Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 17.1 Understanding UNIX Internet ServersChapter 17
TCP/IP Services
Next: 17.3 Primary UNIX Network Services
 

17.2 Controlling Access to Servers

As it is delivered by most vendors, UNIX is intended to be a friendly and trusting operating system; by default, network services are offered to every other computer on the network. Unfortunately, this practice is not an advisable policy in today's networked world. While you may want to configure your network server to offer a wide variety of network services to computers on your organization's internal network, you probably want to restrict the services that your computer offers to the outside world.

A few UNIX servers have built-in facilities for limiting access based on the IP address or hostname of the computer making the service request.[5] For example, NFS allows you to specify which hosts can mount a particular filesystem, and nntp allows you to specify which hosts can read netnews. Unfortunately, these services are in the minority: most UNIX servers have no facility for host-by-host access control.

[5] Restricting a service by IP address or hostname is a fundamentally unsecure way to control access to a server. Unfortunately, because more sophisticated authentication services such as Kerberos and DCE are not in widespread use, address-based authentication is the only choice available at most sites.

There are several techniques that you can use for controlling access to servers that do not provide their own systems for access control. These include:

We see tcpwrapper and firewalls as complementary technologies, rather than competing ones. For example, you can run tcpwrapper on each of your computers, and then you protect your entire network with a firewall. This combination is an example of defense in depth, the philosophy of not depending on one particular technology for all your protection.


Previous: 17.1 Understanding UNIX Internet ServersPractical UNIX & Internet SecurityNext: 17.3 Primary UNIX Network Services
17.1 Understanding UNIX Internet ServersBook Index17.3 Primary UNIX Network Services