With that behind me I would like to know about solutions in Tcp/Ip for
the following two areas:
1) Access control:
A) On a system level: How do I go about restricting the use of users
from using Tcp/Ip? I realize that every operating system may have
a different solution but I am interested in hearing concepts and
whether anyone is actually doing it.
B) On a gateway level: If I have a gateway (say something like Bridge
or cisco) do I have any capability of performing any sort of access
control? If yes, is this access control based on connected machines
or can I even exercise access control on a user level (i.e. restrict
FTP or TELNET to a certain group of users on a certain machine).
2) Accounting:
A) System level: Is there any accounting package that can measure things
like packet transfer (FTP always tells you how many Kb/sec you sent
so it isn't impossible to figure out) levels and Telnet connect time?
B) Gateway level: Is there some gateway or monitoring PC that can do
accounting? Is the accounting per system or can it be broken down
per user (I assume very difficult to do)?
As a side note, anyone who is up on ISO: what is the status of accounting
and access control in ISO? Has it even been thought of?
Thanks in advance,
Hank
Little has been developed for access control and accounting. Some gateways
(e.g. BBN?) can filter IP packets based on source/destination address.
I don't know of any which filter with knowledge of the protocol being used.
I do not know of any gateways that provide accounting data, although such
information as packet counts from a given host can be obtained from,
e.g. the ARPANET. I would not be surprised to hear that some gateways and
even some bridges keep some statistics about traffic loads, but probably
not by source or destination.
Thus far, the TCP/IP software has gone into private or gov't-owned systems
which have not demanded much in the way of accounting (or of access control).
Vint
The early days of networking had a notion of what it was that
was being hooked up to the network: a timesharing system with a
responsible administration ensuring some kind of access restrictions
or at least a place to call to register a complaint. Today's
technological advances have made it so that everyone on earth
is a "timesharing system administrator". Clearly the
"responsibility" for hooking up to the network has to be placed
elsewhere. The owner of the "cable" is the obvious choice,
but that does not take into account radio based networks...
In short: It looks like the "gateway owners" are going to
have to become the administrators of the future! Yikes, back
to the future???
Dan
-------
I know that people are working on accounting and performance
monitoring of the type you mention, but I don't know of anything that
is available now. Of course most gateways and TCP/IP implementations
maintain packet and event counts of various sorts. So if you just
mean counts of packets per interface in and out, the Unix TCP/IP
implementations and Cisco gateways do this. I presume other vendors'
gateways do as well.
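As an added illustration of the address-only filtering Vint describes and the per-host and per-interface packet counts mentioned in the reply above (example code written for this page, not from any of the posters or any gateway product; the addresses, rules and packet log are constructed), the Python below shows why a filter keyed on source and destination address alone cannot separate FTP from Telnet, and what a protocol-aware rule would additionally need to see.

```python
"""Address-based gateway filter with per-host packet accounting (constructed example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed packet log: (src, dst, proto, dst_port). Not taken from the thread.
SAMPLE_PACKETS = [
    ("10.1.0.5", "192.0.2.10", "tcp", 21),     # FTP from an internal host
    ("10.1.0.5", "192.0.2.10", "tcp", 23),     # Telnet from the same host
    ("10.1.0.9", "192.0.2.10", "tcp", 23),     # Telnet from another internal host
    ("198.51.100.7", "10.1.0.5", "tcp", 23),   # external host reaching inward
    ("198.51.100.7", "10.1.0.5", "udp", 53),   # external host, different protocol
]

# Address-only rules, first match wins: (source network, destination network, action).
RULES = [
    (ip_network("10.1.0.0/24"), ip_network("192.0.2.0/24"), "permit"),
    (ip_network("0.0.0.0/0"), ip_network("10.1.0.0/24"), "deny"),
]
DEFAULT_ACTION = "deny"  # anything no rule covers is dropped


def address_filter(src, dst, rules=RULES):
    """Decide purely on addresses; protocol and port are invisible to this filter."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return DEFAULT_ACTION


def protocol_aware_filter(src, dst, proto, port, denied_services=((23, "tcp"),)):
    """What the address-only gateway cannot express: permit the host but deny Telnet."""
    if address_filter(src, dst) != "permit":
        return "deny"
    return "deny" if (port, proto) in denied_services else "permit"


def run_gateway(packets=SAMPLE_PACKETS, rules=RULES):
    """Apply the address filter and keep the counters a gateway can maintain."""
    per_src = Counter()      # accounting: packets seen from each source host
    per_action = Counter()   # accounting: packets forwarded vs. dropped on this interface
    forwarded = []
    for src, dst, proto, port in packets:
        action = address_filter(src, dst, rules)
        per_src[src] += 1
        per_action[action] += 1
        if action == "permit":
            forwarded.append((src, dst, proto, port))
    return forwarded, per_src, per_action
```

Note that `forwarded` carries both the FTP and the Telnet packet from 10.1.0.5: the address filter permits the host, not the service, which is exactly the limitation the replies above describe.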
Here are some answers, or directions, for the questions raised, but
from an ISO context:
The ISO OSI Management Framework, a draft appendix to the OSI Reference
Model, defines five missions in OSI management: configuration,
fault, performance, security, and accounting management. This is
an architectural definition of the problem, not an implementation
specification. Associated with this architecture are the
Common Management Information Service (CMIS)
and the Common Management Information Protocol (CMIP)
definitions, which describe mechanisms for management entities to
exchange general management information.
There is a subtle distinction between "security" and
"security management". Such mechanisms as link or end-to-end
encryption are security mechanisms,
part of the data link or transport layer definitions.
If these mechanisms are not implemented,
there is no need to manage them and thus no
need for security management. Once you decide to have them, security
management then logically should exist to provide such supporting
services as breach attempt logging, key distribution, etc. Similar
distinctions apply in accounting; accounting data collection is
a layer function, but data distribution is a management function.
> 1) Access control:
>On a system level: How do I go about restricting the use of users
> from using Tcp/Ip?
>On a gateway level: If I have a gateway (say something like Bridge
> or cisco) do I have any capability of performing any sort of access
> control? If yes, is this access control based on connected machines
> or can I even exercise access control on a user level (i.e. restrict
> FTP or TELNET to a certain group of users on a certain machine).
Association Control Service Elements (ACSE, formerly CASE), a layer 7
function, does deal with access control to OSI applications. Other applications,
such as FTAM (File Transfer, Access, and Management) do have
their own access control mechanisms, including optional anonymous
user access.
> 2) Accounting:
> System level: Is there any accounting package that can measure things
> like packet transfer (FTP always tells you how many Kb/sec you sent
> so it isn't impossible to figure out) levels and
> Telnet connect time?
ANSI standards X3.102 and X3.141, the latter in publication,
define general models for describing such things as packet transfer
time; draft ANSI work in the T1Q1.3 committee and the Question 29
Rapporteur's group in CCITT Study Group VII also are dealing
with such problems. Neal Seitz, at the U.S. Commerce Department's
Institute for Telecommunications Sciences in Boulder, CO,
is the chair of the latter groups and a major author of the
preceding standards. He has some public domain software available
from his group (telephone 303-497-3106; I don't have a net address).
> Gateway level: Is there some gateway or monitoring PC that can do
> accounting? Is the accounting per system or can it be broken down
> per user (I assume very difficult to do)?
There are general, hardware-based monitoring systems which can
do this. They are not cheap, and the mindset of their sales
forces is primarily dealing with response time measurement
in IBM 3270 and similar environments. Nevertheless,
systems made by Tesdata (also the OEM for Infinet and Paradyne),
Avant-Garde, and Dynatech do have some ability to track
applications, users, or other high-level entities. Several
years ago, I did the first Tesdata design, and know that
it's quite internally capable of tracking network addresses,
user ID's, etc.