To keep your system secure, you should take a two-pronged approach. On the one hand, learn from the mistakes of your predecessors by reading legacy documents. On the other hand, you should constantly keep up-to-date on the latest security issues. The resources in this chapter will help you do both.
Many Linux flaws and weaknesses are Linux-specific. Hence, you should start with Linux patches, updates, and advisories. See Table D.1 for links to such information.
Table D.1. Linux Security Patches, Updates, and Advisory Resources
Distribution | Resource, Description, and Location |
---|---|
Caldera OpenLinux | Patches and updates are at ftp://ftp.caldera.com/pub/openlinux/. |
Advisories are at http://www.calderasystems.com/news/security/. | |
Red Hat Linux | Patches and updates are at ftp://updates.redhat.com/. |
SuSE | Updates and patches are at http://www.suse.de/e/patches/index.html. |
Recent security advisories are at http://www.suse.de/security/index.html. | |
Mailing listsare at http://www.suse.com/Mailinglists/index.html. | |
Debian Linux | For Debian Linux security information, start at http://www.debian.org/security/. |
For the latest advisories, and to join their mailing list, go to http://www.debian.org/MailingLists/subscribe. |
Table D.2 identifies several security mailing lists. Use them to keep up-to-date on the latest security issues.
Table D.2. Mailing Lists That Report Updates, Vulnerabilities, and Fixes
List | Description |
---|---|
[email protected] | The Eight Little Green Men Security List. Detailed discussion of security holes, exploits, and fixes. This list focuses primarily on UNIX. Junk mail is not allowed, nor transmitted. To subscribe, send a message that has the command |
[email protected] | The Alert List at Internet Security Systems. Alerts, product announcements, and company information from Internet Security Systems. To subscribe to this and other ISS lists, go to http//iss.net/vd/maillist.html#alert. |
[email protected] | The BUGTRAQ Mailing List. Members here discuss vulnerabilities in the UNIX operating system. This is one of the very best sources for recent bugs and vulnerabilities. To subscribe, send a message with the command |
[email protected] | The Firewall Wizards Mailing List. Maintainedby Marcus Ranum, this list is a moderated forum for advanced firewall administrators. Tosubscribe, go to http://www.nfr.net/forum/firewall-wizards.html. |
[email protected] | The Linux Alert List. This list carries announcements and warnings from Linux vendors or developers. To join, send a message with the command |
[email protected] | The Linux Security List. Now maintained by Red Hat, this list focuses on Linux security issues. To subscribe, send a message with the command |
[email protected] | The Information Security Mailing List. Members of this list discuss security in information processing. To subscribe, send a message with the command |
[email protected] | The Firewall-1 Security List. This list focuses on issues related to CheckPoint's Firewall-1 product. To subscribe, send a message with the command |
[email protected] | The Firewalls Mailing List. This list focuses on firewall security. (This was previously |
[email protected] | > The Cyberpunks Mailing List. Members discuss issues of personal privacy and cryptography. (If a major cryptographic API is broken, you'll probably hear it here first.) To subscribe, send a message with the command |
[email protected] | The Intrusion Detection Systems List. Members of this list discuss real-time intrusion detection techniques, agents, neural net development, and so forth. To subscribe, send a message with the command |
[email protected] | The NTBUGTRAQ List. Maintained by Russ Cooper, the NTBUGTRAQ list tracks vulnerabilities and other security issues related to Microsoft Windows NT. To subscribe, send a message with the command subscribe |
[email protected] | The Risks Forum. Members of this list discuss a variety of risks that we are exposed to in an information-based society. Examples include invasion of personal privacy, credit card theft, cracking attacks, and so on. To subscribe, send a message with the command |
[email protected] | The Secure Sockets Layer Mailing Lists. Members of this list discuss developments in SSL and potential security issues. To subscribe, send a message with the command |
Usenet groups are also good information sources. Much productive (and admittedly, non- productive) discussion occurs in such groups. Table D.3 lists a few.
Table D.3. Relevant Usenet Newsgroups
Sooner or later, you'll start developing your own Linux applets, scripts, or applications. The following resources focus on secure programming techniques.
Resource: The Secure UNIX Programming FAQ
Description: This is a great starting point and covers general principles of secure programming, including SUID/SGID processes, parent and child processes, race conditions, input, output, and permissions.
Resource: Designing Secure Software
Description: Peter Galvin (from Corporate Technologies Inc.) gives some excellent pointers on secure programming do's and don'ts.
URL: http://www.sunworld.com/sunworldonline/swol-04-1998/swol-04-security.html
Resource: The Lab Engineer's Security Checklist
Description: This document was excerpted from Practical UNIX and Internet Security by Simson Garfinkel and Gene Spafford, O'Reilly&Associates (ISBN 1565921488). Before deploying your Linux application, check it against these requirements.
URL: ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist
Resource: How to Find Security Holes
Description: Kragen Sitaker shows you the ins and outs of common programming errors that open security holes.
Resource: Robust Programming
Description: Matt Bishop discusses bombproof coding and how to do it properly.
URL: http://seclab.cs.ucdavis.edu/~bishop/classes/ecs153-98-winter/robust.html
Resource: How to Write a Setuid Program
Description: Matt Bishop discusses writing setuid programs and various techniques to do so safely. (PostScript)
URL: http://seclab.cs.ucdavis.edu/~bishop/scriv/1986-loginv12n1.ps
Resource: Security Code Review Guidelines
Description: Adam Shostack explains how to review firewall code before deployment (and what elements of such a review program are essential).
Resource: How to Write Buffer Overflows
Description: Mudge (from L0pht Heavy Industries) demonstrates buffer overflows in action.
Resource: Smashing the Stack for Fun and Profit
Description: In Phrack Vol. 7, Issue Forty-Nine, Aleph One illustrates stack corruption and how to force arbitrary code into unintended memory spaces.
URL: http://reality.sgi.com/nate/machines/security/P49-14-Aleph-One
Resource: Buffer Overruns: What's the Real Story?
Description: Linux-specific treatment of buffer overflows.
URL: http://reality.sgi.com/nate/machines/security/stack.nfo.txt
Description: Lincoln Stein's must-have for CGI programmers and Web developers.
Resource: CGI Security
Description: Michael Van Biesbrouck takes you through some vital CGI security issues.
Resource: latro
Description: Tom Christiansen's tool for assaying CGI installations. Use this to determine if yours is secure.
Resource: How To Remove Meta-Characters from User-Supplied Data in CGI Scripts
Description: CERT's guide to stripping metacharacters from user input to CGI.
Resource: Security Issues When Installing and Customizing Prebuilt Web Scripts
Description: Selena Sol takes you through pitfalls of installing other folks' code and tells you how to ensure that the code is secure.
Description: This archive contains discussions of WWW security and CGI programming. You can find many, many solutions here if you dig around.
URL: http://www-ns.rutgers.edu/www-security/archives/index.html
Resource: The Secure Internet Programming Project at Princeton
Description: You may remember the Edward Felten team that originally identified Java security issues. Their site contains copious information about secure Internet programming.
Resource: UNIX Security: Writing Secure Programs
Description: Matt Bishop's 107-page slide presentation, defining the important points in secure UNIX programming. (PDF format)
URL: http://seclab.cs.ucdavis.edu/~bishop/scriv/1996-sans-tut.pdf
Resource: Shifting the Odds: Writing More Secure Software
Description: Steve Bellovin's slide presentation that focuses on salient points of secure UNIX programming.
Resource: The Linux Security Audit Archive
Description: This site houses multi-source (BUGTRAQ, Linux Alerts, etc.) archives about Linux security.
Resource: Beej's Guide to Network Programming
Description: Brian Hall takes you through the subtleties of socket programming.
Resource: NCSA Secure Programming Guidelines
Description: Discussion of writing secure setuid or CGI programs and checklists for the same.
URL: http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming/
Resource: 21 Rules for Writing Secure CGI Programs
Description: The hard facts from Simson Garfinkel about secure CGI.
Resource: Known Bugs in Apache
Description: Apache bugs and links to a searchable bug archive.
Resource: Apache Developer Resources
Description: If you delve deeper into Apache as a Web server (or decide to become an Apache developer), this site is for you.
Resource: Apache+SSL+PHP/FI+frontpage-howto
Description: Learn how to configure your Apache server for SSL, PHP, and FrontPage extensions. (Note: watch the FrontPage extensions, which have had many security issues.)
Resource: Java and HTTP/1.1 Page
Description: Discussion of problems you'll encounter using JDK 1.0.2 (and perhaps later) with Apache.
Resource: Security Tips for Apache Server Configuration
Description: General (and short) discussion on battening down Apache.
Resource: PHF Attacks: Fun and games for the whole family
Description: BUGTRAQ posting from Paul Danckaert with sample PHF exploit.
Resource: Web Security
Description: Nice theoretical discussion from Andrew Cormack. This document offers a clear, concise overview.
Resource: Requirements for Hypertext Transfer Protocol Security
URL: http://www-ns.rutgers.edu/www-security/drafts/draft-rutgers-httpsec-requirements-00.txt
Description: CERT issues security advisories and provides research studies on incident response, survivability, and general network security. Formed in response to the 1988 Internet worm incident, CERT is one of the oldest and most reliable information sources for statistics, vulnerabilities, and trends in security.
URL: http://www.cert.org/
Resource: Navy Handbook for the Computer Security Certification of Trusted Systems
Description: Cradle-to-grave coverage of security plans (right down to penetration testing).
URL: http://www.itd.nrl.navy.mil/ITD/5540/publications/handbook/index-txt.html
Description: Phrack is currently the finest underground network security publication going. Each issue is chockful of exploit code, analysis, and research. Much of the work is Linux-centric, and top-notch at that.
Resource: Linux Net News
Description: Good general coverage of Linux issues, including security, market share, new applications, and techniques for successfully running a Linux network. Features the Linux Weekly News.
Resource: Packet Storm Security
Description: Security news and files (exploits, fixes, etc.) from the folks at Genocide2600.com
.
Resource: The Linux Help section at www.sekurity-net.com
Description: Both security-oriented and general help-oriented documents of interest to system administrators. For example, there are documents describing how to implement IP masquerading.
Resource: The alt.2600
Hack Frequently Asked Questions (0.12)
Description: This document has long been the starting point for hackers and crackers. It covers cracking passwords, defeating shadowing, attacking voicemail systems, war dialing, and the like.
Resource: Linux Resources at Active Matrix's Hideaway
Description: This page describes Linux and provides links to various distributions and mini-distributions. (The author also devotes ample space to hacking and cracking.)
Resource: The BUGTRAQ Archives
Description: This is an archive of the popular mailing list BUGTRAQ, one of the most reliable sources for up-to-date reports on newfound vulnerabilities in UNIX (and at times, other operating systems).
Resource: Internet Security Auditing Class Handouts
Description: Papers and talks from an April 30, 1996, class on security auditing by Dan Farmer and Wietse Venema. There's some very good stuff here, including a paper in which two system administrators share their experiences using SATAN to assay some 40,000 hosts.
Resource: Shall We Dust Moscow?
Description: This is a fascinating independent security study conducted by Dan Farmer. Farmer scanned approximately 2,200 sites for security vulnerabilities and found saddening results.
Resource: U.S. Department of Energy's Computer Incident Advisory Capability (CIAC)
Description: CIAC provides computer security services to employees and contractors of the U.S. Department of Energy, but the site is open to the public as well. There are many tools and documents at this location.
Description: This site contains reports, papers, advisories, and analyses of various computer security products and techniques. Moreover, the ICSA provides security training and certification.
URL: http://www.icsa.net/
Description: Linux Today Security News lists breaking news on the latest Linux vulnerabilities.
Resource: Securing Red Hat 5.X
Description: Kurt Seifried takes you through some important steps for locking down a Red Hat server.
Resource: J. T. Murphy's Linux Security Homepage
Description: J. T. Murphy has assembled some nice links to various Linux security resources, including programs to keep your system safe and good, common-sense system administration.
Resource: The Linux Security Administrator's Guide
Description: Created by Dave Wreski, this document is probably the best freely available Linux document anywhere. It offers start-to-finish coverage of Linux system administration.
URL: http://www.nic.com/~dave/SecurityAdminGuide/SecurityAdminGuide.html
Resource: Linux Administrators Security Guide
Description: Kurt Seifried takes you through many important aspects of Linux system security. (PDF document)
Resource: The Linux Programmers Guide
Description: Sven Goldt, Sven van der Meer, Scott Burkett, and Matt Welsh cover Linux programming in detail.
Description: A great spot for the latest Linux news and some excellent editorial (tutorials, general information, employment, etc.).
Resource: The Linux Documentation Project
Description: Essential starting point for Linux documentation.
Resource: Linux Administration Made Easy (LAME)
Description: Steve Frampton takes you through essential system administration tasks, with a strong focus on SlackWare.
Description: The Linux Gazette routinely features great articles on configuring, securing, and running Linux.
Resource: The Linux IP Masquerade Resource
Description: Links to everything you need to know about IP masquerading on Linux.
Resource: The Hard Disk Drive Database
Description: This site is a lifesaver when you're using older disks. It has disk geometry for thousands and thousands of disks. Aren't sure about that old hard drive? Find out here.
Resource: An Introduction to Computer Security
Description: The NIST COMPUSEC introduction, which is now dated but still quite relevant. Available in various formats, including Word, WordPerfect, PostScript, etc.
Resource: Michael Sobirey's Intrusion Detection Systems Page
Description: Links to discussion on some 78 intrusion detection systems (quite comprehensive).
URL: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html#ACME
Resource: Intruder Detection Checklist
Description: A CERT checklist for establishing whether an intrusion has taken place. Dated but relevant.
Resource: Live Traffic Analysis of TCP/IP Gateways
Description: Phillip A. Porras and Alfonso Valdes from SRI explore statistical and signature-based intrusion-detection analysis techniques to monitor network traffic. Heady stuff, but engrossing.
Resource: Network Intrusion Detector Distribution Site
Description: NID is a new tool suite from Lawrence Livermore Labs that helps detect, analyze, and gather evidence of intrusive behavior occurring on an Ethernet or Fiber Distributed Data Interface (FDDI) network using the Internet Protocol (IP). Currently available for Red Hat.
Resource: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
Description: An excellent primer from NIST's John Wack on firewalls and policy.
Resource: Creating a Linux Firewall Using the TIS Toolkit
Description: Benjamin Ewy steers you through setting up a Linux firewall with Trusted Information System's Firewall Toolkit.
Resource: An Introduction to SOCKS
Description: This document describes basic SOCKS concepts and provides links to SOCKS 4 and 5 models.
Description: This document covers all aspects of anonymous remailing techniques and tools. From André Bacard, author of Computer Privacy Handbook.
Description: This is a comprehensive but often-changing list of anonymous remailers.
Resource: Purdue University COAST Archive
Description: This is one of the more comprehensive security sites, containing many tools and documents of deep interest to the security community.
Resource: The Raptor Systems Security Library
Description: An aging but useful security library.
Resource: Forum on Risks to the Public in Computers and Related Systems
Description: This is a moderated digest of security and other risks in computing. Use this to tap the better security minds on the Net.
Resource: Forum of Incident Response and Security Teams (FIRST)
Description: FIRST is a conglomeration of many organizations undertaking security measures on the Net. This powerful organization is a good starting place for sources.
Resource: The CIAC Virus Database
Description: This is the ultimate virus database on the Internet. It's an excellent resource for learning about viruses that can affect your platform.
Resource: Information Warfare and Information Security on the Web
Description: This is a comprehensive list of links and other resources concerning information warfare over the Internet.
Resource: The Center for Secure Information Systems
Description: This site, affiliated with the Center at George Mason University, has some truly incredible papers. There is much cutting-edge research going on here. The following URL sends you directly to the publications page, but you really should explore the entire site.
Resource: The AUSCERT (Australian CERT) UNIX Security Checklist
Description: An excellent security checklist.
URL: ftp://caliban.physics.utoronto.ca/pub/unix_security_checklist_1.1
Resource: Computer Security Policy: Setting the Stage for Success
Description: National Institute of Standards and Technology. CSL Bulletin. This document will assist you in setting security policies in your network.
Resource: Electronic Resources for Security Related Information
Description: This document is dated but will still provide you with a comprehensive list of UNIX-related resources for security.
Resource: Securing X Windows
Description: Lawrence Livermore National Laboratory Computer Incident Advisory Capability. This document will help you understand the basic weaknesses in X and how to shore up X security on your server.
URL: http://ciac.llnl.gov/ciac/documents/CIAC-2316_Securing_X_Windows.pdf
Resource: Securing Internet Information Servers
Description: This document will take you step-by-step through securing anonymous FTP, Gopher, and WWW services on your UNIX system.
URL: http://ciac.llnl.gov/ciac/documents/CIAC-2308_Securing_Internet_Information_Servers.pdf
Resource: The UNIX Guru Universe
Description: The UGU is an excellent place to start on system administration.
URL: http://www.ugu.com/
Resource: The UNIX Reference Desk at Geek-Girl
Description: Jennifer Myers, AKA Geek Girl, maintains this site, which boasts many good links to UNIX software and documentation.
Resource: The Linux Applications and Utilities Page
Description: This site also simplifies finding Linux software because the author has broken Linux applications down into categories.
Resource: The Linux-Security Archive at Sonic.net
Description: Searchable Linux security mailing list archive.
Resource: RootShell
Description: Good resource for exploits and test code (for where Linux is the build platform, the target platform, or both).
Resource: ENskip
Description: ENskip is a security module for the TCP/IP stack. It provides encryption and authentication of packets on the IP layer between two or more machines. ENskip is compatible to standard SKIP specifications (those on Solaris).
Resource: Linux IPv6 FAQ/HOWTO
Description: Eric Osborne explains how to get IPv6 working on Linux.
URL: http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/linux-ipv6.faq.html
Resource: Linux Firewall Facilities for Kernel-Level Packet Screening
Description: Jos Vos and Willy Konijnenberg explain kernel-level IP packet filtering, screening, and ipfwadm
.
Description: Go here to learn a bit about sockets.
Resource: Linux Filesystem Structure
Description: Daniel Quinlan takes you through the hardcore specs of the Linux file system. This is the version 1.2 of the Linux Filesystem Structure (FSSTND).
Resource: LinuxPowered.Com
Description: A good resource for general Linux information, and documentation in particular.
Resource: Linux Security 101
Description: Graeme Cross takes you through essential Linux security tasks.
Resource: The Infilsec Vulnerability Database
Description: A good resource for Linux vulnerabilities, as well as other UNIX flavors.
Resource: Slash Dot Org
Description: The site that specializes in news for nerds (per their self-description). A great source for general networking and Linux news.
Resource: A Short History of Cryptography
Description: Frederick B. Cohen takes you through a quick history of cryptography.
Resource: Federal Information Processing Standards Publication 46-2
Description: The government standard document for the Data Encryption Standard.
Resource: Terry Ritter's Crypto Glossary
Description: A magnificent glossary of cryptographic terms.
Resource: Crack: A Sensible Password Checker for UNIX
Description: An early paper from Alec Muffet describing the popular password auditing tool Crack.
Resource: Dictionary wordlists from the National Center for Supercomputer Applications
Resource: The Wordlist Archive at Coast Purdue
Description: Wordlists for password auditing/cracking.
Resource: Self-Study Course in Block Cipher Cryptanalysis
Description: Great document from Bruce Schneier on block-cipher cryptanalysis (in PDF or PostScript).
Resource: Cryptographic Design Vulnerabilities
Description: Bruce Schneier examines some common vulnerabilities in crypto schemes.
Resource: DES Modes of Operation
Description: Federal document that offers a very technical treatment of the Data Encryption Standard.
Resource: The Electronic Frontier Foundation DES Challenge News
Description: Keep up with the latest efforts to crack DES here.
Resource: distributed.net
Description: These folks have cracked various encryption algorithms using thousands of computers over the Internet.
Resource: The Encryption and Security Tutorial
Description: Peter Gutmann offers a "Godzilla" tutorial, consisting of 500+ slides and addressing many important encryption issues.
Resource: Security Pitfalls in Cryptography
Description: Bruce Schneier addresses some common misconceptions about strong encryption.
Resource: 2x Isolated Double-DES: Another Weak Two-Level DES Structure
Description: Terry Ritter makes a good argument for replacing DES.
URL: http://www.l0pht.com/pub/blackcrwl/encrypt/2XISOLAT.TXT
Resource: Security Breaches: Five Recent Incidents at Columbia University
Description: Document that describes various security breaches from an administrator's viewpoint.
URL: http://www.alw.nih.gov/Security/FIRST/papers/general/fuat.ps
Resource: Foiling the Cracker: A Survey of, and Improvements to, Password Security
Description: Daniel V. Klein discusses practical aspects of password security and how increased processor power and poor password choices can lead to highly effective dictionary attacks.
URL: http://www.alw.nih.gov/Security/FIRST/papers/password/klein.ps
Resource: UNIX Password Security—Ten Years Later
Description: David C. Feldmeier and Philip R. Karn explore dictionary attacks and other methods of using substantial processor power to crack DES.
URL: http://www.alw.nih.gov/Security/FIRST/papers/password/pwtenyrs.ps.
Resource: A Simple Scheme to Make Passwords Based on One-Way Functions Much Harder to Crack
Description: Udi Manber discusses the possibility that crackers might generate and distribute a massive list of encrypted passwords.
Resource: Password Security: A Case History
Description: Robert Morris and Ken Thompson explore theoretical and practical means of cracking DES passwords.
URL: http://www.alw.nih.gov/Security/FIRST/papers/password/pwstudy.ps
Resource: CERN Security Handbook on Passwords
Description: CERN authors offer a short primer on choosing strong passwords.
URL: http://consult.cern.ch/writeups/security/security_3.html#SEC7
Resource: Observing Reusable Password Choices
Description: Eugene Spafford discusses the problem of reusable passwords.
URL: http://www.alw.nih.gov/Security/FIRST/papers/password/observe.ps
Resource: Opus: Preventing Weak Password Choices
Description: Eugene Spafford discusses how to avoid weak passwords and proposes a solution.
URL: http://www.alw.nih.gov/Security/FIRST/papers/password/opus.ps
Resource: Selecting Good Passwords
Description: David A. Curry discusses how to avoid weak password choices.
Resource: Announcing the Standard for Automated Password Generator
Description: A federal document that focuses on tools that can automatically create reasonably strong passwords.
URL: http://www.alw.nih.gov/Security/FIRST/papers/password/fips181.txt
Resource: Department of Defense Password Management Guideline
Description: The feds set forth their view on password security.
URL: http://www.alw.nih.gov/Security/FIRST/papers/password/dodpwman.txt
Resource: RFC 931. Authentication Server
Description: By M. St. Johns, January 1985. Further discussion on automated authentication of users.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc931.txt
Resource: RFC 1004. A Distributed-Protocol Authentication Scheme
Description: By D. L. Mills, April 1987. Discusses access control and authentication procedures in distributed environments and services.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1004.txt
Resource: RFC 1038. Draft Revised IP Security Option
Description: By M. St. Johns, January 1988. Discusses protection of datagrams and classifications of such protection.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1038.txt
Resource: RFC 1108. Security Options for the Internet Protocol
Description: By S. Kent, November 1991. Discusses extended security option in the Internet protocol and DoD guidelines.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1108.txt
Resource: RFC 1135. The Helminthiasis of the Internet
Description: By J. Reynolds, December 1989. Famous RFC that describes the worm incident of November 1988.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1135.txt
Resource: RFC 1186. The MD4 Message Digest Algorithm
Description: By R. Rivest, October 1990. The specification of MD4.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1186.txt
Resource: RFC 1244. The Site Security Handbook
Description: By P. Holbrook and J. Reynolds, July 1991. RFC that lays out security practices and procedures. This RFC was an authoritative document for a long, long time. It is still pretty good and applies even today.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1244.txt
Resource: RFC 1272. Internet Accounting
Description: By C. Mills, D. Hirsh, and G. Ruth, November 1991. Specifies system for accounting; network usage, traffic, and such.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1272.txt
Resource: RFC 1281. Guidelines for the Secure Operation of the Internet
Description: By R. D. Pethia, S. Crocker, and B. Y. Fraser, November 1991. Document that sets forth guidelines for security.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1281.txt
Resource: RFC 1321. The MD5 Message-Digest Algorithm
Description: By R. Rivest, April 1992. Description of MD5 and how it works.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1321.txt
Resource: RFC 1334. PPP Authentication Protocols
Description: By B. Lloyd and W. Simpson, October 1992. Defines the Password Authentication Protocol and the Challenge-Handshake Authentication Protocol in PPP.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1334.txt
Resource: RFC 1352. SNMP Security Protocols
Description: By J. Galvin, K. McCloghrie, and J. Davin, July 1992. Simple Network Management Protocol security mechanisms.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1352.txt
Resource: RFC 1355. Privacy and Accuracy Issues in Network Information Center Databases
Description: By J. Curran and A. Marine, August 1992. Network Information Center operation and administration guidelines.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1355.txt
Resource: RFC 1412. Telnet Authentication: SPX
Description: By K. Alagappan, January 1993. Experimental protocol for Telnet authentication.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1412.txt
Resource: RFC 1413. Identification Protocol
Description: By M. St. Johns, February 1993. Introduction and explanation of IDENT protocol.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1413.txt
Resource: RFC 1414. Identification MIB
Description: By M. St. Johns and M. Rose, February 1993. Specifies MIB for identifying owners of TCP connections.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1414.txt
Resource: RFC 1421. Privacy Enhancement For Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures
Description: By J. Linn, February 1993. Updates and supersedes RFC 989.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1421.txt
Resource: RFC 1422. Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management
Description: By S. T. Kent and J. Linn, February 1993. Updates and supersedes RFC 1114.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1422.txt
Resource: RFC 1446. Security Protocols for Version 2 of the Simple Network Management Protocol
Description: By J. Galvin and K. McCloghrie, April 1993. Specifies security protocols for SNMPv2.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1446.txt
Resource: RFC 1455. Physical Link Security Type of Service
Description: By D. Eastlake, May 1993. Experimental protocol to provide physical link security.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1455.txt
Resource: RFC 1457. Security Label Framework for the Internet
Description: By R. Housley, May 1993. Presents a label framework for network engineers to adhere to.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1457.txt
Resource: RFC 1472. The Definitions of Managed Objects for the Security Protocols of the Point-to-Point Protocol
Description: By F. Kastenholz, June 1993. Security protocols on subnetwork interfaces using PPP.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1472.txt
Resource: RFC 1492. An Access Control Protocol, Sometimes Called TACACS
Description: By C. Finseth, July 1993. Documents the extended TACACS protocol use by the Cisco Systems terminal servers.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1492.txt
Resource: RFC 1507. DASS - Distributed Authentication Security Service
Description: By C. Kaufman, September 1993. Discusses new proposed methods of authentication in distributed environments.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1507.txt
Resource: RFC 1508. Generic Security Service Application Program Interface
Description: By J. Linn, September 1993. Specifies a generic security framework for use in source-level porting of applications to different environments.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1508.txt
Resource: RFC 1510. The Kerberos Network Authentication Service (V5)
Description: By J. Kohl and C. Neumann, September 1993. An overview of Kerberos 5.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1510.txt
Resource: RFC 1535. A Security Problem and Proposed Correction with Widely Deployed DNS Software
Description: By E. Gavron, October 1993. Discusses flaws in some DNS clients and means of dealing with them.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1535.txt
Resource: RFC 1675. Security Concerns for IPNG
Description: By S. Bellovin, August 1994. Bellovin expresses concerns over lack of direct access to source addresses in IPNG.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1675.txt
Resource: RFC 1704. On Internet Authentication
Description: By N. Haller and R. Atkinson, October 1994. Treats a wide range of Internet authentication procedures and approaches.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1704.txt
Resource: RFC 1731. IMAP4 Authentication Mechanisms
Description: By J. Myers, December 1994. Internet Message Access Protocol authentication issues.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1731.txt
Resource: RFC 1750. Randomness Recommendations for Security
Description: By D. Eastlake, 3rd, S. Crocker and J. Schiller, December 1994. Extensive discussion of the difficulties surrounding deriving truly random values for key generation.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1750.txt
Resource: RFC 1751. A Convention for Human-Readable 128-bit Keys
Description: By D. McDonald, December 1994. Proposed solutions for using 128-bit keys, which are hard to remember because of their length.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1751.txt
Resource: RFC 1760. The S/KEY One-Time Password System
Description: By N. Haller, February 1995. Describes Bellcore's S/Key OTP system.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1760.txt
Resource: RFC 1810. Report on MD5 Performance
Description: By J. Touch, June 1995. Discusses deficiencies of MD5 when viewed against the rates of transfer in high-speed networks.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1810.txt
Resource: RFC 1824. The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange
Description: By H. Danisch, August 1995. Discussion of proposed protocol for key exchange, authentication, and generation of signatures.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1824.txt
Resource: RFC 1825. Security Architecture for the Internet Protocol
Description: By R. Atkinson, August 1995. Discusses security mechanisms for IPV4 and IPV6.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1825.txt
Resource: RFC 1826. IP Authentication Header
Description: By R. Atkinson, August 1995. Discusses methods of providing cryptographic authentication for IPv4 and IPv6 datagrams.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1826.txt
Resource: RFC 1827. IP Encapsulating Security Payload
Description: By R. Atkinson, August 1995. Discusses methods of providing integrity and confidentiality to IP datagrams.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1827.txt
Resource: RFC 1828. IP Authentication using Keyed MD5
Description: By P. Metzger and W. Simpson, August 1995. Discusses the use of keyed MD5 with the IP Authentication Header.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1828.txt
Resource: RFC 1852. IP Authentication using Keyed SHA
Description: By P. Metzger and W. Simpson, September 1995. Discusses the use of keys with the Secure Hash Algorithm to ensure datagram integrity.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1852.txt
Resource: RFC 1853. IP in IP Tunneling
Description: By W. Simpson, October 1995. Discusses methods of using IP payload encapsulation for tunneling with IP.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1853.txt
Resource: RFC 1858. Security Considerations for IP Fragment Filtering
Description: By G. Ziemba, D. Reed, P. Traina, October 1995. Discusses IP fragment filtering and the dangers inherent in fragmentation attacks.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1858.txt
Resource: RFC 1910. User-based Security Model for SNMPv2
Description: By G. Waters, February 1996. Discussion of application of security features to SNMP.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1910.txt
Resource: RFC 1928. SOCKS Protocol Version 5
Description: By M. Leech, March 1996. Discussion of the SOCKS protocol and its use to secure TCP and UDP traffic.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1928.txt
Resource: RFC 1929. Username/Password Authentication for SOCKS V5
Description: By M. Leech, March 1996. Discussion of SOCKS authentication.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1929.txt
Resource: RFC 1938. A One-Time Password System
Description: By N. Haller and C. Metz. This is a one-time password authentication system for login access.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1938.txt
Resource: RFC 1948. Defending Against Sequence Number Attacks
Description: By S. Bellovin (AT&T Research). A discussion of spoofing attacks and how to prevent them.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1948.txt
Resource: RFC 1968. The PPP Encryption Control Protocol
Description: By G. Meyer, June 1996. Discusses negotiating encryption over PPP.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1968.txt
Resource: RFC 1969. The PPP DES Encryption Protocol
Description: By K. Sklower and G. Meyer, June 1996. Discusses using the Data Encryption Standard with PPP.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1969.txt
Resource: RFC 1991: PGP Message Exchange Formats
Description: By D. Atkins, W. Stallings and P. Zimmermann, August 1996. Adding PGP to message exchanges.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1991.txt
Resource: RFC 2040. The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms
Description: By R. Baldwin and R. Rivest, October 1996. Defines all four ciphers in great detail.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2040.txt
Resource: RFC 2057. Source Directed Access Control on the Internet
Description: By S. Bradner, November 1996. Discusses possible avenues of filtering; an answer to the CDA.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2057.txt
Resource: RFC 2065. Domain Name System Security Extensions
Description: By D. Eastlake, 3rd, C. Kaufman, January 1997. Adding more security to the DNS system.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2065.txt
Resource: RFC 2069. An Extension to HTTP: Digest Access Authentication
Description: By J. Franks, P. Hallam-Baker, J. Hostetler, P. Leach, A. Luotonen, E. Sink, and L. Stewart, January 1997. Advanced authentication for HTTP
.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2069.txt
Resource: RFC 2084. Considerations for Web Transaction Security
Description: By G. Bossert, S. Cooper, and W. Drummond, January 1997. Bringing confidentiality, authentication, and integrity to data sent via HTTP.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2084.txt
Resource: RFC 2085. HMAC-MD5 IP Authentication with Replay Prevention
Description: By M. Oehler, R. Glenn, February 1997. Keyed-MD5 coupled with the IP Authentication Header.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2085.txt
Resource: RFC 2137. Secure Domain Name System Dynamic Update
Description: By D. Eastlake 3rd, April 1997. Describes use of digital signatures in DNS updates to enhance overall security of the DNS system.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2137.txt
Resource: RFC 2144. The CAST-128 Encryption Algorithm
Description: By C. Adams from Entrust Technologies. This document describes a DES-like Substitution-Permutation Network (SPN) cryptosystem.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2144.txt
Resource: RFC 2179. Network Security For Trade Shows
Description: By A. Gwinn from Networld. This document presents a security checklist for tradeshows.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2179.txt
Resource: RFC 2196. Site Security Handbook
Description: By B. Fraser, Editor, September 1997. Updates 1244. Yet another version of the already useful document.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2196.txt
Resource: RFC 2222. Simple Authentication and Security Layer
Description: By J. Myers, October 1997. Describes a method for adding authentication support to connection-based protocols.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2222.txt
Resource: RFC 2228. FTP Security Extensions
Description: By M. Horowitz and S. Lunt, October 1997. Extending the security capabilities of FTP.
URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2228.txt
3.138.179.100