Integrate TCP Wrapper into Nutanix Security

Nutanix Integrated TCP Wrapper Security

The Nutanix Controller VM (CVM) integrates TCP Wrappers to add a further layer of protection by defining which hosts are, or are not, allowed to connect to "wrapped" network services. The TCP Wrappers packages, tcp_wrappers and tcp_wrappers-libs, are installed by default and provide host-based access control for network services.

The most important component within the package is the /lib/libwrap.so or /lib64/libwrap.so library.

In general terms, a TCP-wrapped service on the CVM is one that has been compiled against the libwrap.so library. When a connection attempt is made to a TCP-wrapped service, the service first consults the host access files /etc/hosts.allow and /etc/hosts.deny to determine whether the client is allowed to connect.

In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages.

If a client is allowed to connect, TCP Wrappers release control of the connection to the requested service and take no further part in the communication between the client and the server.

In addition to access control and logging, TCP Wrappers can execute commands to interact with the client before denying or releasing control of the connection to the requested network service.

TCP Wrapper Integration

The Nutanix Controller VM (CVM) uses the tcp_wrappers package so that daemons linked against libwrap can restrict which network subnets are permitted to connect to them.

By default, SCMA manages /etc/hosts.allow from the Salt state file /srv/salt/security/CVM/network/hosts.allow, which contains generic entries that allow access to NFS, secure shell, and SNMP.

The /srv/salt/security/CVM/network/hosts.allow file contains the following entries, which allow the listed services from any host (ALL):

sshd: ALL : ALLOW
rpcbind: ALL : ALLOW
snmpd: ALL : ALLOW
snmptrapd: ALL : ALLOW

Nutanix recommends changing the configuration above so that it includes only the localhost entries and the management network subnet for the restricted operations; this applies to both production and high-governance compliance environments.
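The decision order described above (hosts.allow consulted first, then hosts.deny, then an implicit allow) applied to the default entries and to a restricted configuration of the kind Nutanix recommends. This is an added Python example written for this page, not Nutanix code and not part of the tcp_wrappers package; it implements a subset of the libwrap matching rules (ALL, an exact address, a trailing-dot network prefix, and CIDR or dotted-netmask networks) and does not handle hostnames, EXCEPT lists or IPv6. The 10.10.0.0/24 management subnet and the hosts.deny contents are constructed sample values; substitute the real management network.

```python
import ipaddress

# Constructed sample of the default SCMA-managed entries: every service from any host.
WEAK_HOSTS_ALLOW = """\
sshd: ALL : ALLOW
rpcbind: ALL : ALLOW
snmpd: ALL : ALLOW
snmptrapd: ALL : ALLOW
"""

# Constructed restricted variant: localhost plus an assumed management subnet only.
HARDENED_HOSTS_ALLOW = """\
# localhost entries
ALL: 127.0.0.1 : ALLOW
# management network subnet (assumed value 10.10.0.0/24)
sshd: 10.10.0.0/24 : ALLOW
rpcbind: 10.10.0.0/24 : ALLOW
snmpd: 10.10.0.0/24 : ALLOW
snmptrapd: 10.10.0.0/24 : ALLOW
"""

# Constructed hosts.deny: without a catch-all here, an unmatched client is allowed.
HOSTS_DENY = """\
ALL: ALL : DENY
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients, option)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def _client_matches(pattern, client_ip):
    """True if an IPv4 client address matches one client pattern from the access file."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "10.10." matches 10.10.x.x
        return client_ip.startswith(pattern)
    if "/" in pattern:                        # CIDR "10.10.0.0/24" or "10.10.0.0/255.255.255.0"
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip               # exact host address


def _first_match(rules, daemon, client_ip):
    """Return (matched, option) for the first rule naming this daemon and client."""
    for daemons, clients, option in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
            _client_matches(c, client_ip) for c in clients
        ):
            return True, option
    return False, None


def is_allowed(daemon, client_ip, hosts_allow, hosts_deny):
    """Reproduce the libwrap decision order: hosts.allow, then hosts.deny, then default allow."""
    matched, option = _first_match(parse_rules(hosts_allow), daemon, client_ip)
    if matched:
        return option != "DENY"               # an ALLOW-file rule allows unless it says DENY
    matched, option = _first_match(parse_rules(hosts_deny), daemon, client_ip)
    if matched:
        return option == "ALLOW"              # a DENY-file rule denies unless it says ALLOW
    return True                               # no rule matched: libwrap permits the connection


def wildcard_daemons(hosts_allow):
    """Audit helper: daemons that hosts.allow opens to every client (client pattern ALL)."""
    return [d for daemons, clients, option in parse_rules(hosts_allow)
            if "ALL" in clients and option != "DENY" for d in daemons]


if __name__ == "__main__":
    for name, allow in (("default", WEAK_HOSTS_ALLOW), ("restricted", HARDENED_HOSTS_ALLOW)):
        print(name, "sshd from 203.0.113.9:", is_allowed("sshd", "203.0.113.9", allow, HOSTS_DENY))
        print(name, "sshd from 10.10.0.42:", is_allowed("sshd", "10.10.0.42", allow, HOSTS_DENY))
        print(name, "daemons open to ALL:", wildcard_daemons(allow))
```

The last assertion worth noting is the one on an empty hosts.deny: with the restricted hosts.allow alone, a client outside the management subnet is still admitted, because libwrap falls through to its default allow. A restricted hosts.allow is only effective together with a catch-all `ALL: ALL : DENY` in hosts.deny, and the wildcard_daemons check is a quick way to spot entries that still use the `ALL` client pattern after the change.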

Conclusion

Nutanix integrated TCP Wrapper security into the Controller VM (CVM) to take infrastructure security to the next level and provide a highly secure environment.
TCP Wrappers provide the flexibility to allow or deny a service for a specific host IP address or subnet.