Specifications

Network Security
Local security is concerned with keeping the different users of one system apart
from each other, and in particular from root. Network security, on the other hand,
means protecting the system from attacks that originate in the network.
The typical login procedure, which requires a user name and a password for user
authentication, is a local security issue. In the particular case of logging in
over a network, however, we need to distinguish between the two aspects:
everything that happens up to the actual authentication is network security, and
everything that happens afterwards is local security.
X Window System (X11 authentication)
As mentioned at the beginning, network transparency is one of the central
characteristics of a UNIX system. X11, the windowing system of UNIX operating
systems, makes impressive use of this feature. With X11, it is basically no
problem to log in at a remote host and start a graphical program there whose
output is then sent over the network to be displayed on your computer. The
protocol spoken between the X application (the client) and the X server (the
local process that draws the windows with the help of your video card) is
relatively lightweight as far as bandwidth usage is concerned, because it was
designed in the eighties, when network bandwidth was still a scarce resource.
Now if we want an X client to be displayed remotely using our X server, the
latter is supposed to protect the resource it manages (i. e. the display) from
unauthorized access. In more concrete terms, the client program must be granted
permission to use the display. The X Window System offers two ways to do this,
called host-based access control and cookie-based access control. The former
relies on the IP address of the host on which the client is supposed to run; the
program that controls it is xhost. What xhost does is enter the IP address of a
legitimate client host into a small access list kept by the X server. Note,
however, that relying on IP addresses for authentication is not very secure:
the permission is granted to the whole host, not to a user. If there were a
second user working on the host that sends the client program, that user would
have full access to the X server as well, just like someone spoofing that IP
address. Because of these shortcomings, we will not describe this
authentication method in more detail here, but you can learn how it functions
by reading the man page of xhost, which includes a similar warning.
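To make the two access-control methods concrete, here is an added example in Python; it is not code from the original page or from the X.Org project. It parses and writes the binary ~/.Xauthority format that xauth maintains, builds the connection-setup request an X client sends together with its MIT-MAGIC-COOKIE-1 cookie, and shows the server-side decision: a peer whose host is on the xhost list is admitted without presenting any cookie at all, which is exactly the weakness just described, whereas cookie-based access requires the secret value. The record layouts follow the X11 protocol and the Xau file format; the host name `workstation`, the peer address, the cookie bytes, the function names and the reason strings are the example's own constructions.

```python
import hmac
import struct

# Address families in an Xauthority record (values from the Xauth headers).
FAMILY_INTERNET = 0      # address is a raw 4-byte IPv4 address
FAMILY_LOCAL = 256       # address is the local host name (UNIX-domain socket)
FAMILY_WILD = 65535      # matches any family and address
MIT_MAGIC_COOKIE_1 = b"MIT-MAGIC-COOKIE-1"


def _field(buf, pos):
    """Read one 2-byte big-endian length-prefixed field starting at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated Xauthority record")
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n


def parse_xauthority(data):
    """Parse the binary ~/.Xauthority format (as written by xauth) into dicts."""
    entries, pos = [], 0
    while pos < len(data):
        (family,) = struct.unpack_from(">H", data, pos)
        entry, pos = {"family": family}, pos + 2
        for key in ("address", "number", "name", "cookie"):   # number = display, ASCII
            entry[key], pos = _field(data, pos)
        entries.append(entry)
    return entries


def encode_xauthority(entries):
    """Inverse of parse_xauthority: serialise entries as xauth would write them."""
    out = b""
    for e in entries:
        out += struct.pack(">H", e["family"])
        for key in ("address", "number", "name", "cookie"):
            out += struct.pack(">H", len(e[key])) + e[key]
    return out


def find_cookie(entries, family, address, display_number):
    """Pick the (protocol name, cookie) the client library would use for a display."""
    for e in entries:
        if e["number"] == str(display_number).encode() and (
                e["family"] == FAMILY_WILD
                or (e["family"] == family and e["address"] == address)):
            return e["name"], e["cookie"]
    return None


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


def build_setup_request(auth_name, auth_data, lsb_first=True):
    """Client side: the connection-setup message that opens every X connection."""
    fmt = "<" if lsb_first else ">"
    msg = (b"l" if lsb_first else b"B") + b"\0"                 # byte order, pad
    msg += struct.pack(fmt + "HHHH", 11, 0, len(auth_name), len(auth_data))
    return msg + b"\0\0" + _pad4(auth_name) + _pad4(auth_data)  # pad, name, data


def check_cookie(request, known_cookies):
    """Server side of cookie-based access: parse the request, verify the secret.
    known_cookies maps protocol name -> valid cookie values; reason strings are ours."""
    if len(request) < 12 or request[:1] not in (b"l", b"B"):
        return False, "malformed setup request"
    fmt = "<" if request[:1] == b"l" else ">"
    major, _minor, n, d = struct.unpack_from(fmt + "HHHH", request, 2)
    data_off = 12 + n + (-n % 4)           # name is padded to a multiple of 4
    if major != 11 or data_off + d > len(request):
        return False, "malformed setup request"
    name, data = request[12:12 + n], request[data_off:data_off + d]
    if name != MIT_MAGIC_COOKIE_1:
        return False, "no or unsupported authorization protocol"
    # Constant-time compare: a plain == would leak cookie bytes through timing.
    if any(hmac.compare_digest(c, data) for c in known_cookies.get(name, [])):
        return True, "cookie accepted"
    return False, "cookie mismatch"


def server_accept(peer, request, xhost_list, known_cookies):
    """An xhost entry admits every user of that host (and anyone spoofing its
    address) with no cookie at all; anyone else must present a matching cookie."""
    if peer in xhost_list:
        return True, "host-based: peer is on the xhost list"
    return check_cookie(request, known_cookies)


def demo():
    """Run both sides over constructed data (not a real cookie, host or address)."""
    cookie = bytes.fromhex("8f0c2ad1b4e63c7a9d0e1f2a3b4c5d6e")
    entries = [{"family": FAMILY_LOCAL, "address": b"workstation", "number": b"0",
                "name": MIT_MAGIC_COOKIE_1, "cookie": cookie}]
    blob = encode_xauthority(entries)                  # contents of ~/.Xauthority
    name, data = find_cookie(parse_xauthority(blob), FAMILY_LOCAL, b"workstation", 0)
    known, peer = {MIT_MAGIC_COOKIE_1: [cookie]}, (FAMILY_INTERNET, b"\x0a\x00\x00\x05")
    return {
        "right cookie": server_accept(peer, build_setup_request(name, data), [], known)[0],
        "wrong cookie": server_accept(peer, build_setup_request(name, bytes(16)), [], known)[0],
        "no cookie, host on xhost list":
            server_accept(peer, build_setup_request(b"", b""), [peer], known)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-30s %s" % (case, "ACCEPT" if ok else "REJECT"))
```

The third case of `demo()` is the xhost problem in one line: the server never looks at the setup request once the peer's address is on the list, so every user on that host, or anyone who can send packets with that source address, gets the display. The cookie path, by contrast, only admits whoever can read the 16 secret bytes from the Xauthority file, which is why that file must stay mode 0600 and why the comparison is done in constant time.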
In the case of cookie-based access control, a character string is generated
which is only known to the X server and to the legitimate user, just like an
202 Security and Confidentiality