ITBPM S 4.107 Use of vendor resources

S 4.107 Use of vendor resources

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

All vendors of IT systems or IT components offer various forms of support and information for purchasers of their products. These include, for example, assistance in dealing with problems (support, hotline, updates, patches etc.) and access to information on security solutions (www sites, news groups, mailing lists etc.). Some of these are free of charge, others are not.

Even at the time of purchasing IT systems or products, consideration should be given to which forms of vendor support should be taken up, especially where these incur ongoing costs.

Steps should be taken to ensure that, for all IT systems and products in use, regular checks are made as to whether new information regarding security problems and possible solutions is available from the vendor. This is especially important for all server operating systems, as a security weakness on a server can cause significantly more damage than one which affects only a single IT system.

Security-specific updates that are not supplied directly by the vendor on CD-ROM should only be obtained from trustworthy sources, e.g. from CERTs (see also S 2.35 Obtaining information on security weaknesses of the system). If updates are offered appropriately encrypted and digitally signed, cryptographic methods (e.g. MD5, PGP) should be used to check that they are intact.
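The integrity check described above, as an added example that is not part of the original ITBPM text: it verifies downloaded update files against a vendor checksum manifest in md5sum/sha256sum line format and reports files that are modified, missing or referenced outside the update directory. File names and contents are constructed, and the result is only meaningful if the manifest itself comes from a trustworthy source or carries a verified signature (e.g. PGP). MD5 is accepted because the page names it; it is no longer collision-resistant, so SHA-256 is preferable where the vendor publishes it.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}  # by hex length
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")  # md5sum/sha256sum format

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):  # chunked: large archives
            h.update(block)
    return h.hexdigest()

def verify_manifest(manifest_text, update_dir):
    """Return {entry: status} for every line of a vendor checksum manifest."""
    root = Path(update_dir).resolve()
    results = {}
    for line in filter(str.strip, manifest_text.splitlines()):
        m = LINE_RE.match(line)
        digest, name = m.groups() if m else ("", line)
        algo = ALGO_BY_HEXLEN.get(len(digest))
        target = (root / name).resolve() if algo else None
        if target is None:
            results[name] = "UNPARSEABLE"
        elif root not in target.parents:  # entry points outside the update dir
            results[name] = "REJECTED_PATH"
        elif not target.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(file_digest(target, algo), digest.lower()):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    """Constructed sample: intact file, modified file, absent file, bad path."""
    with tempfile.TemporaryDirectory() as d:
        a, b = Path(d) / "patch-a.tar", Path(d) / "patch-b.tar"
        a.write_bytes(b"constructed patch A")
        b.write_bytes(b"constructed patch B")
        manifest = (f"{file_digest(a, 'sha256')}  {a.name}\n"
                    f"{file_digest(b, 'md5')}  {b.name}\n"
                    f"{'0' * 64}  patch-c.tar\n"
                    f"{'0' * 32}  ../outside.tar\n")
        b.write_bytes(b"modified after the manifest was written")
        return verify_manifest(manifest, d)
```

Any status other than OK should stop the update from being installed until the discrepancy is explained.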

To ensure that security-relevant advice from the vendor can be accessed at any time, a summary should be maintained for all operating systems and all major IT products used. This should show clearly the www addresses where security-specific updates and patches and information provided by the operating system vendor can be found.

A table like the one set out below, which provides a summary of the relevant links to known server operating systems, can be used for this purpose. The lines marked with U contain the URLs for (security-specific) updates and patches for the vendor concerned, while the lines marked with I contain the addresses from where security-specific information can be obtained.

Berkeley Software Design, Inc. - BSD/OS

U ftp://ftp.bsdi.com/bsdi/patches/
I http://www.bsdi.com/services/support/

Caldera OpenLinux

U ftp://ftp.caldera.com/pub/openlinux/updates/
I http://www.calderasystems.com/support/security/

Debian Linux

U http://cgi.debian.org/www-master/debian.org/security/ (German)
U http://cgi.debian.org/www-master/debian.org/security/index.en.html (English)
I http://www.debian.org/security
I http://www.debian.org/security/index.en.html

Digital Equipment Corporation - DEC

U http://www.service.digital.com/patches/
I http://www.unix.digital.com/

The FreeBSD Project - FreeBSD

U ftp://ftp.FreeBSD.org/pub/FreeBSD/
I http://www.freebsd.org/security/security.html

Hewlett Packard - HP

U http://europe-support.external.hp.com/
U http://us-support.external.hp.com/
U ftp://ftp.hp.com/pub/security/patches/
I http://europe-support.external.hp.com/
I http://us-support.external.hp.com/

IBM

U http://service.software.ibm.com/aixsupport/
I http://www.ers.ibm.com/tech-info/index.html

The OpenBSD Project - OpenBSD

U http://www.openbsd.org/errata.html
I http://www.openbsd.org/security.html

Red Hat Linux

U ftp://www.redhat.com/pub/updates/
U http://www.redhat.com/download/mirror.html
U http://www.redhat.com/corp/support/errata/index.html
I http://www.redhat.com/LinuxIndex/Administration/Security/

S.u.S.E. Linux

U ftp.suse.de/pub/suse_update/
I http://www.suse.de/de/support/security/index.html (English also)

Santa Cruz Operation - SCO

U ftp://ftp.sco.com/SSE/
I http://www.sco.com/security/

Silicon Graphics Inc. - SGI

U ftp://sgigate.sgi.com/patches/
I http://www.sgi.com/Support/security/security.html

Sun Microsystems Inc. - Sun

U http://sunsolve.sun.de/pub-cgi/us/pubpatchpage.pl
U http://sunsolve.sun.com/pub-cgi/us/pubpatchpage.pl (depending on address of the local SunSolve server)
I http://sunsolve.sun.de/sunsolve/securitypub.html
I http://sunsolve.sun.com/sunsolve/securitypub.html (depending on address of the local SunSolve server)

Windows NT

U http://www.microsoft.com/security/
I http://www.microsoft.com/security/

Novell

U http://support.novell.de/
U http://support.novell.com
I http://www.novell.com/corp/security/

Unfortunately, experience indicates that links change frequently, so it is important to check the list regularly to ensure that it is correct and, if necessary, to update it. For this reason no responsibility can be accepted for the material to be found on the links listed above, which has been provided for illustrative purposes.

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: January 2000