Re: Access control and accountability


Charles Hedrick (hedrick@topaz.rutgers.edu)
Wed, 8 Apr 87 08:59:14 EDT


There are fairly widely-available patches to Unix to allow you to
control access to TCP. It restricts the ability to open a network
connection based on the network number. That is, you create a list of
"local" networks. (We assume you want users to be able to access
local machines, and are concerned only about the Arpanet, etc. If you
want to restrict all access, you can make this list empty.) Attempts
to open connections to networks not in this list fail unless the user
is in a certain specified user group. However, this does not control
daemons. E.g., mail will still work because the mailer has to have
network access. You will need to insert the access control in
sendmail also. We have done all of this stuff in the past, but are
not doing it now. It is nearly impossible to control mail. There are
now so many gateways that you can always find some machine on the
local network that will forward your mail to the Arpanet for you. Not
to mention UUCP or Bitnet to Arpanet gateways. However other services
should work. Cisco gateways allow access control lists to be attached
to various operations. This includes incoming and outgoing telnet
connections (applied only when the connection opens), and packets
going out a specified interface. We have an access control list on
our Arpanet gateway. The lists can use wildcards or individual hosts;
however, for performance reasons there is a limit to the number of
wildcard conditions you can have.

I know that people are working on accounting and performance
monitoring of the type you mention, but I don't know of anything that
is available now. Of course most gateways and TCP/IP implementations
maintain packet and event counts of various sorts. So if you just
mean counts of packets per interface in and out, the Unix TCP/IP
implementations and Cisco gateways do this. I presume other vendors'
gateways do as well.
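The connect-time policy the message describes (a list of "local" network numbers that are always reachable, everything else refused unless the user belongs to a designated group, and an empty list meaning all outside access is restricted) as an added illustration, not code from the message or from the Unix patches it refers to. It assumes 1987-style classful network numbers; the network list, group name and user names are constructed sample values.

```python
# Added illustration of the "local networks or privileged group" check.
# All names and addresses below are constructed sample values.
import ipaddress


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Return the classful (class A/B/C) network number containing addr."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8        # class A: one-octet network number
    elif first_octet < 192:
        prefix = 16       # class B: two-octet network number
    elif first_octet < 224:
        prefix = 24       # class C: three-octet network number
    else:
        raise ValueError(f"{addr}: class D/E address has no unicast network number")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class ConnectPolicy:
    """Decide, at connection-open time, whether user may reach dst."""

    def __init__(self, local_nets, privileged_group, group_members):
        # Empty local_nets restricts every destination to the privileged group.
        self.local_nets = {classful_network(n) for n in local_nets}
        self.privileged_group = privileged_group
        self.group_members = group_members      # group name -> set of users

    def may_connect(self, user: str, dst: str) -> bool:
        # Local network numbers are always allowed.
        if classful_network(dst) in self.local_nets:
            return True
        # Anything else (e.g. the Arpanet) needs the designated group.
        return user in self.group_members.get(self.privileged_group, set())


# Constructed example: one class B campus network, group "arpanet" may go out.
campus = ConnectPolicy(["128.6.0.0"], "arpanet", {"arpanet": {"hedrick"}})
locked = ConnectPolicy([], "arpanet", {"arpanet": {"hedrick"}})
```

Note that, as the message says, this check only covers user processes opening connections; a daemon such as the mailer still needs its own access control.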



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:38:07 GMT