Paranoid TCP

Status
This document describes current policy.

Content

Overview

When a client connects to an AcIS-managed Solaris host, the IP address of the client is examined by TCP Wrappers, a program that restricts access to network services based on the origin of the connection. IP addresses can be spoofed and DNS can be subverted, so this examination is not a complete defence on its own; it is one step in a multi-layered security process that helps reduce the number of malicious connections reaching AcIS servers.

The process works like this:

  1. The client IP address (eg: 128.59.59.134) is determined from the connection.
  2. The numerical address is looked up in reverse DNS to obtain a hostname (eg: aloha.cc.columbia.edu).
  3. That hostname is looked up in forward DNS, and the addresses returned must include the IP address obtained in step #1.

If step #3 fails, the connection is rejected. The reason for this rejection is that certain services on the AcIS network are restricted by hostname. An attacker who controls the reverse DNS for a block of addresses could configure the lookup in step #2 to return the name of a privileged host. Step #3 defeats this: the forward lookup of that name is answered by the zone that legitimately owns the name, not by the attacker, so the address it returns is the privileged host's real address, which cannot be the originating address if the connection comes from outside the AcIS network. A client whose address has no reverse name at all is not treated as a mismatch; it is simply a host with no name, and so cannot match any rule that grants access by hostname.
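The three-step check above, written out as an added example (this is not code from the original page, nor TCP Wrappers' own implementation): a small Python function that performs the forward-confirmed reverse lookup and classifies the result the way tcpd does. Because the verdict depends only on the two lookups, the resolver is passed in as a pair of callables, so the example runs offline against a constructed DNS table; the 128.59.59.134 / aloha.cc.columbia.edu pair is the page's own example, while the 10.0.192.x addresses, 192.0.2.7 and 192.0.2.8 (TEST-NET-1) and the names ghost.example.net and dynamic-customer.isp.net are invented for the failure cases and are not real hosts. The `system_reverse` and `system_forward` helpers show the same check against the live resolver.

```python
"""Forward-confirmed reverse DNS check, the test behind TCP Wrappers' PARANOID
wildcard. Added example, not the page's or tcpd's own code."""
import socket
from typing import Callable, Iterable, Optional, Set, Tuple

# Constructed lookup tables that stand in for the DNS so the example runs
# offline. Only the aloha.cc.columbia.edu pair comes from the page; the rest
# are invented (10.0.192.x is private space, 192.0.2.x is TEST-NET-1).
SAMPLE_PTR = {                                    # reverse zones: address -> name
    "128.59.59.134": "aloha.cc.columbia.edu",    # honest reverse record
    "10.0.192.34": "dynamic-customer.isp.net",   # ISP's reverse record is wrong
    "192.0.2.7": "aloha.cc.columbia.edu",        # attacker's zone claims a privileged name
    "192.0.2.8": "ghost.example.net",            # reverse name with no forward record
    # 10.0.192.35 deliberately has no PTR record at all
}
SAMPLE_A = {                                      # forward zones: name -> addresses
    "aloha.cc.columbia.edu": {"128.59.59.134"},   # answered by columbia.edu, not the attacker
    "dynamic-customer.isp.net": {"10.0.192.1"},   # does not include 10.0.192.34
}


def table_reverse(ip: str) -> Optional[str]:
    """Step 2 against the constructed table: PTR lookup, None if no record."""
    return SAMPLE_PTR.get(ip)


def table_forward(name: str) -> Set[str]:
    """Step 3 against the constructed table: A lookup, empty set if no record."""
    return set(SAMPLE_A.get(name, ()))


def system_reverse(ip: str) -> Optional[str]:
    """Step 2 against the live resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:            # socket.herror / gaierror: no PTR record
        return None


def system_forward(name: str) -> Set[str]:
    """Step 3 against the live resolver; collects every A/AAAA answer."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:            # socket.gaierror: name does not resolve
        return set()


def paranoid_check(client_ip: str,
                   reverse: Callable[[str], Optional[str]] = system_reverse,
                   forward: Callable[[str], Iterable[str]] = system_forward,
                   ) -> Tuple[str, str]:
    """Classify a client address the way tcpd does.

    Returns (verdict, explanation), where verdict is one of:
      "OK"       - the name maps back to the client address (step 3 succeeds)
      "UNKNOWN"  - no reverse name; tcpd treats the host as nameless, not as a
                   liar, so rules that grant access by hostname never match it
      "PARANOID" - a reverse name exists but does not resolve back to the
                   client address; the connection is rejected
    """
    name = reverse(client_ip)                      # step 2
    if name is None:
        return "UNKNOWN", f"{client_ip} has no reverse name"
    addrs = set(forward(name))                     # step 3
    chain = f"{client_ip} -> {name} -> {sorted(addrs) or 'no address'}"
    if client_ip in addrs:     # any one matching address satisfies the check
        return "OK", chain
    return "PARANOID", chain + f", which does not include {client_ip}"


def check_samples() -> dict:
    """Verdict for every constructed client, including the record-less one."""
    clients = sorted(SAMPLE_PTR) + ["10.0.192.35"]
    return {ip: paranoid_check(ip, table_reverse, table_forward)[0] for ip in clients}


if __name__ == "__main__":
    for ip in sorted(SAMPLE_PTR) + ["10.0.192.35"]:
        verdict, why = paranoid_check(ip, table_reverse, table_forward)
        print(f"{verdict:9} {why}")
```

In TCP Wrappers itself this is the PARANOID wildcard of hosts_access(5): a tcpd built with -DPARANOID drops a mismatched client before the access tables are consulted at all, and otherwise a line `ALL: PARANOID` in /etc/hosts.deny rejects it. Note the asymmetry the example makes visible: a stale or forged reverse record is rejected, but an address with no reverse record at all merely has no name, which is why removing the bad PTR record is an acceptable fix.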

A mismatch of this kind can only be corrected by the client's Internet Service Provider, which controls the reverse DNS for the address; AcIS cannot fix it from our side. The affected user should ask the ISP to correct the records, and the sample message below can be used for that request.

Sample ISP Message

Dear ISP,

Your customer joebob attempted to connect to our servers from your
service.  While joebob is an authorized user of our network, we were
required by policy to reject joebob's connection because it came from
a network where reverse DNS is not accurately provided.

Your customer connected from 10.0.192.34.  A reverse lookup of this
address returns the name dynamic-customer.isp.net.  However, a forward
lookup of dynamic-customer.isp.net does not return 10.0.192.34.  Such a
mismatch is indistinguishable from an attack (whoever controls the
reverse zone for an address could return the name of a host on our own
network, or on any network other than the true origin), so we cannot
permit the connection.

In order to fix this problem and allow your customer to connect to our
servers, you must do one of the following:

 1. Remove the name from the IP address so that no name is found
    when 10.0.192.34 is looked up.

 2. Correctly map the name back to its IP address.  For example,
    10.0.192.34 would map to dynamic-192-34.isp.net, which would
    map back to, and only to, 10.0.192.34.

On behalf of your customer, we appreciate your assistance in securing
the network.

Love,
AcIS