GETTING INTO STANDARDS
========================

Notes from a presentation of Phil Hunter, Owl River Company
Columbus, OH    info@owlriver.com
for the Central Ohio Linux Users Group
October, 1998 meeting

A worked example, related to 'properly' setting up an IP address
space for Linux IP Masquerading, with pointers into security matters,
from a standards perspective.

A. Quotes to ponder:
=========================

   The nice thing about standards is that there are so many of them
   to choose between.

   There is generally no need to reinvent the wheel. Look further by
   standing on the shoulders of those who went before.
   (see Exhibit 6)

B. Primary sources
=======================

RFC and related documents are generally available at:
   ftp://ftp.isi.edu/in-notes/

1. INTERNET OFFICIAL PROTOCOL STANDARDS
   ftp://ftp.isi.edu/in-notes/std/std1.txt

   (There is NO requirement that there be two GPL implementations of
   a proposed standard -- merely two independent, interoperable ones.)

   It is general practice that no proposed standard can be promoted to
   draft standard without at least two independent implementations
   (and the recommendation of the IESG). Promotion from draft standard
   to standard generally requires operational experience and
   demonstrated interoperability of two or more implementations (and
   the recommendation of the IESG).

   The document also classifies the active RFCs by protocol and by
   service, so that the related RFCs, and the current version of each,
   can be identified.

2. Address Allocation for Private Internets
   ftp://ftp.isi.edu/in-notes/rfc1597.txt
   (See Attachment A)

3. Site Security Handbook
   ftp://ftp.isi.edu/in-notes/fyi/fyi8.txt

4. [RFC 2196], the Site Security Handbook, as an RFC
   ftp://ftp.isi.edu/in-notes/rfc2196.txt

5. Expectations for Computer Security Incident Response
   ftp://ftp.isi.edu/in-notes/bcp/bcp21.txt

6.
Security primary sources:

   http://www.auscert.org.au/
      Australian Computer Emergency Response Team
   http://www.cert.org
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
   http://www.replay.com/
      Replay Associates, L.L.P.

D. Network diagram
====================================================

   (see Exhibit 1)

E. Extracted list of Services
====================================================

   (see Exhibit 2)

F. TCP-Wrappers
====================================================
   ... Who's been knocking at my door.

   ftp://ftp.win.tue.nl/

   [root@pokey tcp_wrappers-7.6]# pwd
   /usr/doc/tcp_wrappers-7.6
   [root@pokey tcp_wrappers-7.6]# less README

   7.5 - Other applications
   ------------------------
   (snip)

   The tcpd program can even be used to control access to the mail
   service. This can be useful when you suspect that someone is
   trying out some obscure sendmail bug, or when a remote site is
   misconfigured and keeps hammering your mail daemon. In that case,
   sendmail should not be run as a stand-alone network listener, but
   it should be registered in the inetd configuration file. For
   example:

       smtp  stream  tcp  nowait  root \
           /usr/etc/tcpd /usr/lib/sendmail -bs              {***}

   You will still need to run one sendmail background process to
   handle queued-up outgoing mail. A command like:

       /usr/lib/sendmail -q15m

   (no `-bd' flag) should take care of that. You cannot really
   prevent people from posting forged mail this way, because there
   are many unprotected smtp daemons on the network.

   {***} -- NOT a set of linux FSSTD, etc. file locations
   ==============

   Notify example
      (see Exhibit 3) -- also to pager for Duty Op
      (see Exhibit 4) -- also to pager for Duty Op

G. Physical security
====================================================
   ... Who's been knocking at my door, part 2.

   Notify example
      (see Exhibit 5) -- also to pager for Duty Op

H. Tool Tips
====================================================

1. Retrieve a copy of a document:

   $ wget ftp://ftp.isi.edu/in-notes/rfc1597.txt

2.
Print two-up copies by, eg,:

   $ mpage -2 rfc1597.txt | lpr
   (See Attachment A)

3. FIND a man page:

   $ apropos wrapper
   tcpdchk (8)          - tcp wrapper configuration checker
   tcpdmatch (8)        - tcp wrapper oracle
   CPAN::Nox (3)        - Wrapper around CPAN.pm without using any XS module

   $ apropos hosts
   ftphosts (5)         - ftpd individual user host access file
   gs (1)               - Aladdin Ghostscript version 3.0 interpreter/previewer
   hosts_access (5)     - format of host access control files
   hosts_access, hosts_ctl, request_init, request_set (3) - access control library
   hosts_options (5)    - host access control language extensions
   ping (8)             - send ICMP ECHO_REQUEST packets to network hosts
   make-ssh-known-hosts (1) - make ssh_known_hosts file from DNS data
   XAddHost, XAddHosts, XListHosts, XRemoveHost, XRemoveHosts, XSetAccessControl, XEnableAccessControl, XDisableAccessControl, XHostAddress (3x) - control host access and host control structure
   ibm_hosts            host database for x3270
   $

4. Pretty-print (ie, as Postscript output) a man page, two-up:

   $ man -t hosts_access | mpage -2 | lpr

5. RTFM

--
====================================================
(COLUG9810.txt)
Copyright (c) 1998 Owl River Company   info@owlriver.com   614 - 221 - 0695
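The notes describe the talk as a worked example of 'properly' numbering an IP address space for Linux IP Masquerading, and point at RFC 1597 (item B.2) for the private ranges. The POSIX sh script below is an added example, not from the notes or from Owl River Company: it tests whether a dotted-quad address falls inside one of the three RFC 1597 private blocks, which is the check to make before assigning addresses on the inside of a masquerading gateway. The function names (ip_to_int, in_range, is_rfc1597_private) and the sample addresses are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the COLUG notes): classify an IPv4 address against
# the three private blocks of RFC 1597, the ranges a masqueraded internal
# network should be numbered from:
#   10.0.0.0    - 10.255.255.255    (10.0.0.0/8)
#   172.16.0.0  - 172.31.255.255    (172.16.0.0/12)
#   192.168.0.0 - 192.168.255.255   (192.168.0.0/16)

# ip_to_int A.B.C.D  -> prints the address as a 32-bit integer;
#                       returns 1 (prints nothing) if it is not a valid dotted quad
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1          # split on the dots into $1..$4 (empty fields are kept)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-digit, or leading zero (octal trap)
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_range IP NETWORK PREFIXLEN  -> exit status 0 if IP lies inside NETWORK/PREFIXLEN
in_range() {
    ip=$(ip_to_int "$1")  || return 1
    net=$(ip_to_int "$2") || return 1
    # build the netmask from the prefix length; 4294967295 is 0xFFFFFFFF
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_rfc1597_private IP  -> prints the matching RFC 1597 block and exits 0;
#                           exits 1 if the address is not private (or is malformed)
is_rfc1597_private() {
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_range "$1" "${block%/*}" "${block#*/}"; then
            echo "$block"
            return 0
        fi
    done
    return 1
}

# Usage: the addresses below are constructed for the example
for addr in 10.1.2.3 172.31.255.255 172.32.0.1 192.168.7.7 198.51.100.4 10.1.2; do
    if block=$(is_rfc1597_private "$addr"); then
        echo "$addr: private, in $block"
    else
        echo "$addr: NOT an RFC 1597 private address; do not use it behind the masquerade"
    fi
done
```

The leading-zero rejection in ip_to_int matters: an octet such as 010 is read as octal by several shells' arithmetic, so the script refuses it rather than silently computing the wrong address.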
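Sections F and G ask "who's been knocking at my door" and refer to notify examples (Exhibits 3 to 5, not reproduced in these notes) that page the Duty Op. The script below is an added example, not the notes' own exhibits, of what such a notify script can be built on: tcpd writes each rejected connection to syslog as "refused connect from <client>", so a few lines of awk over the log give a count per client and daemon, and a threshold picks out the ones worth a page. The log lines, the host name pokey, the daemons and the client addresses are constructed for the example; the function names refused_counts and over_threshold are assumptions.

```sh
#!/bin/sh
# Added example (not from the COLUG notes): summarise the connections that
# tcpd has refused, from the syslog lines it writes. tcpd logs a rejected
# client as
#     <date> <host> <daemon>[<pid>]: refused connect from <client>
# and an accepted one as "... connect from <client>" (no "refused").
#
# Constructed sample log; the host "pokey", the daemons and the client
# addresses are made up for the example.
SAMPLE_LOG=$(cat <<'EOF'
Oct 12 23:17:05 pokey in.telnetd[4321]: refused connect from 10.1.2.3
Oct 12 23:17:09 pokey in.telnetd[4322]: refused connect from 10.1.2.3
Oct 12 23:18:40 pokey sendmail[4330]: connect from mail.example.net
Oct 12 23:19:02 pokey in.ftpd[4335]: refused connect from 192.0.2.77
Oct 12 23:20:11 pokey in.telnetd[4340]: refused connect from 10.1.2.3
EOF
)

# refused_counts  (reads syslog lines on stdin)
#   -> one line "<count> <client> <daemon>" per client/daemon pair, most refused first
refused_counts() {
    awk '/: refused connect from / {
             daemon = $5                # e.g. "in.telnetd[4321]:"
             sub(/\[.*$/, "", daemon)   # strip the "[pid]:" part
             n[$NF " " daemon]++        # $NF is the client host or address
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# over_threshold N  (reads refused_counts output on stdin)
#   -> prints the clients refused N or more times; this is the list a notify
#      script would hand to mail(1) or to the Duty Op's pager
over_threshold() {
    awk -v lim="$1" '$1 + 0 >= lim + 0 { print $2 }'
}

# Usage
printf '%s\n' "$SAMPLE_LOG" | refused_counts
echo "--- clients to notify the Duty Op about (3 or more refusals):"
printf '%s\n' "$SAMPLE_LOG" | refused_counts | over_threshold 3
```

On a live system the input would be the syslog file that receives tcpd's facility (run tcpdchk, listed under H.3, to confirm the wrappers configuration is the one you think is in force before trusting the counts).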