Previous Topic: Protecting TCP/IP ServicesNext Topic: Using the TCP Class


Restricting TCP/IP Services

In an open network, any station can request services from other computers on the network. The TCP/IP protocol can be used to supply many services. Some of these services, such as rlogin, rcp, rsh, ftp, telnet, and rexec, are common to all UNIX‑based operating systems. Others are provided by in‑house and third‑party software.

CA ControlMinder intercepts the accept processes of TCP/IP at the host computer and determines whether the accept program should continue normally or be overridden. CA ControlMinder bases its decision on access rules governing hosts and services that you define. You can create TCP/IP access rules in the database to specify the computers and networks that are allowed to receive services such as file transfers, remote login, and remote shell from a specific computer.

The following examples show how TCP/IP access rules can be defined and set to efficiently block unwanted outsiders. If you have not yet had time to develop a complete database, you may want to let any station that is not defined in the database receive any service. If so, set the HOST record in the UACC class as follows:

chres UACC HOST defaccess(READ)

A station that is to have access rules for TCP/IP services from the local host is defined in a record in the database under the HOST class. For each of these stations, the services allowed are listed in the record. For example, the following command sequence defines a record for station ws5 and denies it from receiving any TCP/IP service from the local host:

newres HOST ws5
authorize HOST ws5 service(*) access(NONE)

The following command allows ws5 to perform telnet to the local computer:

authorize HOST ws5 service(telnet)

These settings allow users to telnet to the local computer, which means that the remote user must specify a user name and password before using the local system. To allow a station to receive all TCP/IP services from the local computer, you can use an asterisk in the service keyword. For example, the following command allows ws5 to invoke any TCP/IP service from the local computer:

authorize HOST ws5 service(*)

The service can be specified in several ways, some of which involve the port number. The port number is an identification number for a service. All services have port numbers, and the port numbers are mapped to the services in the file /etc/services. You can specify a service in the following ways:

For example, the following command permits ws5 to receive any TCP/IP service whose port number falls between 7045 and 7050:

authorize HOST ws5 service(7045-7050)

In many cases, it is more economical to define a group of hosts and set its permissions once, instead of making permissions for each individual computer. CA ControlMinder provides the GHOST class, where each GHOST record defines a group of hosts. To define a GHOST record and add hosts to its member list, enter the following commands:

newres GHOST gh1 mem(ws2, ws3, ws5)
authorize GHOST gh1 service(ftp)

The newres command defines a group of hosts called gh1 that contain the members ws2, ws3, and ws5. The authorize command allows all three stations to receive ftp (file transfer) services.

Managing host groups is easier than managing individual stations, but to supply more flexibility, CA ControlMinder also supports the definition of network access rules. Networks are defined in the HOSTNET class. For example, consider the following set of commands:

newres HOSTNET hn1 mask(255.555.0.0) match(192.168.0.0)
authorize HOSTNET hn1 service(*) access(NONE)
authorize HOSTNET hn1 service(ftp)

Another method CA ControlMinder provides for defining TCP/IP access rules is name‑pattern access rules. CA ControlMinder supports the definition of generic records in the HOSTNP class (host name pattern) with wildcards.

Note: For information on how CA ControlMinder performs string matching, see the selang Reference Guide.

For example, the following command sequence permits all hosts whose names start with the characters “lin” and end with the characters “.org.com” to receive all TCP/IP services on the local host:

newres HOSTNP lin*.org.com
authorize HOSTNP lin*.org.com service(*).

Note: Hosts that are managed by NIS must be identified by their official names that appear in a NIS map and not by their aliases. The chart in the following section summarizes the TCP/IP check flow.