Network Security For Trade Shows
RFC 2179

Document Type RFC - Informational (July 1997; No errata)
Was draft-rfced-info-gwinn (individual)
Last updated 2013-03-02
Network Working Group                                           A. Gwinn
Request for Comments: 2179                     Networld+Interop NOC Team
Category: Informational                                        July 1997

                    Network Security For Trade Shows

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   This document is designed to assist vendors and other participants in
   trade shows, such as Networld+Interop, in designing effective
   protection against network and system attacks by unauthorized
   individuals.  Generally, it has been observed that many system
   administrators and trade show coordinators tend to overlook the
   importance of system security at trade shows. In fact, systems at
   trade shows are at least as prone to attack as office-based
   platforms. Trade show systems should be treated as seriously as an
   office computer. A breach of security of a trade show system can
   render -- and has rendered -- an exhibitor's demonstrations
   inoperable -- sometimes for the entire event!

   This document is not intended to replace the multitudes of
   comprehensive books on the subject of Internet security.  Rather, its
   purpose is to provide a checklist-style collection of frequently
   overlooked, simple ways to minimize the chance of a costly attack.
   We encourage exhibitors to pay special attention to this document and
   share it with all associated representatives.

Physical Security

   Before addressing technical security issues, one of the most
   frequently underrated and overlooked security breaches is the simple
   low-tech attack.  The common victim is the one who leaves a console
   logged in, perhaps as root, and walks away from the system.  Other
   times, an anonymous "helpful soul" might ask for a password in order
   to assist the user in "identifying a problem."  Either method gives
   an intruder access to system files, especially when the session or
   the password obtained is "root".

Gwinn                        Informational                      [Page 1]
RFC 2179            Network Security For Trade Shows           July 1997

   Tips:

   * Educate sales and support staff regarding system logins, especially
     "root" or other privileged accounts.
   * Identify individuals who are not using exhibit systems for their
     intended purpose, especially non-booth personnel.
   * Request identification from anyone wishing to access systems
     for maintenance purposes unless their identities are known.

System Security

   This section discusses technical security procedures for workstations
   on the vendor network.  Although specifics tend to be for Unix
   systems, general procedures apply to all platforms.

Password Security

   Missing passwords and easy-to-guess passwords are a relatively low-
   tech door into systems, but they are responsible for a significant
   number of break-ins. Good passwords are a cornerstone of system
   security.

   By default, PC operating systems like Windows 95 and MacOS do not
   provide adequate password security. The Windows login password
   provides no security (hitting the "ESC" key allows the user to bypass
   password entry). Password security for these machines is possible,
   but is beyond the scope of this document.

   Tips:

   * Check /etc/passwd on Unix systems and the user administration
     application on other systems for lack of passwords. Some vendors
     ship systems with null passwords, in some cases even for
     privileged accounts.
   * Change passwords, especially system and root passwords.
   * Mix case, numbers and punctuation, especially on privileged
     accounts.
   * Change system passwords on a regular basis.
   * Do not use passwords relating to the event, the company, or
     products being displayed.  Systems personnel at Networld+Interop,
     when asked to assist booth personnel, often guess even root
     passwords!


Extra Privileged Accounts

   Some system vendors have been known to ship systems with multiple
   privileged accounts (for example, Unix systems with accounts that
   have root privileges [UID=0]). Some vendors may include a separate
   system administration account that places a user in a specific
   administrative program. Each additional privileged account presents
   yet another opportunity for abuse.

   Generally, if a Unix system does not need additional root accounts,
   these can be disabled by placing "*" in the password field of
   /etc/passwd, or by using the administrative tool when a system
   employs enhanced security. Verify all systems for extra privileged
   accounts and either disable them or change their password as
   appropriate.
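   As an added example (not part of RFC 2179), the following POSIX shell
   audit applies the two checks above, the null-password scan from the
   Password Security tips and the extra UID 0 scan from this section, to
   a constructed passwd-style file, and shows the "*" lock the RFC
   describes. On a system using shadow passwords the "x" placeholder means
   the hash, if any, lives in /etc/shadow, which must be checked as well.

```shell
#!/bin/sh
# Audit a passwd(5)-style file for two weaknesses RFC 2179 lists:
# accounts with an empty password field, and accounts with UID 0
# other than root. The sample file below is constructed for this
# example; point the functions at /etc/passwd to audit a real host.

SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
sysadm:*:0:0:admin menu:/usr/adm:/usr/sbin/sysadm
demo::1001:1001:booth demo:/home/demo:/bin/sh
guest::1002:1002:guest:/home/guest:/bin/sh
sales:x:1003:1003:sales:/home/sales:/bin/sh
EOF

# Print the names of accounts whose password field is empty
# (a null password: anyone can log in with no password at all).
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the names of accounts with UID 0 other than root itself,
# locked or not, so each one can be reviewed.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Write a copy of the file in which the named account is disabled by
# placing "*" in its password field, the method the RFC describes.
# Prints the path of the copy; the input file is left untouched.
lock_account() {
    out="$(mktemp)"
    awk -F: -v user="$2" 'BEGIN { OFS = ":" }
        $1 == user { $2 = "*" } { print }' "$1" > "$out"
    echo "$out"
}

# Report for the constructed sample
echo "Accounts with null passwords:"
null_password_accounts "$SAMPLE_PASSWD"
echo "Extra UID 0 accounts:"
extra_uid0_accounts "$SAMPLE_PASSWD"
```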

   Make certain that privileged accounts are inaccessible from anywhere