For any number of reasons, the person who administers your system may have to meet a certain level of security. For instance, the security level might be a matter of corporate policy. Or a system might need access to U.S. government systems and thus be required to communicate at a certain security level. These security standards might be applied to the network, the operating system, application software, even programs written by the person who administers your system.
This section describes the security features provided with Transmission Control Protocol/Internet Protocol (TCP/IP), both in standard mode and as a secure system, and discusses some security considerations that are appropriate in a network environment.
Many of the security features available for TCP/IP are based on those available through the operating system. The following sections outline TCP/IP security.
The security policy for networking is an extension of the security policy for the operating system, and it consists of the following major components:
User authentication is provided at the remote host by a user name and password, the same as when a user logs in to the local system. Trusted TCP/IP commands, such as ftp, rexec, and telnet, have the same requirements and go through the same verification process as trusted commands in the operating system.
Connection authentication is provided to ensure that the remote host has the expected Internet Protocol (IP) address and name. This prevents a remote host from masquerading as another remote host.
Data import and export security permits data at a specified security level to flow to and from network interface adapters at the same security and authority levels. For example, top secret data can flow only between adapters that are set to the top secret security level.
Network auditing is provided by TCP/IP, using the audit subsystem to audit both kernel network routines and application programs. The purpose of auditing is to record those actions that affect the security of the system and the user responsible for those actions.
The following types of events are audited:
Creation and deletion of objects are audited by the operating system. Application audit records suspend and resume auditing to avoid redundant auditing by the kernel.
The Network Trusted Computing Base (NTCB) consists of hardware and software for ensuring network security. The hardware security features are provided by the network adapters used with TCP/IP. The software portion of the NTCB contains only trusted processes and their associated files.
The operating system provides the trusted path to prevent unauthorized programs from reading data from a user terminal. This path is used when a secure communication path with the system is required, such as when you are changing passwords or logging in to the system. The operating system also provides the trusted shell feature (tsh), which executes only trusted programs that have been tested and verified as secure. TCP/IP supports both of these features, along with the secure attention key (SAK), which establishes the environment necessary for secure communication between you and the system. The local SAK is available whenever you are using TCP/IP. A remote SAK is available through the telnet command.
The local SAK has the same function in telnet that it has in other operating system application programs: it terminates the telnet process and all other processes associated with the terminal in which telnet was running. Inside the telnet program, however, you can send a request for a trusted path to the remote system using the telnet send sak command (while in telnet command mode). You can also define a single key to initiate the SAK request using the telnet set sak command.
Some portions of security are specific to TCP/IP. These features (TCP/IP commands and TCP/IP trusted processes) work together with the operating system security features discussed to provide the security for TCP/IP.
Some commands in TCP/IP provide a secure environment during operation. These commands are ftp, rexec, and telnet. The ftp function provides security during file transfer. The rexec command provides a secure environment for executing commands on a foreign host. The telnet (TELNET) function provides security for login to a foreign host.
These commands provide security during their operation only. That is, they do not set up a secure environment for use with other commands. For securing your system for other operations, use the securetcpip command. This command gives you the ability to secure your system by disabling the nontrusted daemons and applications, and by giving you the option of securing your IP layer network protocol as well.
The ftp, rexec, securetcpip, and telnet commands provide the following forms of system and data security:
|securetcpip|| The securetcpip command enables TCP/IP security features. Access to commands that are not trusted is removed from the system when this command is issued. Each of the following commands is removed by running the securetcpip command:
The securetcpip command is used to convert a system from the standard level of security to a higher security level. Once your system has been converted, you do not need to issue the securetcpip command again unless you reinstall TCP/IP.
|ftp|| The ftp command provides a secure environment for transferring files. When a user invokes the ftp command to a foreign host, the user is prompted for a login ID. A default login ID is shown: the user's current login ID on the local host. The user is prompted for a password for the remote host.
The automatic login process searches the local user's $HOME/.netrc file for the user's ID and password to use at the foreign host. For security, the permissions on the $HOME/.netrc file must be set to 600 (read and write by owner only). Otherwise, automatic login fails.
Note: Since use of the .netrc file requires storage of passwords in a nonencrypted file, the automatic login feature of the ftp command is not available when your system has been configured with the securetcpip command. This feature can be reenabled by removing the ftp command from the tcpip: stanza in the /etc/security/config file.
To use the file transfer function, the ftp command requires two TCP/IP connections, one for the File Transfer Protocol (FTP) and one for data transfer. The protocol connection is primary and is secure because it is established on reliable communicating ports. The secondary connection is needed for the actual transfer of data, and both the local and remote host verify that the other end of this connection is established with the same host as the primary connection. If the primary and secondary connections are not established with the same host, the ftp command first displays an error message stating that the data connection was not authenticated, and then it exits. This verification of the secondary connection prevents a third host from intercepting data intended for another host.
|rexec|| The rexec command provides a secure environment for executing commands on a foreign host. The user is prompted for both a login ID and a password.
An automatic login feature causes the rexec command to search the local user's $HOME/.netrc file for the user's ID and password on a foreign host. For security, the permissions on the $HOME/.netrc file must be set to 600 (read and write by owner only). Otherwise, automatic login fails.
Note: Because use of the .netrc file requires storage of passwords in a nonencrypted file, the automatic login feature of rexec is not available when your system is operating as a secure system. This feature can be reenabled by removing the rexec entry from the tcpip: stanza in the /etc/security/config file.
|telnet or tn||The telnet (TELNET) command provides a secure environment for login to a foreign host. The user is prompted for both a login ID and a password. The user's terminal is treated just like a terminal connected directly to the host. That is, access to the terminal is controlled by permission bits. Other users (group and other) do not have read access to the terminal, but they can write messages to it if the owner gives them write permission. The telnet command also provides access to a trusted shell on the remote system through the secure attention key (SAK). This key sequence differs from the sequence that invokes the local trusted path and can be defined within the telnet command.|
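The two conditions the text gives for ftp and rexec automatic login (the command must not be listed in the tcpip: stanza, and $HOME/.netrc must be mode 600), checked by an added example script that is not part of the AIX documentation. It assumes the stanza stores the list in an attribute named netrc, and it runs against constructed sample files rather than the live /etc/security/config.

```shell
# Added example, not from the AIX documentation. Checks the two conditions the
# text gives for ftp/rexec automatic login. The attribute name "netrc" inside
# the tcpip: stanza is assumed; paths are parameters so this runs on samples.

# Return 0 if the file's mode is exactly 600 (-rw-------, owner read/write only).
netrc_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Print one attribute's value from one stanza of an AIX stanza-format file:
# a "name:" line opens the stanza, indented "attr = value" lines follow.
stanza_attr() {   # $1 = file, $2 = stanza name, $3 = attribute name
    awk -v s="$2" -v a="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { in_s = ($1 == (s ":")); next }
        in_s && $1 == a && $2 == "=" {
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Return 0 if automatic login for command $1 (ftp or rexec) would work: the
# command must be absent from the tcpip: stanza and the .netrc must be 600.
autologin_allowed() {   # $1 = command, $2 = config file, $3 = .netrc file
    disabled=$(stanza_attr "$2" tcpip netrc)
    case ",$disabled," in
        *,"$1",*) return 1 ;;   # listed in the stanza: feature disabled
    esac
    netrc_perms_ok "$3"
}

# Constructed sample files standing in for /etc/security/config and $HOME/.netrc.
demo_dir=$(mktemp -d)
printf 'tcpip:\n\tnetrc = ftp,rexec\n' > "$demo_dir/config_secure"   # after securetcpip
printf 'tcpip:\n' > "$demo_dir/config_std"                            # standard system
printf 'machine host1 login carl password placeholder\n' > "$demo_dir/netrc"
chmod 600 "$demo_dir/netrc"

for cfg in config_std config_secure; do
    if autologin_allowed ftp "$demo_dir/$cfg" "$demo_dir/netrc"; then
        echo "$cfg: ftp automatic login permitted"
    else
        echo "$cfg: ftp automatic login disabled"
    fi
done
```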
Users on the hosts listed in the /etc/hosts.equiv file can run certain commands on your system without supplying a password.
Remote Command Execution Access Tasks (Web-based System Manager: wsm network)

| Task | SMIT Fast Path | Command or File |
|------|----------------|-----------------|
| List Remote Hosts That Have Command Execution Access | smit lshostsequiv | view /etc/hosts.equiv |
| Add a Remote Host for Command Execution Access | smit mkhostsequiv | *edit /etc/hosts.equiv |
| Remove a Remote Host from Command Execution Access | smit rmhostsequiv | *edit /etc/hosts.equiv |
For more information about file procedures preceded by an asterisk (*), refer to the "hosts.equiv File Format for TCP/IP" in the AIX Version 4.3 Files Reference.
Users listed in the /etc/ftpusers file are protected from remote FTP access. For example, suppose user ross is logged into a remote system, and he knows the password of user carl on your system. If carl is listed in /etc/ftpusers, ross will not be able to FTP files to or from carl's account, even though ross knows carl's password.
Remote FTP Users Tasks (Web-based System Manager: wsm network)

| Task | SMIT Fast Path | Command or File |
|------|----------------|-----------------|
| List Restricted FTP Users | smit lsftpusers | view /etc/ftpusers |
| Add a Restricted User | smit mkftpusers | *edit /etc/ftpusers |
| Remove a Restricted User | smit rmftpusers | *edit /etc/ftpusers |
For more information about file procedures preceded by an asterisk (*), refer to the "ftpusers File Format for TCP/IP" in the AIX Version 4.3 Files Reference.
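An added audit script, not part of the AIX documentation, that reads the two access-control files described above (/etc/hosts.equiv and /etc/ftpusers) and answers the questions an administrator reviewing them asks: is a given host trusted for password-less command execution, is a given account closed to remote FTP, and does hosts.equiv contain a bare "+" entry, which trusts every host. It runs against constructed sample files so it can be tried offline.

```shell
# Added example, not from the AIX documentation. Audits hosts.equiv-style and
# ftpusers-style files. File paths are parameters; the samples below are constructed.

# Return 0 if host $2 is listed in hosts.equiv file $1 (first field of a
# non-comment line), or if a bare "+" entry trusts every host.
host_trusted() {
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        $1 == "+" || $1 == h { found = 1; exit }
        END { exit !found }' "$1"
}

# Return 0 if account $2 is listed in ftpusers file $1, i.e. remote FTP
# access to that account is refused even when the password is known.
ftp_user_restricted() {
    awk -v u="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == u { found = 1; exit }
        END { exit !found }' "$1"
}

# Print every hosts.equiv line (with its line number) that trusts all hosts.
hosts_equiv_wildcards() {
    awk '/^[ \t]*(#|$)/ { next } $1 == "+" { print NR ": " $0 }' "$1"
}

# Constructed sample files standing in for /etc/hosts.equiv and /etc/ftpusers.
demo_dir=$(mktemp -d)
printf '# sample hosts.equiv\nhost1.example.com\nhost2.example.com\n' > "$demo_dir/hosts.equiv"
printf '# sample ftpusers\nroot\ncarl\n' > "$demo_dir/ftpusers"

for h in host1.example.com evil.example.com; do
    if host_trusted "$demo_dir/hosts.equiv" "$h"; then
        echo "$h: trusted for password-less command execution"
    else
        echo "$h: not trusted"
    fi
done
if ftp_user_restricted "$demo_dir/ftpusers" carl; then
    echo "carl: remote FTP access refused"
fi
echo "wildcard entries: $(hosts_equiv_wildcards "$demo_dir/hosts.equiv" | wc -l)"
```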
A trusted program, or trusted process, is a shell script, a daemon, or a program that meets a particular standard of security. These security standards are set and maintained by the U.S. Department of Defense, which also certifies some trusted programs.
Trusted programs are trusted at different levels. Security levels include A1, B1, B2, B3, C1, C2, and D, with level A1 providing the highest security level. Each security level must meet certain requirements. For example, the C2 level of security incorporates the following standards:
| Standard | Meaning |
|----------|---------|
| program integrity | Ensures that the process does what it is supposed to do, no more and no less. |
| modularity | The process source code is broken down into modules that cannot be directly affected or accessed by other modules. |
| principle of least privilege | At all times a user operates at the lowest level of privilege authorized. That is, if a user has access only to view a certain file, the user does not inadvertently also have access to alter that file. |
| limitation of object reuse | Keeps a user from, for example, accidentally stumbling across a section of memory that has been flagged for overwriting but not yet cleared and may still contain sensitive material. |
TCP/IP contains several trusted daemons and many nontrusted daemons. The trusted daemons have been tested to ensure that they operate within particular security standards.
Examples of trusted daemons are:
Examples of nontrusted daemons are:
For a system to be trusted, it must operate with a trusted computing base. This means, for a single host, that the machine must be secure. For a network, this means that all file servers, gateways, and other hosts must be secure.
The network contains both hardware and software mechanisms to implement the networking security features. This section defines the components of the Network Trusted Computing Base as they relate to TCP/IP.
The hardware security features for the network are provided by the network adapters used with TCP/IP. These adapters are programmed to control incoming data: they accept only data addressed to the local system and data broadcast to all systems.
The software component of the NTCB consists of only those programs that are considered trusted. The programs and associated files that are part of a secure system are listed in the following tables on a directory-by-directory basis.
The security feature for TCP/IP does not encrypt user data transmitted through the network. Therefore, it is suggested that users identify any risk in communication that could result in the disclosure of passwords and other sensitive information, and based on that risk, apply appropriate countermeasures.
The use of this product in a Department of Defense (DOD) environment may require adherence to DOD 5200.5 and NCSD-11 for communications security.