Chapter 8 Using Security Administration

This chapter describes the Security Administration modules:

• "Administration Web Server"

• "Network Service Access Administration"

Administration Web Server

The Administration Web Server serves the administration pages through which the Netra administration modules are configured. To protect access to the administration web server from unauthorized users, access to the web server is protected through a password (mandatory), and an access list (optional). If an access list is specified, connections from machines that are not on the list are refused. Connections from machines on the list are permitted access, provided the user knows the password.

To Change the Administration Password

1. From the Main Administration page, under "Security Administration," click Administration Web Server.

   The Administration Web Server Administration page is displayed.

2. Click Change Administration Password.

   The Administration Password page is displayed.

3. Complete the form using the information in the following table.

   Table 8-1 Web Server Password Administration

   Option	Description
   Current Administration Password	Type existing administration password. The administration password for an unconfigured Netra system is setup. A password can be a combination of any characters.
   New Administration Password	Type a new password to access your Netra server. The password is not echoed as you type it. If you change the existing password, you must re-authenticate the browser connection using the new password you provide.
   Re-enter New Administration Password	Type the new administration password. Because the password is not echoed as you type it the first time, you must verify it by typing it a second time.

To Modify Host Access Control

The Host Access Control enables you to set the hosts that can access the administration web server. There are two possible access modes: Administration access can be granted to all hosts, or access can be restricted to a specified list of hosts and networks (an access control list). The Netra system is always allowed administration access, even when it is not specified in the access control list. If security is important, set restrictions, particularly when the Netra system is connected to the Internet.

1. From the Main Administration page, under "Security Administration," click Administration Web Server.

   The Administration Web Server Administration page is displayed.

2. Click Modify Host Access Control.

   The Host Access Administration page is displayed.

3. Complete the form using the following table for reference.

   Table 8-2 Host Access Control Administration

   Option	Description
   All hosts	Access to the administration web server is permitted to all hosts. Any specified host or network addresses are ignored.
   Specified host and network addresses	The host and network addresses that are allowed access to the administration modules.

   ---

   Note -

   If you do not specify any hosts, all hosts are allowed access.

   ---

UDP-based services, which are not connection-oriented, may linger after the client has disconnected. Reboot the Netra j server after modifying the access control to these services.

Network Service Access Administration

The Netra server provides a number of generic network services that do not have administration modules associated with them. These services enable users to access information and facilities on the server. You can restrict access to any or all of these services using the Network Service Access module. Restricting access to all services helps ensure the security of your network.

Each network service has three access modes:

• The service can be denied to all hosts.

• The service can be made available to a specified list of hosts and networks (using a control list).

• The service can be made available to all hosts.

All services using the control list access mode share one access control list.

The following network services are available on your Netra server:

• File Transfer Protocol (FTP) - Enables an authorized user to transfer files between a remote machine and the Netra server.

• TELNET Protocol (telnet) - Enables an authorized remote user to log in to the Netra server and interact as a normal user.

• Remote User Information (finger) - Enables network users to display information about users logged in to the Netra server.

• Remote Shell (rsh) - Enables an authorized remote user to open a command-line interpreter (shell) on the Netra server and run commands there.

• Remote Login (rlogin) - Enables an authorized remote user to log in to the Netra server and interact as a normal user.

• Remote Execution (rexec) - Enables a library routine to be run on a remote machine and return streams to the local machine.

• Remote System Statistics (rstat) - Enables a remote user to get performance data from the Netra server.

• Mail Notification (comsat) - Enables the Netra server to detect incoming mail and notify local users logged into the Netra server.

• Talk Program (talk) - Enables users on remote systems to enter lines of text on one machine and display them on the terminal of someone logged into the Netra server. (Remote users can thus "chat" with users on the Netra server.)

• Distributed System Admin (sadmind) - Enables remote users to perform distributed system administration operations on the Netra server.

• Network File System Quota (quotad) - Enables for notification if users use more than an allocated amount of disk space on the Netra server.

• User Info (rusers) - Enables a remote user to check which users are logged into the Netra server.

• Diagnostic Packet Tester (spray) - Enables a remote user to send a one-way stream of packets to the Netra server to see how many are received and at what rate.

• Broadcast Messages (rwall) - Enables a single message from a remote user to be sent to all users logged into the Netra server.

• UNIX-to-UNIX Copy (uucp) - Enables remote copy exchanges between a remote machine and the Netra server.

• Trivial Name Server (tnamed) - A server that supports the DARPA trivial name server protocol.

• Calendar Manager (cmsd) - Enables remote users to check the Calendar Manager entries of a user with an account on the Netra server.

To Control Access to Network Services

1. From the Main Administration page, under "Security Administration," click Network Service Access.

   The Network Service Access Administration page is displayed with a list of the server's network services and corresponding access levels.

2. Choose the access mode for each network service using the information in the following table.

   Table 8-3 Security Levels for Network Services

   Option	Description
   None	Denies access to all hosts for this service.
   Control List	Permits access by hosts and networks specified in the Control List Host and Network Addresses field.
   All	Allows access to all hosts.
   Control List Host and Network Addresses	The host or network addresses of the hosts and networks of hosts that are allowed access to the services. This field is required for services using the Control List access mode.