Re: Access control and accountability

Howard Berkowitz (sundc!cos!howard@seismo.CSS.GOV)
8 Apr 87 14:46:42 GMT

In article <8704071037.AA04224@ucbvax.Berkeley.EDU>, HANK@TAUNIVM.BITNET (Hank Nussbacher) writes:
> With that behind me I would like to know about solutions in Tcp/Ip for
> the following two areas:
> As a side note, anyone who is up on ISO: what is the status of accounting
> and access control in ISO? Has it even been thought of?

Here are some answers, or directions, for the questions raised, but
from an ISO context:

The ISO OSI Management Framework, a draft appendix to the OSI Reference
Model, defines five missions in OSI management: configuration,
fault, performance, security, and accounting management. This is
an architectural definition of the problem, not an implementation
specification. Associated with this architecture are the
Common Management Information Service (CMIS)
and the Common Management Information Protocol (CMIP)
definitions, which describe mechanisms for management entities to
exchange general management information.

There is a subtle distinction between "security" and
"security management". Such mechanisms as link or end-to-end
encryption are security mechanisms,
part of the data link or transport layer definitions.
If these mechanisms are not implemented,
there is no need to manage them and thus no
need for security management. Once you decide to have them, security
management then logically should exist to provide such supporting
services as breach attempt logging, key distribution, etc. Similar
distinctions apply in accounting; accounting data collection is
a layer function, but data distribution is a management function.

> 1) Access control:
> On a system level: How do I go about restricting the use of users
> from using Tcp/Ip?
> On a gateway level: If I have a gateway (say something like Bridge
> or cisco) do I have any capability of performing any sort of access
> control? If yes, is this access control based on connected machines
> or can I even exercise access control on a user level (i.e. restrict
> FTP or TELNET to a certain group of users on a certain machine).
Association Control Service Elements (ACSE -- formerly CASE), a layer 7 function, does
deal with access control to OSI applications. Other applications,
such as FTAM (File Transfer, Access, and Management) do have
their own access control mechanisms, including optional anonymous
user access.
> 2) Accounting:
> System level: Is there any accounting package that can measure things
> like packet transfer (FTP always tells you how many Kb/sec you sent
> so it isn't impossible to figure out) levels and
> Telnet connect time?
ANSI standards X3.102 and X3.141, the latter in publication,
define general models for describing such things as packet transfer
time; draft ANSI work in the T1Q1.3 committee and the Question 29
Rapporteur's group in CCITT Study Group VII also are dealing
with such problems. Neal Seitz, at the U.S. Commerce Department's
Institute for Telecommunications Sciences in Boulder, CO,
is the chair of the latter groups and a major author of the
preceding standards. He has some public domain software available
from his group (telephone 303-497-3106; I don't have a net address).
> Gateway level: Is there some gateway or monitoring PC that can do
> accounting? Is the accounting per system or can it be broken down
> per user (I assume very difficult to do)?
There are general, hardware-based monitoring systems which can
do this. They are not cheap, and the mindset of their sales
forces is primarily dealing with response time measurement
in IBM 3270 and similar environments. Nevertheless,
systems made by Tesdata (also the OEM for Infinet and Paradyne),
Avant-Garde, and Dynatech do have some ability to track
applications, users, or other high-level entities. Several]
years ago, I did the first Tesdata design, and know that
it's quite internally capable of tracking network addresses,
user ID's, etc.

This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:38:07 GMT