

Practical UNIX & Internet Security

Chapter 17: TCP/IP Services
 

17.2 Controlling Access to Servers

As it is delivered by most vendors, UNIX is intended to be a friendly and trusting operating system; by default, network services are offered to every other computer on the network. Unfortunately, this practice is not an advisable policy in today's networked world. While you may want to configure your network server to offer a wide variety of network services to computers on your organization's internal network, you probably want to restrict the services that your computer offers to the outside world.

A few UNIX servers have built-in facilities for limiting access based on the IP address or hostname of the computer making the service request.[5] For example, NFS allows you to specify which hosts can mount a particular filesystem, and nntp allows you to specify which hosts can read netnews. Unfortunately, these services are in the minority: most UNIX servers have no facility for host-by-host access control.

[5] Restricting a service by IP address or hostname is a fundamentally unsecure way to control access to a server. Unfortunately, because more sophisticated authentication services such as Kerberos and DCE are not in widespread use, address-based authentication is the only choice available at most sites.

There are several techniques that you can use for controlling access to servers that do not provide their own systems for access control. These include:

  • The tcpwrapper program written by Wietse Venema. tcpwrapper is a simple utility program that can be "wrapped" around existing Internet servers. The program allows you to restrict servers according to connecting host, and a number of other parameters. This program also allows incoming connections to be logged via syslog. It is described in Chapter 22, Wrappers and Proxies.

  • You can place a firewall between your server and the outside network. A firewall can protect an entire network, whereas tcpwrapper can only protect services on a specific machine. Unfortunately, most firewalls do not allow the fine-grained control that tcpwrapper permits, and do not permit the logging of accepted or rejected connections. Firewalls are described in Chapter 21, Firewalls.

We see tcpwrapper and firewalls as complementary technologies, rather than competing ones. For example, you can run tcpwrapper on each of your computers, and then protect your entire network with a firewall. This combination is an example of defense in depth, the philosophy of not depending on one particular technology for all your protection.
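The "wrapping" idea described above can be shown in a few lines of C. This is an added illustration, not Wietse Venema's tcpwrapper code and not from the book: it assumes the program is started by inetd with the client socket on descriptor 0, and the program name `wrapper` and the address prefixes in the allow list are constructed for the example. As the footnote warns, the check is only as trustworthy as the source address itself.

```c
/* Added illustration of the wrapper idea; not the real tcpwrapper source. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

/* Constructed allow list: address prefixes for hypothetical internal networks. */
static const char *ALLOWED_PREFIXES[] = { "192.168.1.", "10.0.5.", NULL };

/* Return 1 if the dotted-quad address begins with an allowed prefix, else 0. */
int host_allowed(const char *addr)
{
    for (int i = 0; ALLOWED_PREFIXES[i] != NULL; i++)
        if (strncmp(addr, ALLOWED_PREFIXES[i], strlen(ALLOWED_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* Write the IPv4 peer address of socket fd into buf; return 0 on success. */
int peer_address(int fd, char *buf, socklen_t len)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof sin;
    if (getpeername(fd, (struct sockaddr *)&sin, &slen) != 0 || sin.sin_family != AF_INET)
        return -1;
    return inet_ntop(AF_INET, &sin.sin_addr, buf, len) ? 0 : -1;
}

/* Usage (from inetd): wrapper /path/to/real/server [args...] */
int main(int argc, char **argv)
{
    char addr[INET_ADDRSTRLEN];
    openlog("wrapper", LOG_PID, LOG_DAEMON);
    if (argc < 2 || peer_address(0, addr, sizeof addr) != 0) {
        syslog(LOG_WARNING, "refused: cannot identify peer");
        return 1;                      /* fail closed */
    }
    if (!host_allowed(addr)) {
        syslog(LOG_WARNING, "refused connect from %s", addr);
        return 1;                      /* real server is never started */
    }
    syslog(LOG_INFO, "connect from %s to %s", addr, argv[1]);
    execv(argv[1], &argv[1]);          /* real server inherits the socket */
    syslog(LOG_ERR, "cannot exec %s", argv[1]);
    return 1;
}
```

Both accepted and refused connections are written to syslog before the real server runs, which is the logging the firewall in the second bullet typically does not give you.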

