Meeting Today - PowerPoint PPT Presentation

About This Presentation
Title:

Meeting Today

Description:

Very popular open-source package, written by Darren Reed. Runs on many UNIX/Linux versions, ... Confidentiality: AES, DES, 3DES, blowfish, cast128, RC4 ... – PowerPoint PPT presentation

Slides: 43
Provided by: DeanZim

Transcript and Presenter's Notes

1
Meeting Today's Security Needs With IPsec VPN and
IPFilter
2
Defense Against The Dark Arts
3
Presentation Overview
  • IPFilter (firewall/NAT)
  • IPsec (VPN)

4
What is IPFilter?
  • Very popular open-source package, written by
    Darren Reed
  • Runs on many UNIX/Linux versions, including all
    SCO platforms
  • Version 4.1.3 ships with OSr600 and UW714mp2
  • Version 3.4.24 ships with OSr507
  • Provides
  • Packet filtering (firewall)
  • Network address translation (NAT)
  • Usage notes
  • Filtering and NAT take place inside kernel ("ipf"
    driver). There is no daemon.
  • To configure, create configuration files, then
    run command-line utilities ("ipf", "ipnat", etc)
    to load them into the kernel
  • System is normally configured at boot time, but
    can be reconfigured on the fly

5
Configuring a firewall
  • What is a "firewall"?
  • A means of preventing packets from traversing a
    network if they violate the network's security
    policy
  • Creating a filter configuration file
  • Run mkdev ipfilter on OSr5, OSr6
  • Or, edit file /etc/ipf.conf
  • Run ipf -v -Fa -f /etc/ipf.conf

8
Sample firewall configurations
  • To block spoofing
      pass in on net0 all
      block in quick on net0 from 192.168.0.0/16 to any
      block in quick on net0 from 10.0.0.0/8 to any
      block in log quick on net0 from <mynetwork> to any
  • To block smurf attacks
      block in quick on net0 from any to 20.20.20.0/32
      block in quick on net0 from any to 20.20.20.255/32
  • To allow a single port
      pass in quick on net0 proto tcp from any to <myaddr>/32 port = 80
      block in all

10
Sample firewall configurations
  • "keep state" and established connections
      block in quick on net0 all
      pass out quick on net0 proto tcp from <myaddr>/32 to any keep state
      pass out quick on net0 proto udp from <myaddr>/32 to any keep state
      pass out quick on net0 proto icmp from <myaddr>/32 to any keep state
  • To log certain packets
      block in log quick on net0 from 20.20.20.0/24 to any
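As an added illustration (not from the slides), a small Python model of how ipf walks the rule lists on slides 8 and 10: the last matching rule wins unless a match is marked "quick", a "log" match is what ipmon would report, and "keep state" lets replies back in before the rule list is consulted. The constructed addresses 203.0.113.0/24 and 203.0.113.5 stand in for <mynetwork> and <myaddr>; `parse_rule`, `matches` and `Filter` are names chosen here, not ipf's.

```python
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rule(text):  # the subset of ipf.conf syntax used on the slides
    t = text.split()
    r = dict(action=t[0], dir=t[1], quick="quick" in t, log="log" in t, keep="keep" in t,
             iface=None, proto=None, src=ANY, dst=ANY, dport=None)
    for i, tok in enumerate(t):
        if tok in ("on", "proto"):
            r["iface" if tok == "on" else "proto"] = t[i + 1]
        elif tok in ("from", "to"):
            net = t[i + 1]
            r["src" if tok == "from" else "dst"] = ANY if net == "any" else ipaddress.ip_network(net, strict=False)
        elif tok == "port":                      # written "port = 80" in ipf.conf
            r["dport"] = int(t[i + 2] if t[i + 1] == "=" else t[i + 1])
    return r

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"]) and r["dport"] in (None, p.get("dport"))
            and ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"])

class Filter:
    def __init__(self, rules):
        self.rules = [parse_rule(x) for x in rules]
        self.state = set()                       # 5-tuples created by "keep state"
        self.logged = []                         # packets a matching "log" rule reports

    def check(self, p):  # p: dict with dir, iface, proto, src, dst and optional sport/dport
        key = (p["proto"], p["src"], p.get("sport"), p["dst"], p.get("dport"))
        if key in self.state or (key[0], key[3], key[4], key[1], key[2]) in self.state:
            return "pass"                        # the state table beats the rule list
        verdict, winner = "pass", None           # ipf's usual compiled-in default
        for r in self.rules:
            if matches(r, p):
                verdict, winner = r["action"], r # last match wins ...
                if r["quick"]:
                    break                        # ... unless that match says "quick"
        if winner and winner["log"]:
            self.logged.append(p)                # what ipmon would display
        if winner and winner["keep"] and verdict == "pass":
            self.state.add(key)
        return verdict

SPOOF_RULES = [  # slide 8's rules; constructed 203.0.113.0/24 and .5 stand in for <mynetwork>/<myaddr>
    "pass in on net0 all", "block in quick on net0 from 192.168.0.0/16 to any",
    "block in quick on net0 from 10.0.0.0/8 to any", "block in log quick on net0 from 203.0.113.0/24 to any",
    "pass in quick on net0 proto tcp from any to 203.0.113.5/32 port = 80", "block in all"]
```

Feeding a packet to port 22 through SPOOF_RULES shows why the trailing "block in all" matters: the first "pass in ... all" matched, but it was not quick, so the later block wins.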

11
Monitoring the system
  • ipfstat
  • shows filter status, keeps statistics on network
    traffic on all interfaces, in and out
  • ipmon
  • shows logged packets in real time (can even
    include contents)

12
Configuring NAT
  • What is NAT?
  • Modification of source and/or destination
    addresses of packets
  • Enables
  • Connecting a network of "unregistered" IP
    addresses to the internet
  • Mapping a large address space to a smaller one
  • LAN-wide change of IP addresses
  • Temporary re-routing of a LAN
  • Redirection of incoming connections

13
Enabling NAT
  • Run mkdev ipfilter on OSr5, OSr6
  • Or, edit /etc/ipnat.conf
  • Run ipnat -v -f /etc/ipnat.conf

14
Sample NAT configurations
  • To map non-routable network to internet
      map net0 192.168.100.0/24 -> <myaddr>/32
  • To do the same but with a dynamic address
      map net0 192.168.100.0/24 -> 0/32
    (run ipf -y each time dynamic address is
    changed)
  • To redirect inbound traffic to a particular
    "natted" machine
      rdr net0 <myaddr>/32 port 80 -> 192.168.100.15 port 80 tcp

15
What is IPsec?
  • Comprehensive data security architecture for IP
    and upper-level protocols
  • Designed for (and obligatory on) IPv6. Optional
    on IPv4.
  • Supported on OSR6, UW714
  • SCO IPsec based on KAME, an open source
    implementation for BSD

16
Why IPsec?
  • Code economy and flexibility: applications need
    not be aware of the security architecture
  • Lower costs: can establish secure links (e.g.
    between home and branch offices) using public
    networks rather than private, dedicated circuits

17
What is IPsec?
  • IPsec provides
  • Confidentiality (encryption)
  • Integrity (tampering detection)
  • Access control
  • Replay protection
  • Source address authentication
  • Virtual private network (VPN)

18
IPsec Modes
  • Transport (host to host)
  • Only the original packet's payload is protected
  • Traffic analysis can see IP protocol types and
    port numbers
  • Tunnel (network to network)
  • All traffic protected
  • IP packets fully encrypted and encapsulated
    within new IP packets
  • Traffic analysis can only see encrypted data

19
IPsec Protocols
  • Four protocols
  • AH Authentication Header
  • ESP Encapsulating Security Payload
  • IPcomp Compression
  • IKE Internet Key Exchange

20
AH Authentication Header
  • Provides data source authentication, replay
    protection, and integrity
  • Does not provide encryption
  • A new header, inserted between IP header and
    packet data, containing a cryptographically-secure
    checksum on the whole packet
  • Before
      ---------------------------
      | IP | TCP | DATA ...     |
      ---------------------------
  • After
      ----------------------------------
      | IP | AH | TCP | DATA ...       |
      ----------------------------------

21
ESP Encapsulating Security Payload
  • Provides payload encryption
  • Can be used together with AH, but isn't
    ordinarily
  • Provides most of the services of AH (doesn't
    account for IP header)

22
ESP Encapsulating Security Payload
  • A new header, similar to AH
  • Before
      ---------------------------
      | IP | TCP | DATA ...     |
      ---------------------------
  • After (transport mode)
      ----------------------------------------------------------
      | IP | ESP Hdr | TCP | DATA ... | ESP Trailer | ESP Auth |
      ----------------------------------------------------------
                     <--------- encrypted --------->
           <-------------- authenticated ----------->
  • Or (tunnel mode)
      --------------------------------------------------------------------------------
      | New IP Hdr | ESP Hdr | Orig IP Hdr | TCP | DATA ... | ESP Trailer | ESP Auth |
      --------------------------------------------------------------------------------
                             <-------------- encrypted -------------->
                   <-------------------- authenticated -------------->

23
IPcomp IP Compression
  • Compresses data prior to encryption
  • Needed because encryption makes data hard to
    compress

24
IPsec encryption algorithms
  • Data integrity: MD5, SHA1, SHA2
  • Confidentiality: AES, DES, 3DES, blowfish,
    cast128, RC4
  • Modular design: can acquire new algorithms as
    they are developed

25
IKE Internet Key Exchange
  • Implemented by user daemon racoon
  • Runs as a UDP service, port 500
  • Uses Diffie-Hellman key exchange to establish
    shared secrets on two systems
  • Updates shared secrets as needed according to
    Security Policy (e.g., every N hours, or every M
    bytes)

26
Security Associations (SA's) and the Security
Association Database
  • An SA represents a single active unidirectional
    "connection" between two endpoints
  • Contains parameters controlling security and
    encryption - algorithm, key, etc
  • Stored in the SAD, which is controlled by ipseckey

27
Security Policies (SP's) and the Security Policy
Database
  • An SP defines the actions to take on packets that
    meet a given set of criteria (e.g., source or
    destination address/port, protocol, etc).
  • Like SA's, SP's are unidirectional: there must
    be separate IN and OUT SP's for each full-duplex
    connection
  • Stored in the SPD, which is controlled by ipseckey

28
Configuring IPsec
  • Activating IPsec
  • edit /etc/conf/pack.d/inet/space.c
  • set ipsec_enable to 1
  • /etc/conf/bin/idbuild -M inet
  • reboot the system
  • IPsec support utilities
  • ipseckey (aka setkey) to configure SAD, SPD
  • racoon for IKE

29
Manually setting keys (transport mode)
  • Create ipseckey files (e.g., /etc/inet/ipsec.cf)
    on two hosts
  • associate ESP with the two systems -- add
    SAD entries
      add 10.10.1.100 10.10.2.100 esp 0x10001 -m transport
          -E 3des-cbc "scoforum2005scoforum2005";
      add 10.10.2.100 10.10.1.100 esp 0x10002 -m transport
          -E 3des-cbc "scoforum2005scoforum2005";
  • OPTIONAL: associate AH with the two
    systems
      add 10.10.1.100 10.10.2.100 ah 0x10003 -m transport
          -A hmac-md5 "scoforumscoforum";
      add 10.10.2.100 10.10.1.100 ah 0x10003 -m transport
          -A hmac-md5 "scoforumscoforum";

30
Manually setting keys (transport mode)
  • ipseckey files (continued)
  • set the security policy for the two systems
    -- add SPD entries
  • on the peer host, these lines must have
    "out" and "in" reversed
      spdadd 10.10.1.100 10.10.2.100 any -P out ipsec
          esp/transport/10.10.1.100-10.10.2.100/require
          ah/transport/10.10.1.100-10.10.2.100/require;
      spdadd 10.10.2.100 10.10.1.100 any -P in ipsec
          esp/transport/10.10.2.100-10.10.1.100/require
          ah/transport/10.10.2.100-10.10.1.100/require;
  • Clear ipsec configuration if necessary
      ipseckey -FP
      ipseckey -F
  • Load ipsec configuration
      ipseckey -f /etc/inet/ipsec.cf
  • Test configuration
      tcpdump host <peer>
      netstat -nsp ipsec
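An added check (not from the slides, and not one of SCO's or KAME's tools) that parses the SAD entries from slides 29 and 30 the way ipseckey/setkey reads them and flags what typically goes wrong before "ipseckey -f" loads the file: a key whose length does not fit the algorithm, an SPI reused for the same destination, and a missing SA for the return direction. The key sizes are those setkey(8) documents for these algorithms; `parse_sad`, `check_sad` and `key_len` are names chosen here.

```python
import shlex

# Key sizes setkey(8) requires, in bytes, for the algorithms on the slides plus two neighbours.
KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "hmac-md5": 16, "hmac-sha1": 20}

def key_len(key):  # setkey keys are written 0x<hex> or as a double-quoted string
    return len(bytes.fromhex(key[2:])) if key.startswith("0x") else len(key.encode())

def parse_sad(text):
    """Parse 'add SRC DST PROTO SPI ... -E|-A ALG KEY ;' statements into dicts."""
    entries = []
    for stmt in text.split(";"):
        t = shlex.split(stmt, comments=True)      # keeps the quoted key as one token
        if not t or t[0] != "add":
            continue                              # spdadd lines etc. are not SAD entries
        e = {"src": t[1], "dst": t[2], "proto": t[3], "spi": int(t[4], 16),
             "alg": None, "key": ""}
        for i, tok in enumerate(t):
            if tok in ("-E", "-A"):               # -E encryption key, -A authentication key
                e["alg"], e["key"] = t[i + 1], t[i + 2]
        entries.append(e)
    return entries

def check_sad(entries):
    """Problems worth catching before 'ipseckey -f' loads the file into the kernel."""
    problems, seen = [], set()
    for e in entries:
        tag = f"{e['proto']} {e['src']}->{e['dst']} spi 0x{e['spi']:x}"
        need = KEY_BYTES.get(e["alg"])
        if need is None:
            problems.append(f"{tag}: unknown algorithm {e['alg']}")
        elif key_len(e["key"]) != need:
            problems.append(f"{tag}: {e['alg']} needs a {need}-byte key, got {key_len(e['key'])}")
        if (e["dst"], e["proto"], e["spi"]) in seen:   # an SPI is unique per destination and protocol
            problems.append(f"{tag}: duplicate SPI for this destination")
        seen.add((e["dst"], e["proto"], e["spi"]))
    flows = {(e["src"], e["dst"], e["proto"]) for e in entries}
    for s, d, p in sorted(flows):                     # SAs are one-way: each needs a mate
        if (d, s, p) not in flows:
            problems.append(f"{p} {s}->{d}: no SA for the return direction")
    return problems

# The four SAD entries from slide 29, as ipseckey/setkey reads them (one statement per ';').
SLIDE_CF = """
add 10.10.1.100 10.10.2.100 esp 0x10001 -m transport -E 3des-cbc "scoforum2005scoforum2005";
add 10.10.2.100 10.10.1.100 esp 0x10002 -m transport -E 3des-cbc "scoforum2005scoforum2005";
add 10.10.1.100 10.10.2.100 ah 0x10003 -m transport -A hmac-md5 "scoforumscoforum";
add 10.10.2.100 10.10.1.100 ah 0x10003 -m transport -A hmac-md5 "scoforumscoforum";
"""
```

The slide's file passes clean: both 3DES keys are 24 bytes, both HMAC-MD5 keys are 16, and the shared AH SPI 0x10003 is fine because the two entries have different destinations.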

31
Manually setting keys (tunnel mode)
  • Same as transport mode, but with "transport"
    changed to "tunnel" in ipsec.cf
  • Shows different behavior in tcpdump

32
Automated key management
  • Create psk.txt files on both hosts, such as
      10.10.1.100 scoforum2005scoforum2005
  • Create ipsec.conf files
      spdadd 10.10.2.100/32 10.10.1.100/32 all -P out ipsec
          esp/tunnel/10.10.2.100-10.10.1.100/require;
      spdadd 10.10.1.100/32 10.10.2.100/32 all -P in ipsec
          esp/tunnel/10.10.1.100-10.10.2.100/require;

33
Automated key management
  • Create racoon.conf files
      path pre_shared_key "/etc/inet/psk.txt";
      log debug;
      remote anonymous
      {
          exchange_mode aggressive;
          my_identifier address 10.10.2.100;
          lifetime time 1 hour;            # sec, min, hour
          # phase 1 proposal (for ISAKMP SA)
          proposal
          {
              encryption_algorithm 3des;
              hash_algorithm sha1;
              authentication_method pre_shared_key;
              dh_group 2;
          }
      }
      # the following makes racoon (as a responder) obey the initiator's
      # lifetime and PFS group proposal.
      sainfo anonymous
      {
          pfs_group 2;
          lifetime time 10 hour;
          encryption_algorithm 3des, blowfish;
          authentication_algorithm hmac_sha1, hmac_md5;
          compression_algorithm deflate;
      }

34
Road Warrior mode
  • Create ipsec.conf file on server
      spdadd <myaddr> 0.0.0.0 any -P out ipsec
          esp/tunnel/<myaddr>-0.0.0.0/require;
      spdadd 0.0.0.0 <myaddr> any -P in ipsec
          esp/tunnel/0.0.0.0-<myaddr>/require;
  • Create psk.txt on server
      <domain name> scoforum2005scoforum2005

35
Road Warrior mode
  • Create racoon.conf files
      path pre_shared_key "/etc/inet/psk.txt";
      timer
      {
          phase1 60 seconds;
          phase2 60 seconds;
      }
      remote anonymous
      {
          exchange_mode main, aggressive, base;
          doi ipsec_doi;
          situation identity_only;
          lifetime time 1 hour;
          generate_policy on;
          passive on;
          my_identifier address <myaddr>;
          peers_identifier fqdn "<domain name>";
          proposal
          {
              encryption_algorithm 3des;
              hash_algorithm sha1;
          }
      }
      sainfo anonymous
      {
          pfs_group modp1024;
          lifetime time 1 hour;
          encryption_algorithm 3des, blowfish;
          authentication_algorithm hmac_sha1, hmac_md5;
          compression_algorithm deflate;
      }

36
Creating an IP tunnel for connecting two networks
through a VPN
  • Generic tunnel interfaces (ipencap) not
    supported; planned for Fusion
  • However, Morning Star PPP can create a tunnel
    between two OSr6 systems, or with a bit more
    hassle, between OSr6 and any UNIX system with PPP
    and an open telnet port

37
IPsec and IPFilter together
  • To allow VPN through a firewall, add IPFilter
    rules
      pass out on net0 from any to any keep state
      pass in quick on net0 proto esp from any to any
      pass in quick on net0 proto udp from any port = 500 to any port = 500
      block in on net0 all

38
IPsec limitations
  • Arcane
  • Long development cycle (e.g. IKE)
  • Interoperability problems
  • Difficult to traverse NAT

39
SSL VPN
  • Limited access control
  • Poorer performance than IPsec

40
Future
  • New IKEv2 protocol (racoon2)
  • NAT traversal support (RFC3948, RFC3715)
  • Generic IP-over-IP tunneling interfaces (ipencap)

41
Online resources - IPFilter
  • SCO IP Filter documentation
    http://osr600doc.sco.com/en/NET_tcp/ipfintro.html
  • IP Filter website (with source)
    http://coombs.anu.edu.au/avalon/
  • IP Filter FAQ
    http://www.phildev.net/ipf
  • IP Filter HOWTO
    http://www.obfuscation.org/ipf/

42
Online resources - IPsec
  • SCO IPsec documentation
    http://osr600doc.sco.com/en/NET_ipsec/ipsec_top.html
  • KAME site (with source)
    http://www.kame.org
  • IPsec related RFCs, 2401 - 2412
    http://www.ietf.org/rfc2401.txt - Security Architecture for IP
    http://www.ietf.org/rfc2402.txt - Authentication Header
    http://www.ietf.org/rfc2406.txt - Encapsulating Security Payload
    http://www.ietf.org/rfc2407.txt - IPsec DoI for ISAKMP
    http://www.ietf.org/rfc2408.txt - ISAKMP
    http://www.ietf.org/rfc2409.txt - Internet Key Exchange
    http://www.ietf.org/rfc2410.txt - NULL encryption algorithm
    http://www.ietf.org/rfc2411.txt - IP Security Document Roadmap
    http://www.ietf.org/rfc2412.txt - OAKLEY Key Determination Protocol