Your authorization file may use rules to activate EtherGuard for additional protection against potentially vulnerable computers, including those with insecure dial-up access. For an overview of EtherGuard's basic features, see Section .
EtherGuard consists of two main components: the first component is more general and resolves host addresses for all machines. The second component secures those personal computer hosts which have potential modem connections.
Since every network device on your network has an identifiable hardware address, your authorization file can map physical addresses to IP addresses for authorized hosts on your local network. The mapping is specified by entering a source host in the following format:
hostname=ab:cd:ef:gh:ij:kl allow host1, host2
The `=' is followed by octet pairs which identify the host's network interface board's physical address. Use of the octet pairs signals EtherGuard to verify the host's mapping to a specified Ethernet address using the Address Resolution Protocol (ARP). This option only works for machines which are physically connected to the same network or subnet as the Eagle, since the ARP protocol cannot pass through network routers. EtherGuard cannot be used to identify and limit hosts on remote networks or subnets; the Eaglet network partitioner, however, can implement EtherGuard in other subnets.
Since PCs are inherently vulnerable (users can easily change the IP address, for example), we recommend that you include EtherGuard rules for all PCs in your network.
EtherGuard can also protect your network against access from personal computers on the network which have dial-in modem connections. The format of the source hostname may be modified by adding a `@' character to the end of the PC's host name, and following it with the octet pairs, as illustrated below. The `@' character signals EtherGuard that the machine may have dial-in modem connections:
pchostname@=ab:cd:ef:gh:ij:kl allow host1, host2
EtherGuard uses special authentication for such a host, provided the PC is running Raptor Systems' modified, secure version of the NCSA telnet software. This software checks for a live modem connection and denies access if one is found. Thus, an outsider dialing into the PC would not be able to use the PC's network software to access the rest of your network or outside networks. PCs which do not have the modified NCSA telnet software are not granted network access when they are specified using `@'.
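The following is an added example, not code from Raptor Systems or the Eagle product, that models the two rule forms above as a policy check: it parses `hostname=MAC allow ...` and `pchostname@=MAC allow ...` lines, compares the hardware address learned through ARP against the rule, and applies the `@` conditions (modified NCSA telnet present, no live modem). The comment syntax, the case-insensitive matching, the `on_local_segment`, `secure_telnet` and `modem_live` inputs and the sample rules are all assumptions made for the example; real Ethernet addresses are six hex octets, so the parser requires hex rather than the page's `ab:cd:ef:gh:ij:kl` placeholder.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Grammar assumed from the two rule forms shown in the text:
#   hostname=ab:cd:ef:gh:ij:kl allow host1, host2
#   pchostname@=ab:cd:ef:gh:ij:kl allow host1, host2
# Real Ethernet addresses are six hex octets, so hex is required here.
RULE_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)"
    r"(?P<modem>@)?="
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"\s+allow\s+(?P<targets>.+?)\s*$"
)


@dataclass(frozen=True)
class Rule:
    host: str
    mac: str                  # normalized lower-case colon form
    may_have_modem: bool      # True when the rule carried the '@' marker
    allowed: Tuple[str, ...]  # destination hosts this source may reach


def normalize_mac(mac: str) -> str:
    """Lower-case a colon-separated MAC so comparisons are exact."""
    return mac.strip().lower()


def parse_rules(text: str) -> Dict[str, Rule]:
    """Parse authorization lines into a host -> Rule map.

    Blank lines and '#' comments are skipped (an assumption; the page does
    not describe comment syntax). Malformed or duplicate lines raise
    ValueError so a typo cannot silently drop a restriction.
    """
    rules: Dict[str, Rule] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognized rule: {raw!r}")
        host = m.group("host").lower()
        if host in rules:
            raise ValueError(f"line {lineno}: duplicate rule for {host}")
        targets = tuple(t.strip().lower()
                        for t in m.group("targets").split(",") if t.strip())
        rules[host] = Rule(host=host,
                           mac=normalize_mac(m.group("mac")),
                           may_have_modem=m.group("modem") is not None,
                           allowed=targets)
    return rules


def check_request(rules: Dict[str, Rule], src_host: str,
                  observed_mac: Optional[str], dest_host: str, *,
                  on_local_segment: bool = True,
                  secure_telnet: bool = False,
                  modem_live: bool = False) -> Tuple[str, str]:
    """Decide whether src_host may reach dest_host; returns (decision, reason).

    observed_mac is the hardware address learned via ARP for the source IP.
    secure_telnet / modem_live model what the modified NCSA telnet client
    reports for '@' hosts (assumed inputs for this example).
    """
    rule = rules.get(src_host.lower())
    if rule is None:
        return "deny", "no EtherGuard rule for source host"
    # ARP does not cross routers, so an off-segment host cannot be verified.
    if not on_local_segment or observed_mac is None:
        return "deny", "hardware address cannot be verified via ARP"
    if normalize_mac(observed_mac) != rule.mac:
        return "deny", "ARP address does not match rule (IP address may have been changed)"
    if rule.may_have_modem:
        if not secure_telnet:
            return "deny", "'@' host is not running the modified NCSA telnet"
        if modem_live:
            return "deny", "live modem connection detected on PC"
    if dest_host.lower() not in rule.allowed:
        return "deny", f"{dest_host} is not in the allow list"
    return "allow", "hardware address verified and destination permitted"


# Constructed sample authorization file (not taken from the page).
SAMPLE_RULES = """
# workstation with a fixed Ethernet address
alpha=00:11:22:33:44:55 allow mailhost, fileserver
# PC that may have a dial-in modem
pc12@=00:aa:bb:cc:dd:ee allow mailhost
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(check_request(rules, "alpha", "00:11:22:33:44:55", "mailhost"))
    print(check_request(rules, "alpha", "00:11:22:33:44:99", "mailhost"))
    print(check_request(rules, "pc12", "00:aa:bb:cc:dd:ee", "mailhost"))
    print(check_request(rules, "pc12", "00:aa:bb:cc:dd:ee", "mailhost",
                        secure_telnet=True))
```

The check is deliberately fail-closed: a host with no rule, a host whose ARP-learned address cannot be obtained because it sits behind a router, and a `@` host without the modified telnet client are all denied, matching the behaviour the text describes for each case.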