[comp.unix.ultrix] Internet security?

jew@rt.sunquest.com (/87336) (04/13/91)

I am trying to determine if we can tighten internet access security on
our systems.  Under HP-UX, there is a /usr/adm/inetd.sec file that
allows you to deny or allow access to a range of hosts for each
service.  Is there anything like that under Ultrix?  Thanks in
advance.


--
James E. Ward  (jew@sunquest.com)

Confucius say...
Nice guys finish last. -- Leo Durocher

mogul@pa.dec.com (Jeffrey Mogul) (04/18/91)

In article <JEW.91Apr12104732@rt.sunquest.com> jew@rt.sunquest.com (/87336) writes:
>I am trying to determine if we can tighten internet access security on
>our systems.  Under HP-UX, there is a /usr/adm/inetd.sec file that
>allows you to deny or allow access to a range of hosts for each
>service.  Is there anything like that under Ultrix?  Thanks in
>advance.

Not precisely the same thing, but Ultrix 4.2 will include the "screend"
program.  If you use an Ultrix system as a router, screend will allow
you to control access at the router (instead of at the end system).  This
is more convenient when you are dealing with a large collection of hosts
that have to be protected.

For more information, see my paper in Proc. USENIX Summer '89, or wait
for the documentation on the Ultrix 4.2 kit.

Several people have suggested that the screend mechanism be extended to
provide the same kind of function as on HP-UX.  There would be some
performance problems with a simple-minded implementation of this idea,
but I might give it more thought.

-Jeff
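
The two access-control styles discussed in this thread, as an added example that is not code from the thread, from HP-UX or from screend: an inetd.sec-style per-service host allow/deny list evaluated on the end system, and a screend-style datagram filter evaluated at a gateway, both built on one small host-pattern matcher. The pattern syntax (an octet wildcard `*`, an octet range `lo-hi`, omitted trailing octets treated as wildcards), the rule layouts, the open-by-default treatment of unlisted inetd services and the default-deny at the gateway are assumptions made for illustration, not the documented behaviour of either product.

```python
# Added example, not from the thread, HP-UX or screend. Models (1) an inetd.sec-style
# per-service host list on the end system and (2) a screend-style datagram filter at a
# router, sharing one address-pattern matcher. Pattern syntax, rule formats and the
# default decisions are assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


def match_addr_pattern(pattern: str, addr: str) -> bool:
    """True if dotted-quad addr matches pattern, compared octet by octet.
    '*' matches any octet, 'lo-hi' matches a range; omitted trailing octets
    count as wildcards (assumed syntax)."""
    p_parts = pattern.split(".")
    a_parts = addr.split(".")
    if len(a_parts) != 4 or not 1 <= len(p_parts) <= 4:
        return False
    for p, a in zip(p_parts, a_parts):
        n = int(a)
        if p == "*":
            continue
        if "-" in p:
            lo, hi = p.split("-", 1)
            if not int(lo) <= n <= int(hi):
                return False
        elif int(p) != n:
            return False
    return True


def parse_inetd_sec(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Parse 'service allow|deny host-pattern ...' lines; '#' starts a comment.
    One line per service, a later line for the same service replaces the earlier."""
    rules: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1].lower() not in ("allow", "deny"):
            raise ValueError(f"malformed inetd.sec line: {raw!r}")
        rules[fields[0]] = (fields[1].lower(), fields[2:])
    return rules


def inetd_allows(rules: Dict[str, Tuple[str, List[str]]], service: str, client_ip: str) -> bool:
    """Decide whether inetd should accept a connection to service from client_ip.
    A service with no entry is open to every host (assumed default)."""
    if service not in rules:
        return True
    action, patterns = rules[service]
    matched = any(match_addr_pattern(p, client_ip) for p in patterns)
    return matched if action == "allow" else not matched


@dataclass
class FilterRule:
    action: str               # "accept" or "reject"
    src: str                  # source address pattern
    dst: str                  # destination address pattern
    proto: str                # "tcp", "udp" or "*"
    dport: Union[int, str]    # destination port or "*"


def screen_datagram(rules: List[FilterRule], src: str, dst: str, proto: str, dport: int) -> bool:
    """Router-side decision: first matching rule wins; a datagram that matches no
    rule is dropped (default deny, an assumed policy choice)."""
    for r in rules:
        if (r.proto in ("*", proto)
                and r.dport in ("*", dport)
                and match_addr_pattern(r.src, src)
                and match_addr_pattern(r.dst, dst)):
            return r.action == "accept"
    return False


# Constructed sample inetd.sec for one end system (not a real file).
SAMPLE_INETD_SEC = """\
# service  action  hosts
telnet     allow   192.168.10.* 192.168.11.1-20
ftp        deny    10.0.200.*
"""
INETD_RULES = parse_inetd_sec(SAMPLE_INETD_SEC)

# Constructed gateway policy: 192.168.10.0/24 is the inside network. Note that the
# second rule lets any inside host reach any outside port; a port-based filter only
# sees addresses and ports, not what the connection carries.
GATEWAY_RULES = [
    FilterRule("accept", "*", "192.168.10.25", "tcp", 25),   # mail to the relay host
    FilterRule("accept", "192.168.10.*", "*", "*", "*"),     # inside hosts may go out
    FilterRule("reject", "*", "192.168.10.*", "*", "*"),     # all other inbound traffic
]


def demo() -> Dict[str, bool]:
    """A few decisions from both mechanisms, returned for inspection."""
    return {
        "telnet from 192.168.10.7": inetd_allows(INETD_RULES, "telnet", "192.168.10.7"),
        "telnet from 10.9.9.9": inetd_allows(INETD_RULES, "telnet", "10.9.9.9"),
        "ftp from 10.0.200.44": inetd_allows(INETD_RULES, "ftp", "10.0.200.44"),
        "inbound smtp to relay": screen_datagram(GATEWAY_RULES, "203.0.113.9", "192.168.10.25", "tcp", 25),
        "inbound telnet to relay": screen_datagram(GATEWAY_RULES, "203.0.113.9", "192.168.10.25", "tcp", 23),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {'allow' if verdict else 'deny'}")
```

The two decisions answer different questions: `inetd_allows` protects one service on one host, while `screen_datagram` protects every host behind the router with a single rule list, which is the convenience the reply above describes. The cost is that the router only sees addresses, protocol and port, so a permissive outbound rule like the second one passes whatever an inside host chooses to send.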

emv@ox.com (Ed Vielmetti) (04/18/91)

In article <1991Apr18.010503.28085@pa.dec.com> mogul@pa.dec.com (Jeffrey Mogul) writes:

   Not precisely the same thing, but Ultrix 4.2 will include the "screend"
   program.  If you use an Ultrix system as a router, screend will allow
   you to control access at the router (instead of at the end system).  This
   is more convenient when you are dealing with a large collection of hosts
   that have to be protected.

   For more information, see my paper in Proc. USENIX Summer '89, or wait
   for the documentation on the Ultrix 4.2 kit.

I would bet that the software in
	decuac.dec.com:/public/sources/screend.tar.Z 
would give you a taste of what's in 4.2, though from looking at the
package it's a beta version rather than final product.  

If you don't have the USENIX Summer '89 proceedings, the paper is in
this package (or at least the preprint is).  It would appear that it
might also be available by mail to "wrl-techreports@decwrl.dec.com";
send a message with the subject "help" for more instructions.  The
paper is "Simple and Flexible Datagram Access Controls for Unix-based
Gateways", March 1989.

Note that port-based router security doesn't help you at all if you
have evil people on the inside connecting to their accomplices
outside; even the most innocuous of "well-known ports" can be hijacked
to tunnel datagrams through.  I don't recall the exact
reference, but I believe something along these lines was presented at
a Usenix by some Bell Labs folks, the name "greyer" (instead of
"blacker") comes to mind.

-- 
 Msen	Edward Vielmetti
/|---	moderator, comp.archives
	emv@msen.com

"With all of the attention and publicity focused on gigabit networks,
not much notice has been given to small and largely unfunded research
efforts which are studying innovative approaches for dealing with
technical issues within the constraints of economic science."  
							RFC 1216