IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.107 Use of vendor resources
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
All vendors of IT systems or IT components offer various forms of support
and information for purchasers of their products. These include, for example,
assistance in dealing with problems (support, hotline, updates, patches etc.)
and access to information on security solutions (www sites, news groups,
mailing lists etc.). Some of these are free of charge, others are not.
Already when purchasing IT systems or products, consideration should be
given to the question of which forms of support provided by the vendor should
be taken up, especially when these incur ongoing costs.
Steps should be taken to ensure that for all IT systems and products used
regular checks are made as to whether new information regarding security
problems and possible solutions is available from the vendor. This is
especially important for all server operating systems as a security weakness on
the server can cause significantly more damage than one which affects only a
single IT system.
Security-specific updates, when these are not supplied directly from the
vendor on CD-ROM, should only be obtained from trustworthy sources, e.g.
from CERTs (see also S 2.35 Obtaining information on security weaknesses of
the system). Updates should be checked to ensure they are intact using
cryptographic methods (e.g. MD5, PGP) if they are offered appropriately
encrypted and digitally signed.
To ensure that security-relevant advice from the vendor can be accessed at any
time, a summary should be maintained for all operating systems and all major
IT products used. This should show clearly the www addresses where
security-specific updates and patches and information provided by the
operating system vendor can be found.
A table like the one set out below, which provides a summary of the relevant
links to known server operating systems, can be used for this purpose. The
lines marked with U contain the URLs for (security-specific) updates and
patches for the vendor concerned, while the lines marked with I contain the
addresses from where security-specific information can be obtained.
Berkeley Software Design, Inc. - BSD/OS
U ftp://ftp.bsdi.com/bsdi/patches/
I http://www.bsdi.com/services/support/
Caldera OpenLinux
U ftp://ftp.caldera.com/pub/openlinux/updates/
I http://www.calderasystems.com/support/security/
Deban Linux
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000