 |  |
Appendix B. Tools
Contents:
Authentication ToolsAnalysis Tools
Packet Filtering Tools
Proxy Systems Tools
Daemons
Utilities
Although we have used most of the software listed here, we can't take responsibility for ensuring that the copy you get will work properly and won't cause any damage to your system. As with any software, test it before you use it.
any packages have verifiable digital signatures; the software supplier provides a cryptographic checksum for the package that has been encrypted with the supplier's private key. You can verify that you have the correct package by decrypting the checksum with the supplier's public key and calculating the checksum on the package yourself, and making sure that they match. We encourage you to take the trouble to use these signatures when you are dealing with security-sensitive software. Many people have distributed booby-trapped versions of popular software packages.
B.1. Authentication Tools
The tools in this category provide support for various types of authentication. See Chapter 21, "Authentication and Auditing Services", for information about different authentication approaches.B.1.1. TIS Internet Firewall Toolkit (FWTK)
ftp://ftp.tis.com/pub/firewalls/toolkit/The TIS Internet Firewall Toolkit (TIS FWTK), from Trusted Information Systems, is a very useful, well-designed, and well-written set of programs you might find useful for authentication and other purposes. It includes:
- An authentication server that provides several mechanisms for supporting nonreusable passwords (described in Chapter 21, "Authentication and Auditing Services")
- An access control program, netacl (described in Chapter 11, "Unix and Linux Bastion Hosts")
- Proxy servers for a variety of protocols (FTP, HTTP, Gopher, rlogin, Telnet, and X11) (described in Chapter 9, "Proxy Systems")
- A generic proxy server for simple TCP-based protocols using one-to-one or many-to-one connections, such as NNTP (described in Chapter 9, "Proxy Systems")
- A wrapper (the smap package) for SMTP servers such as Sendmail to protect them from SMTP-based attacks (described in Chapter 16, "Electronic Mail and News")
- A wrapper for inetd-started servers such as telnetd and ftpd to control where they can be contacted from (much like the TCP Wrapper package described later in this appendix and in Chapter 11, "Unix and Linux Bastion Hosts")
Some parts of the toolkit (the server for the nonreusable password system, for example) require a Data Encryption Standard (DES) library in some configurations. If your system doesn't already have one (look for a file named libdes.a in whatever directories code libraries are kept on your system), you can get one from:
ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/TIS FWTK maintains a mailing list for discussions of improvements, bugs, fixes, and other issues among people using the toolkit; Send email to [email protected] to subscribe to this list.
B.1.2. Kerberos
ftp://athena-dist.mit.edu/pub/kerberos/ftp://coast.cs.purdue.edu/pub/tools/unix/kerberos/Kerberos was developed by Project Athena at the Massachusetts Institute of Technology. From the Kerberos Frequently Asked Questions (FAQ) file:
Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data-stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.
|  | |
| A.9. Books |  | B.2. Analysis Tools |
