<H2>An Architectural Overview of UNIX Network Security</H2>
you think you have protected and may be monitoring access to this layer within the previous layers does not mean that use of computers and other resources within your local-area network should become a free-for-all. Again, this depends on what you identify in your own particular security policy, but at this layer you should do some routine checking for possible breaches of your firewall that would leave their mark here, and pay close attention to effective password handling. This is also the layer of the model at which you want to concern yourself with training your users; after all, this is where they can make their mistakes (and harm your network).
<P>
<H4>3.4.1 Computer Oracle and Password System (COPS)</H4>
<P>
COPS is a UNIX security status checker. Essentially what it does is check various files and software configurations to see if they have been compromised (edited to plant a trojan horse or back door), and check that files have the appropriate modes and permissions set to maintain the integrity of your security level (making sure that your file permissions don't leave you wide open to attack or unauthorized access).
<P>
Many vendors of UNIX are now bundling a security status checker with the OS, usually under the nomenclature of a "C2" or "trusted system." You may still find that this package has more features than your canned package. Compare them.
<P>
Additional Comments: The current version of COPS (1.04) makes a limited attempt to detect bugs that are posted in CERT advisories. It also has an option to generate a limited script that can correct various security problems that are discovered. Dan Farmer, the author of COPS, also offers a quick hint that should easily get you started using it. After you have unarchived the COPS package, perform the following steps: './reconfig', 'make', and './cops -v -s . -b bit_bucket'.
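<P>
The Python program below, added here as an illustration and not part of COPS itself, performs a miniature version of the checks described above. It builds a small tree in a temporary directory, records a baseline of file checksums, then tampers with the tree the way an intruder might and re-checks it, reporting world-writable files, set-uid or set-gid executables, .rhosts files containing the "+" wildcard, and files whose checksum no longer matches the baseline (the trojan-horse case). The paths, file contents and the "intruder's" changes are all constructed for the example.

```python
"""Miniature COPS-style status checker.

Added example written for this page; it is not COPS code.  It scans a
directory tree for the classes of problem COPS looks for: world-writable
files, set-uid executables, .rhosts files that trust everyone, and files
whose checksum no longer matches a recorded baseline.  The sample tree is
built in a temporary directory, so nothing on the real system is touched.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(root):
    """Hash every regular file under root; run this on a system you still trust."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def rhosts_trusts_everyone(path):
    """True if any field of a .rhosts entry is the '+' wildcard (any host or any user)."""
    for line in Path(path).read_text().splitlines():
        fields = line.split("#", 1)[0].split()
        if "+" in fields:
            return True
    return False


def check_tree(root, baseline=None):
    """Return a sorted list of (problem, relative_path) findings."""
    root = Path(root)
    findings = []
    for p in [root, *root.rglob("*")]:
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue                                   # judge the target, not the link
        rel = str(p.relative_to(root))
        if st.st_mode & stat.S_IWOTH:
            findings.append(("world-writable", rel))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(("setuid-or-setgid", rel))
        if p.name == ".rhosts" and stat.S_ISREG(st.st_mode) and rhosts_trusts_everyone(p):
            findings.append(("rhosts-wildcard", rel))
        if baseline is not None and stat.S_ISREG(st.st_mode):
            if rel not in baseline:
                findings.append(("not-in-baseline", rel))
            elif baseline[rel] != sha256_of(p):
                findings.append(("checksum-mismatch", rel))
    return sorted(findings)


def demo():
    """Build a clean tree, record a baseline, tamper with it, and re-check.

    Returns (findings_before, findings_after).  Modes are set explicitly so
    the result does not depend on the caller's umask.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "home"):
            (root / d).mkdir(mode=0o755)
        ls = root / "bin" / "ls"
        ls.write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")   # stand-in for a system binary
        os.chmod(ls, 0o755)
        baseline = make_baseline(root)
        before = check_tree(root, baseline)

        # Changes an intruder might leave behind (all constructed for the example):
        ls.write_bytes(b"#!/bin/sh\n# altered\nexec /bin/ls \"$@\"\n")   # modified binary
        rh = root / "home" / ".rhosts"
        rh.write_text("+ +\n")                                 # trusts every user on every host
        os.chmod(rh, 0o644)
        notes = root / "home" / "notes"
        notes.write_text("payroll\n")
        os.chmod(notes, 0o666)                                 # world-writable
        after = check_tree(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before)
    for problem, path in after:
        print(f"{problem:18s} {path}")
```

A real deployment stores the baseline somewhere the intruder cannot edit (a checker is worthless if the attacker can also rewrite its reference data), runs the check from cron, and mails the findings.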
There is a lot of README documentation included if you need more help.
<P>
Availability: COPS can be retrieved via anonymous FTP from cert.org in ~/pub/tools/cops.
<P>
<H4>3.4.2 Chkacct</H4>
<P>
Chkacct [11] is a COPS for the ordinary user. This tool is made available to the users to run, or it is run for them once per day. It does an integrity check on the status of the files in their own account and then mails them the results (such as "Dear user: Your .rhosts file is unsafe"). This package can help make your users more aware of security controls and raise their level of participation in the program.
<P>
Availability: Chkacct is distributed with the COPS package (COPS 1.04 or later); for additional information contact shabby@mentor.cs.purdue.edu.
<P>
<H4>3.4.3 Crack</H4>
<P>
Crack helps the security administrator identify weak passwords. The hashed passwords in /etc/passwd cannot be reversed, so Crack guesses instead: it runs dictionary words, user names and rule-based permutations of them through crypt(3) and reports any user whose stored hash matches. If Crack can figure out your password, then you must choose a better password; it is very likely that a determined intruder will be able to get it too, using similar techniques or the Crack program itself, since it is publicly available.
<P>
Availability: Crack is available via anonymous FTP from cert.org in ~/pub/tools/crack/crack_4.1-tar.Z.
<P>
<H4>3.4.4 Shadow</H4>
<P>
The shadow password suite of programs [12] replaces the normal password control mechanisms on your system to remove the hashed passwords from the world-readable file /etc/passwd and keep them in a separate file that only root can read. Without shadowing, any local user can copy /etc/passwd and run Crack against it at leisure. The suite consists of optional, configurable components, provides password aging to force users to change their passwords periodically, adds enhanced syslog logging, and can allow users to set passwords up to sixteen characters long.
<P>
Many vendors of UNIX are now bundling a shadow password suite with the OS, usually under the nomenclature of a "C2" or "trusted system." You may still find that this package has more features than your canned package.
Compare them.
<P>
Availability: Shadow is available from USENET archives which store the comp.sources.misc newsgroup. Distribution is permitted for all non-commercial purposes. For more information contact the author, John F. Haugh III (jfh@rpp386.cactus.org).
<P>
<H4>3.4.5 Passwd+</H4>
<P>
Passwd+ is a proactive password checker [13] that replaces /bin/passwd on your system. It is rule-based and easily configurable. It prevents users from selecting a weak password in the first place, so that programs like Crack cannot guess it later, and it provides enhanced syslog logging. Crack finds weak passwords after the fact; Passwd+ stops them from being set.
<P>
Many vendors of UNIX are now bundling a proactive password checker with the OS, usually under the nomenclature of a "C2" or "trusted system." You may still find that this package has more features than your canned package. Compare them.
<P>
Availability: Passwd+ (developed by Matt Bishop) is available via anonymous FTP from dartmouth.edu in ~/pub/passwd+tar.Z.
<P>
<H4>3.4.6 Audit</H4>
<P>
Audit is a policy-driven security checker for a heterogeneous environment [14]. It is fully configurable, so you can set up Audit to exactly match your site's security policy. This program functionally does what COPS is intended to do, but does not hard-code your policy decisions for you the way that COPS does.
<P>
Many vendors of UNIX are now bundling an auditing subsystem with the OS, usually under the nomenclature of a "C2" or "trusted system." You may still find that this package has more features than your canned package. Compare them. One particular thing to note is that most vendors' auditing subsystems (IMHO) only collect and regurgitate tons of raw data, with no guidance or assistance for using that information; they leave that up to you. The Audit and/or Swatch tools are probably better.
<P>
Availability: The final version of Audit will eventually be posted to USENET. However, the beta release will only be made available on a limited basis, to larger, heterogeneous sites.
If you are interested in participating in the beta test, send e-mail to the author, Bjorn Satdeva (bjorn@sysadmin.com).
<P>
<H4>3.4.7 Miro</H4>
<P>
Miro [14] is a suite of tools for specifying and checking security constraints (like COPS and Audit), including a couple of formal languages. It is general because it is not tied to any particular OS, and it is flexible because security administrators express site policies in a formal specification language. It is easy to extend or modify a policy by simply augmenting or changing the specification of the current policy.
<P>
Availability: Miro is the product of a large research project, and to understand it you need more than the paragraph I've written above. For more information about the Miro project send e-mail to miro@cs.cmu.edu; there is even a video available. The author's Ph.D. thesis, as well as the sources for the Miro tools, are available via anonymous FTP from ftp.cs.cmu.edu. When you connect there, type "cd /afs/cs/project/miro/ftp" and "get ftp-instructions"; this will explain how to get the thesis and/or software.
<P>
<H3>3.5 ADDITIONAL SECURITY ENHANCEMENTS</H3>
<P>
The tools described in firewall layers {1...4} (sections 3.1 to 3.4) above are what I consider part of a "base" set of tools and functional requirements for general security administration. The tools and methods described in this section are additional measures that can be combined with or added to your overall security program at any of the other levels.
<P>
<H4>3.5.1 One-time Password Key-Card</H4>
<P>
Since reusable passwords can be captured on the network and replayed by intruders, consider a "one-time password" scheme. One-time passwords can be implemented using software-only solutions or software/hardware solutions, and there are several commercial products available. The following is an example of what CERT uses. Each user is assigned a "Digital Pathways" key-card (approximately $60 per user). When you enter your PIN code, it supplies a password that is good only one time, so a password captured in transit cannot be replayed later.
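<P>
The program below is an added example of the software-only variety mentioned above; it is not the Digital Pathways card's algorithm, nor CERT's login shell, and the seed, PIN and user name are made up. It implements a hash chain in the style of S/Key: the server is enrolled with the top of the chain only, each password is the preimage of the value the server last accepted, and a password that has been used once (or produced with the wrong PIN) is rejected.

```python
"""One-time passwords from a hash chain (S/Key-style, software only).

Added example for this page; it is not the Digital Pathways key-card's
algorithm nor CERT's login shell.  The user's device derives a secret
from a seed and the PIN, the server is enrolled with the top of the
chain H^n(secret), and password number i is H^(n-i)(secret).  The server
accepts a password p only if H(p) equals the value it stored, then
stores p.  Because H is one-way, a sniffed password tells an intruder
nothing about the next one, and replaying it fails.
"""
import hashlib
import hmac


def hash_once(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def chain(secret: bytes, count: int) -> bytes:
    """Apply hash_once to secret `count` times."""
    value = secret
    for _ in range(count):
        value = hash_once(value)
    return value


class KeyCard:
    """The user's side (a card or a program).  Seed and PIN are made up."""

    def __init__(self, seed: bytes, pin: bytes, length: int = 100):
        self.secret = hashlib.sha256(seed + b":" + pin).digest()
        self.length = length
        self.remaining = length - 1          # index of the next password to emit

    def enrollment_value(self) -> bytes:
        """What the server stores at enrollment: H^n(secret), never the secret itself."""
        return chain(self.secret, self.length)

    def password(self) -> bytes:
        if self.remaining < 1:
            raise RuntimeError("chain exhausted; re-enroll with a new seed")
        p = chain(self.secret, self.remaining)
        self.remaining -= 1
        return p


class LoginShell:
    """The server's side: what a replacement login shell on the firewall checks."""

    def __init__(self):
        self.users = {}                      # name -> [passwords left, last accepted value]

    def enroll(self, name: str, top_of_chain: bytes, length: int = 100):
        self.users[name] = [length - 1, top_of_chain]

    def login(self, name: str, password: bytes) -> bool:
        record = self.users.get(name)
        if record is None or record[0] < 1:
            return False                     # unknown user or chain exhausted
        if not hmac.compare_digest(hash_once(password), record[1]):
            return False                     # wrong PIN, wrong card, or a replay
        record[0] -= 1
        record[1] = password                 # next login must present this value's preimage
        return True


def demo():
    """A login, a replay of the sniffed password, a second login, and a wrong PIN."""
    card = KeyCard(seed=b"firewall-seed-0001", pin=b"2468")
    shell = LoginShell()
    shell.enroll("alice", card.enrollment_value())
    p1 = card.password()
    results = {"first_login": shell.login("alice", p1)}
    results["replay_of_p1"] = shell.login("alice", p1)          # sniffed and resent
    results["second_login"] = shell.login("alice", card.password())
    wrong_pin = KeyCard(seed=b"firewall-seed-0001", pin=b"0000")
    wrong_pin.remaining = card.remaining                        # counter in step, PIN not
    results["wrong_pin"] = shell.login("alice", wrong_pin.password())
    return results


if __name__ == "__main__":
    for event, accepted in demo().items():
        print(f"{event:14s} {'accepted' if accepted else 'rejected'}")
```

The server never holds anything an intruder could use to compute future passwords, which is what makes it safe to run this on the exposed firewall host; the one thing to protect is the counter staying in step between card and server, and the chain must be re-keyed before it runs out.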
The only other piece to this is software that replaces the login shell on your "firewall" server so that it prompts for and verifies the one-time password.
<P>
Availability: The source code for this shell is based on code from the key-card vendor and is currently not available to the public domain via anonymous FTP. For additional information about this, send e-mail to cert@cert.org.
<P>
<H4>3.5.2 Privacy Enhanced Mail (PEM)</H4>
<P>
PEM is an RSA-based scheme that encrypts sensitive information, but it does more than that: it provides message integrity and non-repudiation of origin through a digital signature, so that the originator cannot deny having sent the message. PEM is actually a protocol that is designed to allow use of both symmetric (private-key) and asymmetric (public-key) cryptography. In this example, Trusted Information Systems, Inc. (TIS) has implemented a PEM package using the public-key technique together with the Rand MH Message Handling System (version 6.7.2). The TIS/PEM libraries [16] can be adapted for implementation of non-mail applications as well.
<P>
Availability: TIS/PEM is a commercially available product; for additional information send e-mail to pem-info@tis.com.
<P>
<H4>3.5.3 Kerberos</H4>
<P>
Kerberos is a DES-based authentication system that keeps sensitive information such as passwords off the network: instead of sending a reusable password from client software to the server daemon, the client proves its identity with encrypted "tickets" that the network services automatically request from the Kerberos server, and the session keys carried in those tickets can encrypt the rest of the conversation. You will need to have the source to your client/server programs so that you can use the Kerberos libraries to build Kerberized applications. Since Kerberos tickets are cached locally in /tmp, if there is more than one user on a given workstation there is a possibility of collision between their caches, and anyone who can read another user's cache file (root, or another user if its permissions are wrong) can use those tickets until they expire. Kerberos also relies upon the system time to operate (tickets and authenticators carry timestamps, and client and server clocks must agree within a small tolerance), therefore it should be enhanced in the future to include a secure time server (timed is not appropriate, since it is unauthenticated, and an attacker who can move a clock can replay old authenticators).
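<P>
The exchange below is an added example, not MIT Kerberos code. It collapses the ticket-granting step so that a single round trip to the key distribution centre (KDC) yields a ticket for the service, and it replaces DES with a toy authenticated cipher built from SHA-256 and HMAC so that only the standard library is needed. Principal names, passwords, keys and clock values are made up. It shows why the password never has to leave the client, why a wrong password simply fails to decrypt the KDC's reply, and why the clock matters: a captured ticket and authenticator replayed later is refused once the timestamps disagree by more than the allowed skew.

```python
"""Kerberos-style ticket exchange, collapsed to one round trip.

Added example for this page, not MIT Kerberos code.  The ticket-granting
step is omitted (the KDC hands out a service ticket directly) and DES is
replaced by a toy encrypt-then-MAC cipher.  Names, keys and clock values
are made up.
"""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600     # seconds
MAX_CLOCK_SKEW = 5 * 60        # seconds; authenticators older than this are refused


def password_key(password: str) -> bytes:
    """Long-term key from a password (toy KDF, not the Kerberos string-to-key function)."""
    return hashlib.sha256(b"toy-kerberos|" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable object: nonce || ciphertext || tag."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, keys):              # principal name -> long-term key
        self.keys = keys

    def request(self, user: str, service: str, now: int) -> bytes:
        """Reply is readable only with the user's key; the ticket inside only with the service's."""
        session_key = os.urandom(16).hex()
        ticket = seal(self.keys[service],
                      {"user": user, "session_key": session_key, "expires": now + TICKET_LIFETIME})
        return seal(self.keys[user], {"session_key": session_key, "ticket": ticket.hex()})


class Client:
    def __init__(self, user: str, password: str):
        self.user, self.key = user, password_key(password)   # password stays here

    def get_ticket(self, kdc: KDC, service: str, now: int):
        reply = unseal(self.key, kdc.request(self.user, service, now))   # wrong password -> ValueError
        self.session_key = bytes.fromhex(reply["session_key"])
        self.ticket = bytes.fromhex(reply["ticket"])

    def ap_request(self, now: int):
        """Ticket plus a fresh authenticator proving we hold the session key right now."""
        return self.ticket, seal(self.session_key, {"user": self.user, "time": now})


class Service:
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, ticket: bytes, authenticator: bytes, now: int):
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            return False, "ticket expired"
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["user"] != t["user"]:
            return False, "authenticator does not match ticket"
        if abs(a["time"] - now) > MAX_CLOCK_SKEW:
            return False, "clock skew too large: stale authenticator or replay"
        return True, t["user"]


def demo():
    t0 = 1_700_000_000                      # made-up epoch time shared by all clocks
    rlogin_key = os.urandom(32)
    kdc = KDC({"alice": password_key("correct horse"), "rlogin/host1": rlogin_key})
    rlogin = Service(rlogin_key)
    results = {}
    alice = Client("alice", "correct horse")
    alice.get_ticket(kdc, "rlogin/host1", t0)
    req = alice.ap_request(t0 + 10)
    results["good_login"] = rlogin.accept(*req, t0 + 10)[0]
    results["replayed_later"] = rlogin.accept(*req, t0 + 1000)[0]      # sniffed, resent 16 min later
    results["expired_ticket"] = rlogin.accept(*alice.ap_request(t0 + 9 * 3600), t0 + 9 * 3600)[0]
    try:
        Client("alice", "wrong password").get_ticket(kdc, "rlogin/host1", t0)
        results["wrong_password"] = True
    except ValueError:
        results["wrong_password"] = False
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} {'accepted' if ok else 'rejected'}")
```

Within the skew window a replay would still succeed, which is why a real Kerberos service also keeps a short-lived cache of authenticators it has already seen; and because the KDC's reply can be collected by anyone who asks for it, a weak password here is exposed to the same offline guessing that Crack performs against /etc/passwd.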
There are two versions of Kerberos, one for OSF ported by HP, and one BSD-based developed at MIT's Project Athena.
<P>
Availability: Kerberos is distributed via anonymous FTP from athena-dist.mit.edu in ~/pub/kerberos or ~/pub/kerberos5.
<P>
<H4>3.5.4 Private-Key Certificates</H4>
<P>
This is not really a product, but rather a design proposal [17] that is an alternative method to PEM for adding network security to applications such as mail. Simply put, it keeps the certificate-based structure of public-key protocols but implements it with private-key (symmetric) cryptography. It can be adapted to different types of applications, and it is boilerplate, so that you can essentially plug in any encryption algorithm. This is designed so that public-key style protocols no longer have to rely on public-key encryption.
<P>
Availability: Unknown. For more information, contact Don Davis at Geer Zolot Assoc., Boston, MA (formerly of Project Athena at MIT). His paper "Network Security via Private-Key Certificates" describes this technique in more detail.
<P>
<H4>3.5.5 Multilevel Security (MLS)</H4>
<P>
After you've done everything else (above) to make your network secure, MLS will probably be one of your next logical steps. That doesn't mean you have to wait until you've done everything else before implementing MLS; it's just (IMHO) that you would be wasting your time going to the nth degree before covering the fundamentals. However, if you are just now deciding which variant of the UNIX operating system to buy, consider buying an MLS variant now. After you configure it to manage your security policy, go back through layers {1...4} to see what you might add to make it more secure in a networked environment. Many UNIX vendors are now shipping or preparing to ship an MLS version.
A couple of examples that immediately come to mind are SecureWare CMW+ 2.2 (based on A/UX or SCO ODT 1.1) and AT&T USL System V Release 4 Version 2 Enhanced Security (SVR4.2ES).
<P>
For additional information regarding MLS implementations within the Department of Defense (DoD), contact Charles West at (703) 696-1891, Multilevel Security Technology Insertion Program (MLS TIP), Defense Information Systems Agency (DISA).
<P>
For additional information regarding SecureWare CMW+, send e-mail to info@sware.com. For additional information regarding AT&T USL SVR4.2ES, send e-mail to fate@usl.com.
<P>
<H4>3.5.6 File Encryption</H4>
<P>
Users should get into the habit of encrypting sensitive files whenever they are stored in a public place or transmitted over public communication circuits. File encryption isn't bulletproof, but it is better than clear text for sensitive information. The UNIX crypt utility is the least secure of these tools: it implements a simple rotor cipher, and freely available programs break it using well-known techniques. The UNIX des utility (US export restrictions apply) is more secure. It has not been known to be broken; however, DoD does not sanction its use for transmitting classified material. A new UNIX tool, PGP 2.2, is available (it uses RSA for key management together with a symmetric cipher for the message body); however, there may be licensing issues to be concerned with.
<P>
<H4>3.5.7 Secure Programming Methods</H4>
<P>