Slide 1: Meeting Today's Security Needs With IPsec VPN and IPFilter
Slide 2: Defense Against The Dark Arts

Slide 3: Presentation Overview
- IPFilter (firewall/NAT)
- IPsec (VPN)
Slide 4: What is IPFilter?
- Very popular open-source package, written by Darren Reed
- Runs on many UNIX/Linux versions, including all SCO platforms
  - Version 4.1.3 ships with OSr600 and UW714mp2
  - Version 3.4.24 ships with OSr507
- Provides
  - Packet filtering (firewall)
  - Network address translation (NAT)
- Usage notes
  - Filtering and NAT take place inside the kernel ("ipf" driver). There is no daemon.
  - To configure, create configuration files, then run command-line utilities ("ipf", "ipnat", etc.) to load them into the kernel
  - The system is normally configured at boot time, but can be reconfigured on the fly
Slide 5: Configuring a firewall
- What is a "firewall"?
  - A means of preventing packets from traversing a network if they violate the network's security policy
- Creating a filter configuration file
  - Run mkdev ipfilter on OSr5, OSr6
  - Or, edit file /etc/ipf.conf
  - Run ipf -v -Fa -f /etc/ipf.conf
Slide 8: Sample firewall configurations
- To block spoofing
    pass in on net0 all
    block in quick on net0 from 192.168.0.0/16 to any
    block in quick on net0 from 10.0.0.0/8 to any
    block in log quick on net0 from <mynetwork> to any
- To block smurf attacks
    block in quick on net0 from any to 20.20.20.0/32
    block in quick on net0 from any to 20.20.20.255/32
- To allow a single port
    pass in quick on net0 proto tcp from any to <myaddr>/32 port 80
    block in all
Slide 10: Sample firewall configurations
- "keep state" and established connections
    block in quick on net0 all
    pass out quick on net0 proto tcp from <myaddr>/32 to any keep state
    pass out quick on net0 proto udp from <myaddr>/32 to any keep state
    pass out quick on net0 proto icmp from <myaddr>/32 to any keep state
- To log certain packets
    block in log quick on net0 from 20.20.20.0/24 to any
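An added example (not from the slides or from IPFilter itself) that evaluates the anti-spoofing and single-port rule sets above the way ipf does: the last matching rule decides unless a matching rule is "quick". The placeholders <mynetwork> and <myaddr> are stood in for by the constructed 172.16.0.0/16 and 172.16.0.10.

```python
import ipaddress

def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)  # 'any' = every address

def parse_rule(text):
    """ipf.conf subset from the slides: ACTION [log] [quick] in [on IF] [proto P] (all | from SRC to DST [port N])."""
    tok = text.split()
    rule = {"action": tok[0], "log": "log" in tok, "quick": "quick" in tok,
            "iface": tok[tok.index("on") + 1] if "on" in tok else None,
            "proto": tok[tok.index("proto") + 1] if "proto" in tok else None,
            "dport": int(tok[tok.index("port") + 1]) if "port" in tok else None,
            "src": _net("any"), "dst": _net("any")}
    if "from" in tok:
        rule["src"] = _net(tok[tok.index("from") + 1])
        rule["dst"] = _net(tok[tok.index("to") + 1])
    return rule

def matches(rule, pkt):
    return (rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and rule["dport"] in (None, pkt.get("dport")))

def decide(rules, pkt):
    """IPFilter semantics: the LAST matching rule decides, unless a matching rule
    says 'quick', which ends evaluation on the spot. With no match at all the
    compiled-in default is pass, hence the explicit 'block in all' on the slide."""
    action, logged = "pass", False
    for rule in rules:
        if matches(rule, pkt):
            action, logged = rule["action"], rule["log"]
            if rule["quick"]:
                break
    return action, logged

MYNETWORK = "172.16.0.0/16"   # constructed stand-in for <mynetwork> on the slides
ANTI_SPOOF = [parse_rule(r) for r in (
    "pass in on net0 all",
    "block in quick on net0 from 192.168.0.0/16 to any",
    "block in quick on net0 from 10.0.0.0/8 to any",
    "block in log quick on net0 from %s to any" % MYNETWORK)]
SINGLE_PORT = [parse_rule(r) for r in (
    "pass in quick on net0 proto tcp from any to 172.16.0.10/32 port 80",
    "block in all")]

def inbound(src, proto="tcp", dport=None):
    """Constructed packet arriving on net0 for a host inside MYNETWORK."""
    return {"iface": "net0", "proto": proto, "src": src, "dst": "172.16.0.10", "dport": dport}
```

A packet from 192.168.1.5 is blocked by the quick rule even though "pass in on net0 all" matched first, while one from 203.0.113.7 falls through to that pass rule; a source inside our own prefix is blocked and logged.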
Slide 11: Monitoring the system
- ipfstat
  - Shows filter status; keeps statistics on network traffic on all interfaces, in and out
- ipmon
  - Shows logged packets in real time (can even include contents)
Slide 12: Configuring NAT
- What is NAT?
  - Modification of source and/or destination addresses of packets
- Enables
  - Connecting a network of "unregistered" IP addresses to the internet
  - Mapping a large address space to a smaller one
  - LAN-wide change of IP addresses
  - Temporary re-routing of a LAN
  - Redirection of incoming connections

Slide 13: Enabling NAT
- Run mkdev ipfilter on OSr5, OSr6
- Or, edit /etc/ipnat.conf
- Run ipnat -v -f /etc/ipnat.conf
Slide 14: Sample NAT configurations
- To map a non-routable network to the internet
    map net0 192.168.100.0/24 -> <myaddr>/32
- To do the same but with a dynamic address
    map net0 192.168.100.0/24 -> 0/32
  (run ipf -y each time the dynamic address changes)
- To redirect inbound traffic to a particular "natted" machine
    rdr net0 <myaddr>/32 port 80 -> 192.168.100.15 port 80 tcp
Slide 15: What is IPsec?
- Comprehensive data security architecture for IP and upper-level protocols
- Designed for (and obligatory on) IPv6. Optional on IPv4.
- Supported on OSR6, UW714
- SCO IPsec is based on KAME, an open-source implementation for BSD

Slide 16: Why IPsec?
- Code economy and flexibility: applications need not be aware of the security architecture
- Lower costs: secure links (e.g. between home and branch offices) can be established over public networks rather than private, dedicated circuits
Slide 17: What is IPsec?
- IPsec provides
  - Confidentiality (encryption)
  - Integrity (tampering detection)
  - Access control
  - Replay protection
  - Source address authentication
  - Virtual private network (VPN)

Slide 18: IPsec Modes
- Transport (host to host)
  - Only the original packet's payload is protected
  - Traffic analysis can see IP protocol types and port numbers
- Tunnel (network to network)
  - All traffic protected
  - IP packets fully encrypted and encapsulated within new IP packets
  - Traffic analysis can only see encrypted data

Slide 19: IPsec Protocols
- Four protocols
  - AH: Authentication Header
  - ESP: Encapsulating Security Payload
  - IPcomp: Compression
  - IKE: Internet Key Exchange
Slide 20: AH Authentication Header
- Provides data source authentication, replay protection, and integrity
- Does not provide encryption
- A new header, inserted between the IP header and the packet data, containing a cryptographically secure checksum on the whole packet

  Before
   ---------------------
  | IP | TCP | DATA ... |
   ---------------------

  After
   --------------------------
  | IP | AH | TCP | DATA ... |
   --------------------------

Slide 21: ESP Encapsulating Security Payload
- Provides payload encryption
- Can be used together with AH, but isn't ordinarily
- Provides most of the services of AH (doesn't account for the IP header)
Slide 22: ESP Encapsulating Security Payload
- A new header, similar to AH

  Before
   ---------------------
  | IP | TCP | DATA ... |
   ---------------------

  After (transport mode)
   --------------------------------------------------------
  | IP | ESP Hdr | TCP | DATA ... | ESP Trailer | ESP Auth |
   --------------------------------------------------------
                 |<-------- encrypted --------->|
       |<----------- authenticated ------------>|

  Or (tunnel mode)
   ------------------------------------------------------------------------------
  | New IP Hdr | ESP Hdr | Orig IP Hdr | TCP | DATA ... | ESP Trailer | ESP Auth |
   ------------------------------------------------------------------------------
                         |<--------------- encrypted ---------------->|
               |<------------------ authenticated ------------------->|
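As an added illustration of the ESP framing above (not code from the slides or from KAME), a transport-mode ESP packet built with the NULL cipher of RFC 2410 and HMAC-MD5-96, so that the ESP header, trailer, and the span covered by ESP Auth can be inspected byte by byte. The SPI and 16-byte key are taken from the later manual-keying slide; the 5-byte "TCP segment" is a constructed stand-in.

```python
import hmac, hashlib, struct

ICV_LEN = 12          # HMAC-MD5-96: the 128-bit MAC truncated to 96 bits (RFC 2403)
NEXT_HEADER_TCP = 6

def esp_encapsulate(auth_key, spi, seq, next_header, payload):
    """Transport-mode ESP with NULL encryption (RFC 2410) and HMAC-MD5-96.
    Layout as on the slide: ESP Hdr | payload | padding | pad len | next hdr | ESP Auth.
    The NULL cipher leaves the 'encrypted' region readable, so the framing is visible."""
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # RFC 2406 default pad bytes 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)         # SPI selects the SA; seq feeds anti-replay
    body = payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, header + body, hashlib.md5).digest()[:ICV_LEN]
    return header + body + icv

def esp_decapsulate(auth_key, packet):
    """Verify the ICV, which covers ESP header through trailer but not itself,
    then strip the trailer. Raises ValueError on a bad or truncated packet."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or keyed differently")
    spi, seq = struct.unpack("!II", authed[:8])
    pad_len, next_header = authed[-2], authed[-1]
    return spi, seq, next_header, authed[8:len(authed) - 2 - pad_len]

def is_authentic(auth_key, packet):
    """True only if the receiver would accept the packet's ESP Auth field."""
    try:
        esp_decapsulate(auth_key, packet)
        return True
    except ValueError:
        return False

# Constructed sample: the slide's SPI 0x10001, the slide's 16-byte hmac-md5 key,
# and a stand-in 5-byte TCP segment (so one pad byte is needed).
AUTH_KEY = b"scoforumscoforum"
SAMPLE = esp_encapsulate(AUTH_KEY, 0x10001, 1, NEXT_HEADER_TCP, b"hello")

if __name__ == "__main__":
    print(SAMPLE.hex())                          # SPI, seq, "hello", pad, trailer, ICV
    print(esp_decapsulate(AUTH_KEY, SAMPLE))     # (65537, 1, 6, b'hello')
    print(is_authentic(AUTH_KEY, SAMPLE[:8] + b"jello" + SAMPLE[13:]))   # False
```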
Slide 23: IPcomp IP Compression
- Compresses data prior to encryption
- Needed because encryption makes data hard to compress

Slide 24: IPsec encryption algorithms
- Data integrity: MD5, SHA1, SHA2
- Confidentiality: AES, DES, 3DES, blowfish, cast128, RC4
- Modular design can acquire new algorithms as they are developed

Slide 25: IKE Internet Key Exchange
- Implemented by the user-space daemon racoon
- Runs as a UDP service, port 500
- Uses Diffie-Hellman key exchange to establish shared secrets on two systems
- Updates shared secrets as needed according to the Security Policy (e.g., every N hours, or every M bytes)
Slide 26: Security Associations (SAs) and the Security Association Database
- An SA represents a single active unidirectional "connection" between two endpoints
- Contains parameters controlling security and encryption: algorithm, key, etc.
- Stored in the SAD, which is controlled by ipseckey

Slide 27: Security Policies (SPs) and the Security Policy Database
- An SP defines the actions to take on packets that meet a given set of criteria (e.g., source or destination address/port, protocol, etc.)
- Like SAs, SPs are unidirectional: there must be separate IN and OUT SPs for each full-duplex connection
- Stored in the SPD, which is controlled by ipseckey
Slide 28: Configuring IPsec
- Activating IPsec
  - edit /etc/conf/pack.d/inet/space.c
  - set ipsec_enable to 1
  - /etc/conf/bin/idbuild -M inet
  - reboot the system
- IPsec support utilities
  - ipseckey (aka setkey) to configure SAD, SPD
  - racoon for IKE
Slide 29: Manually setting keys (transport mode)
- Create ipseckey files (e.g., /etc/inet/ipsec.cf) on two hosts
- Associate ESP with the two systems: add SAD entries
    add 10.10.1.100 10.10.2.100 esp 0x10001
        -m transport
        -E 3des-cbc "scoforum2005scoforum2005";
    add 10.10.2.100 10.10.1.100 esp 0x10002
        -m transport
        -E 3des-cbc "scoforum2005scoforum2005";
- OPTIONAL: associate AH with the two systems
    add 10.10.1.100 10.10.2.100 ah 0x10003
        -m transport
        -A hmac-md5 "scoforumscoforum";
    add 10.10.2.100 10.10.1.100 ah 0x10003
        -m transport
        -A hmac-md5 "scoforumscoforum";
Slide 30: Manually setting keys (transport mode)
- ipseckey files (continued)
- Set the security policy for the two systems: add SPD entries (on the peer host, these lines must have "out" and "in" reversed)
    spdadd 10.10.1.100 10.10.2.100 any -P out ipsec
        esp/transport/10.10.1.100-10.10.2.100/require
        ah/transport/10.10.1.100-10.10.2.100/require;
    spdadd 10.10.2.100 10.10.1.100 any -P in ipsec
        esp/transport/10.10.2.100-10.10.1.100/require
        ah/transport/10.10.2.100-10.10.1.100/require;
- Clear the ipsec configuration if necessary
    ipseckey -FP
    ipseckey -F
- Load the ipsec configuration
    ipseckey -f /etc/inet/ipsec.cf
- Test the configuration
    tcpdump host <peer>
    netstat -nsp ipsec
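An added pre-flight check (not from the slides or from SCO's tools) for the ipseckey file assembled over the last two slides: it parses the "add" and "spdadd" statements, flags keys whose size does not match what setkey(8) documents for 3des-cbc, hmac-md5 and hmac-sha1, and flags "require" policies that no keyed SA can satisfy. The sample file is constructed from the slide's entries with one AH key deliberately shortened.

```python
KEY_BITS = {"3des-cbc": 192, "hmac-md5": 128, "hmac-sha1": 160}   # per setkey(8)

def _key_bits(tok):
    # setkey accepts a double-quoted ASCII key (8 bits/char) or 0x-prefixed hex
    return len(tok[1:-1]) * 8 if tok.startswith('"') else (len(tok) - 2) * 4

def parse_cf(text):
    """Split ';'-terminated statements (they may span lines, as on the slides)
    into SAD 'add' entries and SPD 'spdadd' entries."""
    sas, policies = [], []
    for tok in (stmt.split() for stmt in text.split(";")):
        if tok and tok[0] == "add":
            i = tok.index("-E" if "-E" in tok else "-A")
            sas.append({"src": tok[1], "dst": tok[2], "proto": tok[3],
                        "spi": int(tok[4], 16), "alg": tok[i + 1], "bits": _key_bits(tok[i + 2])})
        elif tok and tok[0] == "spdadd":
            policies.append({"src": tok[1], "dst": tok[2], "dir": tok[tok.index("-P") + 1],
                             "specs": tok[tok.index("ipsec") + 1:]})
    return sas, policies

def lint(text):
    """Report key sizes setkey would reject, and 'require' policies that no keyed
    SA can satisfy (their traffic goes nowhere until such an SA exists)."""
    sas, policies = parse_cf(text)
    problems = []
    for sa in sas:
        want = KEY_BITS.get(sa["alg"])
        if want is not None and sa["bits"] != want:
            problems.append("SA spi=0x%x: %s needs a %d-bit key, got %d bits"
                            % (sa["spi"], sa["alg"], want, sa["bits"]))
    for pol in policies:
        for spec in pol["specs"]:
            proto, mode, ends, level = spec.split("/")
            src, dst = ends.split("-") if ends else (pol["src"], pol["dst"])
            if level == "require" and not any(s["src"] == src and s["dst"] == dst
                                              and s["proto"] == proto for s in sas):
                problems.append("%s policy %s->%s requires %s but no such SA is keyed"
                                % (pol["dir"], pol["src"], pol["dst"], proto))
    return problems

# Constructed sample: the slide's SAs and policies on one line each, except that the
# second AH key has been shortened to 8 characters so the key-size check fires.
SAMPLE_CF = """
add 10.10.1.100 10.10.2.100 esp 0x10001 -m transport -E 3des-cbc "scoforum2005scoforum2005";
add 10.10.2.100 10.10.1.100 esp 0x10002 -m transport -E 3des-cbc "scoforum2005scoforum2005";
add 10.10.1.100 10.10.2.100 ah 0x10003 -m transport -A hmac-md5 "scoforumscoforum";
add 10.10.2.100 10.10.1.100 ah 0x10003 -m transport -A hmac-md5 "scoforum";
spdadd 10.10.1.100 10.10.2.100 any -P out ipsec esp/transport/10.10.1.100-10.10.2.100/require ah/transport/10.10.1.100-10.10.2.100/require;
spdadd 10.10.2.100 10.10.1.100 any -P in ipsec esp/transport/10.10.2.100-10.10.1.100/require ah/transport/10.10.2.100-10.10.1.100/require;
"""
```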
Slide 31: Manually setting keys (tunnel mode)
- Same as transport mode, but with "transport" changed to "tunnel" in ipsec.cf
- Shows different behavior in tcpdump

Slide 32: Automated key management
- Create psk.txt files on both hosts, such as
    10.10.1.100 scoforum2005scoforum2005
- Create ipsec.conf files
    spdadd 10.10.2.100/32 10.10.1.100/32 all -P out ipsec
        esp/tunnel/10.10.2.100-10.10.1.100/require;
    spdadd 10.10.1.100/32 10.10.2.100/32 all -P in ipsec
        esp/tunnel/10.10.1.100-10.10.2.100/require;
Slide 33: Automated key management
- Create racoon.conf files
    path pre_shared_key "/etc/inet/psk.txt";
    log debug;

    remote anonymous
    {
        exchange_mode aggressive;
        my_identifier address 10.10.2.100;
        lifetime time 1 hour;   # sec,min,hour

        # phase 1 proposal (for ISAKMP SA)
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    # the following makes racoon (as a responder) obey the initiator's
    # lifetime and PFS group proposal.
    sainfo anonymous
    {
        pfs_group 2;
        lifetime time 10 hour;
        encryption_algorithm 3des, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
    }
Slide 34: Road Warrior mode
- Create ipsec.conf file on server
    spdadd <myaddr> 0.0.0.0 any -P out ipsec
        esp/tunnel/<myaddr>-0.0.0.0/require;
    spdadd 0.0.0.0 <myaddr> any -P in ipsec
        esp/tunnel/0.0.0.0-<myaddr>/require;
- Create psk.txt on server
    <domain name> scoforum2005scoforum2005
Slide 35: Road Warrior mode
- Create racoon.conf files
    path pre_shared_key "/etc/inet/psk.txt";
    timer
    {
        phase1 60 seconds;
        phase2 60 seconds;
    }

    remote anonymous
    {
        exchange_mode main, aggressive, base;
        doi ipsec_doi;
        situation identity_only;
        lifetime time 1 hour;
        generate_policy on;
        passive on;
        my_identifier address <myaddr>;
        peers_identifier fqdn "<domain name>";
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            # racoon requires these two in every proposal; the slide omits them,
            # so the values below are assumed (same method as slide 33; modp1024 = group 2)
            authentication_method pre_shared_key;
            dh_group modp1024;
        }
    }

    sainfo anonymous
    {
        pfs_group modp1024;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
    }
Slide 36: Creating an IP tunnel for connecting two networks through a VPN
- Generic tunnel interfaces (ipencap) are not supported; planned for Fusion
- However, Morning Star PPP can create a tunnel between two OSr6 systems, or with a bit more hassle, between OSr6 and any UNIX system with PPP and an open telnet port

Slide 37: IPsec and IPFilter together
- To allow VPN through a firewall, add IPFilter rules
    pass out on net0 from any to any keep state
    pass in quick on net0 proto esp from any to any
    pass in quick on net0 proto udp from any port 500 to any port 500
    block in on net0 all
Slide 38: IPsec limitations
- Arcane
- Long development cycle (e.g. IKE)
- Interoperability problems
- Difficult to traverse NAT

Slide 39: SSL VPN
- Limited access control
- Poorer performance than IPsec

Slide 40: Future
- New IKEv2 protocol (racoon2)
- NAT traversal support (RFC3948, RFC3715)
- Generic IP-over-IP tunneling interfaces (ipencap)
Slide 41: Online resources - IPFilter
- SCO IP Filter documentation: http://osr600doc.sco.com/en/NET_tcp/ipfintro.html
- IP Filter website (with source): http://coombs.anu.edu.au/avalon/
- IP Filter FAQ: http://www.phildev.net/ipf
- IP Filter HOWTO: http://www.obfuscation.org/ipf/

Slide 42: Online resources - IPsec
- SCO IPsec documentation: http://osr600doc.sco.com/en/NET_ipsec/ipsec_top.html
- KAME site (with source): http://www.kame.org
- IPsec related RFCs, 2401 - 2412
  - http://www.ietf.org/rfc2401.txt - Security Architecture for IP
  - http://www.ietf.org/rfc2402.txt - Authentication Header
  - http://www.ietf.org/rfc2406.txt - Encapsulating Security Payload
  - http://www.ietf.org/rfc2407.txt - IPsec DoI for ISAKMP
  - http://www.ietf.org/rfc2408.txt - ISAKMP
  - http://www.ietf.org/rfc2409.txt - Internet Key Exchange
  - http://www.ietf.org/rfc2410.txt - NULL encryption algorithm
  - http://www.ietf.org/rfc2411.txt - IP Security Document Roadmap
  - http://www.ietf.org/rfc2412.txt - OAKLEY Key Determination Protocol