protocols, connecting to web servers with, Using the database’s protocols to connect to a perimeter web server
database servers, locating, Locating Database ServersUsing a custom protocol to connect to a perimeter web server
daytime service, Mostly Harmless Protocols
DCC (Direct Client Connections), Internet Relay Chat (IRC)
DCOM (Distributed Component Object Model), Distributed Component Object Model (DCOM)Distributed Component Object Model (DCOM)
dcomcnfg program, Distributed Component Object Model (DCOM)
debugging operating system, Fix All Known System Bugs
dedicated proxy servers, Generic Versus Dedicated Proxies
Deep Crack, Passwords
default deny stance, Default Deny Stance: That Which Is Not Expressly Permitted Is Prohibited, Default Permit Versus Default Deny
default permit stance, Default Permit Stance: That Which Is Not Expressly Prohibited Is PermittedDefault Permit Stance: That Which Is Not Expressly Prohibited Is Permitted, Default Permit Versus Default Deny
defense in depth, Defense in DepthDefense in Depth, Defense in depth, Defense in depth
Demilitarized Zone (DMZ), Some Firewall Definitions
denial of service attacks, Denial of serviceDenial of service, Electronic Mail, Denial of ServiceDenial of Service
HTTP and, HTTP Server Security
ICMP and, ICMP and Network Diagnostics
JavaScript and, JavaScript
protecting against, Protecting Services
DependOnGroup registry key, Registry keys
DependOnService registry key, Registry keys
DES (Data Encryption Standard) algorithm, Encryption Algorithms
designing firewalls, Buying Versus BuildingBuying Versus Building
destination unreachable codes (see ICMP)
Dfs (Distributed File System), Distributed File System (Dfs)
DHCP (Dynamic Host Configuration Protocol), Dynamic Host Configuration Protocol (DHCP)Proxying Characteristics of bootp and DHCP
diagramming the system, Labeling and Diagramming Your System
dictionary attacks, One-Time Password Software
Diffie-Hellman algorithm, Key Exchange
digital signature, Digital SignaturesDigital Signatures
in ActiveX, ActiveXActiveX
algorithms, Digital Signature Algorithms
in OpenPGP, S/MIME and OpenPGPS/MIME and OpenPGP
in S/MIME, S/MIME and OpenPGPS/MIME and OpenPGP
Direct Client Connections (DCC), Internet Relay Chat (IRC)
Directory Replication (Windows NT), Windows NT Directory Replication
disabling
routing (see routers, disabling)
services, Disabling Nonrequired ServicesTurning Off Routing
on Unix, Disabling Services Under UnixDisabling Services Under Unix, Specific Unix Services to DisableOther services
on Windows NT, How to Disable Services Under Windows NTHow to Disable Services Under Windows NT, Specific Windows NT Services to DisableThe Services control panel
discard service, Mostly Harmless ProtocolsSummary Recommendations for Mostly Harmless Protocols
disconnecting
machine, Planning for Disconnecting or Shutting Down Machines
after incident, Disconnect or Shut Down, as Appropriate
from network, Disconnect or Shut Down, as Appropriate
plan for, Planning for Disconnecting or Shutting Down Machines
disk space (see memory resources)
disks, needs for, What Hardware Configuration?
DisplayName registry key, Registry keys
Distributed Component Object Model (DCOM), Distributed Component Object Model (DCOM)Distributed Component Object Model (DCOM)
Distributed File System (Dfs), Distributed File System (Dfs)
diversity of defense systems, Diversity of Defense
DMZ (Demilitarized Zone), Some Firewall Definitions
DNS (Domain Name Service), Naming and Directory ServicesNaming and Directory Services, Selecting Services Provided by a Bastion Host, Domain Name System (DNS)Summary of Recommendations for DNS
clients, Internal DNS clients query the internal serverBastion DNS clients also query the internal server
configuring, DNS
to hide information, Setting Up DNS to Hide Information, with Subdomains
without hiding information, Setting Up DNS Without Hiding InformationSetting Up DNS Without Hiding Information
in screened subnet architecture, DNS
data, DNS Data
fake server, Set up a “fake” DNS server on the bastion host for the outside world to useSet up a “fake” DNS server on the bastion host for the outside world to use
hiding information with, Setting Up DNS to Hide Information, Without Subdomains
revealing information to attackers, Revealing too much information to attackers
server for internal hosts, Set up a real DNS server on an internal system for internal hosts to use
Windows 2000 and, Windows 2000 and DNSWindows 2000 and DNS
on Windows NT, Specific Windows NT Services to Disable
DNS Mail Exchange (MX), Configuring SMTP to Work with a Firewall
documenting
plan for, Planning for Documentation
system after incident, Snapshot the System, Planning for Snapshots
domain controllers, NTLM DomainsFinding a Domain Controller
communication among, Controller-to-Controller Communication
domain master browser, on Microsoft networks, Domain master browser
Domain Name Service (see DNS)
domains, on Microsoft networks, Domains and Workgroups
Domino server, Lotus Notes and DominoSummary of Recommendations for Lotus Notes
dot (.) files, disabling creation of, Disabling the creation of directories and certain files
double-reverse lookups, Mismatched data between the hostname and IP address DNS trees
double-reverse lookups, Set up a “fake” DNS server on the bastion host for the outside world to use
DSA (Digital Signature Algorithm), Digital Signature Algorithms
DSS (Digital Signature Standard) algorithm, Digital Signature Algorithms
dual-homed hosts, Some Firewall Definitions
architecture of, Dual-Homed Host
as firewall, Turning Off Routing
nonrouting, Nonrouting Dual-Homed Hosts
proxy services (see proxy services)
dumpel utility, Setting Up System Logs Under Windows NT
dynamic packet filtering, FTP and, Packet Filtering Characteristics of FTP

E

echo service, Mostly Harmless ProtocolsSummary Recommendations for Mostly Harmless Protocols
electronic mail (see email)
electronic sabotage (see denial of service attacks)
Elliptic Curve algorithm, Digital Signature Algorithms, Key Exchange
email, Electronic Mail, Selecting Services Provided by a Bastion Host, Electronic Mail and NewsMicrosoft Messaging API (MAPI)
attachments, Viruses and other hostilitiesViruses and other hostilities
encryption and, Keeping Mail Secret
mailing lists, resources via, Mailing Lists
flooding, Denial of serviceDenial of service
security of, Keeping Mail SecretKeeping Mail Secret
Sendmail, Electronic Mail
SMTP, Electronic Mail
spam, Junk mailJunk mail
to trace intruders, Pursuing and Capturing the Intruder
viruses, Viruses and other hostilitiesViruses and other hostilities
encapsulation, What Does a Packet Look Like?
encrypted timestamp, Something You Know
encrypting executables, Next steps after disabling services, Next Steps After Disabling Services
encryption, EncryptionEncryption algorithms and key length
algorithms, Kinds of encryption algorithmsEncryption algorithms and key length
selecting, Selecting an Algorithm
types of, Encryption AlgorithmsEncryption Algorithms
email and, Keeping Mail Secret
in RDP, Microsoft Terminal Server and Terminal Services
key distribution, Key Distribution and Certificates
network address translation, Network address translation interferes with some encryption and authentication systems
in OpenPGP, S/MIME and OpenPGPS/MIME and OpenPGP
packet filtering perimeter, Where Do You Encrypt?
in S/MIME, S/MIME and OpenPGPS/MIME and OpenPGP
virtual private networks, Virtual private networks provide overall encryption
, Cryptography
(see also cryptography)
ErrorControl registry key, Registry keys
errors, ICMP codes for, Returning Error CodesReturning Error Codes
ESMTP (Extended SMTP), Extended SMTP (ESMTP)Extended SMTP (ESMTP)
espionage, Spies (industrial and otherwise)
/etc/hosts.allow file, TCP Wrapper example
/etc/hosts.deny file, TCP Wrapper example
/etc/inetd.conf file, TCP Wrapper example
/etc/rc files, services started by, Services started by /etc/rc files or directories
Ethernet, packet layer, Ethernet layer
Event Logger, Setting Up System Logs Under Windows NT, Setting Up System Logs Under Windows NT
Event Viewer, Setting Up System Logs Under Windows NT, Setting Up System Logs Under Windows NT
executables, encrypting, Next steps after disabling services, Next Steps After Disabling Services
Extended SMTP (ESMTP), Extended SMTP (ESMTP)Extended SMTP (ESMTP)
extension systems, Web Client Security IssuesWeb Client Security Issues
exterior routers, Exterior RouterExterior Router, Screened Subnet Architecture
configuring, in screened subnet architecture, Exterior routerExterior router
merging
with bastion host, It’s OK to Merge the Bastion Host and the Exterior Router
with interior router, It’s OK to Merge the Interior Router and the Exterior Router
multiple, It’s OK to Use Multiple Exterior RoutersIt’s OK to Use Multiple Exterior Routers
external
programs
on HTTP servers, HTTP ExtensionsRunning unexpected external programs
programs
on HTTP clients, Extension SystemsExtension Systems
viewers
on HTTP clients, External ViewersExternal Viewers

F

factoring attacks, Sun RPC Authentication
fail safety, Fail-Safe StanceDefault Permit Stance: That Which Is Not Expressly Prohibited Is Permitted
fail-safe stance, Fail-safe stance, Fail-safe stance
false authentication of clients, False Authentication of ClientsFalse Authentication of Clients
protecting against, Protecting Services
File Replication Service (FRS), Windows 2000 File Replication Service (FRS)Windows 2000 File Replication Service (FRS)
file synchronization protocols, File SynchronizationSummary of Recommendations for File Synchronization
File Transfer Protocol (see FTP)
files
locking, with NFS, File Locking with NFSFile Locking with NFS
removing from anonymous FTP area, Removing the files
sharing, File Transfer, File Sharing, and Printing, File SharingFile Sharing, Network File System (NFS)Summary of Recommendations for File Sharing
on Microsoft networks, File Sharing for Microsoft NetworksPacket Filtering, Proxying, and Network Address Translation Characteristics of Microsoft File Sharing
synchronizing, File SynchronizationSummary of Recommendations for File Synchronization
transferring, File Transfer, File Sharing, and PrintingFile Transfer, File Transfer, File Sharing, and Printing
by prearrangement, Uploading by prearrangement
transferring
, File Synchronization
(see also printing)
uploading by prearrangement, Uploading by prearrangement
filesystems
automounting, AutomountingAutomounting
backing up, Backing Up Your Filesystems
mounting as read-only, Mount filesystems as read-only, Mount Filesystems as Read-Only
filtering, packets (see packet filtering)
finger service, fingerd, fingerSummary of recommendations for finger
fingerd server, fingerdfingerd
fingerprint authentication, Something You Are
firewalls
architecture of, Firewall ArchitecturesAn Internal Firewall May or May Not Need Bastion Hosts
backing up, Backing Up Your FirewallBacking Up Your Firewall
content-aware, What Can You Do?What Can You Do?
designing, Firewall DesignWhere will alarms go, and how?
dual-homed host as, Turning Off Routing
FAQ for, Papers
internal, Internal FirewallsAn Internal Firewall May or May Not Need Bastion Hosts
bastion hosts on, An Internal Firewall May or May Not Need Bastion Hosts
IP multicasting and, Multicast and the Multicast Backbone (MBONE)
on joint networks, Joint Venture FirewallsAn Internal Firewall May or May Not Need Bastion Hosts
keeping current, Keeping up to DateHow Long Does It Take?
mailing lists about, Firewalls
maintaining, Maintaining FirewallsWhen Should You Start Over?
multiple bastion hosts, It’s OK to Use Multiple Bastion HostsIt’s OK to Use Multiple Bastion Hosts
NTP and, Configuring NTP to Work with a Firewall
one-box, One-Box Firewalls
recreating entirely, When Should You Start Over?
resources for, ResourcesBooks
responding to
probes of, Responding to ProbesResponding to Probes
security incidents, Responding to Security IncidentsDoing Drills
sample configurations, Two Sample Firewalls
security policies for, Security PoliciesWhat If You Can’t Get a Security Policy?
SMTP and, Configuring SMTP to Work with a FirewallConfiguring SMTP to Work with a Firewall
technologies, Firewall TechnologiesVirtual private networks extend the network you must protect
testing, It Should Have Good Testing and Validation Capabilities
tools for, Toolstrimlog
what to protect, What Are You Protecting and Why?What Are You Protecting and Why?
X Window System and, X11 Window System
forgery
man-in-the-middle, Risks of Filtering by Source Address
of packets, Default Permit Versus Default Deny
source address, Risks of Filtering by Source Address
forwarders directive (DNS), Set up a real DNS server on an internal system for internal hosts to use
fragments, packet, IP layer, IP FragmentationIP Fragmentation
FRS (File Replication Service), Windows 2000 File Replication Service (FRS)Windows 2000 File Replication Service (FRS)
FTP (File Transfer Protocol), File TransferFile Transfer, ftpd, File Transfer Protocol (FTP)Summary of Recommendations for FTP
anonymous, Providing Anonymous FTP ServicePreventing people from using your server to distribute their data
removing files from, Removing the files
configuring, in screened subnet architecture, FTP
passive (or PASV) mode, Packet Filtering Characteristics of FTPPacket Filtering Characteristics of FTP
proxying with TIS FWTK, FTP Proxying with TIS FWTK
resources for, FTP SitesRISKS
server, preventing attacks from, Preventing people from using your server to attack other machinesPreventing people from using your server to attack other machines
via proxy server, Using Proxy-Aware User Procedures for Proxying
write-only incoming directory, Making your incoming directory write-only
wuarchive server, Using the wuarchive FTP daemon
, Trivial File Transfer Protocol (TFTP)
(see also TFTP)
ftp-gw proxy server, FTP
ftpd program, ftpd
functions, SOCKS versus standard network, Converting Clients to Use SOCKS
fuser program, Analyzing Other Protocols
FWALL-Users mailing list, FWTK-USERS

G

games (see computer games)
GateD routing daemon, routed
gateways, application-level (see proxy services)
general-purpose routers, It Can Be a Single-Purpose Router or a General-Purpose Computer
generic proxy servers, Generic Versus Dedicated Proxies
Generic Security Services API (GSSAPI), The Generic Security Services API (GSSAPI)
GINA (Graphical Identification and Authorization), Alternate Authentication Methods
Gopher service, Gopher and WAISSummary of Recommendations for Gopher and WAIS
proxying with TIS FWTK, Other TIS FWTK Proxies
Graphical Identification and Authorization (GINA), Alternate Authentication Methods
graphics, on bastion host, What Hardware Configuration?
Group registry key, Registry keys
GSSAPI (Generic Security Services API), The Generic Security Services API (GSSAPI)

H

hardening machines, Building a Bastion HostBuilding a Bastion Host
hardware
configuration of, What Hardware Configuration?
routers (see routers)
header packet, What Does a Packet Look Like?
headers
nested IP, IP Version 6
packet filtering, It Should Allow Rules Based on Any Header or Meta-Packet Criteria
Hewlett-Packard printers, Other Printing Systems
hijacking, HijackingHijacking
protecting against, Protecting Services
with SSH, SSH session hijacking protection
HINFO records, Revealing too much information to attackers
HMAC, Integrity Protection
algorithm, Cryptographic Hashes and Message Digests
host unreachable codes (see ICMP)
hosts
bastion (see bastion hosts)
dual-homed (see dual-homed hosts)
multiple, Multiple Services or Multiple Hosts?
screened (see screened hosts)
security of, Host Security
speed of, How Fast a Machine?
victim (see victim hosts)
hot fixes, and services, Installing and Modifying Services
housekeeping, HousekeepingManaging Your Disk Space
HTTP (Hypertext Transfer Protocol), The World Wide Web, The World Wide WebSummary of Recommendations for Gopher and WAIS
client security, HTTP Client SecurityInternet Explorer and Security Zones
configuring, HTTP and HTTPS
in screened subnet architecture, HTTP and HTTPSHTTP and HTTPS
network address translation in, Network Address Translation Characteristics of HTTP
packet filtering in, Packet Filtering Characteristics of HTTPPacket Filtering Characteristics of HTTP
proxying in, Proxying Characteristics of HTTPProxying Characteristics of HTTP
with TIS FWTK, Other TIS FWTK Proxies
server, Special HTTP Servers
security of, The World Wide WebRunning unexpected external programs
tunneling, HTTP TunnelingHTTP Tunneling
using with databases, Using a custom protocol to connect to a perimeter web server
, Securing HTTP
(see also HTTPS; Secure HTTP)
http-gw proxy, Other TIS FWTK Proxies
HTTPS, Securing HTTPNetwork address translation characteristics of HTTPS and Secure HTTP
configuring, HTTP and HTTPS
in screened subnet architecture, HTTP and HTTPSHTTP and HTTPS
hybrid proxying (see routers, proxy-aware)
Hypertext Transfer Protocol (HTTP), The World Wide Web

I

ICA (Independent Computing Architecture), Remote Graphic Interfaces for Microsoft Operating Systems, Independent Computing Architecture (ICA)Network address translation characteristics of ICA
ICMP (Internet Control Message Protocol), Network Diagnostics, ICMP, ICMP and Network DiagnosticsSummary of Recommendations for ICMP
echo, ping, ping
(see also ping)
packets, Other ICMP PacketsSummary of Recommendations for ICMP
returning error codes, Returning Error CodesReturning Error Codes
ICMP Router Discovery Protocol (IRDP), Router Discovery/ICMP Router Discovery Protocol (IRDP)Packet filtering characteristics of router discovery
ICP (Internet Cache Protocol), Internet Cache Protocol (ICP)Network address translation characteristics of ICP
ICQ, ICQSummary of Recommendations for ICQ
IDEA (International Data Encryption Algorithm), Encryption Algorithms
identd, Auth and identdSummary of Recommendations for Auth
Igateway program, Using Proxy-Aware Application Software for Proxying
IGMP (Internet Group Management Protocol), Internet Group Management Protocol (IGMP)Packet filtering characteristics of IGMP
IIOP (Internet Inter-Orb Protocol), Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)Summary of Recommendations for CORBA and IIOP
ImagePath registry key, Registry keys
IMAP (Internet Message Access Protocol), Electronic Mail, Internet Message Access Protocol (IMAP)Summary of Recommendations for IMAP
immutable attribute (BSD 4.4-Lite), Mount Filesystems as Read-Only
inbound packets, Be Careful of “Inbound” Versus “Outbound” Semantics
filtering rules for, It Should Apply Rules Separately to Incoming and Outgoing Packets, on a Per-Interface BasisIt Should Have Good Testing and Validation Capabilities
Telnet, Inbound Telnet Service
incident response teams, CERT-CC or other incident response teams, CERT-CC and other incident response teams, Response TeamsSystem Administrators Guild (SAGE)
incidents, Attacks Against Internet ServicesProtecting Services
accidental, Stupidity and Accidents
buffer overflow, How Well Is the Protocol Implemented?, JavaScript
command-channel attacks, Command-Channel Attacks, Protecting Services
contacting service providers about, Vendors and service providers
data-driven attacks, Data-Driven Attacks, Protecting Services
denial of service, Denial of ServiceDenial of Service, Protecting Services
ICMP and, ICMP and Network Diagnostics
detecting, plan for, Planning for Detection
documenting system after, Snapshot the System
planning for, Planning for Snapshots
email viruses, Viruses and other hostilitiesViruses and other hostilities
evaluating, plan for, Planning for Evaluation of the Incident
factoring attacks, Sun RPC Authentication
false authentication of clients, False Authentication of ClientsFalse Authentication of Clients, Protecting Services
hijacking, HijackingHijacking, Protecting Services
SSH protection against, SSH session hijacking protection
intrusions, Intrusion
IP spoofing, IP SpoofingThe attacker doesn’t want the reply
man-in-the-middle forgery, Risks of Filtering by Source Address
multiple failed logins, The Good, the Bad, and the Ugly
notifying people of, Make “Incident in Progress” Notifications, Planning for Notification of People Who Need to Know
packet sniffing attacks, Packet InterceptionPacket Interception, Packet SniffingPacket Sniffing, Protecting Services
password attacks, One-Time Password Software
playback attacks, False Authentication of Clients
port scanning, Port ScanningPort Scanning
practicing drills for, Doing Drills
recovering from, Restore and RecoverRestore and Recover
planning for, Planning for Restoration and Recovery
replay attacks, Replay, Protecting Services
responding to, Responding to Attacks, Responding to Security IncidentsDoing Drills
reviewing, strategies for, Periodic Review of Plans
social manipulation, Electronic Mail
third-party attacks, Third-Party Attacks, Protecting Services
tools and supplies for, Keeping a Cache of Tools and Supplies
Trojan horse, ICMP and, ICMP and Network Diagnostics
types of, What Are You Trying to Protect Against?Information theft
using SSH, Secure Shell (SSH)
weak TCP/IP implementations, exploiting, Implementation Weaknesses
Independent Computing Architecture (see ICA)
independent screened subnet, Independent Screened SubnetsAppropriate uses
inetd process, Which Services Should You Leave Enabled?
modifying for anonymous FTP, Limiting access to information
services started by, Services started by inetd
information lookup services, Information Lookup ServicesSummary of recommendations for whois
information theft, Information theftInformation theft
espionage, Spies (industrial and otherwise)
init process, Which Services Should You Leave Enabled?
insecure networks, Insecure Networks
installing
filesystems as read-only, Mount filesystems as read-only, Mount Filesystems as Read-Only
kernel, Reconfigure and Rebuild the KernelReconfigure and Rebuild the Kernel
operating system, Start with a Minimal Clean Operating System Installation
services, Installing and Modifying Services
on Unix/Linux, Installing and Modifying ServicesUsing netacl to protect services
on Windows NT, Installing and Modifying ServicesInstalling and Modifying Services
software on machine, Reconfiguring for Production, Reconfiguring for ProductionMount Filesystems as Read-Only
intelligent proxy servers, Intelligent Proxy Servers
interior gateway protocols (see routing protocols)
interior routers, Interior Router, Screened Subnet Architecture
configuring, Interior routerInterior router
merging
with bastion host, It’s Dangerous to Merge the Bastion Host and the Interior Router
with exterior routers, It’s OK to Merge the Interior Router and the Exterior Router
multiple, It’s Dangerous to Use Multiple Interior RoutersIt’s Dangerous to Use Multiple Interior Routers
internal
bastion hosts, Internal Bastion Hosts
firewalls, Internal FirewallsAn Internal Firewall May or May Not Need Bastion Hosts
Internet
conferencing services, real-time, Real-Time Conferencing ServicesReal-Time Conferencing Services
connections to unbuilt bastion host, Building a Bastion Host
Control Message Protocol (see ICMP)
defense in depth, Defense in Depth
email over (see email)
logging activity on (see logs)
multiple connections to, It’s OK to Use Multiple Exterior RoutersAn Internal Firewall May or May Not Need Bastion Hosts
Protocol (see IP)
Relay Chat (see IRC)
firewalls (see firewalls)
security resource, CERT-Advisory
services (see Internet services)
Internet Cache Protocol (ICP), Internet Cache Protocol (ICP)Network address translation characteristics of ICP
Internet Explorer
security zones and, Internet Explorer and Security ZonesInternet Explorer and Security Zones
Internet games (see Quake; computer games)
Internet Group Management Protocol (IGMP), Internet Group Management Protocol (IGMP)Packet filtering characteristics of IGMP
Internet Inter-Orb Protocol (IIOP), Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)Summary of Recommendations for CORBA and IIOP
Internet Message Access Protocol (see IMAP)
Internet Printing Protocol (IPP), Other Printing Systems
Internet Relay Chat (see IRC)
Internet services, Internet ServicesGames, Internet Services and FirewallsControlling Unsafe Configurations
default deny stance, Default Deny Stance: That Which Is Not Expressly Permitted Is Prohibited
default permit stance, Default Permit Stance: That Which Is Not Expressly Prohibited Is PermittedDefault Permit Stance: That Which Is Not Expressly Prohibited Is Permitted
disabling, Disabling Nonrequired ServicesTurning Off Routing
on Unix, Disabling Services Under UnixDisabling Services Under Unix, Specific Unix Services to DisableOther services
on Windows NT, How Are Services Managed Under Windows NT?Other ways to start programs under Windows NT, Which Services Should You Leave Enabled?Which Services Should You Leave Enabled?
evaluating risks of, What Operations Does the Protocol Allow?What Else Can Come in If I Allow This Service?
filtering by, Filtering by ServiceRisks of Filtering by Source Port
installing and/or modifying
on Unix, Installing and Modifying ServicesEvaluating and Configuring Unix Services
on Windows NT, Installing and Modifying ServicesInstalling and Modifying Services
installing/modifying, Installing and Modifying Services
intruders
pursuing and capturing, Pursuing and Capturing the IntruderPursuing and Capturing the Intruder
recovering from, Restore and Recover
revealing DNS information to, Revealing too much information to attackers
reviewing response strategies, Periodic Review of Plans
slower machines and, How Fast a Machine?
types of, Types of AttackersStupidity and Accidents
intrusions (see incidents)
inzider program, Analyzing Other Protocols, inzider
IP (Internet Protocol), IPIP Fragmentation
fragmentation, IP FragmentationIP Fragmentation
multicasting, Multicast and the Multicast Backbone (MBONE)
nested over IP, IP over IP and GRE
packet layer, IP layer
packet routes to (see traceroute program)
source route option, IP Options
status and control messages, ICMP
Version 6 (IPv6), IP Version 6
IP addresses
in packet filtering rules, Always Use IP Addresses, Never Hostnames
network address translation, Embedded IP addresses are a problem for network address translation
IP forwarding, disabling, Turning Off Routing
IP security protocol (IPsec), IPsecSummary of Recommendations for IPsec
IP source route option, IP Options
IP spoofing, IP SpoofingThe attacker doesn’t want the reply
ipchains filtering system, Linux ipchains and MasqueradingTesting ipchains rules
compared to ipfilter, Comparing ipfilter and ipchains
masquerading and, Using ipchains (including masquerading)Using ipchains (including masquerading)
ipfilter filtering system, ipfilteripfilter
compared to ipchains, Comparing ipfilter and ipchains
IPP (Internet Printing Protocol), Other Printing Systems
IPsec (IP security protocol), IPsecSummary of Recommendations for IPsec
IRC (Internet Relay Chat), Real-Time Conferencing Services, Internet Relay Chat (IRC)Summary of Recommendations for IRC
IRDP (ICMP Router Discovery Protocol), Router Discovery/ICMP Router Discovery Protocol (IRDP)Packet filtering characteristics of router discovery

K

KDC (Key Distribution Center), How It Works
Kerberos authentication system, File Sharing, KerberosSummary of Recommendations for Kerberos
POP and, Post Office Protocol (POP)
in SSH, SSH client authentication
Kerberos-supporting Post Office Protocol (KPOP), Post Office Protocol (POP)
kernel, reconfiguring, Reconfigure and Rebuild the KernelReconfigure and Rebuild the Kernel
Key Distribution Center (KDC), How It Works
key distribution, encryption, Key Distribution and Certificates
keystroke timing authentication, Something You Are
KPOP (Kerberos-supporting Post Office Protocol), Post Office Protocol (POP)

L

L2TP (Layer 2 Transport Protocol), Layer 2 Transport Protocol (L2TP)Summary of Recommendations for L2TP
labeling the system, Labeling and Diagramming Your System
laboratory networks, Laboratory Networks
LAN-oriented service, Selecting Services Provided by a Bastion Host
LanMan format, Passwords
LanManager, File Sharing for Microsoft Networks
Layer 2 Transport Protocol (L2TP), Layer 2 Transport Protocol (L2TP)Summary of Recommendations for L2TP
layering firewalls, Defense in Depth
LDAP (Lightweight Directory Access Protocol), Naming and Directory Services, Lightweight Directory Access Protocol (LDAP)Summary of Recommendations for LDAP
least privilege principle, Least PrivilegeLeast Privilege, Least privilege, Least privilege
legal issues
documentation of incidents, Document the Incident
pursuing intruders, Pursuing and Capturing the Intruder
security responsibilities, External Factors That Influence Security PoliciesExternal Factors That Influence Security Policies
filesystems
network, File SharingFile Sharing
Lightweight Directory Access Protocol (see LDAP)
Linux, Platforms
bastion host, Unix and Linux Bastion HostsRunning a Security Audit
Internet services on, How Are Services Managed Under Unix?Services started by inetd, Which Services Should You Leave Enabled?Which Services Should You Leave Enabled?
disabling, Disabling Services Under UnixDisabling Services Under Unix, Specific Unix Services to DisableOther services
installing and modifying, Installing and Modifying ServicesUsing netacl to protect services
ipchains, Linux ipchains and MasqueradingTesting ipchains rules
compared to ipfilter, Comparing ipfilter and ipchains
using, Using ipchains (including masquerading)
ipfilter, ipfilteripfilter
example, Conventions for Packet Filtering Rules
machine
configuring, Reconfiguring for ProductionMount Filesystems as Read-Only
securing, Securing UnixSystem logs for catastrophe
masquerading, MasqueradingUsing ipchains (including masquerading)
netfilter, Linux netfilter
syslog example, syslog Linux example
, syslog Linux example
(see also Unix)
Linux Documentation Project, The Linux Documentation Project
Linux Router Project, The Linux Router Project
Livingston routers, Conventions for Packet Filtering Rules
LMRepl service, Windows NT Directory Replication
local newsgroups, Usenet News
lockd, File Locking with NFS
locking files, with NFS, File Locking with NFSFile Locking with NFS
logins
remote, Remote Terminal Access and Command Execution
successful, from unexpected site, The Good, the Bad, and the Ugly
logs, Where will logs go, and how?, Safeguard the System LogsChoosing what to log, syslog, Keeping Activity Logs
(see also syslog)
of accepted/dropped packets, It Should Be Able to Log Accepted and Dropped Packets
backups and, Do Secure Backups
creating with SOCKS, Versions of SOCKS
memory required for, Managing Your Disk Space, What Should You Watch For?
network address translation, Dynamic allocation of addresses interferes with logging
proxy services, Proxy services can be good at logging
of router actions, Logging Actions
setting up
on Unix, Setting Up System Logs on UnixSystem logs for catastrophe
on Windows NT, Setting Up System Logs Under Windows NTSetting Up System Logs Under Windows NT
unexpectedly deleted or modified, The Good, the Bad, and the Ugly
what to watch for, What Should You Watch For?What Should You Watch For?
lookups, DNS, Packet Filtering Characteristics of DNS, Mismatched data between the hostname and IP address DNS trees
Lotus Notes, Lotus Notes and DominoSummary of Recommendations for Lotus Notes
lp/lpr printing systems, lpr and lpPacket filtering and proxying characteristics of lp

M

machine
auditing (see audit, security)
backing up, Backing Up Your Filesystems
choosing, Choosing a MachineWhat Hardware Configuration?
configuring, Reconfiguring for ProductionMount filesystems as read-only
on Unix/Linux, Reconfiguring for ProductionMount Filesystems as Read-Only
connecting, Connecting the Machine
disconnecting or shutting down, Planning for Disconnecting or Shutting Down Machines
hardening, Building a Bastion HostBuilding a Bastion Host
hardware (see hardware)
physical location of, Choosing a Physical Location
securing, Securing the MachineChoosing what to log, Controlling Unsafe ConfigurationsControlling Unsafe Configurations
on Unix/Linux, Securing UnixSystem logs for catastrophe
on Windows NT, Securing Windows NTSetting Up System Logs Under Windows NT
software (see software)
speed of, How Fast a Machine?
mail (see email)
mail delivery agent (MDA), Electronic Mail
mail servers, evaluating, Junk mail
mail transfer agent (MTA), Electronic Mail
mail user agent (MUA), Electronic Mail
mailing lists, keeping current, Mailing lists, Mailing Lists
maintaining firewalls, Maintaining FirewallsWhen Should You Start Over?
man-in-the-middle forgery, Risks of Filtering by Source Address
management tools, Administrative Services
managing accounts, Managing Your AccountsManaging Your Accounts
MAPI (Microsoft Messaging API), Microsoft Messaging API (MAPI)
masquerading, MasqueradingUsing ipchains (including masquerading)
master browser, on Microsoft networks, Master browserMaster browser
MBONE (Multicast Backbone), Real-Time Conferencing Services, Multicast and the Multicast Backbone (MBONE)Summary of Recommendations for Multicast
MD4 algorithm, One-Time Password Software, Cryptographic Hashes and Message Digests, Cryptographic Hashes and Message Digests
MDA (mail delivery agent), Electronic Mail
memory, What Hardware Configuration?
for logs, Managing Your Disk Space, What Should You Watch For?
managing, Managing Your Disk Space
merging interior and exterior routers, It’s OK to Merge the Interior Router and the Exterior Router
message digests, Cryptographic Hashes, Checksums, and Message DigestsCryptographic Hashes, Checksums, and Message Digests
meta-packets, and filtering, It Should Allow Rules Based on Any Header or Meta-Packet Criteria
Microsoft DNS server, disabling, Specific Windows NT Services to Disable
Microsoft Exchange, Electronic Mail, Microsoft ExchangeSummary of Recommendations for Microsoft Exchange
Microsoft Messaging API (MAPI), Microsoft Messaging API (MAPI)
Microsoft networks
browser roles, Domain master browserBrowser client
common security problems in, Remote Graphic Interfaces for Microsoft Operating Systems
domains, Domains and Workgroups
file sharing on, File Sharing for Microsoft NetworksPacket Filtering, Proxying, and Network Address Translation Characteristics of Microsoft File Sharing
workgroups, Domains and Workgroups
Microsoft Proxy Server, Using Microsoft Proxy ServerProxy Server and WinSock
Microsoft RPC, Remote Procedure Call (RPC), Microsoft Exchange
authentication, Microsoft RPC Authentication
, Remote Procedure Call (RPC)
(see also RPC)
Microsoft SQL Server (see SQL Server)
Microsoft TCP/IP printing services, disabling, Specific Windows NT Services to Disable
Microsoft Terminal Server/Terminal Services, Microsoft Terminal Server and Terminal ServicesNetwork address translation characteristics of RDP
MIME (Multimedia Internet Mail Extensions), Multimedia Internet Mail Extensions (MIME)Multimedia Internet Mail Extensions (MIME)
extensions (see S/MIME; OpenPGP)
mobile code systems, Mobile Code and Web-Related LanguagesActiveX
modem pools, Terminal Servers and Modem PoolsTerminal Servers and Modem Pools
modifying services, Installing and Modifying Services
on Unix, Installing and Modifying ServicesUsing netacl to protect services
on Windows NT, Installing and Modifying Services
monitoring system, Monitoring Your SystemResponding to Attacks
automatically, Consider Using Software to Automate Monitoring
Morris worm, What Data Does the Protocol Transfer?, Does it have any other commands in it?
mountd, NFS and related services, NFS Authentication, Packet Filtering Characteristics of NFS
mounting filesystems, Mount filesystems as read-only, Mount Filesystems as Read-Only
mrouter, IP over IP and GRE
MRTG program, Consider Using Software to Automate Monitoring
MTA (mail transfer agent), Electronic Mail
MUA (mail user agent), Electronic Mail
Multicast Backbone (see MBONE)
multicast IP, IP over IP and GRE
multicasting, Multicast and the Multicast Backbone (MBONE)Multicast and the Multicast Backbone (MBONE)
Multimedia Internet Mail Extensions
(see MIME)
MX records, Set up a “fake” DNS server on the bastion host for the outside world to use

N

named programs (DNS), Set up a real DNS server on an internal system for internal hosts to use
naming services (see DNS)
NAT (see network address translation)
nested IP over IP, IP over IP and GRE
Net8, Oracle SQL*Net and Net8Summary of recommendations for SQL*Net and Net8
netacl program, Using netacl to protect services
NetBEUI, File Sharing for Microsoft Networks
NetBIOS, File Sharing for Microsoft Networks
NetBIOS names, NetBIOS for TCP/IP Name Service and Windows Internet Name Service, NetBIOS NamesNetBIOS Names
NetBIOS over TCP/IP (see NetBT)
NetBT, NetBIOS over TCP/IP (NetBT)Summary of Recommendations for NetBT, File Sharing for Microsoft Networks, NetBIOS for TCP/IP Name Service and Windows Internet Name ServiceSummary of Recommendations for NetBT Name Service and WINS
name service, NetBIOS NamesConflict management
Netcaster, Push Technologies
netcat program, Analyzing Other Protocols
netfilter filtering system, Linux netfilter
NetMeeting, NetMeetingSummary of Recommendations for NetMeeting
NetSaint program, Consider Using Software to Automate Monitoring
netstat program, Next Steps After Disabling Services, Analyzing Other Protocols
network
architecture (see firewalls, architecture of)
checking connectivity of (see ping)
diagnostics, ICMP and Network DiagnosticsSummary of Recommendations for ICMP
disconnecting from
after incident, Disconnect or Shut Down, as Appropriate
plan to, Planning for Disconnecting or Shutting Down Machines
File System (see NFS)
functions, SOCKS version of, Converting Clients to Use SOCKS
independent screened, Independent Screened SubnetsAppropriate uses
insecure, Insecure Networks
internal, locating web and database servers on, Putting both the web server and the database on the internal network
joint, Joint Venture FirewallsAn Internal Firewall May or May Not Need Bastion Hosts
lab/test, Laboratory Networks
filesystems, File SharingFile Sharing
location of bastion host on, Locating Bastion Hosts on the Network
management services, Administrative Services, Administrative ServicesSummary Recommendations for Mostly Harmless Protocols
monitoring automatically, Consider Using Software to Automate Monitoring
perimeter, Some Firewall Definitions, Perimeter Network, Screened Subnet Architecture
locating web and database servers on, Putting both the web server and the database on the perimeter network
protecting internally, Internal FirewallsAn Internal Firewall May or May Not Need Bastion Hosts
security (see security)
split-screened, architecture of, Split-Screened SubnetAppropriate uses
taps, Information theft
Time Protocol (see NTP)
transferring information across (see packet filtering)
virtual private (see VPN)
network address translation (NAT), Some Firewall Definitions, Network Address TranslationNetwork Address Translation
advantages/disadvantages, Advantages of Network Address TranslationDynamic allocation of ports may interfere with packet filtering
Network Information Service (see NIS)
Network Monitor, Performance Monitor and Network Monitor
Network News Transfer Protocol (see NNTP)
network unreachable codes (see ICMP)
newsgroups, Usenet News, Network News Transfer Protocol (NNTP)Summary of Recommendations for NNTP
keeping current via, Newsgroups
private, Usenet News
security resources via, Newsgroups
NFS (Network File System), File Sharing, Remote Procedure Call (RPC), Network File System (NFS)Network Address Translation Characteristics of NFS
client, NFS Client Vulnerabilities
disabling, NFS and related servicesNFS and related services
file locking with, File Locking with NFSFile Locking with NFS
NIS (Network Information Service), Naming and Directory Services, Remote Procedure Call (RPC), Domain Name System (DNS), Network Information Service (NIS)Summary of Recommendations for NIS
disabling, NFS and related services
NIS+, Network Information Service (NIS)
NISGINA, Alternate Authentication Methods
NNTP (Network News Transfer Protocol), Usenet News, Network News Transfer Protocol (NNTP)Summary of Recommendations for NNTP
configuring, NNTP
in screened subnet architecture, NNTP
proxying, Proxying Without a Proxy Server
NOCOL program, Consider Using Software to Automate Monitoring
nonrouting dual-homed hosts, Nonrouting Dual-Homed Hosts, Turning Off Routing
notifying people of incidents, Make “Incident in Progress” Notifications, Planning for Notification of People Who Need to Know
NT LM Security Support Provider, Which Services Should You Leave Enabled?
NTBugTraq mailing list, NTBugTraq
NTLM domains, NTLM DomainsSummary of Recommendations for NTLM Domain Authentication
NTP (Network Time Protocol), Time Service, Network Time Protocol (NTP)Summary of Recommendations for NTP
proxying, Proxying Without a Proxy Server

O

ObjectName registry key, Registry keys
ODBC (Open Database Connectivity), Open Database Connectivity (ODBC) and Java Database Connectivity (JDBC)Open Database Connectivity (ODBC) and Java Database Connectivity (JDBC)
on program, Remote Terminal Access and Command Execution
one-time passwords, One-Time Password SoftwareModular Authentication for Unix
flooding, Denial of serviceDenial of service
Open Database Connectivity (ODBC), Open Database Connectivity (ODBC) and Java Database Connectivity (JDBC)Open Database Connectivity (ODBC) and Java Database Connectivity (JDBC)
Open Shortest Path First (OSPF), Open Shortest Path First (OSPF)Packet filtering characteristics of OSPF
OpenPGP, S/MIME and OpenPGPS/MIME and OpenPGP
operating systems
choosing, Unix and Linux Bastion HostsWhich Version of Unix?, Which Version of Windows NT?Which Version of Windows NT?
for bastion host, What Operating System?What Operating System?
fixing bugs in, Fix All Known System Bugs
installation of, Start with a Minimal Clean Operating System Installation
Linux (see Linux)
multiple, proxying and, Why Proxying?
proxy-aware, Using Proxy-Aware Operating System Software
testing reload of, Testing the Reload of the Operating System
Unix (see Unix)
Windows NT (see Windows NT)
Oracle Net8, Oracle SQL*Net and Net8Summary of recommendations for SQL*Net and Net8
Oracle SQL*Net, Oracle SQL*Net and Net8Summary of recommendations for SQL*Net and Net8
OSPF (Open Shortest Path First), Open Shortest Path First (OSPF)Packet filtering characteristics of OSPF
OTP system, One-Time Password SoftwareOne-Time Password Software
outbound
finger requests, finger
packets, Be Careful of “Inbound” Versus “Outbound” Semantics
filtering rules for, It Should Apply Rules Separately to Incoming and Outgoing Packets, on a Per-Interface BasisIt Should Have Good Testing and Validation Capabilities
Telnet, Outbound Telnet Service

P

packages, auditing, Auditing packagesUse cryptographic checksums for auditing
Unix, Running a Security AuditRunning a Security Audit
packet altering, What Does a Packet Look Like?What Does a Packet Look Like?
IP (see IP)
packet filtering, Some Firewall Definitions, Packet Filtering, Packet FilteringPutting It All Together
by address, Filtering by AddressRisks of Filtering by Source Address
administering systems, Packet Filtering Tips and TricksIf Possible, Use Named Access Lists
bastion hosts, protection for, Controlling Inbound Traffic
bugs in packages, Current filtering tools are not perfect
conventions for, It Should Allow Simple Specification of Rules
dynamic, Stateful or Dynamic Packet Filtering
examples of, Putting It All TogetherPutting It All Together
with exterior router, Exterior Router
implementations, on general-purpose computers, Packet Filtering Implementations for General-Purpose ComputersWindows NT Packet Filtering
inbound vs. outbound, It Should Apply Rules Separately to Incoming and Outgoing Packets, on a Per-Interface BasisIt Should Have Good Testing and Validation Capabilities
with interior router, Interior Router
perimeter, encryption and, Where Do You Encrypt?
routers
configuring, Configuring a Packet Filtering RouterMaking Changes
rules for, Conventions for Packet Filtering RulesRisks of Filtering by Source Address, What Rules Should You Use?, Putting It All TogetherPutting It All Together, Packet Filtering RulesPacket Filtering Rules
editing offline, Edit Your Filtering Rules Offline
IP addresses in, Always Use IP Addresses, Never Hostnames
reloading, Reload Rule Sets from Scratch Each Time
in screened subnet architecture, Packet Filtering RulesExterior router
sequence of, It Should Apply Rules in the Order SpecifiedPacket filtering rules are tricky
updating, Replace Packet Filters Atomically
with screened host architecture, Screened Host ArchitecturesScreened Host Architectures
by service, Filtering by ServiceRisks of Filtering by Source Port
by source port, Risks of Filtering by Source Port
stateful, Stateful or Dynamic Packet FilteringStateful or Dynamic Packet Filtering
tools for, Packet Filtering Tools
where to do, Where to Do Packet FilteringWhere to Do Packet Filtering
on Windows NT, Windows NT Packet FilteringWindows NT Packet Filtering
packet filtering
routers
choosing, Choosing a Packet Filtering RouterIt Should Be Able to Log Accepted and Dropped Packets
testing, It Should Have Good Testing and Validation Capabilities
packet sniffing attacks, Packet SniffingPacket Sniffing
protecting against, Protecting Services
packets, Packets and Protocols, Some Firewall Definitions, traceroute
(see also traceroute program)
accepted/dropped, logging, It Should Be Able to Log Accepted and Dropped Packets
forged, Default Permit Versus Default Deny
fragmenting, IP layer, IP FragmentationIP Fragmentation
handling (by router), What Does the Router Do with Packets?Returning Error Codes
headers of, What Does a Packet Look Like?
ICMP, Other ICMP Packets
inbound vs. outbound, Be Careful of “Inbound” Versus “Outbound” Semantics
sniffing, Packet InterceptionPacket Interception, Protecting Services
programs, Packet SniffingPacket Sniffing
source-routed, Turning Off Routing
TCP, TCPTCP sequence numbers
UDP, UDP
page process, Which Services Should You Leave Enabled?
PAM (Pluggable Authentication Modules), Pluggable Authentication Modules (PAM)Pluggable Authentication Modules (PAM)
papers, security-related, PapersPapers
passive (or PASV) mode, FTP, Packet Filtering Characteristics of FTPPacket Filtering Characteristics of FTP
password aging, Managing Your Accounts
passwords, Something You Know
automatically generated, Passwords
cracking, Passwords
false authentication and, False Authentication of Clients
one-time, Something You Have, One-Time Password SoftwareModular Authentication for Unix
for packet filters, Password Protect Your Packet Filters
on PostScript printers, Printing Protocols
in SSH, SSH client authentication
stealing with network taps, Information theft
time-based, Kerberos
Unix, Passwords
on web pages, Inadvertent Release of Information
Windows NT, Passwords
, What Is Authentication?
(see also authentication)
patches, Keeping Your Systems up to Date
pcbind service, Other RPC services
Performance Monitor, Performance Monitor and Network Monitor
performance, with multiple interior routers, It’s Dangerous to Use Multiple Interior Routers
perimeter networks, Some Firewall Definitions, Perimeter Network
shared, A Shared Perimeter Network Allows an “Arms-Length” Relationship
PGP program, Next Steps After Disabling Services
ping program, Network Diagnostics, pingNetwork address translation and ping
PKIX (Public-Key Infrastructure X.509), Certificates
plaintext, Encryption
platforms, Platforms
playback attacks, False Authentication of Clients
plug-gw proxy, Generic Proxying with TIS FWTK
plug-ins, Web Client Security Issues, External Viewers
Pluggable Authentication Modules (PAM), Pluggable Authentication Modules (PAM)Pluggable Authentication Modules (PAM)
PlugPlayServiceType registry key, Registry keys
Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP)Summary of Recommendations for PPTP
Pointcast program, Push Technologies
policy, security (see security, policies for)
POP (Post Office Protocol), Electronic Mail
POP (Post Office Protocol), Post Office Protocol (POP)Summary of Recommendations for POP
port forwarding, in SSH, Port forwardingPort forwarding
port numbers
assigned, Assigned Ports
finding, Analyzing Other Protocols
client, Internet Services and Firewalls
setting, Packet Filtering Characteristics of RPC
portmap service, Other RPC services, Other RPC services
portmapper server, Remote Procedure Call (RPC), Packet Filtering Characteristics of NFS
ports
network address translation, Dynamic allocation of ports may interfere with packet filtering
scanning, Port ScanningPort Scanning
source, filtering by, Risks of Filtering by Source Port
Postfix program, Postfix
PostScript
files, External Viewers
printers, attacks from, Printing Protocols
PPP (Point-to-Point Protocol), Point-to-Point Tunneling Protocol (PPTP)Summary of Recommendations for PPTP
printing, Least Privilege, Printing ProtocolsSummary of Recommendations for Printing Protocols
Hewlett-Packard printers, Other Printing Systems
PostScript printers, Printing Protocols
systems, Printing SystemsPrinting Systems
Windows-based, Windows-based Printing
private newsgroups, Usenet News
privileges, root, Sendmail
probes, responding to, Responding to ProbesResponding to Probes
procedures for proxying, custom, Using Proxy-Aware User Procedures for Proxying
processing speed, How Fast a Machine?
programming languages, web-related, Mobile Code and Web-Related LanguagesActiveX
programs
evaluating security of, Choosing Security-Critical ProgramsThere is a secure software distribution mechanism
external
on HTTP clients, Extension SystemsExtension Systems
on HTTP servers, HTTP ExtensionsRunning unexpected external programs
removing nonessential, Remove Nonessential Programs
uploading on HTTP servers, Running unexpected external programs
programs
removing nonessential on Windows NT, Next Steps After Disabling Services
promiscuous mode, Locating Bastion Hosts on the Network
protocol checking, Protocol CheckingProtocol Checking
protocol modification, Protocol Security
protocols
analyzing, What Else Can Come in If I Allow This Service?Analyzing Other Protocols
assigned port numbers, Assigned Ports
bidirectionality of, Protocols Are Usually Bidirectional
custom, Using a custom protocol to connect to a perimeter web server
evaluating, What Operations Does the Protocol Allow?What Else Can Come in If I Allow This Service?
file synchronization, File SynchronizationSummary of Recommendations for File Synchronization
implementation of, evaluating, How Well Is the Protocol Implemented?Does it have any other commands in it?
above IP, Protocols Above IPIP over IP and GRE
below IP, Protocols Below IP
non-IP, Non-IP Protocols
from OSI, Other Mail Transfer Protocols
routing, Routing ProtocolsSummary of Recommendations for Routing Protocols
security of, What Makes a Protocol Secure?Destroying the Shared Secret
proxying and, Protocol Security
time-dependence of, Network Time Protocol (NTP)
Proxy Server, Using Microsoft Proxy ServerProxy Server and WinSock
proxy services, Some Firewall Definitions, Proxy ServicesProxy Services, Proxy SystemsCan’t Modify Client or Procedures
advantages/disadvantages, Advantages of ProxyingProxy services usually require modifications to clients, applications, or procedures
application- versus circuit-level, Application-Level Versus Circuit-Level ProxiesApplication-Level Versus Circuit-Level Proxies
generic vs. dedicated, Generic Versus Dedicated Proxies
intelligent servers, Intelligent Proxy Servers
Microsoft Proxy Server, Using Microsoft Proxy ServerProxy Server and WinSock
multiple operating systems, Why Proxying?
protocol security, Protocol Security
without proxy server, Proxying Without a Proxy Server
SOCKS package for, Using SOCKS for ProxyingConverting Clients to Use SOCKS
software for, How Proxying WorksUsing Proxy-Aware User Procedures for Proxying
TIS Internet Firewalls Toolkit for, Using the TIS Internet Firewall Toolkit for ProxyingOther TIS FWTK Proxies
tools for, Proxy Systems Tools
when unable to provide, What If You Can’t Proxy?
public key cryptography, Kinds of encryption algorithms, Sharing a Secret
in SSH, SSH server authentication, SSH client authenticationSSH client authentication
Public-Key Infrastructure X.509 (PKIX), Certificates
pull technology, Push Technologies
pursuing intruders, Pursuing and Capturing the IntruderPursuing and Capturing the Intruder
push technologies, Push TechnologiesSummary of Recommendations for Push Technologies

Q

Qmail program, Qmail
Quake, Quake

R

“r” command services, BSD “r” command services
“r” commands, BSD “r” command services
r commands, BSD “r” CommandsSummary of recommendations for the BSD “r” command
NAT characteristics of, Network address translation characteristics of the BSD “r” commands
packet filtering characteristics of, Packet filtering characteristics of the BSD “r” commandsPacket filtering characteristics of the BSD “r” commands
proxy services characteristics of, Proxying characteristics of the BSD “r” commands
RADIUS (Remote Authentication Dial-in User Service), Remote Authentication Dial-in User Service (RADIUS)Summary of Recommendations for RADIUS
random numbers, Random NumbersRandom Numbers
RAS (Remote Access Service), Remote Access Service (RAS)Remote Access Service (RAS)
RC2/RC4 algorithms, Encryption Algorithms
RCMD service, Windows NT Remote CommandsSummary of recommendations for remote commands
RCONSOLE service, Windows NT Remote CommandsSummary of recommendations for remote commands
rcp transfer program, File Transfer
rdist program, rdist
RDP (Remote Desktop Protocol), Remote Graphic Interfaces for Microsoft Operating Systems, Microsoft Terminal Server and Terminal Services
read-only filesystems, Mount filesystems as read-only, Mount filesystems as read-only, Mount Filesystems as Read-Only
real-time conferencing services, Real-Time Conferencing ServicesSummary of Recommendations for Multicast
RealAudio/RealVideo, RealAudio and RealVideoSummary Recommendations for RealAudio and RealVideo
RealNetworks, RealAudio and RealVideoSummary Recommendations for RealAudio and RealVideo
RealServer, Risks of RealServer
rebooting, Watch Reboots Carefully
recording activity (see logs)
recovering after incident, Restore and RecoverRestore and Recover
plan for, Planning for Restoration and Recovery
registry keys
insecure, Other ways to start programs under Windows NT
permissions on, Installing and Modifying Services
for services, Registry keysRegistry keys
remote
command execution, Remote Command ExecutionSummary of recommendations for SSH
computers, hijacking, HijackingHijacking
terminal access, Remote Terminal Access and Command Execution
Remote Access Service (see RAS)
Remote Authentication Dial-in User Service (RADIUS), Remote Authentication Dial-in User Service (RADIUS)Summary of Recommendations for RADIUS
Remote Desktop Protocol (see RDP)
remote graphical interfaces
Windows operating systems, Remote Graphic Interfaces for Microsoft Operating Systems, Remote Graphic Interfaces for Microsoft Operating SystemsSummary of Recommendations for Windows Remote Access
X Window System, X11 Window SystemSummary of recommendations for X11
Remote Procedure Call (see RPC)
REMOTE service, Windows NT Remote CommandsSummary of recommendations for remote commands
remote terminal access (see Telnet)
replay attacks, Replay
protecting against, Protecting Services
reputation, Your Reputation, Electronic Mail
resources, Your Resources
, Your Resources
(see also memory)
response teams (see incident response teams)
retina authentication, Something You Are
reverse lookups, Mismatched data between the hostname and IP address DNS trees, Set up a “fake” DNS server on the bastion host for the outside world to use
reviewing security policies, Provision for reviews
firewalls, What Is an Internet Firewall?What Is an Internet Firewall?
buying versus building, Buying Versus BuildingBuying Versus Building
IPv6, IP Version 6
layering, Defense in Depth
weakest link, Weakest Link
what to protect, What Are You Trying to Protect?Your Reputation
, What Is an Internet Firewall?
(see also security)
rex service, rex
rexec server, rexecSummary of recommendations for rexec
rhosts authentication mechanism, SSH client authentication
RIP (Routing Information Protocol), Routing Information Protocol (RIP)Packet filtering characteristics of RIP
RISKS mailing list, RISKS
rlogin program, Remote Terminal Access and Command Execution
proxying with TIS FWTK, Telnet and rlogin Proxying with TIS FWTK
root privileges, required by Sendmail, Sendmail
routed server, routed
router discovery, Router Discovery/ICMP Router Discovery Protocol (IRDP)Packet filtering characteristics of router discovery
routers, Packet Filtering
as choke point, What Can You Do with Packet Filtering?
choosing, Choosing a Packet Filtering RouterIt Should Be Able to Log Accepted and Dropped Packets
disabling, Turning Off RoutingTurning Off Routing
on Unix/Linux, Turning Off RoutingTurning Off Routing
on Windows NT, Turning Off RoutingTurning Off Routing
exterior (or access) (see exterior routers)
handling packets, What Does the Router Do with Packets?Returning Error Codes
interior (see interior routers)
logging actions of, Logging Actions
merging interior and exterior, It’s OK to Merge the Interior Router and the Exterior Router
multicast, IP over IP and GRE
network address translation, Some Firewall Definitions
proxy-aware, Using a Proxy-Aware Router
returning ICMP error codes, Returning Error CodesReturning Error Codes
screening (see screening routers)
single-purpose vs. general-purpose, It Can Be a Single-Purpose Router or a General-Purpose Computer
testing, Laboratory Networks
where to filter, Where to Do Packet FilteringWhere to Do Packet Filtering
routing protocols, Routing, Routing ProtocolsSummary of Recommendations for Routing Protocols
rows, IPv6, IP Version 6
RPC (Remote Procedure Call), Remote Procedure Call (RPC)Summary of Recommendations for RPC
disabling, NFS and related services
network address translation in, Network Address Translation Characteristics of RPC
packet filtering in, Packet Filtering Characteristics of RPCPacket Filtering Characteristics of RPC
portmapper server, Remote Procedure Call (RPC)
proxying in, Proxying Characteristics of RPC
RPC Locator server, Remote Procedure Call (RPC)
service number, Remote Procedure Call (RPC)
RPC Locator server, Remote Procedure Call (RPC)
RSA algorithm, Encryption Algorithms, Key Exchange
rsh program, Remote Terminal Access and Command Execution
rsync program, rsyncNetwork address translation characteristics of rsync

S

S/Key password program, One-Time Password SoftwareOne-Time Password Software
S/MIME, S/MIME and OpenPGPS/MIME and OpenPGP
sabotage (see denial of service attacks)
Samba, SambaSamba
sandbox security model, JavaJava
SANS Institute, System Administration, Networking, and Security (SANS) Institute
SATAN (Security Administrator’s Tool for Analyzing Networks), Running a Security Audit
sc command, How Are Services Managed Under Windows NT?
scanning ports, Port ScanningPort Scanning
SCM (Service Control Manager), How Are Services Managed Under Windows NT?
scorekeepers, Scorekeepers
screened hosts
architecture of, Screened Host ArchitecturesScreened Host Architectures
screened subnets and, It’s Dangerous to Use Both Screened Subnets and Screened Hosts
screened subnet
architecture of, Screened Subnet Architectures
screened subnets
architecture of, Screened Subnet ArchitecturesExterior Router, Screened Subnet ArchitectureConclusions
screened hosts and, It’s Dangerous to Use Both Screened Subnets and Screened Hosts
screening routers, What Does a Packet Look Like?, Packet Filtering, Screening RouterAppropriate uses
acceptable addresses for, Conventions for Packet Filtering RulesConventions for Packet Filtering Rules
choosing, Choosing a Packet Filtering RouterIt Should Be Able to Log Accepted and Dropped Packets
configuring, Configuring a Packet Filtering RouterDefault Permit Versus Default Deny
proxy systems, Proxy Systems
rules for, Conventions for Packet Filtering RulesPutting It All Together
where to use, Where to Do Packet FilteringWhere to Do Packet Filtering
, What Does a Packet Look Like?
(see also packet filtering)
Secure HTTP, Securing HTTPNetwork address translation characteristics of HTTPS and Secure HTTP
Secure RPC, Sun RPC Authentication
secure shell (see SSH)
Secure Socket Layer (see SSL)
security
ActiveX and, ActiveX
against system failure, Fail-Safe StanceDefault Permit Stance: That Which Is Not Expressly Prohibited Is Permitted
audit, Running a Security AuditUse cryptographic checksums for auditing
on Unix, Running a Security AuditRunning a Security Audit
of backups, Protecting the Machine and BackupsDo Secure Backups
bastion host speed and, How Fast a Machine?
of BSD r commands, BSD “r” Commands
on Unix/Linux, BSD “r” Commands
on Windows, BSD “r” commands under Windows NT
of checksums, Keeping Secured Checksums
choke points, Choke point, Choke point
of computer games, Games
of database protocols, Locating Database Servers
default deny stance, Default Permit Versus Default Deny
default permit stance, Default Permit Versus Default Deny
defense in depth, Defense in depth, Defense in depth
designing for network, Buying Versus BuildingBuying Versus Building
diversity of defense, Diversity of Defense, Diversity of defense, Diversity of defense
of DNS, DNS Security ProblemsRevealing too much information to attackers
drills for, practicing, Doing Drills
of email, Keeping Mail SecretKeeping Mail Secret
fail-safe stance, Fail-safe stance, Fail-safe stance
of FTP, Providing Anonymous FTP Service
host, Host Security
of HTTP, HTTP Server SecurityInternet Explorer and Security Zones
of ICMP, ICMP and Network Diagnostics
incident response teams (see incident response teams)
incidents (see incidents)
of IRC, Internet Relay Chat (IRC)
of Java, Java
of JavaScript, JavaScript
lack of, How Can You Protect Your Site?
least privilege, Least privilege, Least privilege
legal responsibilities, External Factors That Influence Security PoliciesExternal Factors That Influence Security Policies
of lpr and lp printing systems, lpr and lp
of machine, Securing the MachineChoosing what to log
Unix/Linux, Setting Up System Logs on UnixSetting Up System Logs on Unix
Windows NT, Setting Up System Logs Under Windows NTSetting Up System Logs Under Windows NT
models, Security Through ObscurityNo Security Model Can Do It All
modem pools, Terminal Servers and Modem PoolsTerminal Servers and Modem Pools
of Net8, Security implications of SQL*Net and Net8Security implications of SQL*Net and Net8
netacl, Using netacl to protect services
of NetBT name service, Security Implications of NetBT Name Service and WINS
networks
insecure, Insecure Networks
protecting, Internal FirewallsAn Internal Firewall May or May Not Need Bastion Hosts
of NIS, Network Information Service (NIS)
of NNTP, Network News Transfer Protocol (NNTP)
operating system bugs, Fix All Known System Bugs
of passwords, Passwords
policies for, A firewall is a focus for security decisions, Security PoliciesWhat If You Can’t Get a Security Policy?
reviewing, Provision for reviews
of POP, Post Office Protocol (POP)
of PostScript printers, Printing Protocols
of programs
evaluating, Choosing Security-Critical ProgramsThere is a secure software distribution mechanism
indicators of, Real Indicators of SecurityThere is a secure software distribution mechanism
of protocols, What Makes a Protocol Secure?Destroying the Shared Secret
proxying and, Protocol Security
of push technologies, Push Technologies
of rdist, rdist
of remote graphical interfaces
on Windows operating systems, Remote Graphic Interfaces for Microsoft Operating SystemsRemote Graphic Interfaces for Microsoft Operating Systems
resources for, ResourcesBooks
of routing protocols, Routing Protocols
sandbox model, JavaJava
of Sendmail, SendmailSendmail
simplicity of, Simplicity
of SNMP, Simple Network Management Protocol (SNMP)
of SQL*Net, Security implications of SQL*Net and Net8Security implications of SQL*Net and Net8
of SSH, What makes SSH secure?What makes SSH secure?
strategies for, Security StrategiesSimplicity
TCP Wrapper, Using the TCP Wrapper Package to Protect Services
terminal servers, Terminal Servers and Modem PoolsTerminal Servers and Modem Pools
time information and, Network Time Protocol (NTP)
universal participation, Universal Participation, Universal participation, Universal participation
of VBScript, VBScript
weakest link, Weakest Link, Weakest link, Weakest link
when proxying is ineffective, Proxying Won’t Secure the Service
when system crashes, Watch Reboots Carefully
of whois service, whois
of Windows Browser, Security Implications of the Windows BrowserSecurity Implications of the Windows Browser
of WINS, Security Implications of NetBT Name Service and WINS
of X Window System, X11 Window System
zones, Internet Explorer and, Internet Explorer and Security ZonesInternet Explorer and Security Zones
, What Is an Internet Firewall?
(see also firewalls)
security manager (Java), Java
self-decrypting archives, Keeping Mail Secret
Sendmail, Electronic Mail, Electronic Mail, Least Privilege, SendmailSendmail
(see also SMTP)
Morris worm, What Data Does the Protocol Transfer?, Does it have any other commands in it?
server
AAA, Authentication and Auditing Services
caching, Proxying Characteristics of HTTP, Cache Communication ProtocolsSummary of Recommendations for Cache Communication Protocols
database, locating, Locating Database ServersUsing a custom protocol to connect to a perimeter web server
DNS
for internal hosts, Set up a real DNS server on an internal system for internal hosts to use
setting up fake, Set up a “fake” DNS server on the bastion host for the outside world to useSet up a “fake” DNS server on the bastion host for the outside world to use
FTP, preventing attacks from, Preventing people from using your server to attack other machinesPreventing people from using your server to attack other machines
HTTP, Special HTTP Servers
security of, HTTP Server SecurityRunning unexpected external programs
KDC, How It Works
mail, evaluating, Junk mail
proxy (see proxy services)
routed, routed
SMB authentication, SMB AuthenticationSMB Authentication
SMTP
commercial, Commercial SMTP Servers for Unix
freely available, Other Freely Available SMTP Servers for UnixQmail
for Windows NT, SMTP Servers for Windows NTSMTP Servers for Windows NT
SSH, authentication, SSH server authenticationSSH server authentication
TIS FWTK authentication, The TIS FWTK Authentication ServerProblems with the authentication server
web, Web Server Security IssuesWeb Server Security Issues
Windows Browser, The Windows BrowserSummary of Recommendations for the Windows Browser
WINS, communication among, WINS Server-Server CommunicationWINS Server-Server Communication
wuarchive, Using the wuarchive FTP daemon
Server Message Block (SMB) (see SMB)
Service Control Manager (see SCM)
service packs, services and, Installing and Modifying Services
services, Internet Services and FirewallsControlling Unsafe Configurations
biff, biff
booting, on Unix, Booting services
contacting providers about incidents, Vendors and service providers, Vendors and service providers
disabling those not required, Disabling Nonrequired ServicesTurning Off Routing
on Unix/Linux, Disabling Services Under UnixDisabling Services Under Unix, Specific Unix Services to DisableOther services
on Windows NT, How to Disable Services Under Windows NTHow to Disable Services Under Windows NT, Specific Windows NT Services to DisableThe Services control panel
essential
on Unix/Linux, Which Services Should You Leave Enabled?Which Services Should You Leave Enabled?
on Windows NT, Which Services Should You Leave Enabled?Which Services Should You Leave Enabled?
evaluating risks of, What Operations Does the Protocol Allow?What Else Can Come in If I Allow This Service?
information lookup, Information Lookup ServicesSummary of recommendations for whois
installing and modifying, Installing and Modifying Services
on Unix/Linux, Installing and Modifying Services
on Windows NT, Installing and Modifying ServicesInstalling and Modifying Services
LAN-oriented, Selecting Services Provided by a Bastion Host
management of, on Unix/Linux, How Are Services Managed Under Unix?Services started by inetd
network management (see network, management services)
protecting with TCP Wrapper, Using the TCP Wrapper Package to Protect Services
proxy (see proxy services)
“r” commands, BSD “r” command services
real-time conferencing, Real-Time Conferencing Services
registry keys for, Registry keysRegistry keys
selecting for bastion host, Selecting Services Provided by a Bastion Host
started by /etc/rc, Services started by /etc/rc files or directories
Windows NT, How Are Services Managed Under Windows NT?Other ways to start programs under Windows NT
setgid/setuid capabilities, Unix and Linux Bastion Hosts
SHA/SHA-1 algorithms, Cryptographic Hashes and Message Digests
sharing files, File Transfer, File Sharing, and Printing, File SharingFile Sharing, Network File System (NFS)Summary of Recommendations for File Sharing
on Microsoft networks, File Sharing for Microsoft NetworksPacket Filtering, Proxying, and Network Address Translation Characteristics of Microsoft File Sharing
shell scripts, Services started by /etc/rc files or directories
shutting down systems, Disconnect or Shut Down, as Appropriate, Planning for Disconnecting or Shutting Down Machines
Simple Mail Transfer Protocol (see SMTP)
Simple Network Management Protocol (see SNMP)
Simple Public Key Infrastructure (SPKI), Certificates
Simple TCP/IP printing services, disabling, Specific Windows NT Services to Disable
single-purpose routers, It Can Be a Single-Purpose Router or a General-Purpose Computer
Skipjack algorithm, Encryption Algorithms
smail program, smailsmail
smap/smapd programs, Postfix, Improving SMTP Security with smap and smapd
SMB (Server Message Block), Common Internet File System (CIFS) and Server Message Block (SMB)Summary of Recommendations for SMB, File Sharing for Microsoft Networks
authentication, Authentication and SMBUser-level authentication, SMB AuthenticationSMB Authentication
, Common Internet File System (CIFS) and Server Message Block (SMB)
(see also CIFS)
SMS (System Management Server), System Management Server (SMS)System Management Server (SMS)
SMTP (Simple Mail Transfer Protocol), Electronic Mail, Selecting Services Provided by a Bastion Host, Simple Mail Transfer Protocol (SMTP)Summary of Recommendations for SMTP
configuring, SMTP
firewalls and, Configuring SMTP to Work with a FirewallConfiguring SMTP to Work with a Firewall
in screened subnet architecture, SMTPSMTP
proxying, Proxying Without a Proxy Server
servers
commercial, Commercial SMTP Servers for Unix
freely available, Other Freely Available SMTP Servers for UnixQmail
for Windows NT, SMTP Servers for Windows NTSMTP Servers for Windows NT
for Unix (see Sendmail)
snapshots, system, Snapshot the System
planning for, Planning for Snapshots
sniffers, Packet SniffingPacket Sniffing
protecting against, Protecting Services
, Information theft
(see also packet sniffing attacks)
sniffing for passwords, One-Time Password Software
SNMP (Simple Network Management Protocol), System ManagementSystem Management, Simple Network Management Protocol (SNMP)Network address translation and SNMP
disabling, on Windows NT, Specific Windows NT Services to Disable
snuffle program, Next steps after disabling services
social manipulation attacks, Electronic Mail
SOCKS package, Using SOCKS for ProxyingConverting Clients to Use SOCKS
functions, Converting Clients to Use SOCKS
HTTP proxying on, in screened subnet architecture, HTTP and HTTPS
modified finger service, Proxying characteristics of finger
proxy system for ping, Proxying characteristics of ping
versions, Versions of SOCKS
, Proxy Services
(see also proxy services)
software
installing on machine, Reconfiguring for ProductionMount filesystems as read-only, Reconfiguring for ProductionMount Filesystems as Read-Only
proxying, Proxy Services, Proxy services lag behind nonproxied services, How Proxying WorksUsing Proxy-Aware User Procedures for Proxying
(see also proxy services)
routers (see routers)
system monitoring, Consider Using Software to Automate Monitoring
viruses, A firewall can’t fully protect against viruses
source address
filtering by, Risks of Filtering by Source AddressRisks of Filtering by Source Address
forgery, Risks of Filtering by Source Address
source port, filtering by, Risks of Filtering by Source Port
source routing, Turning Off Routing
option, IP, IP Options
spam, Junk mailJunk mail
speed, processing, How Fast a Machine?
spell command, Unix, Running a Security Audit
spies, Spies (industrial and otherwise)
SPKI (Simple Public Key Infrastructure), Certificates
split-screened subnets, architecture of, Split-Screened SubnetAppropriate uses
SQL Server, Microsoft SQL ServerSummary of recommendations for Microsoft SQL Server
SQL*Net, Oracle SQL*Net and Net8Summary of recommendations for SQL*Net and Net8
SSH (secure shell), Secure Shell (SSH)Summary of recommendations for SSH
configuring, in screened subnet architecture, SSH
security of, What makes SSH secure?What makes SSH secure?
X Window System, support for, Remote X11 Window System support
SSL (Secure Socket Layer), Transport Layer Security (TLS) and Secure Socket Layer (SSL)Summary of Recommendations for TLS and SSL
email and, TLS/SSL, SSMTP, and STARTTLS
SSMTP, TLS/SSL, SSMTP, and STARTTLS
Start registry key, Registry keys
STARTTLS, TLS/SSL, SSMTP, and STARTTLS
startup scripts, Services started by /etc/rc files or directories
statd, File Locking with NFS
Subkeys registry key, Registry keys
subnet architecture, screened, Screened Subnet ArchitecturesExterior Router, Screened Subnet ArchitectureConclusions
Sun RPC, Remote Procedure Call (RPC)
authentication, Sun RPC AuthenticationSun RPC Authentication
, Remote Procedure Call (RPC)
(see also RPC)
swap process, Which Services Should You Leave Enabled?
Sybase, SybaseSummary of recommendations for Sybase
syslog protocol, syslogSummary of recommendations for syslog
daemons, Setting Up System Logs on UnixSetting Up System Logs on Unix
example output from, What Should You Watch For?What Should You Watch For?
syslogd process, Which Services Should You Leave Enabled?
system
crashes, watching carefully, Watch Reboots Carefully
cryptographic, components of, Key Components of Cryptographic SystemsRandom Numbers
customized, Restore and Recover
defense, diversity of, Diversity of Defense
documenting after incident, Snapshot the System, Planning for Snapshots
failure of, Fail-Safe StanceDefault Permit Stance: That Which Is Not Expressly Prohibited Is Permitted
keeping up-to-date, Keeping Your Systems up to Date
labeling and diagramming, Labeling and Diagramming Your System
logs (see logs)
monitoring, Consider Using Software to Automate Monitoring, Monitoring Your SystemResponding to Attacks
operating, testing reload of, Testing the Reload of the Operating System
rebuilding, Restore and Recover
restoring after incident, Restore and RecoverRestore and Recover
planning for, Planning for Restoration and Recovery
shutting down, Disconnect or Shut Down, as Appropriate
System Management Server (SMS), System Management Server (SMS)System Management Server (SMS)

T

Tabular Data Stream (TDS), Tabular Data Stream (TDS)Tabular Data Stream (TDS)
TACACS, TACACS and FriendsSummary of Recommendations for TACACS and Friends
Tag registry key, Registry keys
talk conferencing system, One Connection per Session, talkSummary of Recommendations for talk
tapes, needs for, What Hardware Configuration?
taps, Information theft
, Information theft
(see also packet sniffing attacks)
TCP (Transmission Control Protocol), TCPTCP sequence numbers
packet filtering in, TCP Versus Other Protocols
proxying in, TCP Versus Other Protocols
RPC and, Remote Procedure Call (RPC)
sequence numbers, TCP sequence numbersTCP sequence numbers
TCP Wrapper package, Using the TCP Wrapper Package to Protect ServicesEvaluating and Configuring Unix Services
TCP/IP
NetBIOS over, NetBIOS over TCP/IP (NetBT)Summary of Recommendations for NetBT
packet, TCP/IP/Ethernet ExampleTCP layer
weak implementations, exploiting, Implementation Weaknesses
on Windows NT, Specific Windows NT Services to Disable, Specific Windows NT Services to Disable
tcpd program, Using the TCP Wrapper Package to Protect Services
TDS (Tabular Data Stream), Tabular Data Stream (TDS)Tabular Data Stream (TDS)
Telebit NetBlazer, Conventions for Packet Filtering Rules
Telnet, Remote Terminal Access and Command Execution, Outbound Telnet ServiceTelnet Summary, Terminal Access (Telnet)Summary of Recommendations for Telnet
configuring, in screened subnet architecture, Telnet
inbound, Inbound Telnet Service
vs. outbound, Terminal Access (Telnet)
outbound, Outbound Telnet Service
packet filtering characteristics of, Packet Filtering Characteristics of Telnet
proxy services characteristics of, Proxying Characteristics of Telnet
proxying with TIS FWTK, Telnet and rlogin Proxying with TIS FWTK
Terminal Server/Services, Remote Graphic Interfaces for Microsoft Operating Systems
terminal servers, Terminal Servers and Modem PoolsTerminal Servers and Modem Pools
test networks, Laboratory Networks
testing
firewalls, It Should Have Good Testing and Validation Capabilities
reload of operating system, Testing the Reload of the Operating System
routers, Laboratory Networks
TFTP (Trivial File Transport Protocol), File Transfer, Trivial File Transfer Protocol (TFTP)Summary of Recommendations for TFTP
theft of information (see information theft)
third-party attacks, Third-Party Attacks
protecting against, Protecting Services
Tiger auditing package, Running a Security Audit
time service, Time Service
time-based passwords, Kerberos
timestamp, encrypted, Something You Know
TIS Internet Firewalls Toolkit (TIS FWTK)
authentication server, The TIS FWTK Authentication ServerProblems with the authentication server
FTP proxy server, Proxying Characteristics of FTP
ftp-gw-proxy server, FTP
HTTP proxying on, in screened subnet architecture, HTTP and HTTPS
for proxying, Using the TIS Internet Firewall Toolkit for ProxyingOther TIS FWTK Proxies
TLS (Transport Layer Security), Transport Layer Security (TLS) and Secure Socket Layer (SSL)Use of TLS and SSL by Other Protocols
email and, TLS/SSL, SSMTP, and STARTTLS
tools
for firewalls, Tools
for security incidents, Keeping a Cache of Tools and Supplies
ToolTalk, ToolTalkSummary of Recommendations for ToolTalk
traceroute program, Network Diagnostics, tracerouteNetwork address translation and traceroute
tracert (see traceroute program)
transferring files (see files, transferring)
transparency, Proxy Services
of client changes for proxying, Using Proxy-Aware Application Software for Proxying
transparent proxying (see routers, proxy-aware)
Transport Layer Security (see TLS)
trees, DNS, DNS Data
Triple A server, Authentication and Auditing Services
Triple DES algorithm, Encryption Algorithms
Tripwire package, Running a Security Audit
Trivial File Transfer Protocol (see TFTP)
Trojan horse attacks, ICMP and, ICMP and Network Diagnostics
tunneling
HTTP, HTTP TunnelingHTTP Tunneling
multicast, Multicast and the Multicast Backbone (MBONE)Multicast and the Multicast Backbone (MBONE)
SSH, of X Window System, X11 Window System
TXT records, Revealing too much information to attackers
Type registry key, Registry keys

U

UCE (Unsolicited Commercial Email), Junk mail
UDP (User Datagram Protocol), UDP
RPC and, Remote Procedure Call (RPC)
unicasting, Multicast and the Multicast Backbone (MBONE)
universal participation, Universal Participation, Universal participation, Universal participation
Unix, Platforms
bastion host, What Operating System?, Unix and Linux Bastion HostsRunning a Security Audit
checksum programs, Running a Security Audit
Internet services on, How Are Services Managed Under Unix?Services started by inetd, Which Services Should You Leave Enabled?Which Services Should You Leave Enabled?
disabling, Disabling Services Under UnixDisabling Services Under Unix, Specific Unix Services to DisableTurning Off Routing
installing and modifying, Installing and Modifying ServicesUsing netacl to protect services
protecting with TCP Wrapper, Using the TCP Wrapper Package to Protect Services
ipfilter, ipfilteripfilter
compared to ipchains, Comparing ipfilter and ipchains
machine
configuring, Reconfiguring for ProductionMount Filesystems as Read-Only
securing, Securing UnixSystem logs for catastrophe
operating system versions, Which Version of Unix?Which Version of Unix?
passwords, Passwords
software, for system monitoring, Consider Using Software to Automate Monitoring
system logs, setting up, Setting Up System Logs on UnixSystem logs for catastrophe
window system, Network Window Systems
Unsolicited Commercial Email (UCE), Junk mail
uploading programs on HTTP servers, Running unexpected external programs
usage profile, Learn What the Normal Usage Profile Is
Usenet news, Usenet News
Usenet newsgroups (see newsgroups)
user accounts, on bastion host, Disabling User Accounts on Bastion Hosts, Disabling User Accounts on Bastion Hosts
User Datagram Protocol (see UDP)
User Manager for Domains, The User Manager
utilities for firewalls, Utilitiestrimlog

W

WAIS (Wide Area Information Servers), Gopher and WAISSummary of Recommendations for Gopher and WAIS
WCCP (Web Cache Coordination Protocol), Web Cache Coordination Protocol (WCCP)Network address translation characteristics of WCCP
weakest link, Weakest Link, Weakest link, Weakest link
web browsers, Web Client Security IssuesWeb Client Security Issues
as FTP clients, Packet Filtering Characteristics of FTP
protocols and, The World Wide Web
security and, Inadvertent Release of InformationInternet Explorer and Security Zones
Web Cache Coordination Protocol (WCCP), Web Cache Coordination Protocol (WCCP)Network address translation characteristics of WCCP
web of trust, Certificate Trust Models
web pages on firewalls, Web PagesThe Linux Router Project
web servers, Web Server Security IssuesWeb Server Security Issues
web-related programming languages, Mobile Code and Web-Related LanguagesActiveX
whois service, whoisSummary of recommendations for whois
Wide Area Information Servers (WAIS), Gopher and WAISSummary of Recommendations for Gopher and WAIS
window systems, Network Window Systems
Windows 2000
Active Directory, Active DirectoryActive Directory
bastion host, Windows NT and Windows 2000 Bastion HostsInstalling and Modifying Services
DNS and, Naming and Directory Services, Windows 2000 and DNSWindows 2000 and DNS
File Replication Service (FRS), Windows 2000 File Replication Service (FRS)Windows 2000 File Replication Service (FRS)
Kerberos authentication system in, Kerberos
packet filtering on, Windows NT Packet Filtering
printing, Other Printing Systems
SMB on, Packet Filtering Characteristics of SMB
Telnet on, Terminal Access (Telnet)
Windows 2000 Server, Which Version of Windows NT?
Windows 95, printing, Windows-based Printing
Windows Browser, The Windows BrowserSummary of Recommendations for the Windows Browser
elections, Browser ElectionsBrowser Elections
security, Security Implications of the Windows BrowserSecurity Implications of the Windows Browser
Windows Internet Name Service (see WINS)
Windows NT
bastion host, What Operating System?, Windows NT and Windows 2000 Bastion HostsInstalling and Modifying Services
diagnosing problems, Performance Monitor and Network Monitor
Directory Replication, Windows NT Directory Replication
file permissions, Installing and Modifying Services
file-sharing protocols, File Sharing
machine, securing, Securing Windows NTSetting Up System Logs Under Windows NT
operating system versions, Which Version of Windows NT?Which Version of Windows NT?
packet filtering on, Windows NT Packet FilteringWindows NT Packet Filtering
passwords, Passwords
printing, Windows-based Printing
proxying services (see Microsoft Proxy Server)
r commands supported by, BSD “r” commands under Windows NT
remote command services, Windows NT Remote CommandsSummary of recommendations for remote commands
RPC on, Remote Procedure Call (RPC), Packet Filtering Characteristics of RPC
services on, How Are Services Managed Under Windows NT?Other ways to start programs under Windows NT, Which Services Should You Leave Enabled?Which Services Should You Leave Enabled?
disabling, How to Disable Services Under Windows NTHow to Disable Services Under Windows NT, Specific Windows NT Services to DisableThe Services control panel
installing and modifying, Installing and Modifying ServicesInstalling and Modifying Services
SMTP servers for, Electronic Mail, SMTP Servers for Windows NTSMTP Servers for Windows NT
SNMP agents, System Management
system logs, setting up, Setting Up System Logs Under Windows NTSetting Up System Logs Under Windows NT
system monitoring for, Consider Using Software to Automate Monitoring
Telnet on, Terminal Access (Telnet)
tracking usage, Performance Monitor and Network Monitor
versions, Platforms
Windows NT Resource Kit, Which Version of Windows NT?
r commands supported by, BSD “r” commands under Windows NT
remote command services, Windows NT Remote Commands
Windows NT Server, Which Version of Windows NT?
Windows operating systems
authentication, Accessing Other ComputersAlternate Authentication Methods
machines running, managing, System Management Server (SMS)
name resolution in, Name Resolution Under WindowsName Resolution Under Windows
NTLM domains, NTLM Domains
remote graphical interfaces for, Remote Graphic Interfaces for Microsoft Operating SystemsSummary of Recommendations for Windows Remote Access
WINS (Windows Internet Name Service), Naming and Directory Services, NetBIOS for TCP/IP Name Service and Windows Internet Name ServiceSummary of Recommendations for NetBT Name Service and WINS
servers, communication among, WINS Server-Server CommunicationWINS Server-Server Communication
WINS manager, The WINS Manager
WinSock proxy, Proxy Server and WinSock
workgroups, on Microsoft networks, Domains and Workgroups
World Wide Web (see WWW)
wuarchive
server, Using the wuarchive FTP daemon
WWW (World Wide Web), The World Wide WebThe World Wide Web, The World Wide WebSummary of Recommendations for Gopher and WAIS

Y

YP (Yellow Pages) (see NIS)