
rfc2504.txt

Well-known RFC documents, some of which have been translated into Chinese.
Page 1 of 5
Network Working Group                                        E. Guttman
Request for Comments: 2504                             Sun Microsystems
FYI: 34                                                        L. Leong
Category: Informational                                   COLT Internet
                                                              G. Malkin
                                                           Bay Networks
                                                          February 1999

                        Users' Security Handbook

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   The Users' Security Handbook is the companion to the Site Security
   Handbook (SSH).  It is intended to provide users with the information
   they need to help keep their networks and systems secure.

Table of Contents

   Part One: Introduction . . . . . . . . . . . . . . . . . . . .  2
   1.   READ.ME . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.   The Wires have Ears . . . . . . . . . . . . . . . . . . .  3
   Part Two: End-users in a centrally-administered network  . . .  4
   3.   Watch Out! . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.1.   The Dangers of Downloading  . . . . . . . . . . . . . .  4
   3.2.   Don't Get Caught in the Web . . . . . . . . . . . . . .  5
   3.3.   Email Pitfalls  . . . . . . . . . . . . . . . . . . . .  6
   3.4.   Passwords . . . . . . . . . . . . . . . . . . . . . . .  7
   3.5.   Viruses and Other Illnesses . . . . . . . . . . . . . .  7
   3.6.   Modems  . . . . . . . . . . . . . . . . . . . . . . . .  8
   3.7.   Don't Leave Me... . . . . . . . . . . . . . . . . . . .  9
   3.8.   File Protections  . . . . . . . . . . . . . . . . . . .  9
   3.9.   Encrypt Everything  . . . . . . . . . . . . . . . . . . 10
   3.10.  Shred Everything Else . . . . . . . . . . . . . . . . . 10
   3.11.  What Program is This, Anyway? . . . . . . . . . . . . . 11
   4.   Paranoia is Good  . . . . . . . . . . . . . . . . . . . . 11
   Part Three: End-users self administering a networked computer  14
   5.   Make Your Own Security Policy . . . . . . . . . . . . . . 14

Guttman, et. al.             Informational                      [Page 1]

RFC 2504                Users' Security Handbook           February 1999

   6.   Bad Things Happen . . . . . . . . . . . . . . . . . . . . 15
   6.1.   How to Prepare for the Worst in Advance . . . . . . . . 15
   6.2.   What To Do if You Suspect Trouble . . . . . . . . . . . 16
   6.3.   Email . . . . . . . . . . . . . . . . . . . . . . . . . 17
   7.   Home Alone  . . . . . . . . . . . . . . . . . . . . . . . 17
   7.1.   Beware of Daemons . . . . . . . . . . . . . . . . . . . 17
   7.2.   Going Places  . . . . . . . . . . . . . . . . . . . . . 19
   7.3.   Secure It!  . . . . . . . . . . . . . . . . . . . . . . 20
   8.   A Final Note  . . . . . . . . . . . . . . . . . . . . . . 20
   Appendix: Glossary of Security Terms . . . . . . . . . . . . . 21
   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 31
   References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
   Security Considerations  . . . . . . . . . . . . . . . . . . . 32
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 32
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . 33

Part One:  Introduction

   This document provides guidance to the end-users of computer systems
   and networks about what they can do to keep their data and
   communication private, and their systems and networks secure.  Part
   Two of this document concerns "corporate users" in small, medium and
   large corporate and campus sites.  Part Three of the document
   addresses users who administer their own computers, such as home
   users.

   System and network administrators may wish to use this document as
   the foundation of a site-specific users' security guide; however,
   they should consult the Site Security Handbook first [RFC2196].

   A glossary of terms is included in an appendix at the end of this
   document, introducing computer network security notions to those not
   familiar with them.

1.  READ.ME

   Before getting connected to the Internet or any other public network,
   you should obtain the security policy of the site that you intend to
   use as your access provider, and read it.  A security policy is a
   formal statement of the rules by which users who are given access to
   a site's technology and information assets must abide.  As a user,
   you are obliged to follow the policy created by the decision makers
   and administrators at your site.

   A security policy exists to protect a site's hardware, software and
   data.  It explains what the security goals of the site are, what
   users can and cannot do, what to do and who to contact when problems
   arise, and generally informs users what the "rules of the game" are.

2.  The Wires have Ears

   It is a lot easier to eavesdrop on communications over data networks
   than to tap a telephone conversation.  Any link between computers may
   potentially be insecure, as can any of the computers through which
   data flows.  All information passing over networks may be
   eavesdropped on, even if you think "No one will care about this..."

   Information passing over a network may be read not only by the
   intended audience but can be read by others as well.  This can happen
   to personal Email and sensitive information that is accessed via file
   transfer or the Web.  Please refer to the "Don't Get Caught in the
   Web" and "Email Pitfalls" sections for specific information on
   protecting your privacy.

   As a user, your utmost concerns should, firstly, be to protect
   yourself against misuse of your computer account(s) and secondly, to
   protect your privacy.

   Unless precautions are taken, every time you log in over a network,
   to any network service, your password or confidential information may
   be stolen.  It may then be used to gain illicit access to systems you
   have access to.  In some cases, the consequences are obvious:  If
   someone gains access to your bank account, you might find yourself
   losing some cash, quickly.  What is not so obvious is that services
   which are not financial in nature may also be abused in rather costly
   ways.  You may be held responsible if your account is misused by
   someone else!

   Many network services involve remote log in.  A user is prompted for
   his or her account ID (i.e. user name) and password.  If this
   information is sent through the network without encryption, the
   message can be intercepted and read by others.  This is not really an
   issue when you are logging in to a "dial-in" service where you make a
   connection via telephone and log in, say to an online service
   provider, as telephone lines are more difficult to eavesdrop on than
   Internet communications.

   The risk is there when you are using programs to log in over a
   network.  Many popular programs used to log in to services or to
   transfer files (such as telnet and ftp, respectively) send your user
   name and password and then your data over the network without
   encrypting them.

   The precaution commonly taken against password eavesdropping by
   larger institutions, such as corporations, is to use one-time
   password systems.

   Until recently, it has been far too complicated and expensive for
   home systems and small businesses to employ secure log in systems.
   However, an increasing number of products enable this to be done
   without fancy hardware, using cryptographic techniques.  An example
   of such a technique is Secure Shell [SSH], which is both freely and
   commercially available for a variety of platforms.  Many products
   (including SSH-based ones) also allow data to be encrypted before it
   is passed over the network.

Part Two:  End-users in a centrally-administered network

   The following rules of thumb provide a summary of the most important
   pieces of advice discussed in Part Two of this document:

    - Know who your security point-of-contact is.

    - Keep passwords secret at all times.

    - Use a password-locked screensaver or log out when you leave your
      desk.

    - Don't let simply anyone have physical access to your computer or
      your network.

    - Be aware what software you run and very wary of software of
      unknown origin.  Think hard before you execute downloaded
      software.

    - Do not panic.  Consult your security point-of-contact, if
      possible, before spreading alarm.

    - Report security problems as soon as possible to your security
      point-of-contact.

3.  Watch Out!

3.1.  The Dangers of Downloading

   An ever expanding wealth of free software has become available on the
   Internet.  While this exciting development is one of the most
   attractive aspects of using public networks, you should also exercise
   caution.  Some files may be dangerous.  Downloading poses the single
   greatest risk.

   Be careful to store all downloaded files so that you will remember
   their (possibly dubious) origin.  Do not, for example, mistake a
   downloaded program for another program just because they have the
   same name.  This is a common tactic to fool users into activating
   programs they believe to be familiar but could, in fact, be
   dangerous.
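The advice above, to keep a record of where each downloaded file came from and never to trust a file merely because its name looks familiar, is easier to follow with a small provenance manifest. The following Python is an added example and is not part of RFC 2504: it records the origin and a SHA-256 digest for each downloaded file, and before the file is run it checks that the bytes on disk still match what was recorded, so a same-named substitute is reported as "modified" and a file that was never recorded as "unknown". The file names, the origin URL, the manifest layout and the choice of SHA-256 are all constructed for this demonstration.

```python
"""Provenance manifest for downloaded files.

Added illustration of RFC 2504 section 3.1 ("remember their origin";
do not trust a program just because of its name).  Not from the RFC:
file names, origin URL, manifest format and hash choice are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large downloads are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _load(manifest: Path) -> dict:
    return json.loads(manifest.read_text()) if manifest.exists() else {}


def record_download(manifest: Path, file: Path, origin: str) -> dict:
    """Record origin, size and digest of a freshly downloaded file.

    Identity is the digest, not the name: two files called game.exe from
    different places get different entries when their bytes differ.
    """
    entries = _load(manifest)
    entry = {
        "origin": origin,
        "size": file.stat().st_size,
        "sha256": sha256_file(file),
    }
    entries[file.name] = entry
    manifest.write_text(json.dumps(entries, indent=2))
    return entry


def check_before_run(manifest: Path, file: Path) -> str:
    """Classify a file against the manifest before executing it.

    Returns 'trusted' (bytes match the recorded download), 'modified'
    (same name, different content: do not run) or 'unknown' (never
    recorded: its origin cannot be vouched for).
    """
    entry = _load(manifest).get(file.name)
    if entry is None:
        return "unknown"
    if entry["sha256"] != sha256_file(file):
        return "modified"
    return "trusted"


def demo() -> dict:
    """Walk through download, silent replacement and an unrecorded file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        manifest = workdir / "downloads.json"
        game = workdir / "game.exe"

        # Constructed stand-in for a file fetched from an anonymous FTP site.
        game.write_bytes(b"constructed sample program bytes")
        record_download(manifest, game, "ftp://example.invalid/pub/game.exe")
        results["after_download"] = check_before_run(manifest, game)

        # Same name, different bytes: the situation section 3.1 warns about.
        game.write_bytes(b"different bytes under the same name")
        results["after_swap"] = check_before_run(manifest, game)

        # A file nobody recorded: its origin is simply unknown.
        results["never_recorded"] = check_before_run(manifest, workdir / "tool.exe")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The manifest only helps if it is written at download time and kept where the downloaded files cannot overwrite it; a digest computed after the fact from an already substituted file would simply bless the substitute.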
   Programs can use the network without making you aware of it.  One
   thing to keep in mind is that if a computer is connected, any program
   has the capability of using the network, with or without informing
   you.  Say, for example:

     You download a game program from an anonymous FTP server.  This
     appears to be a shoot-em-up game, but unbeknownst to you, it
     transfers all your files, one by one, over the Internet to a
     cracker's machine!

   Many corporate environments explicitly prohibit the downloading and
   running of software from the Internet.

3.2.  Don't Get Caught in the Web

   The greatest risk when web browsing is downloading files.  Web
   browsers allow any file to be retrieved from the Internet.  See "The
   Dangers of Downloading".

   Web browsers are downloading files even when it is not entirely
   obvious.  Thus, the risk posed by downloading files may be present
   even if you do not actively go out and retrieve files overtly.  Any
   file which you have loaded over the network should be considered
   possibly dangerous (even files in the web browser's cache).  Do not
   execute them by accident, as they may be malicious programs.
   (Remember, programs are files, too.  You may believe you have
   downloaded a text file, when in fact it is a Trojan Horse program,
   script, etc.)

   Web browsers may download and execute programs on your behalf, either
   automatically or after manual intervention.  You may disable these
   features.  If you leave them enabled, be sure that you understand the
   consequences.  You should read the security guide which accompanies
   your web browser as well as the security policy of your company.  You
   should be aware that downloaded programs may be risky to execute on
   your machine.  See "What program is this, anyway?".

   Web pages often include forms.  Be aware that, as with Email, data
   sent from a web browser to a web server is not secure.  Several
   mechanisms have been created to prevent this, most notably Secure
   Sockets Layer [SSL].  This facility has been built into many web
   browsers.  It encrypts data sent between the user's web browser and
   the web server so no one along the way can read it.

   It is possible that a web page will appear to be genuine, but is, in
   fact, a forgery.  It is easy to copy the appearance of a genuine web
   page and possible to subvert the network protocols which contact the
   desired web server, to misdirect a web browser to an imposter.

   That threat may be guarded against using SSL to verify if a web page
   is genuine.  When a 'secure' page has been downloaded, the web
   browser's 'lock' or 'key' will indicate so.  It is good to
   double-check this: View the 'certificate' associated with the web
   page you have accessed.  Each web browser has a different way to do
   this.  The certificate will list the certificate's owner and who
   issued it.  If these look trustworthy, you are probably OK.

3.3.  Email Pitfalls

   All the normal concerns apply to messages received via Email that you
   could receive any other way.  For example, the sender may not be who
   he or she claims to be.  If Email security software is not used, it
   is very difficult to determine for sure who sent a message.  This
   means that Email itself is not a suitable way to conduct many types
   of business.  It is very easy to forge an Email message to make it
   appear to have come from anyone.

   Another security issue you should consider when using Email is
   privacy.  Email passes through the Internet from computer to
   computer.  As the message moves between computers, and indeed as it
   sits in a user's mailbox waiting to be read, it is potentially
   visible to others.  For this reason, it is wise to think twice before
