17.2 Controlling Access to ServersAs it is delivered by most vendors, UNIX is intended to be a friendly and trusting operating system; by default, network services are offered to every other computer on the network. Unfortunately, this practice is not an advisable policy in today's networked world. While you may want to configure your network server to offer a wide variety of network services to computers on your organization's internal network, you probably want to restrict the services that your computer offers to the outside world. A few UNIX servers have built-in facilities for limiting access based on the IP address or hostname of the computer making the service request.[5] For example, NFS allows you to specify which hosts can mount a particular filesystem, and nntp allows you to specify which hosts can read netnews. Unfortunately, these services are in the minority: most UNIX servers have no facility for host-by-host access control.
There are several techniques that you can use for controlling access to servers that do not provide their own systems for access control. These include:
We see tcpwrapper and firewalls as complementary technologies, rather than competing ones. For example, you can run tcpwrapper on each of your computers, and then you protect your entire network with a firewall. This combination is an example of defense in depth, the philosophy of not depending on one particular technology for all your protection. |
|