
FIPS PUB 191

considering connecting their LANs to outside networks, particularly the Internet, should examine [BJUL93] before doing so.

If, after considering all authentication options, LAN policy determines that password-only systems are acceptable, the proper management of password creation, storage, expiration and destruction becomes all the more important. [FIPS 112] provides guidance on password management. [NCSC85] provides additional guidance that may be considered appropriate.

Because of the vulnerabilities that still exist with the use of password-only mechanisms, more robust mechanisms can be used. [BNOV91] discusses advances that have been made in the areas of token-based authentication and the use of biometrics. A smartcard-based or token-based mechanism requires that a user be in possession of the token and additionally may require the user to know a PIN or password. These devices then perform a challenge/response authentication scheme using realtime parameters. Using realtime parameters helps prevent an intruder from gaining unauthorized access through a login session playback. These devices may also encrypt the authentication session, preventing the compromise of the authentication information through monitoring and capturing.

Locking mechanisms for LAN devices, workstations, or PCs that require user authentication to unlock can be useful to users who must leave their work areas frequently. These locks allow users to remain logged into the LAN and leave their work areas (for an acceptable short period of time) without exposing an entry point into the LAN.

Modems that provide users with LAN access may require additional protection. An intruder that can access the modem may gain access by successfully guessing a user password. The availability of modem use to legitimate users may also become an issue if an intruder is allowed continual access to the modem.

Mechanisms that provide a user with his or her account usage information may alert the user that the account was used in an abnormal manner (e.g., multiple login failures). These mechanisms include notifications such as date, time, and location of last successful login, and number of previous login failures.

The types of security mechanisms that could be implemented to provide the identification and authentication service are listed below.

Mechanisms

•     password based mechanism,
•     smartcards/smart tokens based mechanism,
•     biometrics based mechanism,
•     password generator,
•     password locking,
•     keyboard locking,
•     PC or workstation locking,
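The challenge/response scheme with realtime parameters described above, as an added example that is not from FIPS 191: the server issues a single-use challenge carrying its issue time, the user's token answers with a keyed hash over it, and a captured response presented again (a login session playback) is rejected. HMAC-SHA256, the 30-second lifetime, and the user and secret values are assumptions; the standard prescribes no particular algorithm or parameters.

```python
import hashlib
import hmac
import os

CHALLENGE_LIFETIME = 30  # seconds a challenge stays valid (assumed policy value)

def token_response(secret: bytes, challenge: bytes) -> bytes:
    """What the user's token computes: a keyed hash over the server's challenge.
    HMAC-SHA256 is an assumption; FIPS 191 does not prescribe an algorithm."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class ChallengeResponseVerifier:
    """Server side: one outstanding challenge per user, consumed on first use."""

    def __init__(self, shared_secrets: dict):
        self._secrets = shared_secrets      # user -> secret shared with that user's token
        self._outstanding = {}              # user -> (challenge, issue_time)

    def issue_challenge(self, user: str, now: float) -> bytes:
        if user not in self._secrets:
            raise KeyError(user)
        # Realtime parameter: a random nonce plus the issue time, so every
        # challenge (and therefore every valid response) differs from the last.
        challenge = os.urandom(16) + int(now).to_bytes(8, "big")
        self._outstanding[user] = (challenge, now)
        return challenge

    def verify(self, user: str, response: bytes, now: float) -> bool:
        # pop() makes the challenge single-use: a second presentation of the
        # same response finds no outstanding challenge to match against.
        entry = self._outstanding.pop(user, None)
        if entry is None:
            return False
        challenge, issued = entry
        if now - issued > CHALLENGE_LIFETIME:
            return False                    # stale challenge, also rejected
        expected = token_response(self._secrets[user], challenge)
        return hmac.compare_digest(expected, response)

def playback_demo() -> tuple:
    """Constructed scenario: a legitimate login, then the same response replayed."""
    secret = b"constructed-shared-secret"   # constructed value, not a real credential
    server = ChallengeResponseVerifier({"alice": secret})
    challenge = server.issue_challenge("alice", now=1000.0)
    response = token_response(secret, challenge)             # computed by alice's token
    first = server.verify("alice", response, now=1002.0)     # genuine login succeeds
    replayed = server.verify("alice", response, now=1010.0)  # playback of the capture fails
    return first, replayed
```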