Network Security For Trade Shows
RFC 2179
Document | Type |
RFC - Informational
(July 1997; No errata)
Was draft-rfced-info-gwinn (individual)
|
|
---|---|---|---|
Author | Allen Gwinn | ||
Last updated | 2013-03-02 | ||
Stream | Legacy stream | ||
Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
Stream | Legacy state | (None) | |
Consensus Boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | RFC 2179 (Informational) | |
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | (None) |
Network Working Group A. Gwinn Request for Comments: 2179 Networld+Interop NOC Team Category: Informational July 1997 Network Security For Trade Shows Status of this Memo This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract This document is designed to assist vendors and other participants in trade shows, such as Networld+Interop, in designing effective protection against network and system attacks by unauthorized individuals. Generally, it has been observed that many system administrators and trade show coordinators tend to overlook the importance of system security at trade shows. In fact, systems at trade shows are at least as prone to attack as office-based platforms. Trade show systems should be treated as seriously as an office computer. A breach of security of a trade show system can render -- and has rendered -- an exhibitor's demonstrations inoperable -- sometimes for the entire event! This document is not intended to replace the multitudes of comprehensive books on the subject of Internet security. Rather, its purpose is to provide a checklist-style collection of frequently overlooked, simple ways to minimize the chance of a costly attack. We encourage exhibitors to pay special attention to this document and share it with all associated representatives. Physical Security Before addressing technical security issues, one of the most frequently underrated and overlooked security breaches is the simple low-tech attack. The common victim is the one who leaves a console logged in, perhaps as root, and leaves the system. Other times, an anonymous "helpful soul" might ask for a password in order to assist the user in "identifying a problem." This type of method allows an intruder, especially one logged in as "root", access to system files. Gwinn Informational [Page 1] RFC 2179 Network Security For Trade Shows July 1997 Tips: * Educate sales and support staff regarding system logins, especially "root" or other privileged accounts. * Identify individuals who are not using exhibit systems for their intended purpose, especially non-booth personnel. * Request identification from anyone wishing to access systems for maintenance purposes unless their identities are known. System Security This section discusses technical security procedures for workstations on the vendor network. Although specifics tend to be for Unix systems, general procedures apply to all platforms. Password Security Lack of passwords or easy to guess passwords are a relatively low- tech door into systems, but are responsible for a significant number of breakins. Good passwords are a cornerstone of system security. By default, PC operating systems like Windows 95 and MacOS do not provide adequate password security. The Windows login password provides no security (hitting the "ESC" key allows the user to bypass password entry). Password security for these machines is possible, but is beyond the scope of this document. Tips: * Check /etc/passwd on Unix systems and the user administration application on other systems for lack of passwords. Some vendors ship systems with null passwords, in some cases even for privileged accounts. * Change passwords, especially system and root passwords. * Mix case, numbers and punctuation, especially on privileged accounts. * Change system passwords on a regular basis. * Do not use passwords relating to the event, the company, or products being displayed. Systems personnel at Networld+Interop, when asked to assist booth personnel, often guess even root passwords! Gwinn Informational [Page 2] RFC 2179 Network Security For Trade Shows July 1997 Extra Privileged Accounts Some system vendors have been known to ship systems with multiple privileged accounts (for example, Unix systems with accounts that have root privileges [UID=0]). Some vendors may include a separate system administration account that places a user in a specific administrative program. Each additional privileged account presents yet another opportunity for abuse. Generally, if a Unix system does not need additional root accounts, these can be disabled by placing "*" in the password field of /etc/passwd, or by using the administrative tool when a system employees enhanced security. Verify all systems for extra privileged accounts and either disable them or change their password as appropriate. Make certain that privileged accounts are inaccessible from anywhereShow full document text