30.6 Other Security-Related Terms

DMZ : Short for De-Militarized Zone. The term comes from the military, where it describes a buffer zone between two enemies. In our context, a DMZ is usually a small network that sits between our trusted (and valuable) corporate network and an untrusted network such as the Internet. The DMZ contains the machines that face the outside world: proxy servers and the public Web, SMTP, FTP, and DNS servers. Each of these is hardened so that it exposes only the service it provides, i.e., they are bastion hosts. A DMZ gives the administrator a choke point on traffic passing between the connected networks; the choke can be configured to allow or deny each class of access, and it also gives the administrator the opportunity to record and log every allowed and denied access attempt. Because the DMZ hosts are the ones most exposed to attack, the choke between the DMZ and the corporate network should be just as restrictive as the one facing the Internet: a DMZ host should never be trusted by the internal network.

Firewall : The term comes from the construction industry, where it describes a fire-resistant physical wall between two areas. In the same way, a firewall keeps the fire of external attackers from reaching our networks and servers. Technically, it is the device (a filtering router, a dedicated appliance, or a host running packet-filtering software) that implements the chokes described above. A firewall is therefore not the same thing as a DMZ: the DMZ is the network segment created by placing it between two firewalls (or between two interfaces of a single firewall), and the firewalls are what enforce and log the allow/deny decisions on traffic entering and leaving it.

Bastion host : According to the Oxford Dictionary, a bastion is "a projecting part of a fortification." In our context, a bastion host is a machine that has been locked down to provide only the absolute minimum set of services required, with everything else removed or disabled. Because it is exposed to the untrusted network, a bastion host needs to be patched promptly and monitored for external attacks. We looked at using HP-UX Bastille as a first step in setting up a bastion host. Appendix E contains the PDF file Building a Bastion Host Using HP-UX 11; see this for more details.

Proxy server : A machine located between a client and its intended target that makes requests on the client's behalf. For example, a Web proxy would normally reside in the DMZ and offer Web browsing to all clients within the corporate network. Individual clients are blocked by the firewall from browsing the Internet directly and must go via the proxy server, which forwards their requests to the relevant Internet server and returns the responses to the client. Only the proxy server has direct access to the Internet, so it is also the single place where outbound Web traffic can be logged and filtered.

Kerberos : A secret-key (symmetric) authentication system originally designed and developed at MIT. When a user logs in to the network, his password is used to obtain a ticket-granting ticket, which identifies him and lets him request further tickets for the services he has been granted access to. Each service ticket is presented to a network service that has been designed to understand and decrypt it (a "Kerberized" service), so the password itself never crosses the network. At the heart of Kerberos is a trusted, well-secured server known as the Key Distribution Center (KDC), which holds the secret keys and issues the tickets. On HP-UX, we can also use Kerberos to secure the basic Internet Services (ftp, rcp, remsh, rlogin, and telnet); see inetsvcs_sec(1M) for more details. NOTE: In Greek mythology, Kerberos (Cerberus) is the three-headed dog that guards the gates of the underworld, Hades. (Why would it be guarding the entrance? Is it a cool place to be? And if so, why don't we all want to go there?) A dog with three heads is going to be efficient, I would think.

VPN : A Virtual Private Network, whereby two machines, e.g., a remote user and an in-house VPN gateway (typically located in the DMZ), use the Internet (or some other large, untrusted network) to carry private traffic securely. Confidentiality, integrity, and authentication of both endpoints are provided by the tunnelling protocol, e.g., IPSec. Once the tunnel is up, the remote machine is effectively on the protected network, so it should be subject to the same firewall policy as any other connected network.

PGP : Stands for Pretty Good Privacy and was written by Phil Zimmermann. Although it is most commonly thought of in conjunction with email, it is a general-purpose system for encrypting and signing files. It is a hybrid system: a public-key algorithm such as RSA is used to exchange keys and to sign message digests (giving integrity protection and authentication of the sender), while the bulk data is encrypted under a random session key with a symmetric cipher such as IDEA (IDEA is a symmetric cipher, not a public-key system). Due to licensing issues and royalty payments for the use of certain cryptosystems, PGP has had a checkered ownership; see http://www.pgpi.org.

VirtualVault : A separately installed variant of HP-UX, currently known as HP-UX 11.04 (VVOS). Its features meet the requirements of a B1-level operating system (Orange Book classification): VVOS includes Mandatory Access Control labels, and privilege is granted to individual programs as a set of fine-grained privileges rather than through one all-powerful account, so a VirtualVault server need not have a root account at all. Allied with the VirtualVault operating system are various application components such as Netscape Enterprise Server, Trusted Gateway Agent, Trusted Gateway Proxy, Java Servlet Proxy, and Web QoS.

PAM : Pluggable Authentication Modules. PAM lets programs such as login, su, and ftpd authenticate users through a configurable stack of shared-library modules, so that a new authentication mechanism can be added without recompiling those programs. PAM can support any number of authentication modules, including DCE, Kerberos, NTLM, and RADIUS pluggable authentication modules. At its heart is the /etc/pam.conf configuration file, which lists, for each service, the modules to try and whether each one is required, sufficient, or optional. We saw extensive use of PAM in Chapter 20: Common Internet Filesystems (CIFS/9000).

DCE : The Distributed Computing Environment. DCE is an industry-standard, vendor-neutral set of distributed computing technologies. It provides security services to protect and control access to data, name services that make it easy to find distributed resources, and a highly scalable model for organizing widely scattered users, services, and data. DCE runs on all major computing platforms and is designed to support distributed applications in heterogeneous hardware and software environments. DCE services include Remote Procedure Calls, the Security Service (which is itself built on Kerberos), the Directory Service, the Time Service, the Threads Service, and the Distributed File Service.

RADIUS : Stands for Remote Authentication Dial-In User Service. It is an authentication, authorization, and accounting protocol used by many ISPs and by remote-access equipment. Commonly, the user supplies a username and password to the access device (a dial-in server or VPN gateway), which forwards them to the RADIUS server and grants access only if the server accepts them; the server also records accounting information such as session start and stop. HP's implementation of RADIUS is known as HP AAA Server (AAA standing for authentication, authorization, and accounting).

SSL : Secure Sockets Layer, developed by Netscape and published as an open, non-proprietary protocol; its standardized successor is TLS. SSL provides data encryption, authentication of the server (and optionally of the client), and data integrity for TCP/IP connections. SSL uses asymmetric, public-key cryptography with X.509 version 3 certificates to authenticate the peer and agree on a session key, and symmetric encryption for the data itself. Web servers (such as Apache) with SSL enabled present a certificate so that clients can authenticate the server before any application data is exchanged. For more details, see http://wp.netscape.com/eng/ssl3/, http://www.openssl.org, http://www.modssl.org, and http://www.sslreview.com.

tcpwrapper : Originally, tcpwrapper was available only as a third-party freeware addition to HP-UX. HP now offers this software as a free download from http://software.hp.com under Security and Manageability. The idea behind tcpwrapper is to provide a mechanism for controlling and logging the services spawned by inetd. Instead of running the actual service program, inetd runs tcpd, which checks the client against /etc/hosts.allow and /etc/hosts.deny, logs the connection via syslog, and only then execs the intended service program. Some people say that inetd has sufficient security on HP-UX with the use of /var/adm/inetd.sec. tcpwrapper does supply additional functionality over and above inetd.sec, e.g., host- and domain-name patterns, a check that a client's forward and reverse DNS agree, and a log entry for every connection. Have a look for yourself.
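The following is an added example, not code from the HP-UX CSE guide or from the tcpwrapper distribution. It audits a copy of inetd.conf for services that inetd would spawn directly (bypassing tcpd), and shows side by side the hosts.allow/hosts.deny pair that tcpd reads and the inetd.sec equivalent. The service lines, addresses, domain name and the /usr/lbin/tcpd path are assumptions made up for the example, and the files are written to a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example, not from the HP-UX CSE guide: find inetd services that bypass tcpd,
# and show the access-control files that tcpd and inetd.sec each read.
# Assumptions: tcpd lives in /usr/lbin/tcpd; services, addresses and the domain are
# made up; files go to a scratch directory instead of /etc and /var/adm.
set -u
WORK=${WORK:-$(mktemp -d)}

# Constructed sample of /etc/inetd.conf: telnet and ftp go through tcpd, finger does
# not. Field 6 is the program inetd execs; with tcpwrapper that is tcpd, and the real
# server program follows in the argument list.
cat >"$WORK/inetd.conf" <<'EOF'
# service socket proto  wait/nowait user server_program      server_args
telnet    stream tcp    nowait      root /usr/lbin/tcpd      telnetd
ftp       stream tcp    nowait      root /usr/lbin/tcpd      ftpd -l
finger    stream tcp    nowait      bin  /usr/lbin/fingerd   fingerd
#tftp     dgram  udp    wait        root /usr/lbin/tftpd     tftpd
EOF

# Print enabled services whose server program is not tcpd: inetd spawns these directly,
# so hosts.allow/hosts.deny are never consulted for them. inetd's built-in services
# ("internal") show up too; they cannot be wrapped and only inetd.sec applies to them.
unwrapped_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ && $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

# tcpd reads hosts.allow first, then hosts.deny; the first matching line decides, and a
# client that matches neither file is ALLOWED. The daemon name is the server program's
# name as given in inetd.conf. A trailing dot is a network prefix, a leading dot a
# domain suffix, and net/mask pairs are accepted.
cat >"$WORK/hosts.allow" <<'EOF'
telnetd: 192.168.1.
ftpd: 192.168.1.0/255.255.255.0 .corp.example.test
EOF
# Without this catch-all, a service missing from hosts.allow is open to everyone.
cat >"$WORK/hosts.deny" <<'EOF'
ALL: ALL
EOF

# The HP-UX built-in control, /var/adm/inetd.sec, takes one allow-or-deny line per
# inetd.conf service name (the service, not the daemon), listing hosts or addresses;
# a service with no line is open to everyone.
cat >"$WORK/inetd.sec" <<'EOF'
telnet allow 192.168.1.*
ftp    allow 192.168.1.*
EOF

printf 'Services spawned without tcpd: %s\n' "$(unwrapped_inetd_services "$WORK/inetd.conf")"
```

Run against the real /etc/inetd.conf, the audit lists every service that still needs its line changed to `/usr/lbin/tcpd <server>`, and the deny-all line in hosts.deny is what turns tcpwrapper from "log and allow" into a real choke.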

X.509 v3 certificates : X.509 is the most widely used standard for public-key certificates. An X.509v3 certificate includes the following:

  • Version and serial number

  • Identity information: the issuer's name and the subject's name

  • Validity period (not-before and not-after dates)

  • Algorithm-related information: the signature algorithm and the public-key algorithm

  • Subject's public key

  • Extensions, the addition that distinguishes version 3, e.g., subject alternative names, key usage, and basic constraints (whether the certificate may itself sign other certificates)

  • Signature of the issuing Certification Authority (CA), computed over all of the above

An X.509v3 certificate instills confidence in the user because it has been signed by a trusted third party, the Certification Authority (CA), whose own certificate the user (or the user's browser) already holds. The closed padlock in a Web browser does not merely mean that an X.509v3 certificate was presented: it means the browser checked the CA's signature back to a trusted root, that the certificate is within its validity period, and that the name in the certificate matches the host the user connected to. See http://www.ietf.org/html.charters/pkix-charter.html for more details.
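As an added example for the SSL and X.509 v3 entries above (not code from the HP-UX CSE guide or any HP product), the following uses the openssl(1) command line to display the certificate fields just listed and to perform the chain check that a browser or an SSL-enabled Apache performs before trusting a peer. It assumes OpenSSL 1.1 or later is on PATH; the CA and server key pairs are throwaway ones generated on the spot for the demonstration, and all file and host names are made up.

```shell
#!/bin/sh
# Added example, not from the HP-UX CSE guide: show X.509v3 fields with openssl(1) and
# verify a certificate chain. Assumes OpenSSL 1.1+ on PATH; the CA and server keys are
# throwaway demo material created here, and every file and host name is made up.
set -u
WORK=${WORK:-$(mktemp -d)}

# Build a demo CA, a server certificate signed by it, and an unrelated CA (constructed).
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    # A v3 extension (subjectAltName) is what makes the result a version 3 certificate;
    # browsers match the host name against it rather than against the CN.
    printf 'subjectAltName = DNS:www.example.test\n' >"$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/server.ext" \
        -out "$WORK/server.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# Serial number, identity information, validity dates and the algorithm fields.
x509_summary() {
    openssl x509 -in "$1" -noout -serial -issuer -subject -dates
    openssl x509 -in "$1" -noout -text |
        grep -E 'Version:|Signature Algorithm:|Public Key Algorithm:|DNS:' | sort -u
}

# Just the version digit: "3" for an X.509v3 certificate.
x509_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Chain check: returns 0 only if the certificate's signature verifies against the given
# trust anchor and the certificate is within its validity period.
x509_verify() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_demo_pki
x509_summary "$WORK/server.pem"
if x509_verify "$WORK/ca.pem" "$WORK/server.pem"; then
    echo "chain to Demo Root CA: OK"
fi
if ! x509_verify "$WORK/other.pem" "$WORK/server.pem"; then
    echo "chain to Unrelated CA: rejected (different trust anchor)"
fi
```

The second verification is the important one: a perfectly well-formed v3 certificate is rejected when the verifier does not hold the CA that signed it, which is exactly the distinction the padlock is supposed to convey. A real browser additionally checks that the host name matches the subjectAltName shown in the summary.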


HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434