HP3000-L Archives

March 2004, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Johnson, Tracy" <[log in to unmask]>
Reply To: Johnson, Tracy
Date: Thu, 18 Mar 2004 14:46:28 -0500
Content-Type: text/plain

> -----Original Message-----
> Behalf Of Art Bahrs
> 
>     While there are issues of internal misconduct... the firewall logs and
> things like Snort are a good first defense, ACLs will help really well.
> But the best is the security on the 3k... which is usually so lax with
> respect to 'Best Practices' that any audit, internal or external, will
> produce 'Findings'.
> 
>     Passwords need to be a minimum of 7 characters (my current 'fav' is 13)
> and should have "special characters" (Not doable on a 3k at the OS level).
> Passwords should change every 90 days at a minimum or more often if the
> data is privileged.

I recall that one of the original determinants of password
"length" used to be the frequency of intrusion attempts 
versus the turnaround time of the speed of the connection.

If so many passwords could be attempted at 180bps the 
number of attempts to be successful over a period of
time was estimated and mitigated thus creating a 
minimum password length.

(Oh and let's not forget 3 bad passwords and DTR got
dropped, causing the attacker to take time to re-dial.)

Then the speed of serial connections got faster and
faster, so did the minimum password size.

Then came LANs and the Internet, and all bets were off
for password length.  One might as well compare them
to the length of the best current encryption key.

- - - - - - - - - - - - - - - - -

So the better bet these days is to peruse the logs
after the fact.  Because one will probably NOT find
them as they occur.


BT


Tracy Johnson
MSI Schaevitz Sensors 

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
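
The relationship described in the message above, worked through as an added example that is not part of the original post: guess rate follows from line speed and the redial penalty, and minimum length follows from how many guesses fit into one password lifetime. The 180 bps speed, 3 bad passwords per call and 90-day lifetime come from the thread; the characters per attempt, 30-second redial time, 36-character alphabet, one-in-a-million acceptable success probability and the LAN guess rate are assumptions.

```python
# Added illustration; every parameter value below is an assumption,
# except 180 bps, 3 bad passwords per call and the 90-day lifetime,
# which appear in the thread.

BITS_PER_CHAR = 10  # 8N1 async framing: start bit + 8 data bits + stop bit


def guesses_per_second(bps, chars_per_attempt=20, tries_per_call=3,
                       redial_seconds=0.0):
    """Sustained guess rate over a serial line.

    chars_per_attempt (prompt plus typed password) is an assumed figure.
    redial_seconds models DTR being dropped after tries_per_call failures;
    0 means no lockout.
    """
    seconds_per_try = chars_per_attempt * BITS_PER_CHAR / bps
    seconds_per_call = tries_per_call * seconds_per_try + redial_seconds
    return tries_per_call / seconds_per_call


def min_password_length(rate, lifetime_days, alphabet_size=36,
                        max_success_probability=1e-6):
    """Smallest length M such that guesses made in one password lifetime
    cover at most max_success_probability of the alphabet_size**M space."""
    guesses = rate * lifetime_days * 86400
    needed_space = guesses / max_success_probability
    length = 1
    while alphabet_size ** length < needed_space:
        length += 1
    return length


def scenarios(lifetime_days=90):
    """Return {label: minimum length} for a few constructed link types."""
    links = {
        "180 bps, redial after 3 bad tries": guesses_per_second(180, redial_seconds=30),
        "180 bps, no lockout": guesses_per_second(180),
        "9600 bps, redial after 3 bad tries": guesses_per_second(9600, redial_seconds=30),
        "9600 bps, no lockout": guesses_per_second(9600),
        "LAN, 1000 guesses/s (assumed)": 1000.0,
    }
    return {label: min_password_length(rate, lifetime_days)
            for label, rate in links.items()}


if __name__ == "__main__":
    for label, length in scenarios().items():
        print(f"{label:40s} -> minimum length {length}")
```

Under these assumptions the redial penalty dominates: with it, 180 bps and 9600 bps yield the same minimum length, while removing it makes the required length grow with line speed.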
