Network Working Group E. Guttman
Request for Comments: 2504 Sun Microsystems
FYI: 34 L. Leong
Category: Informational COLT Internet
G. Malkin
Bay Networks
February 1999
Users' Security Handbook
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
The Users' Security Handbook is the companion to the Site Security
Handbook (SSH). It is intended to provide users with the information
they need to help keep their networks and systems secure.
Table of Contents
Part One: Introduction . . . . . . . . . . . . . . . . . . . . 2
1. READ.ME . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Wires have Ears . . . . . . . . . . . . . . . . . . . 3
Part Two: End-users in a centrally-administered network . . . 4
3. Watch Out! . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. The Dangers of Downloading . . . . . . . . . . . . . . 4
3.2. Don't Get Caught in the Web . . . . . . . . . . . . . . 5
3.3. Email Pitfalls . . . . . . . . . . . . . . . . . . . . 6
3.4. Passwords . . . . . . . . . . . . . . . . . . . . . . . 7
3.5. Viruses and Other Illnesses . . . . . . . . . . . . . . 7
3.6. Modems . . . . . . . . . . . . . . . . . . . . . . . . 8
3.7. Don't Leave Me... . . . . . . . . . . . . . . . . . . . 9
3.8. File Protections . . . . . . . . . . . . . . . . . . . 9
3.9. Encrypt Everything . . . . . . . . . . . . . . . . . . 10
3.10. Shred Everything Else . . . . . . . . . . . . . . . . . 10
3.11. What Program is This, Anyway? . . . . . . . . . . . . . 11
4. Paranoia is Good . . . . . . . . . . . . . . . . . . . . 11
Part Three: End-users self administering a networked computer 14
5. Make Your Own Security Policy . . . . . . . . . . . . . . 14
Guttman, et. al. Informational [Page 1]
RFC 2504 Users' Security Handbook February 1999
6. Bad Things Happen . . . . . . . . . . . . . . . . . . . . 15
6.1. How to Prepare for the Worst in Advance . . . . . . . . 15
6.2. What To Do if You Suspect Trouble . . . . . . . . . . . 16
6.3. Email . . . . . . . . . . . . . . . . . . . . . . . . . 17
7. Home Alone . . . . . . . . . . . . . . . . . . . . . . . 17
7.1. Beware of Daemons . . . . . . . . . . . . . . . . . . . 17
7.2. Going Places . . . . . . . . . . . . . . . . . . . . . 19
7.3. Secure It! . . . . . . . . . . . . . . . . . . . . . . 20
8. A Final Note . . . . . . . . . . . . . . . . . . . . . . 20
Appendix: Glossary of Security Terms . . . . . . . . . . . . . 21
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31
References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Security Considerations . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 32
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 33
Part One: Introduction
This document provides guidance to the end-users of computer systems
and networks about what they can do to keep their data and
communication private, and their systems and networks secure. Part
Two of this document concerns "corporate users" in small, medium and
large corporate and campus sites. Part Three of the document
addresses users who administer their own computers, such as home
users.
System and network administrators may wish to use this document as
the foundation of a site-specific users' security guide; however,
they should consult the Site Security Handbook first [RFC2196].
A glossary of terms is included in an appendix at the end of this
document, introducing computer network security notions to those not
familiar with them.
1. READ.ME
Before getting connected to the Internet or any other public network,
you should obtain the security policy of the site that you intend to
use as your access provider, and read it. A security policy is a
formal statement of the rules by which users who are given access to
a site's technology and information assets must abide. As a user,
you are obliged to follow the policy created by the decision makers
and administrators at your site.
A security policy exists to protect a site's hardware, software and
data. It explains what the security goals of the site are, what
users can and cannot do, what to do and who to contact when problems
arise, and generally informs users what the "rules of the game" are.
2. The Wires have Ears
It is a lot easier to eavesdrop on communications over data networks
than to tap a telephone conversation. Any link between computers may
potentially be insecure, as can any of the computers through which
data flows. All information passing over networks may be
eavesdropped on, even if you think "No one will care about this..."
Information passing over a network may be read not only by the
intended audience but can be read by others as well. This can happen
to personal Email and sensitive information that is accessed via file
transfer or the Web. Please refer to the "Don't Get Caught in the
Web" and "Email Pitfalls" sections for specific information on
protecting your privacy.
As a user, your utmost concerns should, firstly, be to protect
yourself against misuse of your computer account(s) and secondly, to
protect your privacy.
Unless precautions are taken, every time you log in over a network,
to any network service, your password or confidential information may
be stolen. It may then be used to gain illicit access to systems you
have access to. In some cases, the consequences are obvious: If
someone gains access to your bank account, you might find yourself
losing some cash, quickly. What is not so obvious is that services
which are not financial in nature may also be abused in rather costly
ways. You may be held responsible if your account is misused by
someone else!
Many network services involve remote log in. A user is prompted for
his or her account ID (i.e. user name) and password. If this
information is sent through the network without encryption, the
message can be intercepted and read by others. This is not really an
issue when you are logging in to a "dial-in" service where you make a
connection via telephone and log in, say to an online service
provider, as telephone lines are more difficult to eavesdrop on than
Internet communications.
The risk is there when you are using programs to log in over a
network. Many popular programs used to log in to services or to
transfer files (such as telnet and ftp, respectively) send your user
name and password and then your data over the network without
encrypting them.
The precaution commonly taken against password eavesdropping by
larger institutions, such as corporations, is to use one-time
password systems.
Until recently, it has been far too complicated and expensive for
home systems and small businesses to employ secure log in systems.
However, an increasing number of products enable this to be done
without fancy hardware, using cryptographic techniques. An example
of such a technique is Secure Shell [SSH], which is both freely and
commercially available for a variety of platforms. Many products
(including SSH-based ones) also allow data to be encrypted before it
is passed over the network.
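The one-time password systems mentioned above defeat password eavesdropping because each password is valid for a single log in and cannot be turned into the next one. The following is an added illustration of a hash-chain scheme of the kind S/KEY-style systems use; it is not code from RFC 2504 nor from any product the text names, and the class names, the choice of SHA-256 and the chain length are assumptions made for the example. The server keeps only the top of the chain, the client reveals the chain one step at a time, and a captured password replayed by an eavesdropper is rejected.

```python
import hashlib
import secrets
from typing import List

# Hash-chain one-time passwords (Lamport / S/KEY style).
# Added illustration; not code from RFC 2504 or any product it names.


def h(data: bytes) -> bytes:
    """One application of the chain's hash function (SHA-256 assumed here)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [p0, p1, ..., pn] with p0 = seed and p(i+1) = h(p(i)).

    The client keeps this whole list; only pn is ever given to the server,
    and pn cannot be inverted to recover p(n-1).
    """
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OtpServer:
    """Stores only the most recently accepted password (initially pn)."""

    def __init__(self, anchor: bytes):
        self.last_accepted = anchor

    def verify(self, otp: bytes) -> bool:
        # A password is valid only if hashing it once reproduces the stored value,
        # i.e. it is the immediate predecessor on the chain.
        if h(otp) == self.last_accepted:
            self.last_accepted = otp  # move one step down the chain
            return True
        return False


class OtpClient:
    """Hands out chain values from p(n-1) downwards, each exactly once."""

    def __init__(self, chain: List[bytes]):
        self.chain = chain
        self.next_index = len(chain) - 2

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; enrol a new seed")
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


def demo(n: int = 5) -> dict:
    """Enrol a fresh chain, log in twice, then replay the first password."""
    chain = make_chain(secrets.token_bytes(32), n)  # constructed random seed
    server = OtpServer(chain[-1])
    client = OtpClient(chain)
    first = client.next_password()
    return {
        "first_login": server.verify(first),
        "second_login": server.verify(client.next_password()),
        # An eavesdropper who captured `first` gains nothing from replaying it:
        # the server has already moved below that point on the chain.
        "replay_of_first": server.verify(first),
    }


if __name__ == "__main__":
    print(demo())
```

This simplified server accepts only the immediate predecessor of its stored value, so a client that skips a step is also rejected; the point of the exercise is that a captured password is useless after its one use, and that the server never holds anything from which future passwords can be derived.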
Part Two: End-users in a centrally-administered network
The following rules of thumb provide a summary of the most important
pieces of advice discussed in Part Two of this document:
- Know who your security point-of-contact is.
- Keep passwords secret at all times.
- Use a password-locked screensaver or log out when you leave your
desk.
- Don't let just anyone have physical access to your computer or
your network.
- Be aware of what software you run and be very wary of software of
unknown origin. Think hard before you execute downloaded
software.
- Do not panic. Consult your security point-of-contact, if
possible, before spreading alarm.
- Report security problems as soon as possible to your security
point-of-contact.
3. Watch Out!
3.1. The Dangers of Downloading
An ever expanding wealth of free software has become available on the
Internet. While this exciting development is one of the most
attractive aspects of using public networks, you should also exercise
caution. Some files may be dangerous. Downloading poses the single
greatest risk.
Be careful to store all downloaded files so that you will remember
their (possibly dubious) origin. Do not, for example, mistake a
downloaded program for another program just because they have the
same name. This is a common tactic to fool users into activating
programs they believe to be familiar but could, in fact, be
dangerous.
Programs can use the network without making you aware of it. One
thing to keep in mind is that if a computer is connected, any program
has the capability of using the network, with or without informing
you. Say, for example:
You download a game program from an anonymous FTP server. This
appears to be a shoot-em-up game, but unbeknownst to you, it
transfers all your files, one by one, over the Internet to a
cracker's machine!
Many corporate environments explicitly prohibit the downloading and
running of software from the Internet.
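The advice above to keep track of where each downloaded file came from, and not to trust a file just because its name is familiar, amounts to treating a file's content rather than its name as its identity. The following is an added example, not part of RFC 2504, of a small download manifest: when a file is saved, its SHA-256 digest, origin and time are recorded; a later check reports whether a file's content is a known download, whether only its name matches a recorded download (the "same name, different program" case the text warns about), or whether it is unrecorded. The manifest format, function names and the sample origin URL are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Download manifest keyed by content digest. Added illustration; not code from
# RFC 2504. Manifest layout and function names are assumptions for the example.


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large downloads are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_manifest(manifest_path: str) -> dict:
    if not os.path.exists(manifest_path):
        return {}
    with open(manifest_path) as fh:
        return json.load(fh)


def record_download(manifest_path: str, file_path: str, origin: str) -> str:
    """Record digest, name, origin and time for a freshly saved file."""
    digest = sha256_of(file_path)
    manifest = load_manifest(manifest_path)
    manifest[digest] = {
        "name": os.path.basename(file_path),
        "origin": origin,
        "saved": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return digest


def check_file(manifest_path: str, file_path: str) -> str:
    """Classify a file by content, then by name.

    'known:<origin>' - exact content was recorded as a download
    'name-reused'    - a recorded download had this name but different content
    'unknown'        - never recorded
    """
    manifest = load_manifest(manifest_path)
    digest = sha256_of(file_path)
    if digest in manifest:
        return "known:" + manifest[digest]["origin"]
    name = os.path.basename(file_path)
    if any(entry["name"] == name for entry in manifest.values()):
        return "name-reused"
    return "unknown"


def demo() -> tuple:
    """Save a constructed download, then replace its content and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = os.path.join(tmp, "downloads.json")
        game = os.path.join(tmp, "game.exe")
        with open(game, "wb") as fh:
            fh.write(b"constructed sample download\n")
        record_download(manifest, game, "ftp://example.invalid/pub/game.exe")
        first = check_file(manifest, game)
        with open(game, "wb") as fh:  # same name, different program
            fh.write(b"different content\n")
        second = check_file(manifest, game)
        other = os.path.join(tmp, "notes.txt")
        with open(other, "wb") as fh:
            fh.write(b"never recorded\n")
        third = check_file(manifest, other)
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The useful property is that a file which has been swapped out under a familiar name is reported as "name-reused" rather than silently trusted; the origin string recorded with each digest is what lets you recall the "possibly dubious" source later.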
3.2. Don't Get Caught in the Web
The greatest risk when web browsing is downloading files. Web
browsers allow any file to be retrieved from the Internet. See "The
Dangers of Downloading".
Web browsers are downloading files even when it is not entirely
obvious. Thus, the risk posed by downloading files may be present
even if you do not actively go out and retrieve files overtly. Any
file which you have loaded over the network should be considered
possibly dangerous (even files in the web browser's cache). Do not
execute them by accident, as they may be malicious programs.
(Remember, programs are files, too. You may believe you have
downloaded a text file, when in fact it is a Trojan Horse program,
script, etc.)
Web browsers may download and execute programs on your behalf, either
automatically or after manual intervention. You may disable these
features. If you leave them enabled, be sure that you understand the
consequences. You should read the security guide which accompanies
your web browser as well as the security policy of your company. You
should be aware that downloaded programs may be risky to execute on
your machine. See "What program is this, anyway?".
Web pages often include forms. Be aware that, as with Email, data
sent from a web browser to a web server is not secure. Several
mechanisms have been created to prevent this, most notably Secure
Sockets Layer [SSL]. This facility has been built into many web
browsers. It encrypts data sent between the user's web browser and
the web server so no one along the way can read it.
It is possible that a web page will appear to be genuine, but is, in
fact, a forgery. It is easy to copy the appearance of a genuine web
page and possible to subvert the network protocols which contact the
desired web server, to misdirect a web browser to an imposter.
That threat may be guarded against using SSL to verify if a web page
is genuine. When a 'secure' page has been downloaded, the web
browser's 'lock' or 'key' will indicate so. It is good to
double-check this: View the 'certificate' associated with the web
page you have accessed. Each web browser has a different way to do
this. The certificate will list the certificate's owner and who
issued it. If these look trustworthy, you are probably OK.
3.3. Email Pitfalls
All the normal concerns apply to messages received via Email that you
could receive any other way. For example, the sender may not be who
he or she claims to be. If Email security software is not used, it