Abstracts of Recent Articles and Literature
vendors as soon as holes are found in products, and some forward vendors' security bulletins to subscribers. CERT and FIRST have joined forces with networking and Unix vendors to modify the TCP/IP protocol. They aim to close a loophole which hackers could use to overwhelm a network's security, partly by flooding it with bogus log-in requests. CERT relies on users volunteering information about break-ins, but the organization cannot issue detailed warnings about security problems until patches are available - by which time hackers may have had a field day. CERT and its sister bodies have no powers of search, arrest or investigation, and security experts agree that keeping the problem-solving process distinct from criminal investigation is vital. Just as important is the debate over openness and publicity in combating hacking. Controversy revolves around whether CERT and users should publicize loopholes in the hope that systems administrators will plug these gaps. As hacking increases and the focus of hackers switches to more serious crimes, bodies such as CERT will inevitably be overwhelmed unless companies change. A more open attitude to security is required, especially in the relatively secretive world of IT. Ultimately, users cannot rely on CERT for protection - they have to tackle security problems themselves. FIRST and CERT have already
started discussing how to develop more proactive education initiatives. Computing, October 11, 1996, pp. 26-27.

Managers get third access security spec, Joe Paone. Microsoft has proposed a new security standard called, at least temporarily, Yet Another Authentication Protocol (YAAP). This puts the future of two other protocols - Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) - in jeopardy. The standards are intended to help maintain user identification, authentication, authorization and accounting policies. By implementing the standards' features, network managers can ensure that users dialling in to networks are accessing only the information and applications for which they are authorized. RADIUS and TACACS+ are widely supported by authentication and remote-access server vendors, but the standards are only moderately used by network managers. Microsoft is planning to take the best virtues of RADIUS and TACACS+ and combine them with new technology to create a new protocol. YAAP is still in draft stage and so far contains only a list of requirements for what a new protocol should do. Opponents of the proposal fear YAAP is a typical move by Microsoft to gain control of a technology and advance its own agenda. LAN Times, September 16, 1996.
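The RADIUS authentication exchange the abstract refers to, as an added example that is not part of the original abstract or of any vendor's code: the remote-access server (the RADIUS client) hides the User-Password under the shared secret and sends an Access-Request; the RADIUS server checks it and answers with an Access-Accept or Access-Reject whose Response Authenticator is an MD5 digest keyed with the same shared secret. The packet layout, password hiding and authenticator follow RFC 2865; the user name, password, shared secret and user database are constructed test values.

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept exchange.

Added example, not code from the abstracted article. Only the User-Name and
User-Password attributes are used; everything else is omitted for brevity.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password.ljust(max(16, ((len(password) + 15) // 16) * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block  # chaining uses the *ciphertext* block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side of hide_password(); strips the zero padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, includes the 2 header bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Returns (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return code, ident, data[4:20], attrs


def response_authenticator(code: int, ident: int, request_authenticator: bytes, attrs, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def client_access_request(username: bytes, password: bytes, secret: bytes, ident: int = 1):
    """Remote-access server side: returns (request_authenticator, packet)."""
    ra = os.urandom(16)  # fresh, unpredictable Request Authenticator per request
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, secret, ra))]
    return ra, build_packet(ACCESS_REQUEST, ident, ra, attrs)


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: check credentials, answer Access-Accept or Access-Reject."""
    code, ident, ra, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    got = dict(attrs)
    name, hidden = got.get(ATTR_USER_NAME), got.get(ATTR_USER_PASSWORD)
    ok = (name in users and hidden is not None
          and hmac.compare_digest(reveal_password(hidden, secret, ra), users[name]))
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = []  # a real server would add Framed-IP-Address, Session-Timeout, ...
    auth = response_authenticator(resp_code, ident, ra, resp_attrs, secret)
    return build_packet(resp_code, ident, auth, resp_attrs)


def client_verify_response(response: bytes, request_authenticator: bytes, secret: bytes, expected_ident: int):
    """Returns the response code, or None if the identifier or Response Authenticator
    does not match (spoofed reply, wrong secret, or tampered attributes)."""
    code, ident, auth, attrs = parse_packet(response)
    if ident != expected_ident:
        return None
    expected = response_authenticator(code, ident, request_authenticator, attrs, secret)
    if not hmac.compare_digest(auth, expected):
        return None
    return code


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # constructed test value
    USERS = {b"alice": b"correct horse battery"}   # constructed test database
    ra, req = client_access_request(b"alice", b"correct horse battery", SECRET, ident=7)
    print("accept" if client_verify_response(server_handle(req, SECRET, USERS), ra, SECRET, 7) == ACCESS_ACCEPT else "reject")
```

The checks worth noting are the ones a remote-access server actually relies on: the Response Authenticator is what stops an attacker on the path from injecting an Access-Accept, and it only holds if the shared secret is strong and the Request Authenticator is fresh. The User-Password hiding is an MD5 keystream, not a cipher; every other attribute travels in the clear, which is why RADIUS is meant for trusted management networks and why RADIUS over TLS (RFC 6614) was later specified for anything else.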