jew@rt.sunquest.com (/87336) (04/13/91)
I am trying to determine if we can tighten internet access security on
our systems. Under HP-UX, there is a /usr/adm/inetd.sec file that
allows you to deny or allow access to a range of hosts for each
service. Is there anything like that under Ultrix? Thanks in advance.
--
James E. Ward (jew@sunquest.com)
Confucius say... Nice guys finish last. -- Leo Durocher
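An added example, not part of the thread: a small Python evaluator for per-service host rules of the kind inetd.sec provides. It assumes the rule form `service allow|deny host ...` with four dotted address fields, each a literal, `*`, or an inclusive `a-b` range, that `#` starts a comment, and that a service with no rule is open to everyone; host and network names are left out. The rules file is constructed for the example.

```python
# Added example, not from the thread: evaluator for inetd.sec-style rules
# ("service allow|deny host ..."; address fields are a literal, '*' or 'a-b').
# Assumed semantics; only numeric four-field address patterns are handled.
from ipaddress import IPv4Address

def _field_matches(pattern: str, octet: int) -> bool:
    """One dotted-quad field: '*' (any), 'lo-hi' (inclusive range) or a literal."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= octet <= int(hi)
    return int(pattern) == octet

def host_matches(pattern: str, addr: str) -> bool:
    """True if numeric address `addr` falls inside a four-field address pattern."""
    fields = pattern.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four address fields: {pattern!r}")
    octets = str(IPv4Address(addr)).split(".")
    return all(_field_matches(p, int(o)) for p, o in zip(fields, octets))

def parse_rules(text: str) -> dict:
    """Map service -> (action, [address patterns]); '#' starts a comment."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            service, action, *hosts = line.split()
            if action not in ("allow", "deny"):
                raise ValueError(f"bad action in rule: {line!r}")
            rules[service] = (action, hosts)
    return rules

def is_permitted(rules: dict, service: str, addr: str) -> bool:
    """Unlisted service: open to all. allow: only matches get in. deny: matches refused."""
    if service not in rules:
        return True
    action, hosts = rules[service]
    matched = any(host_matches(h, addr) for h in hosts)
    return matched if action == "allow" else not matched

def unrestricted(rules: dict, services) -> list:
    """Defender's check: services inetd offers that no rule in the file covers."""
    return [s for s in services if s not in rules]

SAMPLE = """\
# constructed sample file, not from any real system
login   allow  10.3-5.*.*  192.168.1.1
shell   deny   10.7.*.*
telnet  allow  10.3-5.*.1-100
"""
RULES = parse_rules(SAMPLE)
```

Running `unrestricted(RULES, ["login", "ftp", "shell"])` reports `ftp` as the one offered service the sample file leaves open to every host.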
mogul@pa.dec.com (Jeffrey Mogul) (04/18/91)
In article <JEW.91Apr12104732@rt.sunquest.com> jew@rt.sunquest.com (/87336) writes:
>I am trying to determine if we can tighten internet access security on
>our systems. Under HP-UX, there is a /usr/adm/inetd.sec file that
>allows you to deny or allow access to a range of hosts for each
>service. Is there anything like that under Ultrix? Thanks in
>advance.

Not precisely the same thing, but Ultrix 4.2 will include the "screend"
program. If you use an Ultrix system as a router, screend will allow
you to control access at the router (instead of at the end system). This
is more convenient when you are dealing with a large collection of hosts
that have to be protected.

For more information, see my paper in Proc. USENIX Summer '89, or wait
for the documentation on the Ultrix 4.2 kit.

Several people have suggested that the screend mechanism be extended
to provide the same kind of function as on HP-UX. There would be some
performance problems with a simple-minded implementation of this idea,
but I might give it more thought.

-Jeff
emv@ox.com (Ed Vielmetti) (04/18/91)
In article <1991Apr18.010503.28085@pa.dec.com> mogul@pa.dec.com (Jeffrey Mogul) writes:
>Not precisely the same thing, but Ultrix 4.2 will include the "screend"
>program. If you use an Ultrix system as a router, screend will allow
>you to control access at the router (instead of at the end system). This
>is more convenient when you are dealing with a large collection of hosts
>that have to be protected.
>For more information, see my paper in Proc. USENIX Summer '89, or wait
>for the documentation on the Ultrix 4.2 kit.
I would bet that the software in
decuac.dec.com:/public/sources/screend.tar.Z
would give you a taste of what's in 4.2, though from looking at the
package it's a beta version rather than final product.
If you don't have the USENIX Summer '89 proceedings, the paper is in
this package (or at least the preprint is). It would appear that it
might also be available by mail to "wrl-techreports@decwrl.dec.com";
send a message with the subject "help" for more instructions. The
paper is "Simple and Flexible Datagram Access Controls for Unix-based
Gateways", March 1989.
Note that port-based router security doesn't help you at all if you
have evil people on the inside connecting to their accomplices
outside; even the most innocuous of "well-known ports" can be hijacked
to tunnel datagrams through. I don't recall the exact
reference, but I believe something along these lines was presented at
a Usenix by some Bell Labs folks; the name "greyer" (instead of
"blacker") comes to mind.
--
Msen Edward Vielmetti
/|--- moderator, comp.archives
emv@msen.com
"With all of the attention and publicity focused on gigabit networks,
not much notice has been given to small and largely unfunded research
efforts which are studying innovative approaches for dealing with
technical issues within the constraints of economic science."
RFC 1216