TCP/IP Security
For any number of reasons, the person who administers your system may have to meet a certain level of security. For instance, the security level might be a matter of corporate policy. Or a system might need access to U.S. government systems and thus be required to communicate at a certain security level. These security standards might be applied to the network, the operating system, application software, even programs written by the person who administers your system.
This section describes the security features provided with Transmission Control Protocol/Internet Protocol (TCP/IP), both in standard mode and as a secure system, and discusses some security considerations that are appropriate in a network environment.
The topics discussed in this section are:
Operating System-Specific Security
Many of the security features available for TCP/IP are based on those available through the operating system. The following sections outline TCP/IP security.
Access Control
The security policy for networking is an extension of the security policy for the operating system, and it consists of the following major components:
- User authentication
- Connection authentication
- Data import and export security
User authentication is provided at the remote host by a user name and password, the same as when a user logs in to the local system. Trusted TCP/IP commands, such as ftp, rexec, and telnet, have the same requirements and go through the same verification process as trusted commands in the operating system.
Connection authentication is provided to ensure that the remote host has the expected Internet Protocol (IP) address and name. This prevents a remote host from masquerading as another remote host, but only to the extent that the address and name resolution it relies on can be trusted; a forged source address or a compromised name server defeats it.
Data import and export security permits data at a specified security level to flow to and from network interface adapters at the same security and authority levels. For example, top secret data can flow only between adapters that are set to the top secret security level.
Auditing
Network auditing is provided by TCP/IP, using the audit subsystem to audit both kernel network routines and application programs. The purpose of auditing is to record those actions that affect the security of the system and the user responsible for those actions.
The following types of events are audited:
Kernel Events
Change configuration
Change host ID
Change route
Connection
Create socket
Export object
Import object
Application Events
Access the network
Change configuration
Change host ID
Change static route
Configure mail
Connection
Export data
Import data
Write mail to a file
Creation and deletion of objects are audited by the operating system itself. While an application writes its own audit record for an action, it suspends kernel auditing and resumes it afterwards, so that a single action is not recorded twice.
Network Trusted Computing Base (NTCB)
The Network Trusted Computing Base consists of hardware and software for ensuring network security. The hardware security features are provided by the network adapters used with TCP/IP. The software portion of the NTCB contains only trusted processes and their associated files.
Trusted Path, Trusted Shell, and Secure Attention Key (SAK)
The operating system provides the trusted path to prevent unauthorized programs from reading data from a user terminal. This path is used when a secure communication path with the system is required, such as when you are changing passwords or logging in to the system. The operating system also provides the trusted shell feature (tsh), which executes only trusted programs that have been tested and verified as secure. TCP/IP supports both of these features, along with the secure attention key (SAK), which establishes the environment necessary for secure communication between you and the system. The local SAK is available whenever you are using TCP/IP. A remote SAK is available through the telnet command.
The local SAK has the same function in telnet that it has in other operating system application programs: it terminates the telnet process and all other processes associated with the terminal in which telnet was running. Inside the telnet program, however, you can send a request for a trusted path to the remote system using the telnet send sak command (while in telnet command mode). You can also define a single key to initiate the SAK request using the telnet set sak command.
TCP/IP-Specific Security
Some portions of security are specific to TCP/IP. These features (TCP/IP commands and TCP/IP trusted processes) work together with the operating system security features discussed above to provide the security for TCP/IP.
TCP/IP Command Security
Some commands in TCP/IP provide a secure environment during operation. These commands are ftp, rexec, and telnet. The ftp function provides security during file transfer. The rexec command provides a secure environment for executing commands on a foreign host. The telnet (TELNET) function provides security for login to a foreign host.
These commands provide security during their operation only. That is, they do not set up a secure environment for use with other commands. For securing your system for other operations, use the securetcpip command. This command gives you the ability to secure your system by disabling the nontrusted daemons and applications, and by giving you the option of securing your IP layer network protocol as well.
The ftp, rexec, securetcpip, and telnet commands provide the following forms of system and data security:
securetcpip
The securetcpip command enables TCP/IP security features. Access to commands that are not trusted is removed from the system when this command is issued. Each of the following commands is removed by running the securetcpip command:
The securetcpip command is used to convert a system from the standard level of security to a higher security level. Once your system has been converted, you do not need to issue the securetcpip command again unless you reinstall TCP/IP.
ftp
The ftp command provides a secure environment for transferring files. When a user invokes the ftp command to a foreign host, the user is prompted for a login ID. A default login ID is shown: the user's current login ID on the local host. The user is prompted for a password for the remote host.
The automatic login process searches the local user's $HOME/.netrc file for the user's ID and password to use at the foreign host. For security, the permissions on the $HOME/.netrc file must be set to 600 (read and write by owner only). Otherwise, automatic login fails.
Note: Since use of the .netrc file requires storage of passwords in a nonencrypted file, the automatic login feature of the ftp command is not available when your system has been configured with the securetcpip command. This feature can be reenabled by removing the ftp command from the tcpip: stanza in the /etc/security/config file.
To use the file transfer function, the ftp command requires two TCP/IP connections: a primary (control) connection that carries the File Transfer Protocol (FTP) commands, and a secondary connection for each data transfer. The primary connection is the one on which the user authenticated, so it is the reference point. Before any data is transferred, both the local and the remote host verify that the peer of the secondary connection is the same host as the peer of the primary connection. If the primary and secondary connections are not established with the same host, the ftp command first displays an error message stating that the data connection was not authenticated, and then it exits. This verification of the secondary connection prevents a third host from inserting itself into the data transfer and intercepting data intended for another host.
rexec
The rexec command provides a secure environment for executing commands on a foreign host. The user is prompted for both a login ID and a password.
An automatic login feature causes the rexec command to search the local user's $HOME/.netrc file for the user's ID and password on a foreign host. For security, the permissions on the $HOME/.netrc file must be set to 600 (read and write by owner only). Otherwise, automatic login fails.
Note: Because use of the .netrc file requires storage of passwords in a nonencrypted file, the automatic login feature of rexec is not available when your system is operating in secure mode. This feature can be reenabled by removing the rexec entry from the tcpip: stanza in the /etc/security/config file.
telnet or tn
The telnet (TELNET) command provides a secure environment for login to a foreign host. The user is prompted for both a login ID and a password. The user's terminal is treated just like a terminal connected directly to the host. That is, access to the terminal is controlled by permission bits. Other users (group and other) do not have read access to the terminal, but they can write messages to it if the owner gives them write permission. The telnet command also provides access to a trusted shell on the remote system through the secure attention key (SAK). This key sequence differs from the sequence that invokes the local trusted path and can be defined within the telnet command.
Remote Command Execution Access (/etc/hosts.equiv)
Users on the hosts listed in the /etc/hosts.equiv file can run certain commands on your system without supplying a password.
Remote Command Execution Access Tasks

Web-based System Manager: wsm network fast path (Network application)
-OR-

Task                                                  SMIT Fast Path      Command or File
List Remote Hosts That Have Command Execution Access  smit lshostsequiv   view /etc/hosts.equiv
Add a Remote Host for Command Execution Access        smit mkhostsequiv   *edit /etc/hosts.equiv
Remove a Remote Host from Command Execution Access    smit rmhostsequiv   *edit /etc/hosts.equiv

For more information about file procedures preceded by an asterisk (*), refer to the "hosts.equiv File Format for TCP/IP" in the AIX Version 4.3 Files Reference.
Restricted File Transfer Program Users (/etc/ftpusers)
Users listed in the /etc/ftpusers file are protected from remote FTP access. For example, suppose user ross is logged into a remote system, and he knows the password of user carl on your system. If carl is listed in /etc/ftpusers, ross will not be able to FTP files to or from carl's account, even though ross knows carl's password.
Remote FTP Users Tasks

Web-based System Manager: wsm network fast path (Network application)
-OR-

Task                         SMIT Fast Path     Command or File
List Restricted FTP Users    smit lsftpusers    view /etc/ftpusers
Add a Restricted User        smit mkftpusers    *edit /etc/ftpusers
Remove a Restricted User     smit rmftpusers    *edit /etc/ftpusers

For more information about file procedures preceded by an asterisk (*), refer to the "ftpusers File Format for TCP/IP" in the AIX Version 4.3 Files Reference.
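Two checks an administrator would want to run against the files described in the two preceding sections, written here as an added example in POSIX sh (this is not code from the AIX documentation or the product). hosts_equiv_audit flags /etc/hosts.equiv entries that extend trust beyond one named host and one named user: a bare + in the host field (every host is trusted), a +@netgroup entry, or a + in the user field (any user on that host may log in as any local user). ftpusers_check confirms that the accounts you name are present in /etc/ftpusers and therefore denied remote FTP access. Treating lines that begin with # as comments, and the list of system accounts used in the standalone run, are assumptions to adjust for your own system.

```shell
#!/bin/sh
# Added example, not part of the AIX documentation.
# Audits /etc/hosts.equiv for over-broad trust and /etc/ftpusers for
# missing privileged accounts.  Plain POSIX sh; no AIX-specific commands.

# hosts_equiv_audit FILE
# Prints every entry that trusts more than one named host and one named user.
# Returns 0 if the file is clean, 1 if at least one risky entry was found.
hosts_equiv_audit() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank line or comment (assumed format)
        esac
        set -- $line                      # fields: host [user]
        host=$1
        user=${2:-}
        reason=
        case "$host" in
            +)   reason="any host on the network is trusted" ;;
            +@*) reason="every member of netgroup ${host#+@} is trusted" ;;
        esac
        case "$user" in
            +)   reason="${reason:+$reason; }any user on $host may log in as any local user" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'RISKY    %-24s %s\n' "$line" "$reason"
            bad=1
        fi
    done < "$file"
    return $bad
}

# ftpusers_check FILE USER...
# For each USER, reports whether it is listed in FILE (denied remote FTP).
# Returns 0 if every USER is listed, 1 if any is still reachable over FTP.
ftpusers_check() {
    file=$1
    shift
    missing=0
    for u in "$@"; do
        if grep -qxF "$u" "$file" 2>/dev/null; then
            printf 'DENIED   %s\n' "$u"
        else
            printf 'ALLOWED  %s  (not in %s)\n' "$u" "$file"
            missing=1
        fi
    done
    return $missing
}

# Standalone use:  sh trust_audit.sh --audit
# The account list below is an assumed set of typical system accounts.
if [ "${1:-}" = "--audit" ]; then
    hosts_equiv_audit /etc/hosts.equiv
    ftpusers_check /etc/ftpusers root daemon bin sys adm uucp nobody
fi
```

Entries prefixed with - are deny entries and are deliberately not flagged; a hostname on its own is the intended, narrow form of trust and is also left alone.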
Trusted Processes
A trusted program, or trusted process, is a shell script, a daemon, or a program that meets a particular standard of security. These security standards are set and maintained by the U.S. Department of Defense in the Trusted Computer System Evaluation Criteria (TCSEC), which also certifies some trusted programs.
Trusted programs are trusted at different levels. The TCSEC levels are D, C1, C2, B1, B2, B3, and A1, with D providing minimal protection and A1 the highest security level. Each security level must meet certain requirements. For example, the C2 level of security incorporates the following standards:
program integrity
Ensures that the process will do what it is supposed to do, no more and no less.
modularity
Means that the process source code is broken down into modules that cannot be directly affected or accessed by other modules.
principle of least privilege
States that at all times a user is operating at the lowest level of privilege authorized. That is, if a user has access only to view a certain file, then the user does not inadvertently also have access to alter that file.
limitation of object reuse
Keeps a user from, for example, accidentally stumbling across a section of memory that has been flagged for overwriting but not yet cleared, and may contain sensitive material.
TCP/IP contains several trusted daemons and many nontrusted daemons. The trusted daemons have been tested to ensure that they operate within particular security standards.
Examples of trusted daemons are:
ftpd
rexecd
telnetd
Examples of nontrusted daemons are:
rshd
rlogind
tftpd
For a system to be trusted, it must operate with a trusted computing base. This means, for a single host, that the machine must be secure. For a network, this means that all file servers, gateways, and other hosts must be secure.
Network Trusted Computing Base (NTCB)
The network contains both hardware and software mechanisms to implement the networking security features. This section defines the components of the Network Trusted Computing Base as they relate to TCP/IP.
The hardware security features for the network are provided by the network adapters used with TCP/IP. These adapters are programmed to accept only frames addressed to the local system, plus broadcast frames that are receivable by all systems. This is a filtering convenience rather than a confidentiality guarantee: a privileged user can place an adapter in promiscuous mode and receive every frame on the segment, so data on the wire remains visible to any host that chooses to listen.
The software component of the NTCB consists of only those programs that are considered trusted. The programs and associated files that are part of a secure system are listed in the following tables on a directory-by-directory basis.
/etc Directory

Name          Owner   Group    Mode   Permissions
gated.conf    root    system   0664   rw-rw-r--
gateways      root    system   0664   rw-rw-r--
hosts         root    system   0664   rw-rw-r--
hosts.equiv   root    system   0664   rw-rw-r--
inetd.conf    root    system   0644   rw-r--r--
named.conf    root    system   0644   rw-r--r--
named.data    root    system   0664   rw-rw-r--
networks      root    system   0664   rw-rw-r--
protocols     root    system   0644   rw-r--r--
rc.tcpip      root    system   0774   rwxrwxr--
resolv.conf   root    system   0644   rw-r--r--
services      root    system   0644   rw-r--r--
3270.keys     root    system   0664   rw-rw-r--
3270keys.rt   root    system   0664   rw-rw-r--

/usr/bin Directory

Name          Owner   Group    Mode   Permissions
host          root    system   4555   r-sr-xr-x
hostid        bin     bin      0555   r-xr-xr-x
hostname      bin     bin      0555   r-xr-xr-x
finger        root    system   0755   rwxr-xr-x
ftp           root    system   4555   r-sr-xr-x
netstat       root    bin      4555   r-sr-xr-x
rexec         root    bin      4555   r-sr-xr-x
ruptime       root    system   4555   r-sr-xr-x
rwho          root    system   4555   r-sr-xr-x
talk          bin     bin      0555   r-xr-xr-x
telnet        root    system   4555   r-sr-xr-x

/usr/sbin Directory

Name          Owner   Group    Mode   Permissions
arp           root    system   4555   r-sr-xr-x
fingerd       root    system   0554   r-xr-xr--
ftpd          root    system   4554   r-sr-xr--
gated         root    system   4554   r-sr-xr--
ifconfig      bin     bin      0555   r-xr-xr-x
inetd         root    system   4554   r-sr-xr--
named         root    system   4554   r-sr-xr--
ping          root    system   4555   r-sr-xr-x
rexecd        root    system   4554   r-sr-xr--
route         root    system   4554   r-sr-xr--
routed        root    system   0554   r-xr-xr--
rwhod         root    system   4554   r-sr-xr--
securetcpip   root    system   0554   r-xr-xr--
setclock      root    system   4555   r-sr-xr-x
syslogd       root    system   0554   r-xr-xr--
talkd         root    system   4554   r-sr-xr--
telnetd       root    system   4554   r-sr-xr--

/usr/ucb Directory

Name          Owner   Group    Mode   Permissions
tn            root    system   4555   r-sr-xr-x

/var/spool/rwho Directory

Name              Owner   Group    Mode   Permissions
rwho (directory)  root    system   0755   drwxr-xr-x
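The tables above are only useful if something compares them against the running system. The following added example, written in POSIX sh and not part of the AIX documentation or product, audits a subset of the NTCB rows (path, owner, group, symbolic permissions) and reports OK, MISMATCH or MISSING for each; the same check_one routine also covers the requirement from the ftp and rexec sections that $HOME/.netrc be mode 600. It parses ls -ld rather than stat so that it runs unchanged on AIX and on any other POSIX system. The rows embedded in ntcb_expected are copied from the tables above but are deliberately incomplete; a dash in the owner or group column means that field is not checked.

```shell
#!/bin/sh
# Added example, not part of the AIX documentation.
# Verifies NTCB file ownership and permissions against the expected table,
# and checks $HOME/.netrc for the mode 600 that ftp/rexec automatic login needs.

# Expected rows: path owner group symbolic-permissions.
# Subset of the NTCB tables; extend with the remaining rows as needed.
ntcb_expected() {
    cat <<'EOF'
/etc/hosts.equiv   root system rw-rw-r--
/etc/inetd.conf    root system rw-r--r--
/etc/services      root system rw-r--r--
/usr/bin/ftp       root system r-sr-xr-x
/usr/bin/telnet    root system r-sr-xr-x
/usr/sbin/ftpd     root system r-sr-xr--
/usr/sbin/inetd    root system r-sr-xr--
/usr/sbin/telnetd  root system r-sr-xr--
EOF
}

# check_one PATH OWNER GROUP PERMS
# OWNER or GROUP may be '-' to skip that comparison.
# Prints one status line; returns 0 on match, 1 if missing or different.
check_one() {
    path=$1 want_owner=$2 want_group=$3 want_perm=$4
    if [ ! -e "$path" ]; then
        printf 'MISSING  %s\n' "$path"
        return 1
    fi
    # ls -ld prints: <type+perms> <links> <owner> <group> <size> <date...> <name>
    set -- $(ls -ld "$path")
    have_perm=$(printf '%s' "$1" | cut -c2-10)   # drop type char and any '+'/'.' suffix
    have_owner=$3
    have_group=$4
    if [ "$have_perm" = "$want_perm" ] \
       && { [ "$want_owner" = - ] || [ "$have_owner" = "$want_owner" ]; } \
       && { [ "$want_group" = - ] || [ "$have_group" = "$want_group" ]; }; then
        printf 'OK       %s\n' "$path"
        return 0
    fi
    printf 'MISMATCH %s: have %s %s %s, want %s %s %s\n' \
        "$path" "$have_owner" "$have_group" "$have_perm" \
        "$want_owner" "$want_group" "$want_perm"
    return 1
}

# audit_ntcb: check every expected row; returns the number of failures (0 = all OK).
audit_ntcb() {
    failures=0
    while read -r p o g m; do
        [ -n "$p" ] || continue
        check_one "$p" "$o" "$g" "$m" || failures=$((failures + 1))
    done <<EOF
$(ntcb_expected)
EOF
    return $failures
}

# check_netrc [FILE]: the ftp/rexec automatic-login file must be rw------- and
# owned by the caller (ownership by the caller is this example's assumption;
# the documentation itself only states the 600 requirement).
check_netrc() {
    check_one "${1:-$HOME/.netrc}" "$(id -un)" - rw-------
}

# Standalone use:  sh ntcb_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_ntcb
    [ -e "$HOME/.netrc" ] && check_netrc
fi
```

The setuid entries (mode 4xxx, shown as r-s) are the rows most worth watching: a world-writable or wrongly owned setuid binary on this list is a direct path to root, and the kernel will happily honour it.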
Data Security and Information Protection
The security feature for TCP/IP does not encrypt user data transmitted through the network; this includes the login IDs and passwords exchanged by ftp, rexec, and telnet, which travel in cleartext. Therefore, it is suggested that users identify any risk in communication that could result in the disclosure of passwords and other sensitive information, and based on that risk, apply appropriate countermeasures.
The use of this product in a Department of Defense (DOD) environment may require adherence to DOD 5200.5 and NCSD-11 for communications security.
This article is from the ChinaUnix blog; for the original, see: http://blog.chinaunix.net/u/2984/showart_130532.html