Addressing Security Areas

ACSLS has addressed the following security concerns:

RPC

The use of RPC within ACSLS is a concern for some sites trying to run within a firewall environment. Preserving compatibility with the currently installed client base precludes removing RPC completely from ACSLS.

The ACSLS firewall-secure feature has addressed the concerns inherent in RPC, which are:

  • The need to allow outside (untrusted) parties to initiate connections to the trusted host across an unrestricted range of ports (1024-65535).

  • The exposure of the mapping of available services on a platform through the portmap (or rpcbind) daemon running on well-known port 111.

Security

In a firewall solution, the fundamental security comes from restricting access from the non-secure side into the trusted (secure) side. In all cases, some limited and controlled access must be allowed in order to perform communications and allow data exchange. The goal is to allow that data exchange within a well-defined and restricted set of entry points, allowing you to control those access points and their corresponding communications. This goal is met by this solution.

Note:

If you have an IPv4-based edge firewall, it should be configured to drop all outbound IPv4 protocol 41 packets and UDP port 3544 packets to prevent Internet hosts from using any IPv6-over-IPv4 tunnelled traffic to reach internal hosts.
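The two RPC concerns listed above and the rule in the Note are easier to reason about as one first-match policy. The following is an added example, not ACSLS or Oracle code: a small packet-filter model with the pre-firewall-secure RPC policy beside the restricted one, so the difference can be checked on constructed sample traffic. The trusted network, the ACSLS host address and the fixed CSI port number (30031) are assumptions and placeholders; substitute the values your site configures.

```python
"""Added example, not ACSLS or Oracle code: a first-match model of the
edge-firewall policy this page describes, with the pre-firewall-secure RPC
policy beside it. Addresses, the trusted network and the fixed CSI port
are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TRUSTED_NET = ip_network("10.0.0.0/8")   # assumed: the secure (trusted) side
ACSLS_HOST = "10.0.0.5"                  # assumed: address of the ACSLS platform
ACSLS_FIXED_PORT = 30031                 # PLACEHOLDER: the site-configured fixed CSI port

PROTO_TCP, PROTO_UDP, PROTO_IPV6_IN_IPV4 = 6, 17, 41
PORTMAPPER_PORT = 111                    # portmap / rpcbind well-known port
RPC_DYNAMIC_RANGE = range(1024, 65536)   # range classic RPC connections may land on
IPV6_TUNNEL_UDP_PORT = 3544              # UDP port named in the Note

Decision = Tuple[str, str]               # ("accept" | "drop", reason)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None          # None for protocols without ports


def is_trusted(addr: str) -> bool:
    return ip_address(addr) in TRUSTED_NET


def legacy_rpc_policy(pkt: Packet) -> Decision:
    """What a firewall had to allow before the firewall-secure feature:
    untrusted clients reaching the portmapper and the whole dynamic range."""
    if is_trusted(pkt.src):
        return ("accept", "trusted-source")
    if pkt.dst == ACSLS_HOST and pkt.proto in (PROTO_TCP, PROTO_UDP):
        if pkt.dport == PORTMAPPER_PORT:
            return ("accept", "portmapper-exposed")
        if pkt.dport is not None and pkt.dport in RPC_DYNAMIC_RANGE:
            return ("accept", "dynamic-port-range-open")
    return ("drop", "default-deny")


def firewall_secure_policy(pkt: Packet) -> Decision:
    """The restricted policy: one well-defined entry point inbound, and the
    IPv6-over-IPv4 tunnel traffic from the Note dropped outbound."""
    src_trusted, dst_trusted = is_trusted(pkt.src), is_trusted(pkt.dst)

    if src_trusted and not dst_trusted:                  # outbound: trusted -> untrusted
        if pkt.proto == PROTO_IPV6_IN_IPV4:
            return ("drop", "ipv4-protocol-41")
        if pkt.proto == PROTO_UDP and pkt.dport == IPV6_TUNNEL_UDP_PORT:
            return ("drop", "udp-3544")
        return ("accept", "outbound")

    if src_trusted:                                      # trusted -> trusted
        return ("accept", "internal")

    # inbound, untrusted -> trusted: only the defined entry point is allowed
    if pkt.proto in (PROTO_TCP, PROTO_UDP) and pkt.dport == PORTMAPPER_PORT:
        return ("drop", "portmapper-not-exposed")
    if pkt.proto == PROTO_TCP and pkt.dst == ACSLS_HOST and pkt.dport == ACSLS_FIXED_PORT:
        return ("accept", "acsls-fixed-port")
    if pkt.dport is not None and pkt.dport in RPC_DYNAMIC_RANGE:
        return ("drop", "dynamic-port-range-closed")
    return ("drop", "default-deny")


def exposures_closed(traffic: List[Packet]) -> List[Packet]:
    """Packets the legacy policy accepted that the restricted policy drops."""
    return [p for p in traffic
            if legacy_rpc_policy(p)[0] == "accept"
            and firewall_secure_policy(p)[0] == "drop"]


# Constructed sample traffic (198.51.100.7 stands in for an untrusted host).
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", ACSLS_HOST, PROTO_TCP, PORTMAPPER_PORT),
    Packet("198.51.100.7", ACSLS_HOST, PROTO_UDP, PORTMAPPER_PORT),
    Packet("198.51.100.7", ACSLS_HOST, PROTO_TCP, ACSLS_FIXED_PORT),
    Packet("198.51.100.7", ACSLS_HOST, PROTO_TCP, 40000),
    Packet("198.51.100.7", ACSLS_HOST, PROTO_TCP, 22),
    Packet(ACSLS_HOST, "198.51.100.7", PROTO_IPV6_IN_IPV4, None),
    Packet(ACSLS_HOST, "198.51.100.7", PROTO_UDP, IPV6_TUNNEL_UDP_PORT),
    Packet(ACSLS_HOST, "198.51.100.7", PROTO_TCP, 443),
]

if __name__ == "__main__":
    for p in SAMPLE_TRAFFIC:
        print(p, "legacy:", legacy_rpc_policy(p), "secure:", firewall_secure_policy(p))
    print("exposures closed:", len(exposures_closed(SAMPLE_TRAFFIC)))
```

Running the script lists each sample packet with both decisions; the only inbound packet the restricted policy accepts is the one aimed at the fixed CSI port on the ACSLS host, which is the single entry point the section describes.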

Communications Components

ACSLS/Client communications rely on two network interface components to handle network communications between client platforms and the ACSLS platform. Software acting as a client or proxy-server for ACSLS implements one of these two components in order to be compatible with ACSLS platforms and existing clients. The component residing on the client platform is known as the SSI; the component residing on the ACSLS platform is known as the CSI. While it would be desirable to implement all changes within one side (such as the ACSLS platform), in order to maintain client compatibility and to provide all of the firewall-secure features, corresponding changes must be made on each side to get the full benefit. The positive is that each side can independently implement the features and achieve the firewall-secure benefits on its own side (for example, changes to ACSLS alone allow the ACSLS platform to run behind a secured firewall).