Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!cbatt!ucbvax!TOPAZ.RUTGERS.EDU!hedrick
From: hedrick@TOPAZ.RUTGERS.EDU.UUCP
Newsgroups: mod.protocols.tcp-ip
Subject: Re: Access control and accountability
Message-ID: <8704081259.AA17700@topaz.rutgers.edu>
Date: Wed, 8-Apr-87 07:59:14 EST
Article-I.D.: topaz.8704081259.AA17700
Posted: Wed Apr 8 07:59:14 1987
Date-Received: Sat, 11-Apr-87 06:31:51 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 30
Approved: tcp-ip@sri-nic.arpa

There are fairly widely-available patches to Unix to allow you to control access to TCP. It restricts the ability to open a network connection based on the network number. That is, you create a list of "local" networks. (We assume you want users to be able to access local machines, and are concerned only about the Arpanet, etc. If you want to restrict all access, you can make this list empty.) Attempts to open connections to networks not in this list fail unless the user is in a certain specified user group.

However, this does not control daemons. E.g. mail will still work because the mailer has to have network access. You will need to insert the access control in sendmail also. We have done all of this stuff in the past, but are not doing it now. It is nearly impossible to control mail. There are now so many gateways that you can always find some machine on the local network that will forward your mail to the Arpanet for you. Not to mention UUCP or Bitnet to Arpanet gateways. However, other services should work.

Cisco gateways allow access control lists to be attached to various operations. This includes incoming and outgoing telnet connections (applied only when the connection opens), and packets going out a specified interface. We have an access control list on our Arpanet gateway. The lists can use wildcards or individual hosts; however, for performance reasons there is a limit to the number of wildcard conditions you can have.

I know that people are working on accounting and performance monitoring of the type you mention, but I don't know of anything that is available now. Of course most gateways and TCP/IP implementations maintain packet and event counts of various sorts. So if you just mean counts of packets per interface in and out, the Unix TCP/IP implementations and Cisco gateways do this. I presume other vendors' gateways do as well.
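The connect-time check the post describes (a list of "local" network numbers, with connections to any other network refused unless the user belongs to an exempt group) can be written out as a small policy routine. The code below is an added illustration, not part of the original post and not the Unix patch the author refers to. It assumes the classful network-number rules of the period (class A /8, class B /16, class C /24, everything above treated as /24 here), and the local-network list and the destination addresses in sample_policy_check() are constructed sample values.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address into a host-order 32-bit value.
 * Returns 1 on success, 0 on any malformed input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (strchr(s, '-') != NULL) return 0;            /* %u would accept "-1" */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Classful network number as used in 1987 (assumption: no subnet masks). */
uint32_t network_number(uint32_t addr)
{
    if ((addr & 0x80000000u) == 0)           return addr & 0xFF000000u; /* class A */
    if ((addr & 0xC0000000u) == 0x80000000u) return addr & 0xFFFF0000u; /* class B */
    return addr & 0xFFFFFF00u;                                          /* class C */
}

struct policy {
    const char **local_nets;   /* any address on each permitted local network */
    int n_local;
};

/* Decide whether an outgoing connection to dst_str may be opened.
 * Returns 1 (allow) or 0 (refuse). Fails closed on an unparsable address. */
int connect_allowed(const struct policy *p, const char *dst_str,
                    int user_in_exempt_group)
{
    uint32_t dst, net;
    if (!parse_ipv4(dst_str, &dst)) return 0;
    if (user_in_exempt_group) return 1;     /* the "certain specified user group" */
    uint32_t dnet = network_number(dst);
    for (int i = 0; i < p->n_local; i++) {
        if (!parse_ipv4(p->local_nets[i], &net)) continue; /* skip bad entries */
        if (network_number(net) == dnet) return 1;
    }
    return 0;                               /* not a local network: refuse */
}

/* Constructed sample policy: one class B and one class C local network.
 * (These are made-up values for the example, not the author's site.) */
int sample_policy_check(const char *dst, int user_in_exempt_group)
{
    static const char *nets[] = { "128.6.0.0", "192.0.2.0" };
    struct policy p = { nets, 2 };
    return connect_allowed(&p, dst, user_in_exempt_group);
}

int main(void)
{
    /* Network 10 was the Arpanet; with the sample list it is not "local". */
    const char *targets[] = { "128.6.4.7", "192.0.2.9", "10.2.0.49", "bogus" };
    for (int i = 0; i < 4; i++)
        printf("%-10s user: %s   exempt group: %s\n", targets[i],
               sample_policy_check(targets[i], 0) ? "allow" : "refuse",
               sample_policy_check(targets[i], 1) ? "allow" : "refuse");
    return 0;
}
```

An empty local list refuses everything for ordinary users, which matches the post's remark about restricting all access; the routine only models the user-initiated connect path, so, as the post notes, a daemon such as the mailer that already has network access is not covered by it.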