Meeting Today's Security Needs With IPsec VPN and IPFilter
Defense Against The Dark Arts
Presentation Overview
 IPFilter (firewall/NAT)
 IPsec (VPN)
What is IPFilter?
 Very popular open-source package, written by Darren Reed
 Runs on many UNIX/Linux versions, including all SCO platforms
 Version 4.1.3 ships with OSr600 and UW714mp2
 Version 3.4.24 ships with OSr507

Provides:
 Packet filtering (firewall)
 Network address translation (NAT)

Usage notes
 Filtering and NAT take place inside the kernel (the "ipf" driver). There is no daemon.
 To configure, create configuration files, then run the command-line utilities ("ipf", "ipnat", etc.) to load them into the kernel
 The system is normally configured at boot time, but can be reconfigured on the fly
Configuring a firewall
 What is a "firewall"?
 A means of preventing packets from traversing a network if they violate the network's security policy
 Creating a filter configuration file
 Run mkdev ipfilter on OSr5, OSr6
 Or, edit file /etc/ipf.conf
 Run ipf -v -Fa -f /etc/ipf.conf (-Fa flushes the rules currently loaded, -f loads the file, -v echoes each rule as it is loaded)
Sample firewall configurations
 To block spoofing. Note the rule semantics: without "quick", the last matching rule decides; "quick" stops the scan at that rule. The first line has no "quick", so the "quick" block rules after it override it for the spoofed ranges. (172.16.0.0/12, the third RFC 1918 range, should be blocked the same way.)
pass in on net0 all
block in quick on net0 from 192.168.0.0/16 to any
block in quick on net0 from 10.0.0.0/8 to any
block in log quick on net0 from <mynetwork> to any
 To block smurf attacks (drop anything addressed to the network or broadcast address):
block in quick on net0 from any to 20.20.20.0/32
block in quick on net0 from any to 20.20.20.255/32
 To allow a single port (ipf needs the comparison operator, "port = 80"):
pass in quick on net0 proto tcp from any to <myaddr>/32 port = 80
block in all
Sample firewall configurations
 "keep state" and established connections: replies to connections this host initiated are matched against the state table before the rule list is consulted, so the "block in" rule never sees them
block in quick on net0 all
pass out quick on net0 proto tcp from <myaddr>/32 to any keep state
pass out quick on net0 proto udp from <myaddr>/32 to any keep state
pass out quick on net0 proto icmp from <myaddr>/32 to any keep state
 To log certain packets (ipmon reads the log):
block in log quick on net0 from 20.20.20.0/24 to any
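The rule sets above only work because of how ipf walks the list (last match wins, "quick" ends the scan, state is checked first). The following added example, written for this page and not IPFilter's own code, models those semantics for the small rule subset used on the slides and runs the slides' rules against constructed packets; 20.20.20.1 stands in for <myaddr>. It also shows what happens when "quick" is dropped from the anti-spoofing lines.

```python
"""Toy model of how IPFilter reads a rule list: the LAST matching rule decides,
"quick" stops the scan at that rule, and "keep state" admits replies to outbound
traffic before the rules are consulted at all.  Added illustration, not
IPFilter's code; handles only the rule subset used on the slides."""
import ipaddress

FIELD = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}


def parse_rule(line):
    """Parse one ipf.conf rule (subset) into a dict."""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "dport": None, "keep_state": False}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"] = True
        elif t in FIELD:
            rule[FIELD[t]] = toks[i + 1]
            i += 1
        elif t == "port":                  # "port = N"; other comparisons not modelled
            rule["dport"] = int(toks[i + 2])
            i += 2
        elif t == "keep":                  # "keep state"
            rule["keep_state"] = True
            i += 1
        i += 1                             # "log" and "all" change nothing here
    return rule


def _match_addr(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def pkt(direction, proto, src, dst, sport=None, dport=None, iface="net0"):
    """Constructed packet summary; direction is relative to the firewall host."""
    return {"dir": direction, "iface": iface, "proto": proto,
            "src": src, "dst": dst, "sport": sport, "dport": dport}


class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.state = set()                 # flows admitted by a "keep state" rule

    def filter(self, p):
        if p["dir"] == "in":
            reply_of = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
            if reply_of in self.state:     # state table wins before any rule is read
                return "pass"
        verdict, matched = "pass", None    # ipf passes whatever no rule matches
        for r in self.rules:
            if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
                continue
            if r["proto"] and r["proto"] != p["proto"]:
                continue
            if not (_match_addr(r["src"], p["src"]) and _match_addr(r["dst"], p["dst"])):
                continue
            if r["dport"] is not None and r["dport"] != p["dport"]:
                continue
            verdict, matched = r["action"], r
            if r["quick"]:                 # first "quick" match ends the scan
                break
        if verdict == "pass" and matched and matched["keep_state"] and p["dir"] == "out":
            self.state.add((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
        return verdict


# The slides' anti-spoofing, smurf, single-port and keep-state rules, combined.
SLIDE_RULES = [
    "pass in on net0 all",
    "block in quick on net0 from 192.168.0.0/16 to any",
    "block in quick on net0 from 10.0.0.0/8 to any",
    "block in log quick on net0 from 20.20.20.0/24 to any",
    "block in quick on net0 from any to 20.20.20.0/32",
    "block in quick on net0 from any to 20.20.20.255/32",
    "pass in quick on net0 proto tcp from any to 20.20.20.1/32 port = 80",
    "pass out quick on net0 proto tcp from 20.20.20.1/32 to any keep state",
    "block in all",
]


def demo(rules=SLIDE_RULES):
    fw = Firewall(rules)
    out = {
        "web_from_internet": fw.filter(pkt("in", "tcp", "1.2.3.4", "20.20.20.1", 5555, 80)),
        "ssh_from_internet": fw.filter(pkt("in", "tcp", "1.2.3.4", "20.20.20.1", 5555, 22)),
        "spoofed_rfc1918": fw.filter(pkt("in", "tcp", "192.168.7.7", "20.20.20.1", 5555, 80)),
        "spoofed_own_net": fw.filter(pkt("in", "udp", "20.20.20.9", "20.20.20.1", 53, 53)),
        "smurf_broadcast": fw.filter(pkt("in", "icmp", "1.2.3.4", "20.20.20.255")),
        "unsolicited_reply": fw.filter(pkt("in", "tcp", "5.6.7.8", "20.20.20.1", 443, 40000)),
    }
    fw.filter(pkt("out", "tcp", "20.20.20.1", "5.6.7.8", 40000, 443))   # creates state
    out["reply_after_state"] = fw.filter(pkt("in", "tcp", "5.6.7.8", "20.20.20.1", 443, 40000))
    return out


def spoof_without_quick():
    """Same list with "quick" removed from the block rules: the later quick
    "pass ... port = 80" now wins and the spoofed packet gets through."""
    rules = [r.replace("block in quick", "block in").replace("block in log quick", "block in log")
             for r in SLIDE_RULES]
    return Firewall(rules).filter(pkt("in", "tcp", "192.168.7.7", "20.20.20.1", 5555, 80))
```

demo() returns "pass" for the web request and the reply to the host's own connection, and "block" for everything else; spoof_without_quick() returns "pass", which is the mistake the "quick" keyword on the block rules prevents. On the real system, check a rule file the same way before loading it, on a test host rather than the production firewall.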
Monitoring the system
 ipfstat
 shows filter status, keeps statistics on network traffic on all interfaces, in and out
 ipmon
 shows logged packets in real time (can even include contents)
Configuring NAT
 What is NAT?
 Modification of source and/or destination addresses of packets
 Enables:
 Connecting a network of "unregistered" (private, RFC 1918) IP addresses to the internet
 Mapping a large address space to a smaller one
 LAN-wide change of IP addresses
 Temporary re-routing of a LAN
 Redirection of incoming connections
Enabling NAT
 Run mkdev ipfilter on OSr5, OSr6
 Or, edit /etc/ipnat.conf
 Run ipnat -v -f /etc/ipnat.conf
Sample NAT configurations
 To map a non-routable network to the internet (add a "portmap tcp/udp" port range to this rule so that several inside hosts can share the one address without source-port collisions):
map net0 192.168.100.0/24 -> <myaddr>/32
 To do the same but with a dynamic address (0/32 means "the interface's current address"):
map net0 192.168.100.0/24 -> 0/32
(run ipf -y each time the dynamic address changes, so the kernel re-reads the interface address)
 To redirect inbound traffic to a particular "natted" machine:
rdr net0 <myaddr>/32 port 80 -> 192.168.100.15 port 80 tcp
What is IPsec?
 Comprehensive data security architecture for IP and upper-level protocols
 Designed for IPv6, where support was mandatory for every node at the time; optional on IPv4
 Supported on OSR6, UW714
 SCO IPsec is based on KAME, an open source implementation for *BSD
Why IPsec?
 Code economy and flexibility: Applications need not be aware of the security architecture
 Lower costs: Can establish secure links (e.g. between home and branch offices) using public networks rather than private, dedicated circuits
What is IPsec?
 IPsec provides:
 Confidentiality (encryption)
 Integrity (tampering detection)
 Access control
 Replay protection
 Source address authentication
 Virtual private network (VPN)
IPsec Modes
 Transport (host to host)
 Only the original packet's payload is protected; the original IP header travels in the clear
 Traffic analysis sees the real endpoint addresses, and with AH alone (no encryption) also the IP protocol types and port numbers
 Tunnel (network to network)
 All traffic protected
 IP packets fully encrypted and encapsulated within new IP packets
 Traffic analysis sees only the gateway addresses in the outer header and encrypted data
IPsec Protocols
 Four protocols:
 AH: Authentication Header
 ESP: Encapsulating Security Payload
 IPcomp: Compression
 IKE: Internet Key Exchange
AH: Authentication Header
 Provides data source authentication, replay protection, and integrity
 Does *not* provide encryption
 A new header, inserted between the IP header and the packet data, carrying a keyed integrity check value (an HMAC, not a plain checksum) computed over the whole packet; mutable IP header fields such as TTL and the header checksum are counted as zero
Before:
| IP | TCP | DATA ...
After:
| IP | AH | TCP | DATA ...
ESP: Encapsulating Security Payload
 Provides payload encryption
 Can be used together with AH, but isn't ordinarily
 Provides the same authentication, integrity and replay services as AH for what it encapsulates, but its integrity check does not cover the outer IP header
ESP: Encapsulating Security Payload
 A new header, similar to AH, plus a trailer and an authentication field after the data
Before:
| IP | TCP | DATA ...
After (transport mode):
| IP | ESP Hdr | TCP | DATA | ESP Trailer | ESP Auth |
               |<------ encrypted ------>|
     |<--------- authenticated --------->|
Or (tunnel mode):
| New IP Hdr | ESP Hdr | Orig IP Hdr | TCP | DATA | ESP Trailer | ESP Auth |
                       |<------------- encrypted ------------->|
             |<---------------- authenticated ---------------->|
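To make the transport-mode layout above concrete, here is an added example (written for this page, not the KAME or SCO kernel code) that builds and parses an ESP packet by hand: SPI and sequence number, payload, self-describing padding, pad length and next-header bytes, then a truncated HMAC as the ESP Auth field, with the anti-replay window check the slides list under "replay protection". It uses NULL encryption (RFC 2410 in the resources list) with HMAC-SHA1-96 so that it needs only the standard library; a real SA would encrypt the span from TCP through the trailer with 3des-cbc or aes-cbc. Keys and the TCP segment are constructed sample data.

```python
"""ESP (RFC 2406) transport-mode packet built and checked by hand.  Added
illustration, not kernel code.  NULL encryption (RFC 2410) + hmac-sha1-96
keep it stdlib-only; the encrypted span is left in clear but laid out exactly
as it would be around a real cipher.  Keys and data are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12          # hmac-sha1-96: HMAC-SHA1 truncated to 96 bits
IPPROTO_TCP = 6


def esp_encapsulate(spi, seq, payload, next_header, auth_key):
    """SPI | Seq | payload | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # RFC 2406 default padding: 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # covers SPI..next hdr
    return body + icv


class ReplayWindow:
    """Sliding anti-replay window on the ESP sequence number (RFC 2401 appendix C)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:                                 # 0 is never a valid sequence number
            return False
        if seq > self.top:                           # ahead of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        if seq + self.size <= self.top:              # behind the window: too old
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                        # already seen: replay
            return False
        self.bitmap |= bit
        return True


def esp_decapsulate(packet, auth_key, window):
    """Verify the ICV before anything else, then the sequence number, then unpad."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):             # window is updated only after the ICV verified
        raise ValueError("replayed or out-of-window sequence number")
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:-(2 + pad_len)]


def demo():
    key = b"scoforumscoforum"                        # 16-byte key, like the ipseckey slide's
    segment = b"\x1f\x90\x00\x50" + b"GET /index.html HTTP/1.0\r\n\r\n"   # constructed TCP segment
    win = ReplayWindow()
    packet = esp_encapsulate(0x10001, 1, segment, IPPROTO_TCP, key)
    spi, seq, nh, payload = esp_decapsulate(packet, key, win)
    out = {"roundtrip": (spi, seq, nh, payload) == (0x10001, 1, IPPROTO_TCP, segment),
           "pad_len": packet[-ICV_LEN - 2],
           "aligned": (len(packet) - ICV_LEN) % 4 == 0}
    try:                                             # same packet again: replay
        esp_decapsulate(packet, key, win)
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    tampered = bytearray(packet)
    tampered[20] ^= 0x01                             # flip one bit inside the payload
    try:
        esp_decapsulate(bytes(tampered), key, ReplayWindow())
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out
```

demo() shows the 32-byte segment getting two bytes of padding, the replayed packet being refused by the window, and the single flipped bit failing the ICV check before the payload is even looked at. Checking the ICV first is what keeps a forged packet from consuming a sequence number slot.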
IPcomp: IP Compression
 Compresses data prior to encryption
 Needed because ciphertext is effectively random and cannot be compressed afterwards
IPsec algorithms
 Data integrity: MD5, SHA1, SHA2
 Confidentiality: AES, DES, 3DES, blowfish, cast128, RC4
 Modular design; can acquire new algorithms as they are developed
 Caveat: DES and HMAC-MD5 should no longer be used, and 3DES has since been deprecated; prefer AES with SHA1 or SHA2 integrity
IKE: Internet Key Exchange
 Implemented by the user-level daemon racoon
 Runs as a UDP service on port 500
 Uses Diffie-Hellman key exchange to establish shared secrets on two systems without ever sending the secret over the network
 Replaces the keys as needed according to the lifetimes negotiated for each SA (e.g., every N hours, or every M bytes)
Security Associations (SA's) and the Security Association Database
 An SA represents a single active unidirectional "connection" between two endpoints, identified by its SPI, destination address and protocol (AH or ESP)
 Contains the parameters controlling security and encryption - algorithm, key, lifetime, etc
 Stored in the SAD, which is controlled by ipseckey
Security Policies (SP's) and the Security Policy Database
 An SP defines the actions to take on packets that meet a given set of criteria (e.g., source or destination address/port, protocol, etc).
 Like SA's, SP's are unidirectional: There must be separate IN and OUT SP's for each full-duplex connection
 Stored in the SPD, which is controlled by ipseckey
Configuring IPsec
 Activating IPsec
 edit /etc/conf/pack.d/inet/space.c
 set "ipsec_enable" to 1
 /etc/conf/bin/idbuild -M inet
 reboot the system
 IPsec support utilities
 ipseckey (aka setkey) to configure SAD, SPD
 racoon for IKE
Manually setting keys (transport mode)
 Create ipseckey files (e.g., /etc/inet/ipsec.cf) on two hosts:
# associate ESP with the two systems; add SAD entries
add 10.10.1.100 10.10.2.100 esp 0x10001
    -m transport
    -E 3des-cbc "scoforum2005scoforum2005" ;
add 10.10.2.100 10.10.1.100 esp 0x10002
    -m transport
    -E 3des-cbc "scoforum2005scoforum2005" ;
# OPTIONAL: associate AH with the two systems
add 10.10.1.100 10.10.2.100 ah 0x10003
    -m transport
    -A hmac-md5 "scoforumscoforum" ;
add 10.10.2.100 10.10.1.100 ah 0x10003
    -m transport
    -A hmac-md5 "scoforumscoforum" ;
 Key lengths are fixed by the algorithm: 3des-cbc needs 24 bytes (192 bits), hmac-md5 16 bytes (128 bits). The file holds the keys in clear, so keep it readable by root only; the keys shown are demonstration values, and manually keyed SAs are never rekeyed, so use IKE for anything beyond testing
Manually setting keys (transport mode)
 ipseckey files (continued):
# set the security policy for the two systems -- add SPD entries
# on the peer host, these lines must have "out" and "in" reversed
spdadd 10.10.1.100 10.10.2.100 any -P out ipsec
    esp/transport/10.10.1.100-10.10.2.100/require
    ah/transport/10.10.1.100-10.10.2.100/require ;
spdadd 10.10.2.100 10.10.1.100 any -P in ipsec
    esp/transport/10.10.2.100-10.10.1.100/require
    ah/transport/10.10.2.100-10.10.1.100/require ;
 Clear the ipsec configuration if necessary (-FP flushes the SPD, -F the SAD):
# ipseckey -FP; ipseckey -F
 Load the ipsec configuration:
# ipseckey -f /etc/inet/ipsec.cf
 Test the configuration (tcpdump should now show ESP and AH packets between the two hosts instead of clear TCP):
# tcpdump host <peer>
# netstat -nsp ipsec
Manually setting keys (tunnel mode)
 Same as transport mode, but with "transport" changed to "tunnel" in ipsec.cf
 Shows different behavior in tcpdump: each original packet is encapsulated in a new IP packet
Automated key management
 Create psk.txt files on both hosts, one line per peer: the peer's identifier (here its IP address) followed by the shared key. This is the file on 10.10.2.100; 10.10.1.100 holds the mirror image. Keep the file readable by root only:
10.10.1.100 scoforum2005scoforum2005
 Create ipsec.conf files (policies only; IKE creates the SAs):
spdadd 10.10.2.100/32 10.10.1.100/32 all -P out ipsec
    esp/tunnel/10.10.2.100-10.10.1.100/require ;
spdadd 10.10.1.100/32 10.10.2.100/32 all -P in ipsec
    esp/tunnel/10.10.1.100-10.10.2.100/require ;
Automated key management
 Create racoon.conf files:
path pre_shared_key "/etc/inet/psk.txt" ;
log debug;
remote anonymous {
    exchange_mode aggressive ;
    my_identifier address 10.10.2.100 ;
    lifetime time 1 hour ; # sec,min,hour
    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
    # the following makes racoon (as a
    # responder) obey the initiator's
    # lifetime and PFS group proposal.
    # this makes testing easier.
    proposal_check obey;
}
sainfo anonymous {
    pfs_group 2;
    lifetime time 10 hour ;
    encryption_algorithm 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
 Caveats: "exchange_mode aggressive" sends the identities in the clear and lets a passive observer collect everything needed to test pre-shared key guesses offline, so use "main" between peers with fixed addresses and choose a long random key; "log debug" and "proposal_check obey" are testing conveniences and should be removed or tightened (e.g. "proposal_check strict") in production
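What IKE does with the "pre_shared_key", "dh_group 2" and "hash_algorithm sha1" settings above (and what the IKE slide describes as "Diffie-Hellman key exchange to establish shared secrets") is the phase 1 key derivation of RFC 2409 section 5. The following added example, written for this page and not racoon's code, runs both peers in one process: each side generates its Oakley group 2 (modp1024) exponent, cookie and nonce, and derives SKEYID from the pre-shared key and the two nonces, then the three working keys from SKEYID, g^xy and the cookies. No packets are sent and the identity payloads are omitted; the pre-shared key is the slides' example value.

```python
"""IKE phase 1 key derivation with a pre-shared key (RFC 2409 section 5),
both peers simulated locally.  Added illustration, not racoon's code."""
import hashlib
import hmac
import secrets

# Oakley group 2, modp1024 (RFC 2409 section 6.2); generator 2
MODP1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def prf(key, data):
    """hash_algorithm sha1 makes the IKE prf HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    def __init__(self, psk):
        self.psk = psk
        self.x = secrets.randbelow(MODP1024_P - 2) + 1       # private DH exponent
        self.cookie = secrets.token_bytes(8)                  # CKY-I or CKY-R
        self.nonce = secrets.token_bytes(16)                  # Ni or Nr

    def public_value(self):
        return pow(GENERATOR, self.x, MODP1024_P)             # g^x, sent in the KE payload

    def derive(self, peer_public, ni, nr, cky_i, cky_r):
        # Reject g^y outside (1, p-1): 0, 1 and p-1 force a trivial shared secret.
        if not 1 < peer_public < MODP1024_P - 1:
            raise ValueError("invalid DH public value")
        gxy = pow(peer_public, self.x, MODP1024_P).to_bytes(128, "big")
        # With pre-shared keys SKEYID = prf(psk, Ni_b | Nr_b); the working keys
        # are chained from SKEYID, g^xy and the two cookies (RFC 2409 section 5).
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seeds phase 2 keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # authenticates phase 1
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # encrypts phase 1
        return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1(initiator_psk, responder_psk):
    """Run the exchange locally and return what each side derived."""
    i, r = Peer(initiator_psk), Peer(responder_psk)
    # I -> R: CKY-I, SA proposal, g^xi, Ni (aggressive mode adds ID_I here)
    # R -> I: CKY-R, SA choice, g^xr, Nr (aggressive mode adds ID_R and HASH_R)
    keys_i = i.derive(r.public_value(), i.nonce, r.nonce, i.cookie, r.cookie)
    keys_r = r.derive(i.public_value(), i.nonce, r.nonce, i.cookie, r.cookie)
    return keys_i, keys_r


def keys_agree(initiator_psk, responder_psk):
    keys_i, keys_r = phase1(initiator_psk, responder_psk)
    return keys_i == keys_r
```

keys_agree() is True only when both psk.txt files hold the same key: every derived key depends on SKEYID, which depends on the pre-shared key, so a mismatch surfaces as a failed HASH check in phase 1 rather than a silent wrong key. Because SKEYID takes only the PSK and the two nonces as input, the strength of the whole phase 1 against an observer who captures an aggressive-mode exchange rests on the PSK being unguessable.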
Road Warrior mode
 Create ipsec.conf file on server:
spdadd <myaddr> 0.0.0.0 any -P out ipsec
    esp/tunnel/<myaddr>-0.0.0.0/require;
spdadd 0.0.0.0 <myaddr> any -P in ipsec
    esp/tunnel/0.0.0.0-<myaddr>/require;
 Create psk.txt on server (the client's FQDN identifier, then the shared key):
<domain name> scoforum2005scoforum2005
Road Warrior mode
 Create racoon.conf files:
path pre_shared_key "/etc/inet/psk.txt" ;
timer {
    phase1 60 seconds ;
    phase2 60 seconds ;
}
remote anonymous {
    exchange_mode main, aggressive, base ;
    doi ipsec_doi ;
    situation identity_only ;
    lifetime time 1 hour ;
    generate_policy on;
    passive on;
    my_identifier address <myaddr> ;
    peers_identifier fqdn "<domain name>" ;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    proposal_check obey ;
}
sainfo anonymous {
    pfs_group modp1024;
    lifetime time 1 hour ;
    encryption_algorithm 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
 Notes: "passive on" makes the server wait for the client to initiate, and "generate_policy on" lets racoon install the SPD entries for whatever address the client connects from. Because that address is not known in advance, the pre-shared key can only be found by the FQDN identifier, which main mode does not reveal before the key is needed, so expect the client to use aggressive mode (with the caveat noted on the previous slide)
Creating an IP tunnel for connecting two networks through a VPN
 Generic tunnel interfaces (ipencap) not supported; planned for Fusion
 However, Morning Star PPP can create a tunnel between two OSr6 systems, or with a bit more hassle, between OSr6 and any UNIX system with PPP and an open telnet port
IPsec and IPFilter together
 To allow VPN through a firewall, add IPFilter rules (IKE needs UDP 500 in both directions; "keep state" on the outgoing rule admits the replies):
pass out on net0 from any to any keep state
pass in quick on net0 proto esp from any to any
pass in quick on net0 proto udp from any port = 500 to any port = 500
block in on net0 all
 Add an equivalent rule for proto ah if AH SAs are in use. These rules admit ESP from any source: it is the IPsec SPD, not the packet filter, that decides which peers are accepted, so keep the two policies consistent
IPsec limitations
 Arcane
 Long development cycle (e.g. IKE)
 Interoperability problems
 Difficult to traverse NAT
SSL VPN
 Limited access control
 Poorer performance than IPsec
Future
 New IKEv2 protocol (racoon2)
 NAT traversal support (RFC3948, RFC3715)
 Generic IP-over-IP tunneling interfaces (ipencap)
Online resources - IPFilter
 SCO IP Filter documentation:
http://osr600doc.sco.com/en/NET_tcp/ipfintro.html
 IP Filter website (with source):
http://coombs.anu.edu.au/~avalon/
 IP Filter FAQ:
http://www.phildev.net/ipf
 IP Filter HOWTO:
http://www.obfuscation.org/ipf/
Online resources - IPsec
 SCO IPsec documentation:
http://osr600doc.sco.com/en/NET_ipsec/ipsec_top.html
 KAME site (with source):
http://www.kame.org
 IPsec related RFCs, 2401 - 2412 (the architecture, AH, ESP and IKE documents have since been obsoleted: RFC 2401, 2402 and 2406 by RFC 4301, 4302 and 4303, and RFC 2407-2409 by the IKEv2 specification, currently RFC 7296):
http://www.ietf.org/rfc2401.txt - Security Architecture for IP
http://www.ietf.org/rfc2402.txt - Authentication Header
http://www.ietf.org/rfc2406.txt - Encapsulating Security Payload
http://www.ietf.org/rfc2407.txt - IPsec DoI for ISAKMP
http://www.ietf.org/rfc2408.txt - ISAKMP
http://www.ietf.org/rfc2409.txt - Internet Key Exchange
http://www.ietf.org/rfc2410.txt - NULL encryption algorithm
http://www.ietf.org/rfc2411.txt - IP Security Document Roadmap
http://www.ietf.org/rfc2412.txt - OAKLEY Key Determination Protocol