TCP Wrappers: Part 2
Last week, we had a look at the concept of TCP Wrappers from the theoretical perspective. As we have already mentioned, TCP Wrappers isn't meant to provide the security measures you would want for an enterprise network, but it surely does fall into the greater scheme of rule sets that would make up a comprehensive strategy to protect one. The author of TCP Wrappers mentions this, stating that TCP Wrappers could be used along with a firewall box on your corporate gateway with a minimum of services running. While building a firewall, we suggest that you pipe all the firewall logging off the gateway. Although complicated to set up, this is the best way to secure your logs in case your firewall machine is compromised.
With the TCP Wrapper package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services. It supports both 4.3BSD-style sockets and System V.4-style TLI. Count yourself lucky if you don't know what that means.
The package provides tiny daemon wrapper programs that can be installed without any change to the existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service. They neither exchange information with the client or server applications nor impose overhead on the actual conversation between them.
Optional features include:
·Access control to restrict what systems can connect to what network daemons
·Client user name lookups with the RFC 931 etc. protocol
·Additional protection against hosts that pretend to have someone else’s host name or address
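As an added illustration (not code from the TCP Wrappers package), the Python below evaluates the kind of access control the first and third points describe: hosts_access(5)-style `daemon_list : client_list` lines in the order hosts.allow, then hosts.deny, plus a forward/reverse name-consistency check against a spoofed host name. The rule text, host names and addresses are constructed sample input; the forward_lookup dict stands in for a DNS query, and the matcher handles IPv4 patterns only.

```python
import ipaddress

# Constructed sample rule files (not any real host's configuration).
SAMPLE_ALLOW = "sshd, in.ftpd : 10.0.0.0/255.255.255.0, .corp.example\nin.fingerd : LOCAL\n"
SAMPLE_DENY = "ALL : ALL\n"   # refuse anything not explicitly allowed

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs (IPv4 only)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            daemons, clients = line.split(":", 1)
            rules.append(([d.strip() for d in daemons.split(",")],
                          [c.strip() for c in clients.split(",")]))
    return rules

def match_token(pattern, value):
    """Match one pattern against a daemon name, client host name or client address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                        # host name without a dot
        return "." not in value
    if pattern.startswith("."):                   # domain suffix, e.g. .corp.example
        return value.endswith(pattern)
    if pattern.endswith("."):                     # address prefix, e.g. 10.0.0.
        return value.startswith(pattern)
    if "/" in pattern:                            # net/mask form
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                        # value is a host name, not an address
            return False
    return pattern == value

def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (any(match_token(p, daemon) for p in daemons) and
            any(match_token(p, host) or match_token(p, addr) for p in clients))

def access_decision(daemon, host, addr, allow=SAMPLE_ALLOW, deny=SAMPLE_DENY):
    """hosts_access(5) order: an allow match grants, then a deny match refuses, else grant."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny)):
        return False
    return True

def name_is_consistent(host, addr, forward_lookup):
    # Anti-spoofing check: the name found for addr must resolve back to addr.
    return addr in forward_lookup.get(host, ())   # dict stands in for a DNS query
```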
The programs are portable. 'Build' procedures are provided for many common (and not so common) environments, and guidelines are a great help in case your environment is not among them.
The requirements are:
·Network daemons should be spawned by a super server such as inetd
·A 4.3BSD-style socket programming interface and/or System V.4-style TLI programming interface
·Availability of a syslog(3) library and of a syslogd(8) daemon
The wrappers should run without modification on any system that satisfies these requirements. Workarounds have been implemented for several common bugs in systems software.
TCP Wrapper vulnerabilities