NIST seeks comment on IT security guides

The National Institute of Standards and Technology has released draft versions of three publications for public comment. They include new publications on hash algorithms and Bluetooth security and a revised version of firewall guidelines.

SP 800-107, titled 'Recommendation for Applications Using Approved Hash Algorithms,' is in its second draft release. It provides guidelines for achieving the appropriate level of security when using approved hash functions.

Cryptographic hash functions compute a message digest, or hash, of a fixed length when run against the contents of a message, providing a way to authenticate a message. Government systems, except national security systems, must use approved cryptographic hash functions specified in Federal Information Processing Standard 180-3 in applications such as digital signatures, Keyed-Hash Message Authentication Codes and Hash-Based Key Derivation Functions. FIPS 180-3 specifies five approved hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.

Comments on these guidelines should be submitted via e-mail by Oct. 9 to [email protected] with "Comments on Draft 800-107" in the subject line.

Draft SP 800-121, titled 'Guide to Bluetooth Security,' describes the security capabilities of Bluetooth technologies and gives recommendations on securing them effectively.

Bluetooth is a protocol for personal area wireless networking commonly used to connect peripherals with desktop or handheld computing devices.

Much of this document originally was included in a draft of NIST's SP 800-48 Revision 1, 'Wireless Network Security for IEEE 802.11a/b/g and Bluetooth.' But because of comments received on that publication, the Bluetooth material has been placed in its own publication. NIST would like to receive comments on draft SP 800-121 by Aug. 22 to [email protected] with "Comments SP 800-121" in the subject line.

Draft SP 800-41 Revision 1, titled 'Guidelines on Firewalls and Firewall Policy,' updates the original publication released in 2002. It provides recommendations on developing firewall policies and selecting, configuring, testing, deploying and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, and host-based and personal firewalls.

'Network designers now often include firewall functionality at places other than the network perimeter to provide an additional layer of security, as well as to protect mobile devices that are placed directly onto external networks,' the guide states. 'Also, threats have gradually moved from lower layers of network traffic to the application layer, reducing the effectiveness of firewalls that focus on lower layers.'

Recommendations for firewall implementation include:
  • Creating a firewall policy that specifies how firewalls should handle network traffic.
  • Identifying all requirements that should be considered when determining which firewall to implement.
  • Picking rules that implement the organization's firewall policy while supporting firewall performance.
  • Managing firewall architectures, policies, software and other components throughout the life of the firewall solutions.

Comments on draft SP 800-41 Revision 1 should be sent by Aug. 15 to [email protected] with 'Comments SP 800-41' in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.

