HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
invoked with UNKNOWN arguments, as process with
pid 22125 and ppid 22124 and running with
effective uid=101 and with effective gid=10
See “Limitations” (page 139) for details.
Using HP-UX HIDS with IPFilter and SecureShell
The HP-UX implementation of the IPFilter firewall system can be configured to allow
communication among the HP-UX HIDS administration and agent systems. IPFilter is
a stateful system that maintains the state of communications across multiple packets
or that monitors (proxies) an entire TCP/UDP session.
This section contains a sample set of the IPFilter rules that are needed to enable
communication among the HP-UX HIDS components. The IPFilter configuration for
HP-UX HIDS can be helpful for configuring another vendor’s firewall to allow proper
communication among the HP-UX HIDS components.
IPFilter rules for HP-UX HIDS
This is a sample set of IPFilter rules needed to enable HP-UX HIDS. If you use a firewall
other than IPFilter, the explanation presented here should give you enough pointers
to set up your own firewall rules.
1. HP-UX HIDS agent listens on port hpidsagent (2985) for incoming connections
initiated by HP-UX HIDS System Manager on a remote host.
If the host running IPFilter is also running an HP-UX HIDS agent, allow
incoming connections initiated by the HP-UX HIDS System Manager.
pass in quick proto tcp from any to any port = hpidsagent keep state
2. HP-UX HIDS System Manager listens on port hpidsadmin (2984) for incoming
connections initiated by HP-UX HIDS agents.
If the host running IPFilter is also running an HP-UX HIDS System Manager, then
allow incoming connections initiated by HP-UX HIDS agents.
pass in quick proto tcp from any to any port = hpidsadmin keep state
3. HP-UX HIDS System Manager uses ephemeral ports to send requests to agent
host’s port hpidsagent. Also, HP-UX HIDS agents use ephemeral ports to send
responses to the System Manager host’s port hpidsadmin.
To allow communications back to these ephemeral ports, use the “keep state”
rule in IPFilter.
pass out quick proto tcp all keep state
4. Allow DNS queries by HP-UX HIDS agents and the HP-UX HIDS System
Manager.
pass out quick proto udp all keep state
5. Since the HP-UX HIDS System Manager requires X11 connections, which can and
should be forwarded over the secure channel with SecureShell, allow SecureShell
incoming connections.
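Not from the guide: an added Python model of how IPFilter's first-match ("quick") evaluation and "keep state" tracking let rules 1, 3 and 4 above carry HIDS traffic on a host that runs only an agent, and how the inbound reply to an ephemeral port would be dropped without "keep state". It is a simplification (no TCP flag or timeout handling); the trailing "block in all" default, the host names and the ephemeral port numbers are assumptions constructed for this example.

```python
SERVICES = {"hpidsagent": 2985, "hpidsadmin": 2984}  # service names used in the guide
def parse_rule(text):
    """Parse the ipf.conf subset used above (action, dir, quick, proto, port, keep state)."""
    t = text.split()
    rule = {"action": t[0], "dir": t[1], "quick": "quick" in t, "dport": None,
            "proto": t[t.index("proto") + 1] if "proto" in t else None,
            "keep_state": "state" in t}
    if "port" in t:  # form: "port = <name|number>"
        p = t[t.index("port") + 2]
        rule["dport"] = SERVICES[p] if p in SERVICES else int(p)
    return rule

class IPFilter:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.state = set()  # flows admitted by a 'keep state' rule

    def filter(self, direction, proto, src, sport, dst, dport):
        """Return 'pass' or 'block'; replies to a tracked flow skip the rule list."""
        flow = (proto, src, sport, dst, dport)
        if flow in self.state or (proto, dst, dport, src, sport) in self.state:
            return "pass"
        matched = {"action": "pass", "keep_state": False}  # IPFilter's default
        for r in self.rules:  # 'quick' ends the search, otherwise last match wins
            if (r["dir"] != direction or (r["proto"] and r["proto"] != proto)
                    or (r["dport"] and r["dport"] != dport)):
                continue
            matched = r
            if r["quick"]:
                break
        if matched["action"] == "pass" and matched["keep_state"]:
            self.state.add(flow)
        return matched["action"]
# Rules 1, 3 and 4 for an agent-only host, plus an assumed inbound default-deny.
AGENT_HOST_RULES = [
    "pass in quick proto tcp from any to any port = hpidsagent keep state",
    "pass out quick proto tcp all keep state",
    "pass out quick proto udp all keep state",
    "block in all"]
def agent_host_verdicts():
    fw = IPFilter(AGENT_HOST_RULES)  # host names and ephemeral ports are constructed
    return {
        "mgr_to_agent_2985": fw.filter("in", "tcp", "mgr", 40000, "agent", 2985),
        "agent_reply_to_mgr": fw.filter("out", "tcp", "agent", 2985, "mgr", 40000),
        "agent_to_mgr_2984": fw.filter("out", "tcp", "agent", 41000, "mgr", 2984),
        "mgr_reply_to_agent": fw.filter("in", "tcp", "mgr", 2984, "agent", 41000),
        "dns_query": fw.filter("out", "udp", "agent", 42000, "dns", 53),
        "dns_reply": fw.filter("in", "udp", "dns", 53, "agent", 42000),
        "unsolicited_to_2984": fw.filter("in", "tcp", "x", 50000, "agent", 2984)}
```

The unsolicited connection to hpidsadmin is blocked because the agent-only host carries no rule 2; dropping "keep state" from the outbound rule makes the System Manager's reply to the agent's ephemeral port hit the default-deny instead.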
Troubleshooting 279