The Center for Internet Security (CIS) is offering free benchmarking tools designed to help users better secure their Windows 2000 systems, Cisco Systems routers, and Sun Microsystems Solaris systems—-the three common points intruders attack. CIS states the motive for the center's benchmarks in a document on the organization's Web site: "A key element currently missing in Internet security is useful and widely accepted, non-proprietary, security-enhancing benchmarks specifying in greater detail how systems should be configured and operated."
The center said it operates independently of vendor interests in order to provide impartial, objective guidance. The benchmarks consist of guidelines and downloadable tools that analyze and scan various aspects of system security. For Win2K, CIS offers its "Level 1 Benchmark and Scoring Tools," which consist of two documents (available in PDF format) and a scoring tool. For Cisco routers, the center offers its "CIS Level-1/Level-2 Benchmark and Audit Tool for Cisco IOS Routers." The package includes a router audit tool and two guideline documents (available in HTML and PDF format). The audit tool runs on UNIX and operates using Perl. The Solaris package contains one document (in PDF format) and one tool that scans and scores system security. All three packages are available at CIS' Web site, and the organization is in the process of developing similar packages for Linux, AIX, HP-UX, Windows NT, Win2K bastion hosts, Internet Information Services (IIS) 5.0, Apache, and Checkpoint's firewall and VPN solutions.
Companies and individuals can become members of the center, but membership isn't necessary to obtain the security packages that CIS currently offers. Yearly member dues for consultants, auditors, and commercial software companies is $11,000; for large user organizations, the cost is $7000; for small user organizations, the cost is $2000; and for individuals, the cost is $250. Membership benefits include having a voice in the development of security benchmarking packages, the right to redistribute benchmarking packages within an organization, notification of updates to packages, and the right to claim compliance with benchmarks as well as using CIS logo and having visibility in the center's roster of members. More information is available at the center's Web site.