

How to Secure a Web Server With IPsec

A secure web server accepts requests from web clients in the clear, but all traffic that is not web traffic must pass the IPsec policy checks. The following procedure includes bypasses for web traffic, and also lets the web server make unprotected DNS client requests. All other traffic requires ESP with the AES and SHA-1 algorithms.


Note - You configure IPsec policy in the global zone.


  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, "Working With the Solaris Management Console (Tasks)," in System Administration Guide: Basic Administration.


    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.


  2. Determine which services need to bypass security policy checks.

    For a web server, these services are TCP ports 80 (HTTP) and 443 (HTTPS). If the web server performs DNS lookups, you might also need to bypass port 53 for both TCP and UDP.

  3. Create a file in the /etc/inet directory for the web server policy.

    Give the file a name that indicates its purpose, for example IPsecWebInitFile. Type the following lines in this file:

    # Web traffic that web server should bypass.
    {lport  80 ulp tcp dir both} bypass {}
    {lport 443 ulp tcp dir both} bypass {}
    
    # Outbound DNS lookups should also be bypassed.
    {rport 53 dir both} bypass {}
    
    # Require all other traffic to use ESP with AES and SHA-1.
    # SAs may be shared among the connections that match this entry (sa shared).
    {} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

    This configuration allows only secure traffic to access the system, with the bypass exceptions that are described in Step 2.

  4. Copy the contents of the file that you created in Step 3 into the /etc/inet/ipsecinit.conf file.

  5. Protect the IPsecWebInitFile file with read-only permissions.

    # chmod 400 IPsecWebInitFile

  6. Secure the web server without rebooting.

    Choose one of the following options.

    • If you are using IKE for key management, stop and restart the in.iked daemon.

      # pkill in.iked
      # /usr/lib/inet/in.iked

    • If you are manually managing keys, use the ipseckey and ipsecconf commands.

      Use the IPsecWebInitFile as the argument to the ipsecconf command. If you use the ipsecinit.conf file as the argument, the ipsecconf command generates errors when policies in the file are already implemented on the system.

      # ipseckey -f /etc/inet/secret/ipseckeys 
      # ipsecconf -a /etc/inet/IPsecWebInitFile 


    Caution - Read the warning when you execute the ipsecconf command. A socket that is already latched, that is, a socket that is already in use, provides an unsecured back door into the system. For more extensive discussion, see Security Considerations for ipsecinit.conf and ipsecconf. The same warning applies to restarting the in.iked daemon.


    You can also reboot. Rebooting ensures that the IPsec policy is in effect on all TCP connections. At reboot, the TCP connections use the policy in the IPsec policy file.

  7. (Optional) Enable a remote system to communicate with the web server for nonweb traffic.

    Type the following policy in the remote system's ipsecinit.conf file. On the remote system the web server is the remote address, so the entry uses raddr.

    # Communicate with web server about nonweb stuff
    #
    {raddr webserver} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

    A remote system can communicate securely with the web server for nonweb traffic only when the two systems' IPsec policies match. Because this entry matches all traffic to the web server, it also covers ports 80 and 443; if the remote system must also reach the web pages in the clear, add bypass entries for rport 80 and rport 443 over TCP that mirror the web server's Step 3 entries.
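The caution in Step 6 is the part most often skipped. Before you apply the policy without a reboot, list the TCP connections that are already established on ports the new policy does not bypass: those sockets are latched and keep running in the clear until they close or the host reboots. The following pre-flight check is an added example written for this page, not code from the Sun guide. It reads Solaris netstat -an output and prints established connections whose local port is not in the bypass list; the netstat sample embedded in the script is constructed for illustration, and the optional syntax check assumes that your release's ipsecconf supports the -c option and runs only when the command exists.

```shell
#!/bin/sh
# Pre-flight for loading an IPsec policy without a reboot (added example,
# not from the Sun guide). The ports passed to find_latched are the ones the
# new policy bypasses; every other connection that is already ESTABLISHED
# stays latched in the clear until it is closed or the host reboots.

# find_latched PORT... : read `netstat -an -f inet` (Solaris layout) on stdin
# and print "local remote" for ESTABLISHED TCP sockets whose local port is
# not in the bypass list.
find_latched() {
    awk -v bypass=" $* " '
        $NF == "ESTABLISHED" {
            n = split($1, a, ".")        # Solaris prints a.b.c.d.port
            lport = a[n]
            if (index(bypass, " " lport " ") == 0) print $1, $2
        }'
}

# check_policy FILE : syntax-check the policy file with ipsecconf -c when the
# command is available (Solaris); elsewhere report that the check was skipped.
check_policy() {
    if command -v ipsecconf >/dev/null 2>&1; then
        ipsecconf -c "$1"
    else
        echo "ipsecconf not found; syntax check of $1 skipped" >&2
        return 0
    fi
}

# Constructed netstat -an sample (not real output from any host).
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
192.168.1.10.22      192.168.1.55.51022   49640      0 49640      0 ESTABLISHED
192.168.1.10.80      10.0.0.9.34567       49640      0 49640      0 ESTABLISHED
192.168.1.10.443     10.0.0.9.34568       49640      0 49640      0 ESTABLISHED
192.168.1.10.5432    192.168.1.77.40112   49640      0 49640      0 ESTABLISHED
      *.22                 *.*                0      0 49152      0 LISTEN'

# On the web server itself you would run:
#   check_policy /etc/inet/IPsecWebInitFile
#   netstat -an -f inet | find_latched 80 443 53
# Here the constructed sample stands in for live output.
echo "Connections that stay unprotected after the policy is loaded:"
printf '%s\n' "$SAMPLE_NETSTAT" | find_latched 80 443 53
```

With the bypass list from Step 3 the sample reports the port 22 session and the port 5432 connection; the port 22 entry is exactly why Step 1 has you work from the system console rather than over a remote login. Close or restart whatever owns the reported connections before running ipsecconf -a, or reboot.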

How to Display IPsec Policies

You can see the policies that are configured in the system when you issue the ipsecconf command without any arguments. The command must be run from the global zone.

  1. Assume a role that includes the Network Security profile, or become superuser.

    To create a role that includes the Network Security profile and assign that role to a user, see How to Create a Role for Configuring Network Security.

  2. Display the global IPsec policy entries in the order that the entries were added.

    $ ipsecconf

    Each entry is displayed with an index number that reflects the order in which the entry was added; this index is the value you pass to ipsecconf -d to delete an entry.

  3. Display the IPsec policy entries in the order in which a match occurs.

    $ ipsecconf -l

  4. Display the IPsec policy entries, including per-tunnel entries, in the order in which a match occurs.

    $ ipsecconf -L

How to Generate Random Numbers on a Solaris System

If you are entering keys manually, the keying material should be random. The format for keying material for a Solaris system is hexadecimal. Other operating systems can require ASCII keying material. To generate keying material for a Solaris system that is communicating with an operating system that requires ASCII, see Example 23-1.

If your site has a random number generator, use that generator. Otherwise, you can use the od command with the /dev/random Solaris device as input. For more information, see the od(1) man page.

  1. Generate random numbers in hexadecimal format.

    % od -x -A n file | head -n
    % od -X -A n file | head -n

    -x

    Displays the octal dump in hexadecimal format. Hexadecimal format is useful for keying material. The hexadecimal is printed in 4-character chunks.

    -X

    Displays the octal dump in hexadecimal format. The hexadecimal is printed in 8-character chunks.

    -A n

    Removes the input offset base from the display.

    file

    Serves as a source for random numbers.

    head -n

    Restricts the display to the first n lines of output.

  2. Combine the output to create a key of the appropriate length.

    Remove the spaces between the numbers on one line to create a 32-character key. A 32-character hexadecimal key is 128 bits. For a security parameter index (SPI), use an 8-character (32-bit) hexadecimal number, which is an identifier, not a key. Prefix both the key and the SPI with 0x.

Example 20-2   Generating Key Material for IPsec

The following example displays two lines of keys in groups of eight hexadecimal characters each.

% od -X -A n /dev/random | head -2
         d54d1536 4a3e0352 0faf93bd 24fd6cad
         8ecc2670 f3447465 20db0b0c c83f5a4b

By combining the four numbers on the first line, you can create a 32-character key. An 8-character number that is preceded by 0x provides a suitable SPI value, for example, 0xf3447465.

The following example displays two lines of keys in groups of four hexadecimal characters each.

% od -x -A n /dev/random | head -2
         34ce 56b2 8b1b 3677 9231 42e9 80b0 c673
         2f74 2817 8026 df68 12f4 905a db3d ef27

By combining the eight numbers on the first line, you can create a 32-character key.
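Step 2 and Example 20-2 hand-assemble a 128-bit key from one od line, but an HMAC-SHA-1 authentication key is 160 bits, which a four-group od -X line cannot supply, and an SPI must avoid the reserved low values. The helpers below are an added example written for this page, not code from the Sun guide. They generalise the page's od recipe to any byte-aligned size by using od -t x1 (the byte-wise form of -x/-X), validate the 0x-prefixed result before it is pasted into /etc/inet/secret/ipseckeys, and emit one manual SA entry for ESP with AES and SHA-1. The addresses are constructed placeholders, and the keyword layout of the ipseckeys line is the editor's recollection of ipseckey(1M), to be checked against the man page for your release.

```shell
#!/bin/sh
# Key-material helpers for manual IPsec SAs (added example, not from the Sun
# guide). od -t x1 prints one byte per two hex digits, so the output is
# exactly BITS/4 digits for any byte-aligned size, including the 160-bit
# HMAC-SHA-1 key that a four-group od -X line cannot provide.

# gen_hex BITS : print BITS random bits from /dev/random as 0x + hex digits.
gen_hex() {
    bytes=$(( $1 / 8 ))
    hex=$(dd if=/dev/random bs=1 count="$bytes" 2>/dev/null \
          | od -A n -t x1 | tr -d ' \n')
    printf '0x%s\n' "$hex"
}

# gen_spi : a 32-bit SPI. Values 0-255 are reserved (RFC 4303), so redraw
# whenever the random value lands there.
gen_spi() {
    while :; do
        spi=$(gen_hex 32)
        case $spi in
            0x000000??) ;;                    # 0x0-0xff: reserved, try again
            *) printf '%s\n' "$spi"; return 0 ;;
        esac
    done
}

# is_hex_len VALUE BITS : succeed only if VALUE is 0x followed by exactly
# BITS/4 hexadecimal digits. Run this before pasting anything into ipseckeys.
is_hex_len() {
    v=$1
    case $v in 0x*) v=${v#0x} ;; *) return 1 ;; esac
    [ "${#v}" -eq $(( $2 / 4 )) ] || return 1
    case $v in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# sa_line SRC DST SPI ENCKEY AUTHKEY : one ipseckeys entry for ESP with
# 128-bit AES and HMAC-SHA-1. Keyword layout follows ipseckey(1M) as the
# editor recalls it (assumption); confirm against your release's man page.
sa_line() {
    is_hex_len "$3" 32  || { echo "bad SPI: $3" >&2; return 1; }
    is_hex_len "$4" 128 || { echo "bad AES key: $4" >&2; return 1; }
    is_hex_len "$5" 160 || { echo "bad SHA-1 key: $5" >&2; return 1; }
    printf 'add esp spi %s src %s dst %s encr_alg aes encrkey %s auth_alg sha1 authkey %s\n' \
        "$3" "$1" "$2" "$4" "$5"
}

# Constructed placeholder addresses. A manual SA is one-directional, so the
# peer needs a second entry with src and dst swapped and its own SPI and keys.
spi=$(gen_spi); ek=$(gen_hex 128); ak=$(gen_hex 160)
sa_line 192.168.13.213 192.168.13.217 "$spi" "$ek" "$ak"
```

Run it as root with output redirected straight into the keys file (mode 600, owned by root) rather than onto a shared terminal; the key material printed here is the secret that the rest of the procedure protects.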

Copyright 1994-2007 Sun Microsystems, Inc.