NIST Special Publication 800-46
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce
Security for Telecommuting and Broadband Communications
Recommendations of the National Institute of Standards and Technology
D. Richard Kuhn, Miles C. Tracy, and Sheila E. Frankel
NIST Special Publication 800-46
Security for Telecommuting and Broadband Communications
Recommendations of the National Institute of Standards and Technology
D. Richard Kuhn, Miles C. Tracy, and Sheila E. Frankel
COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
August 2002
U.S. Department of Commerce
Donald L. Evans, Secretary
Technology Administration
Phillip J. Bond, Under Secretary for Technology
National Institute of Standards and Technology
Arden L. Bement, Jr., Director
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-46
Natl. Inst. Stand. Technol. Spec. Publ. 800-46, xx pages (Mon. 2002)
CODEN:
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2002
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
Note to Readers
This document is a publication of the National Institute of Standards and Technology (NIST) and is not subject to U.S. copyright. D.R. Kuhn and S.E. Frankel are employees of NIST; M. Tracy is an employee of Booz Allen Hamilton (BAH). Certain commercial products are described in this document as examples only. Inclusion or exclusion of any product does not imply endorsement or non-endorsement by NIST or any agency of the U.S. Government. Inclusion of a product name does not imply that the product is the best or only product suitable for the specified purpose. Portions of this document were used with permission from Demystifying the IPsec Puzzle, by Sheila Frankel, Artech House Publishers, 2001.
For questions or comments on this document, contact Richard Kuhn at kuhn@nist.gov.
Acknowledgements
Murugiah Souppaya authored recommendations in Section 3.2. The authors wish to express their thanks to staff at NIST and BAH who reviewed drafts of this document. In particular, Timothy Grance, Murugiah Souppaya, Wayne Jansen, and John Wack of NIST and Alexis Feringa and Kevin Kulhkin of BAH provided valuable and substantial contributions to the technical content of this publication. Benjamin A. Kuperman of Purdue University provided an especially valuable critique.
Security for Telecommuting and Broadband Communications
Table of Contents
Table of Contents v
List of Figures vii
Executive Summary x
1 Introduction 1
1.1 Authority 1
1.2 Document Purpose and Scope 1
1.3 Audience and Assumptions 1
1.4 Document Organization 2
1.5 Background 2
2 Overview of Broadband Communication 4
2.1 Cable Modem Network Architecture 4
2.2 DSL Network Architecture 4
2.3 Satellite 5
2.4 Risks of Broadband Connections 6
3 Personal Firewalls 8
3.1 Firewall Features 10
3.2 Establishing a Secure Firewall Configuration 11
3.3 Running an Online Security Assessment 13
3.4 Summary Recommendations 14
4 Securing Web Browsers 15
4.1 Browser Plugins 1
4.2 ActiveX 17
4.3 JavaScript 18
4.4 Java Applets 19
4.5 Cookies 20
4.6 Internet Proxies 23
4.7 Summary Recommendations 25
5 Securing PC Configurations 26
5.1 Strong Passwords 26
5.2 Securing File and Printer Sharing 26
5.3 Reducing Operating System and Application Vulnerabilities 27
5.4 Anti-Virus Software 30
5.5 Protecting Yourself from E-mail Worms and Viruses 3
5.6 Spyware Removal Tools 32
5.7 Encryption Software to Protect Privacy 33
5.8 Summary Recommendations 36
6 Home Networking Technologies 37
6.1 Ethernet Networking 37
6.2 Phone-Line Networking 39
6.3 Power-Line Networking 40
6.4 Wireless Networking 41
6.5 Wireless Networking Security Issues 44
6.6 Summary Recommendations 46
7 Virtual Private Networks 47
7.1 VPN Security 47
7.2 VPN Modes of Operation 47
7.3 VPN Protocols 48
7.4 Peer Authentication 50
7.5 Policy Configuration 50
7.6 VPN Operation 5
7.7 Summary Recommendations 5
8 Telecommuting Architectures 53
8.1 Voice Communication 53
8.2 Electronic Mail 54
8.3 Document and Data Exchange 55
8.4 Selecting Components 56
8.5 Summary Recommendations 58
9 Organizational Considerations for Telecommuting Security 59
9.1 Controlling System Access 59
9.2 Protecting Internal Systems 60
9.3 Protecting Home Systems 61
9.4 Using Public Wireless LANs 63
Glossary 64
Appendix A. Security Checklists A-1
Home Computer Security Checklist A-1
Laptop Security Checklist A-2
Telecommuting Security Checklist A-3
Appendix B. Using Microsoft Baseline Security Advisor B-1
Downloading the MBSA Tool B-1
MBSA Welcome Window B-1
Scanning a Single Computer B-3
Scanning Multiple Computers B-5
Security Report B-7
Viewing a Security Report B-8
Additional Resources B-9
Appendix C. Using Windows Update C-1
Appendix D. Home Networking Installation Tips D-1
Appendix E. Online Resources E-1
Appendix F. References and Further Reading F-1
Index INDX-1
List of Figures
Figure 2.1: Cable Modem Connections to Internet 4
Figure 2.2: Satellite Broadband Network Architecture 5
Figure 2.3: 10-Day Record of Intrusion Attempts 6
Figure 3.1: Hardware Firewall Network Diagram 9
Figure 4.1: Netscape Plugins 16
Figure 4.2: Internet Explorer Plugins 17
Figure 4.3: Web Proxy Example 24
Figure 5.1: Windows Update Feature 29
Figure 5.2: Secret Key (Symmetric) Encryption 34
Figure 5.3: Public Key (Asymmetric) Encryption 35
Figure 7.1: VPN Example 48
Figure B.1: MBSA Welcome Screen B-2
Figure B.2: MBSA Navigation Menu B-2
Figure B.3: Unable to Scan All Computers Screen B-3
Figure B.4: Welcome Screen Options B-3
Figure B.5: Pick a Computer to Scan Screen B-4
Figure B.6: MBSA Scanning Screen B-5
Figure B.7: Pick Multiple Computers to Scan Screen B-5
Figure B.8: MBSA Scanning Screen B-6
Figure B.9: MBSA Scan Summary Information B-7
Figure B.10: MBSA Vulnerability Assessment B-8
Figure B.11: Pick a Security Report to View Screen B-9
Figure B.12: Print and Copy Options B-9
Figure C.1: Accessing Windows Update Through Internet Explorer C-
Figure C.2: Accessing Windows Update Through the 'Start' Menu C-2
Figure C.3: Windows Update Homepage C-2
Figure C.4: Windows Update Scan C-3
Figure C.5: Windows Update Recommended Updates C-4
Figure C.6: Windows Update Multiple Downloads Not Permitted Warning C-4
Figure C.7: Windows Update Download Checklist C-5
Figure C.8: Windows Update Confirmation and License Agreement C-5
Figure C.9: Windows Update Download Status Window C-6
Figure C.10: Windows Update Install Status Window C-6
Figure C.11: Windows Update Install Success Confirmation Window C-7
Figure C.12: Windows Update Restart Dialog Box C-7
List of Tables
Table 3.1: Manufacturers of Software Personal Firewalls 8
Table 3.2: Online Security Assessment Web Sites 13
Table 4.1: Cookie Management and Removal Tools 22
Table 4.2: Web Proxy Services 25
Table 8.1: Alternatives for Voice, E-mail, and File Transfer 56
Table 8.2: Summary of Telecommuting Architectures 58
Executive Summary
Telecommuting has become a popular trend in the workplace. As employees and organizations employ remote connectivity to corporate and government networks, the security of these remote endpoints becomes increasingly important to the overall security of a network. Accompanying and contributing to this trend is the explosive growth in the popularity of broadband connections for telecommuters. These developments complicate the process of securing organizational and home networks. This document assists organizations in addressing security issues by providing recommendations on securing a variety of applications, protocols, and networking architectures. Recommendations in this publication are designed for Federal agencies, but may be useful to commercial organizations and home users as well.
Home broadband architectures face a variety of threats that, while present on dial-up connections, are easier to exploit using the faster, always-on qualities of broadband connections. The relatively short duration of most dial-up connections makes it more difficult for attackers to compromise telecommuters dialed up to the Internet. "Always on" broadband connections provide attackers with the speed and communications bandwidth necessary to compromise home computers and networks. Ironically, as governmental and corporate organizations have hardened their networks and become more sophisticated at protecting their computing resources, they have driven some malicious entities to pursue other targets of opportunity. Telecommuters with broadband connections are these new targets of opportunity, both for their own computing resources and as an alternative method for attacking and gaining access to government and corporate networks.
Federal agencies and their employees can take a variety of actions to better secure their telecommuting and home networking resources:
All home networks connected to the Internet via a broadband connection should have some firewall device installed. Personal software firewalls installed on each computer are useful and effective, but separate, dedicated, and relatively inexpensive hardware firewalls that connect between the broadband connection and the telecommuter's computer or network can provide greater protection. NIST strongly recommends that organizations consider using both personal and hardware firewall devices for high-speed connections. When both a software personal firewall and a separate device are in operation, the organization can screen out intruders and identify any rogue software that attempts to transmit messages from the user's computer to an external system. See Section 3 for details.
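The screening described above, as an added example that is not code from NIST SP 800-46: a small Python script that reads constructed personal-firewall log lines, counts unsolicited inbound attempts per source address, and flags outbound attempts by programs that are not on an approved list. The log format, the program names, the addresses and the allowlist are all assumptions made for this illustration; real personal firewalls each use their own log layout, so the regular expression would need adjusting. The outbound check is the one only a host-based firewall can make, because only it sees which program opened the connection.

```python
"""Screen constructed personal-firewall log lines for two of the conditions the
summary describes: unsolicited inbound connection attempts and outbound
attempts by programs that are not on the user's approved list.

Added example; not code from NIST SP 800-46. The log format, field names,
program names and allowlist are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed log format: "<time> <direction> <action> <program> <remote_ip>:<port> <proto>"
LOG_PATTERN = re.compile(
    r"^(?P<time>\S+)\s+(?P<direction>IN|OUT)\s+(?P<action>ALLOW|BLOCK)\s+"
    r"(?P<program>\S+)\s+(?P<remote>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>TCP|UDP)$"
)

# Programs the telecommuter expects to talk to the Internet (constructed allowlist).
APPROVED_PROGRAMS = {"browser.exe", "mailclient.exe", "vpnclient.exe"}

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
09:00:01 OUT ALLOW browser.exe 198.51.100.10:80 TCP
09:00:05 IN BLOCK - 203.0.113.7:139 TCP
09:00:06 IN BLOCK - 203.0.113.7:445 TCP
09:00:09 OUT ALLOW mailclient.exe 198.51.100.20:110 TCP
09:00:12 OUT BLOCK svchost32.exe 203.0.113.99:6667 TCP
09:00:13 OUT BLOCK svchost32.exe 203.0.113.99:6667 TCP
09:00:20 OUT ALLOW vpnclient.exe 198.51.100.30:500 UDP
bogus line that does not match the format
"""


class Event(NamedTuple):
    time: str
    direction: str
    action: str
    program: str
    remote: str
    port: int
    proto: str


def parse_log(text: str) -> List[Event]:
    """Parse log lines; lines that do not match the constructed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_PATTERN.match(line.strip())
        if not m:
            continue
        events.append(Event(m["time"], m["direction"], m["action"], m["program"],
                            m["remote"], int(m["port"]), m["proto"]))
    return events


def rogue_outbound(events: List[Event], approved=APPROVED_PROGRAMS) -> Dict[str, Counter]:
    """Outbound attempts by programs not on the allowlist, counted per destination.
    Allowed or blocked does not matter here: an unexpected program trying to reach
    the outside at all is what the summary calls rogue software."""
    findings: Dict[str, Counter] = {}
    for e in events:
        if e.direction == "OUT" and e.program not in approved:
            findings.setdefault(e.program, Counter())[f"{e.remote}:{e.port}/{e.proto}"] += 1
    return findings


def inbound_probes(events: List[Event]) -> Counter:
    """Unsolicited inbound attempts counted per source address, so one host
    probing several ports shows up as a single noisy source."""
    return Counter(e.remote for e in events if e.direction == "IN")


def summarize(text: str) -> dict:
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {
        "parsed": len(events),
        "rogue_outbound": rogue_outbound(events),
        "inbound_probes": inbound_probes(events),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for program, dests in report["rogue_outbound"].items():
        for dest, n in dests.items():
            print(f"rogue egress: {program} -> {dest} ({n} attempts)")
    for src, n in report["inbound_probes"].most_common():
        print(f"inbound probes from {src}: {n}")
```

Run against the constructed sample, the script reports the unapproved program trying to reach one external host twice and a single source probing two file-sharing ports; in practice the allowlist would be built from the programs the organization actually issues to the telecommuter.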
Web browsers should be configured to limit vulnerability to intrusion. Web browsers also represent a threat of compromise and require additional configuration beyond the default installation. Browser plugins should be limited to only those required by the end user. Active code should be disabled or used only in conjunction with trusted sites. The browser should always be updated to the latest or most secure version. Privacy is always a concern with web browsers. The two greatest threats to this privacy are the use of cookies and monitoring of web browsing habits of users by third parties. Cookies can be disabled or selectively removed using a variety of built-in web browser features or third-party applications. See Section 4 for details.
Operating system configuration options should be selected to increase security. The default configuration of most home operating systems is generally inadequate from a security standpoint. File and printer sharing should almost always be disabled. The operating system