NIST seeks comment on IT security guides

The National Institute of Standards and Technology has released draft versions of three publications for public comment. They include new publications on hash algorithms and Bluetooth security and a revised version of firewall guidelines.

SP 800-107, titled 'Recommendation for Applications Using Approved Hash Algorithms,' is in its second draft release. It provides guidelines for achieving the appropriate level of security when using approved hash functions.

Cryptographic hash functions compute a message digest, or hash, of a fixed length when run against the contents of a message, providing a way to authenticate a message. Government systems, except national security systems, must use the approved cryptographic hash functions specified in Federal Information Processing Standard 180-3 in applications such as digital signatures, Keyed-Hash Message Authentication Codes and Hash-Based Key Derivation Functions. FIPS 180-3 specifies five approved hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.

Comments on these guidelines should be submitted via e-mail by Oct. 9 to quynh.dang@nist.gov with "Comments on Draft 800-107" in the subject line.

Draft SP 800-121, titled 'Guide to Bluetooth Security,' describes the security capabilities of Bluetooth technologies and gives recommendations on securing them effectively.

Bluetooth is a protocol for personal area wireless networking commonly used to connect peripherals with desktop or handheld computing devices.

Much of this document was originally included in a draft of NIST's SP 800-48 Revision 1, 'Wireless Network Security for IEEE 802.11a/b/g and Bluetooth.' But because of comments received on that publication, the Bluetooth material has been placed in its own publication. Comments on draft SP 800-121 should be sent by Aug. 22 to 800-121comments@nist.gov with "Comments SP 800-121" in the subject line.

Draft SP 800-41 Revision 1, titled 'Guidelines on Firewalls and Firewall Policy,' updates the original publication released in 2002. It provides recommendations on developing firewall policies and selecting, configuring, testing, deploying and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based and personal firewalls.

'Network designers now often include firewall functionality at places other than the network perimeter to provide an additional layer of security, as well as to protect mobile devices that are placed directly onto external networks,' the guide states. 'Also, threats have gradually moved from lower layers of network traffic to the application layer, reducing the effectiveness of firewalls that focus on lower layers.'

Recommendations for firewall implementation include:
  • Creating a firewall policy that specifies how firewalls should handle network traffic.
  • Identifying all requirements that should be considered when determining which firewall to implement.
  • Picking rules that implement the organization's firewall policy while supporting firewall performance.
  • Managing firewall architectures, policies, software and other components throughout the life of the firewall solutions.

Comments on draft SP 800-41 Revision 1 should be sent by Aug. 15 to 800-41comments@nist.gov with 'Comments SP 800-41' in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.
