Internet Express for Tru64 UNIX Version 6.8 Administration Guide (14233)

9 Network Security Administration
This chapter describes how to manage the following network security components:
TCP Wrapper (Section 9.1: TCP Wrapper Administration)
FireScreen Firewall (Section 9.2: FireScreen Administration)
Snort Intrusion Detection System (Section 9.3: Snort Intrusion Detection System)
FreeRADIUS Server Administration (Section 9.4: FreeRADIUS Server Administration)
9.1 TCP Wrapper Administration
TCP Wrapper lets you control access to network services. TCP Wrapper intercepts an incoming
network connection and verifies whether the connection is allowed before passing it to the
actual network daemon. For example, you can restrict access to a network service, such as
telnet, so that all hosts outside the local domain are excluded. After you modify the access
setting for a service, you can use the Administration utility to test the modification.
9.1.1 Network Services Wrapped by Internet Express
During installation, the TCP service entries in the /etc/inetd.conf file that match the service
entries specified in the /usr/internet/security/config.tcp file are modified to include
the TCP Wrapper (tcpd) daemon. The syntax of service entries in the /etc/inetd.conf file
is:
ServiceName SocketType ProtocolName Wait/NoWait UserName ServerPath ServerArgs
On Tru64 UNIX Version 5.1 or later, the ProtocolName field for TCP services can be tcp or
tcp6, depending on the type of socket that the network service is using (that is, AF_INET or
AF_INET6). For example, the following entry appears in the /etc/inetd.conf file for the
telnetd service after installation:
telnet stream tcp6 nowait root /usr/bin/tcpd /usr/sbin/telnetd
Notice the placement of the TCP Wrapper daemon, /usr/bin/tcpd, in this entry. Also notice
that the ProtocolName field is tcp6. Services that specify tcp6 respond to both IPv4-enabled
and IPv6-enabled clients over either network protocol. For more information, see the inetd.conf(4)
reference page.
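The entry syntax above makes it easy to audit which TCP services on a system actually pass through /usr/bin/tcpd. The following shell function is an added example, not part of the original guide or the Internet Express software: it reads an inetd.conf-style file (the constructed sample below stands in for /etc/inetd.conf), selects the tcp and tcp6 entries, and reports whether each one's ServerPath is the TCP Wrapper daemon.

```shell
#!/bin/sh
# Audit inetd.conf for TCP services that are, or are not, passed through tcpd.
# Field order follows the inetd.conf(4) syntax quoted above:
#   ServiceName SocketType ProtocolName Wait/NoWait UserName ServerPath ServerArgs
# Usage: audit_tcpd [inetd.conf-path]   (defaults to /etc/inetd.conf)
# Output: one line per tcp/tcp6 entry: "<service> <proto> wrapped|UNWRAPPED"
audit_tcpd() {
    conf="${1:-/etc/inetd.conf}"
    awk -v tcpd="/usr/bin/tcpd" '
        $1 ~ /^#/ || NF < 6 { next }          # skip comments and incomplete lines
        $3 == "tcp" || $3 == "tcp6" {         # tcp6 entries serve IPv4 and IPv6 clients
            status = ($6 == tcpd) ? "wrapped" : "UNWRAPPED"
            print $1, $3, status
        }' "$conf"
}

# Constructed sample file (hypothetical, not a real Tru64 system file):
# two wrapped entries, one daemon still invoked directly, and a udp entry
# that tcpd does not cover.
SAMPLE="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE" <<'EOF'
# Internet server configuration database (constructed sample)
telnet  stream  tcp6  nowait  root  /usr/bin/tcpd      /usr/sbin/telnetd
ftp     stream  tcp   nowait  root  /usr/bin/tcpd      /usr/sbin/ftpd
finger  stream  tcp6  nowait  root  /usr/sbin/fingerd  fingerd
tftp    dgram   udp   wait    root  /usr/sbin/tftpd    tftpd /tmp
EOF

audit_tcpd "$SAMPLE"
```

Run against the real /etc/inetd.conf, any line marked UNWRAPPED is a TCP service whose access is not controlled by TCP Wrapper.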
Table 9-1 lists the network services that are wrapped by the Internet Express installation and the
default access setting for each service. (Section 9.1.3 explains how to modify access settings.)
To see a list of the services that are wrapped on your system, select Display/Update Configuration
from the TCP Wrapper Administration menu. The service name and description on this form
are retrieved from the /usr/internet/security/config.tcp file. Depending on which
services were installed on your system, you might not see all the services listed in this table.
Table 9-1 Network Services Wrapped by Internet Express
Network Service   Description                                                                      Default Access Setting
bootpd            Allows you to boot a remote system
cfgmgr            Works with the kernel load server, kloadsrv, to manage subsystems that are
                  dynamically configured or loaded
fingerd           Displays information about users on a remote system
ftpd              Transfers files to and from a remote system
imapd             Allows you to run the IMAP (Internet Message Access Protocol Version 4)
                  e-mail server
ntalkd            Notifies a user, or callee, on a remote system that a client, or caller, wants
                  to initiate a conversation with talk
9.1 TCP Wrapper Administration 171