Meeting Today’s Security Needs With IPsec VPN and IPFilter
Defense Against The Dark Arts
Presentation Overview
- IPFilter (firewall/NAT)
- IPsec (VPN)
What is IPFilter?
- Very popular open-source package, written by Darren Reed
- Runs on many UNIX/Linux versions, including all SCO platforms
- Version 4.1.3 ships with OSr600 and UW714mp2
- Version 3.4.24 ships with OSr507
- Provides: packet filtering (firewall) and network address translation (NAT)

Usage notes
- Filtering and NAT take place inside the kernel ("ipf" driver). There is no daemon.
- To configure, create configuration files, then run command-line utilities ("ipf", "ipnat", etc.) to load them into the kernel
- The system is normally configured at boot time, but can be reconfigured on the fly
Configuring a firewall
What is a "firewall"? A means of preventing packets from traversing a network if they violate the network's security policy

Creating a filter configuration file
- Run mkdev ipfilter on OSr5, OSr6
- Or, edit the file /etc/ipf.conf
- Then run ipf -v -Fa -f /etc/ipf.conf
Sample firewall configurations
To block spoofing:
```
pass in on net0 all
block in quick on net0 from 192.168.0.0/16 to any
block in quick on net0 from 10.0.0.0/8 to any
block in log quick on net0 from <mynetwork> to any
```
To block smurf attacks (drop packets addressed to the network and broadcast addresses):
```
block in quick on net0 from any to 20.20.20.0/32
block in quick on net0 from any to 20.20.20.255/32
```
To allow a single port:
```
pass in quick on net0 proto tcp from any to <myaddr>/32 port = 80
block in all
```
Sample firewall configurations
"keep state" and established connections:
```
block in quick on net0 all
pass out quick on net0 proto tcp from <myaddr>/32 to any keep state
pass out quick on net0 proto udp from <myaddr>/32 to any keep state
pass out quick on net0 proto icmp from <myaddr>/32 to any keep state
```
To log certain packets:
```
block in log quick on net0 from 20.20.20.0/24 to any
```
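To see why the rule order in the samples above works, here is an added Python model of IPFilter's evaluation (not IPFilter's own code): rules are scanned top to bottom, the last matching rule decides unless a matching "quick" rule ends the scan, and a flow recorded by "keep state" lets the reply packets in before any rule is read. The network 20.20.20.0/24 and host 20.20.20.5 are constructed stand-ins for <mynetwork> and <myaddr>.

```python
import ipaddress

# Added model of IPFilter rule evaluation (not IPFilter's own code): rules are
# scanned top to bottom, the LAST matching rule decides, except that a matching
# "quick" rule ends the scan at once. Packets that belong to a flow recorded by
# "keep state" are passed before the rules are consulted at all.
# 20.20.20.0/24 and 20.20.20.5 are constructed stand-ins for <mynetwork>/<myaddr>.
RULES_ANTISPOOF = """
pass in on net0 all
block in quick on net0 from 192.168.0.0/16 to any
block in quick on net0 from 10.0.0.0/8 to any
block in log quick on net0 from 20.20.20.0/24 to any
""".strip().splitlines()

RULES_ONE_PORT = """
pass in quick on net0 proto tcp from any to 20.20.20.5/32 port = 80
block in all
""".strip().splitlines()

RULES_STATEFUL = """
block in quick on net0 all
pass out quick on net0 proto tcp from 20.20.20.5/32 to any keep state
""".strip().splitlines()

def parse_rule(text):
    t = text.split()
    r = {"action": t[0], "dir": t[1], "log": "log" in t, "quick": "quick" in t,
         "iface": t[t.index("on") + 1] if "on" in t else None,
         "proto": t[t.index("proto") + 1] if "proto" in t else None,
         "src": "any", "dst": "any", "dport": None, "keep_state": "keep" in t}
    if "from" in t:
        r["src"], r["dst"] = t[t.index("from") + 1], t[t.index("to") + 1]
    if "port" in t:                       # accept both "port 80" and "port = 80"
        i = t.index("port") + 1
        r["dport"] = int(t[i + 1] if t[i] == "=" else t[i])
    return r

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and r["dport"] in (None, pkt.get("dport")))

def evaluate(rules, pkt, state):
    """Return (verdict, logged). `state` is a set of flow tuples kept across calls."""
    reply_of = (pkt["dst"], pkt["src"], pkt["proto"], pkt.get("dport"), pkt.get("sport"))
    if pkt["dir"] == "in" and reply_of in state:
        return "pass", False                # reply to a tracked outbound flow
    verdict, logged = "pass", False         # ipf passes packets that no rule matches
    for r in map(parse_rule, rules):
        if not rule_matches(r, pkt):
            continue
        verdict, logged = r["action"], r["log"]
        if verdict == "pass" and r["keep_state"]:
            state.add((pkt["src"], pkt["dst"], pkt["proto"], pkt.get("sport"), pkt.get("dport")))
        if r["quick"]:
            break
    return verdict, logged

def pkt(direction, src, dst, proto="tcp", sport=None, dport=None):
    """Build a constructed packet summary for the model above."""
    return {"dir": direction, "iface": "net0", "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}
```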
Monitoring the system
- ipfstat shows filter status and keeps statistics on network traffic on all interfaces, in and out
- ipmon shows logged packets in real time (can even include contents)
Configuring NAT
What is NAT? Modification of source and/or destination addresses of packets

Enables:
- Connecting a network of "unregistered" IP addresses to the internet
- Mapping a large address space to a smaller one
- LAN-wide change of IP addresses
- Temporary re-routing of a LAN
- Redirection of incoming connections
Enabling NAT
- Run mkdev ipfilter on OSr5, OSr6
- Or, edit /etc/ipnat.conf
- Then run ipnat -v -f /etc/ipnat.conf
Sample NAT configurations
To map a non-routable network to the internet:
```
map net0 192.168.100.0/24 -> <myaddr>/32
```
To do the same but with a dynamic address (run ipf -y each time the dynamic address changes):
```
map net0 192.168.100.0/24 -> 0/32
```
To redirect inbound traffic to a particular "natted" machine:
```
rdr net0 <myaddr>/32 port 80 -> 192.168.100.15 port 80 tcp
```
What is IPsec?
- Comprehensive data security architecture for IP and upper-level protocols
- Designed for (and obligatory on) IPv6. Optional on IPv4.
- Supported on OSR6, UW714
- SCO IPsec is based on KAME, an open source implementation for *BSD
Why IPsec?
- Code economy and flexibility: applications need not be aware of the security architecture
- Lower costs: can establish secure links (e.g. between home and branch offices) using public networks rather than private, dedicated circuits
What is IPsec?
IPsec provides:
- Confidentiality (encryption)
- Integrity (tampering detection)
- Access control
- Replay protection
- Source address authentication
- Virtual private network (VPN)
IPsec Modes
Transport (host to host)
- Only the original packet's payload is protected
- Traffic analysis can see IP protocol types and port numbers

Tunnel (network to network)
- All traffic protected
- IP packets fully encrypted and encapsulated within new IP packets
- Traffic analysis can only see encrypted data
IPsec Protocols
Four protocols:
- AH: Authentication Header
- ESP: Encapsulating Security Payload
- IPcomp: Compression
- IKE: Internet Key Exchange
AH: Authentication Header
- Provides data source authentication, replay protection, and integrity
- Does *not* provide encryption
- A new header, inserted between the IP header and the packet data, containing a cryptographically-secure checksum on the whole packet

```
Before:
---------------------------
| IP | TCP | DATA ...
---------------------------

After:
----------------------------------
| IP | AH | TCP | DATA ...
----------------------------------
```
ESP: Encapsulating Security Payload
- Provides payload encryption
- Can be used together with AH, but isn't ordinarily
- Provides most of the services of AH (doesn't account for the IP header)
ESP: Encapsulating Security Payload
A new header, similar to AH

```
Before:
---------------------------
| IP | TCP | DATA ...
---------------------------

After (transport mode):
------------------------------------------------------
| IP | ESP Hdr | TCP | DATA | ESP Trailer | ESP Auth |
------------------------------------------------------
               |<------ encrypted ------->|
     |<--------- authenticated ---------->|

Or (tunnel mode):
--------------------------------------------------------------
| New |         | Orig |     |      |             |          |
| IP  | ESP Hdr | IP   | TCP | DATA | ESP Trailer | ESP Auth |
| Hdr |         | Hdr  |     |      |             |          |
--------------------------------------------------------------
                |<---------- encrypted ---------->|
      |<------------- authenticated ------------->|
```
IPcomp: IP Compression
- Compresses data prior to encryption
- Needed because encryption makes data hard to compress
IPsec encryption algorithms
- Data integrity: MD5, SHA1, SHA2
- Confidentiality: AES, DES, 3DES, blowfish, cast128, RC4
- Modular design; can acquire new algorithms as they are developed
IKE: Internet Key Exchange
- Implemented by the user daemon racoon
- Runs as a UDP service, port 500
- Uses Diffie-Hellman key exchange to establish shared secrets on two systems
- Updates shared secrets as needed according to the Security Policy (e.g., every N hours, or every M bytes)
Security Associations (SA's) and the Security Association Database
- An SA represents a single active unidirectional "connection" between two endpoints
- Contains parameters controlling security and encryption: algorithm, key, etc.
- Stored in the SAD, which is controlled by ipseckey
Security Policies (SP's) and the Security Policy Database
- An SP defines the actions to take on packets that meet a given set of criteria (e.g., source or destination address/port, protocol, etc.)
- Like SA's, SP's are unidirectional: there must be separate IN and OUT SP's for each full-duplex connection
- Stored in the SPD, which is controlled by ipseckey
Configuring IPsec
Activating IPsec:
- edit /etc/conf/pack.d/inet/space.c and set "ipsec_enable" to 1
- run /etc/conf/bin/idbuild -M inet
- reboot the system

IPsec support utilities:
- ipseckey (aka setkey) to configure the SAD and SPD
- racoon for IKE
Manually setting keys (transport mode)
Create ipseckey files (e.g., /etc/inet/ipsec.cf) on the two hosts:
```
# associate ESP with the two systems; add SAD entries
add 10.10.1.100 10.10.2.100 esp 0x10001 -m transport -E 3des-cbc "scoforum2005scoforum2005" ;
add 10.10.2.100 10.10.1.100 esp 0x10002 -m transport -E 3des-cbc "scoforum2005scoforum2005" ;
# OPTIONAL: associate AH with the two systems
add 10.10.1.100 10.10.2.100 ah 0x10003 -m transport -A hmac-md5 "scoforumscoforum" ;
add 10.10.2.100 10.10.1.100 ah 0x10003 -m transport -A hmac-md5 "scoforumscoforum" ;
```
Manually setting keys (transport mode)
ipseckey files (continued):
```
# set the security policy for the two systems -- add SPD entries
# on the peer host, these lines must have "out" and "in" reversed
spdadd 10.10.1.100 10.10.2.100 any -P out ipsec
    esp/transport/10.10.1.100-10.10.2.100/require
    ah/transport/10.10.1.100-10.10.2.100/require ;
spdadd 10.10.2.100 10.10.1.100 any -P in ipsec
    esp/transport/10.10.2.100-10.10.1.100/require
    ah/transport/10.10.2.100-10.10.1.100/require ;
```
Clear the ipsec configuration if necessary:
```
# ipseckey -FP; ipseckey -F
```
Load the ipsec configuration:
```
# ipseckey -f /etc/inet/ipsec.cf
```
Test the configuration:
```
# tcpdump host <peer>
# netstat -nsp ipsec
```
Manually setting keys (tunnel mode)
- Same as transport mode, but with "transport" changed to "tunnel" in ipsec.cf
- Shows different behavior in tcpdump
Automated key management
Create psk.txt files on both hosts, such as:
```
10.10.1.100 scoforum2005scoforum2005
```
Create ipsec.conf files:
```
spdadd 10.10.2.100/32 10.10.1.100/32 all -P out ipsec
    esp/tunnel/10.10.2.100-10.10.1.100/require ;
spdadd 10.10.1.100/32 10.10.2.100/32 all -P in ipsec
    esp/tunnel/10.10.1.100-10.10.2.100/require ;
```
Automated key management
Create racoon.conf files:
```
path pre_shared_key "/etc/inet/psk.txt" ;
log debug;
remote anonymous {
    exchange_mode aggressive ;
    my_identifier address 10.10.2.100 ;
    lifetime time 1 hour ;  # sec,min,hour
    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
    # the following makes racoon (as a
    # responder) obey the initiator's
    # lifetime and PFS group proposal.
    # this makes testing easier.
    proposal_check obey;
}
sainfo anonymous {
    pfs_group 2;
    lifetime time 10 hour ;
    encryption_algorithm 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
```
Road Warrior mode
Create the ipsec.conf file on the server:
```
spdadd <myaddr> 0.0.0.0 any -P out ipsec
    esp/tunnel/<myaddr>-0.0.0.0/require;
spdadd 0.0.0.0 <myaddr> any -P in ipsec
    esp/tunnel/0.0.0.0-<myaddr>/require;
```
Create psk.txt on the server:
```
<domain name> scoforum2005scoforum2005
```
Road Warrior mode
Create racoon.conf files:
```
path pre_shared_key "/etc/inet/psk.txt" ;
timer {
    phase1 60 seconds ;
    phase2 60 seconds ;
}
remote anonymous {
    exchange_mode main, aggressive, base ;
    doi ipsec_doi ;
    situation identity_only ;
    lifetime time 1 hour ;
    generate_policy on;
    passive on;
    my_identifier address <myaddr> ;
    peers_identifier fqdn "<domain name>" ;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    proposal_check obey ;
}
sainfo anonymous {
    pfs_group modp1024;
    lifetime time 1 hour ;
    encryption_algorithm 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
```
Creating an IP tunnel for connecting two networks through a VPN
- Generic tunnel interfaces (ipencap) are not supported; planned for Fusion
- However, Morning Star PPP can create a tunnel between two OSr6 systems, or, with a bit more hassle, between OSr6 and any UNIX system with PPP and an open telnet port
IPsec and IPFilter together
To allow a VPN through a firewall, add IPFilter rules:
```
pass out on net0 from any to any keep state
pass in quick on net0 proto esp from any to any
pass in quick on net0 proto udp from any port = 500 to any port = 500
block in on net0 all
```
IPsec limitations
- Arcane
- Long development cycle (e.g. IKE)
- Interoperability problems
- Difficult to traverse NAT
SSL VPN
- Limited access control
- Poorer performance than IPsec
Future
- New IKEv2 protocol (racoon2)
- NAT traversal support (RFC3948, RFC3715)
- Generic IP-over-IP tunneling interfaces (ipencap)
Online resources - IPFilter
- SCO IP Filter documentation: http://osr600doc.sco.com/en/NET_tcp/ipfintro.html
- IP Filter website (with source): http://coombs.anu.edu.au/~avalon/
- IP Filter FAQ: http://www.phildev.net/ipf
- IP Filter HOWTO: http://www.obfuscation.org/ipf/
Online resources - IPsec
- SCO IPsec documentation: http://osr600doc.sco.com/en/NET_ipsec/ipsec_top.html
- KAME site (with source): http://www.kame.org
- IPsec related RFCs, 2401 - 2412:
  - http://www.ietf.org/rfc2401.txt - Security Architecture for IP
  - http://www.ietf.org/rfc2402.txt - Authentication Header
  - http://www.ietf.org/rfc2406.txt - Encapsulating Security Payload
  - http://www.ietf.org/rfc2407.txt - IPsec DoI for ISAKMP
  - http://www.ietf.org/rfc2408.txt - ISAKMP
  - http://www.ietf.org/rfc2409.txt - Internet Key Exchange
  - http://www.ietf.org/rfc2410.txt - NULL encryption algorithm
  - http://www.ietf.org/rfc2411.txt - IP Security Document Roadmap
  - http://www.ietf.org/rfc2412.txt - OAKLEY Key Determination Protocol