Outline for April 4, 1997

  1. Greetings and Felicitations
    1. Web page is now up and running; use
    2. Homework will be given out Monday
    3. Handout will be given out Wednesday
  2. Penetration study (Red teaming, Tiger teaming)
    1. A method of testing for problems
    2. Failure does not demonstrate security; success shows that security problems exist
    3. Goals must be set with respect to site policy
  3. Goals
    1. What's the policy?
    2. What's the criteria for success (gaining privileges, gaining access, finding a specific numbe of flaws, etc.)
    3. What are the constraints (money, time, etc.)
    4. Contrast Orange book testing with site testing
  4. Structure of the testing
    1. stage 1: external attacker with no knowledge (rare)
    2. stage 2: external attacker with access to the system (network, modem, etc.)
    3. stage 3: internal user with access to system
  5. Our test
    1. Two targets, not yet installed: one a Solaris system, another a DG/UX B2 system
    2. Split up into groups
    3. Work independently or together?
  6. System areas for first stage: network security
    1. Determine protocols
    2. Figure out how they should work
    3. Figure out how they DO work
  7. The protocols
    1. FTP, TFTP
    2. Finger
    3. SMTP
    4. RPC
    5. NFS
    6. NIS
    7. rsh/rcp
    8. LPD
    9. X protocol
    10. UUCP

You can get this document in Postscript, ASCII text, or Framemaker version 5.1.
Send email to cs253@csif.cs.ucdavis.edu.

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 4/9/97