
LynxOS Networking Guide

6 Network Security

This chapter provides an overview of the network security components provided with LynxOS, including:

Firewalls (the ipfw and ip6fw packet filters)

IPsec (the AH and ESP security protocols and the setkey utility)

Firewalls

LynxOS TCP/IP protects a system from external intrusion with a packet-filtering firewall. The firewall gives the system administrator the ability to allow or deny the forwarding of packets through a network interface. Both inclusive rule sets (pass only the traffic listed) and exclusive rule sets (block only the traffic listed) can be implemented, and protection against address spoofing and bandwidth limiting can also be configured. LynxOS supports the ipfw packet filter.

ipfw

IPFW is a kernel-based packet filter that filters and counts IP packets. Using a set of user-defined rules, IPFW decides whether each packet is passed or blocked. These rules, also called a firewall chain (or rule chain), can block or allow specific traffic from specific hosts. Rules are evaluated in the order in which they were added, and the first rule that matches a packet decides what happens to it.

The user utility ipfw(8) is the interface to the IPFW kernel component.

ipfw can filter both incoming and outgoing packets.

Enabling ipfw

IPFW is enabled with sysctl:

# sysctl -w net.inet.ip.fw.enable=1

The current setting can be read back by running sysctl with the same variable name and without -w.

Note: When enabled, IPFW leaves all ports open by default: a packet that matches no rule in the chain is passed, so enabling the filter protects nothing until rules have been added. For a default-deny policy, add the rules that permit the wanted traffic first and end the chain with an explicit rule that denies all protocols from any address to any address. Because the first matching rule decides the packet, that final rule only catches what the earlier rules did not allow.

Changing ipfw Rules

The ipfw user command is used to set the packet filter rules. Adding a rule with the ipfw command updates the current firewall chain. The simplest usage syntax is as follows:

# ipfw <command> <action> <protocol> <address> <options>

The following table defines each of the arguments for ipfw.

ipfw Arguments

<command>
    add -- Adds an entry to the firewall chain
    delete -- Deletes an entry from the firewall chain

<action>
    reject -- Drop the packet and send an ICMP host unreachable message to the source
    allow -- Allow the packet to pass
    deny -- Drop the packet and do not notify the source
    count -- Update the rule's packet counter; the packet then continues to the next rule

<protocol>
    all -- Set the rule for all protocols
    icmp -- Set the rule for ICMP packets only
    tcp -- Set the rule for TCP packets only
    udp -- Set the rule for UDP packets only

<address>
    Defines the IP address, mask and (if required) port. Both From and To addresses can be specified, as well as the interface used (eth0, for example):

        from <address/mask> [<port>] to <address/mask> [<port>] [via <interface>]

    A single port, a list of ports or a range of ports can be set:

        <port>,<port>,<port>
        <port>-<port>

<options>
    via <if> -- Packet must be going through interface <if>.
    via <if>* -- Packet must be going through an interface of type <if> with any unit number (eth* matches eth0, eth1, and so on).
    via any -- Packet must be going through some interface.
    via <ip> -- Packet must be going through the interface with the IP address <ip>.
    frag -- Matches if the packet is a fragment.
    in -- Matches if the packet is incoming.
    out -- Matches if the packet is outgoing.
    ipoptions <spec> -- Matches if the IP header contains the options specified in <spec>.
    established -- Matches if the packet is part of an established TCP connection.
    setup -- Matches if the packet is attempting to set up a TCP connection (SYN bit set, ACK bit not set).
    tcpflags <flags> -- Matches if the TCP header contains the flags specified in <flags>. Supported flags include fin, syn, rst, psh, ack, urg.
    icmptypes <types> -- Matches if the ICMP type is one of those listed in <types>.

For example, a rule that denies all incoming TCP packets from the address 192.168.1.1 to the address 192.168.2.2 is added as follows:

# ipfw add deny tcp from 192.168.1.1 to 192.168.2.2 in

To deny TCP packets from 192.168.1.1 to the telnet port (port 23) of 192.168.2.2 that pass through the Ethernet interface eth1, the command is:

# ipfw add deny tcp from 192.168.1.1 to 192.168.2.2 23 via eth1

Listing ipfw Rules

The current set of ipfw rules is displayed with the list argument:

# ipfw list

Removing ipfw Rules

The flush argument to ipfw removes all rules currently set for packet filtering.

# ipfw flush

Clearing ipfw Counters

The packet counters kept by rules with the count action can be cleared with the zero argument to ipfw:

# ipfw zero [<index>]

If <index> is given, only the counter of the rule with that index (rule number) is cleared. If <index> is not used, all packet counters are cleared.
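To see how a chain behaves before loading it on a target, the following Python model (an added example; it is not LynxOS or ipfw code) parses rules written in the ipfw syntax above and replays constructed packets through them. It assumes standard ipfw semantics that the page does not spell out: rules are checked in the order they were added, the first matching rule decides the packet except count, which only increments and continues, and a packet matching no rule passes, which is the "all ports open" default noted above. The hardened chain, the 192.168.1.0/24 admin network and the packets are constructed for the example.

```python
"""Model of ipfw first-match rule evaluation (added example; not LynxOS or ipfw code).
Parses the 'ipfw add' syntax used on this page and replays constructed packets through
the chain. Assumed ipfw semantics: rules are checked in the order added; the first match
decides the packet, except 'count', which only increments; no match means the packet passes."""
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Packet:                 # constructed test input, not a real capture
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    direction: str = "in"     # "in" or "out"
    iface: str = "eth0"
    syn: bool = False
    ack: bool = False
    rst: bool = False

@dataclass
class Rule:
    action: str               # allow, deny, reject or count
    proto: str                # all, tcp, udp or icmp
    src: ipaddress.IPv4Network
    sports: list              # (lo, hi) port ranges; empty list = any port
    dst: ipaddress.IPv4Network
    dports: list
    opts: set = field(default_factory=set)   # in, out, setup, established
    via: str = None           # interface pattern from 'via', or None
    hits: int = 0             # per-rule packet counter ('ipfw zero' clears it)

PORT_SPEC = re.compile(r"^\d+([,-]\d+)*$")   # 23 | 22,80 | 1024-65535
parse_addr = lambda t: ipaddress.ip_network("0.0.0.0/0" if t == "any" else t, strict=False)

def parse_ports(tok):
    # '23' -> [(23, 23)]; '22,80' -> [(22, 22), (80, 80)]; '1-1023' -> [(1, 1023)]
    return [(int(lo), int(hi or lo)) for lo, _, hi in (p.partition("-") for p in tok.split(","))]

def parse_rule(text):
    """Parse '<action> <protocol> from <addr> [<ports>] to <addr> [<ports>] [options]'."""
    tok = text.split()
    i = tok.index("to")                   # ValueError if the rule has no 'to'
    sports = parse_ports(tok[4]) if i > 4 and PORT_SPEC.match(tok[4]) else []
    rest, dports = tok[i + 2:], []
    if rest and PORT_SPEC.match(rest[0]):
        dports, rest = parse_ports(rest[0]), rest[1:]
    opts, via = set(), None
    while rest:
        word = rest.pop(0)
        if word == "via":
            via = rest.pop(0)
        elif word in ("in", "out", "setup", "established"):
            opts.add(word)
        else:
            raise ValueError("option not modelled here: " + word)
    return Rule(tok[0], tok[1], parse_addr(tok[3]), sports, parse_addr(tok[i + 1]), dports, opts, via)

def port_ok(ranges, port):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)

def iface_ok(pattern, iface):         # 'via eth*' matches eth0, eth1, ...; 'any'/None match all
    return pattern in (None, "any") or (iface.startswith(pattern[:-1]) if pattern.endswith("*") else iface == pattern)

def matches(rule, pkt):
    if rule.proto not in ("all", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if not port_ok(rule.sports, pkt.sport) or not port_ok(rule.dports, pkt.dport):
        return False
    if ("in" in rule.opts and pkt.direction != "in") or ("out" in rule.opts and pkt.direction != "out"):
        return False
    if "setup" in rule.opts and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if "established" in rule.opts and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return iface_ok(rule.via, pkt.iface)

def verdict(chain, pkt, default="allow"):
    """Walk the chain in order; the first non-count match decides the packet."""
    for rule in chain:
        if matches(rule, pkt):
            rule.hits += 1
            if rule.action != "count":
                return rule.action
    return default                        # fell off the end: open by default

# The two rules from this page, in the order 'ipfw add' appends them.
PAGE_CHAIN = [parse_rule(r) for r in (
    "deny tcp from 192.168.1.1 to 192.168.2.2 in",
    "deny tcp from 192.168.1.1 to 192.168.2.2 23 via eth1")]

# A default-deny host chain (constructed): replies to our own connections pass, only the
# admin network may open SSH on eth0, UDP is counted, and the last rule drops everything else.
HARDENED_CHAIN = [parse_rule(r) for r in (
    "allow tcp from any to any established",
    "allow tcp from 192.168.1.0/24 to 192.168.2.2 22 setup in via eth0",
    "count udp from any to any",
    "deny all from any to any")]
```

Replaying the page's two rules shows that the second (telnet) rule is never reached for packets from 192.168.1.1, because the first rule already denies every inbound TCP packet from that host, while a packet from any other source passes untouched. The hardened chain ends with an explicit deny-all, so the same packet is dropped there, and the count rule records UDP packets without deciding them.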

ip6fw

The ip6fw utility is the IPv6 implementation of IPFW. Its syntax and usage are identical to ipfw, with the following exceptions in the <protocol> and <address> arguments. Note that ipfw rules do not apply to IPv6 packets: a host with IPv6 enabled needs its own ip6fw chain, including its own final deny rule, or IPv6 traffic bypasses the filter entirely.

ip6fw Specific Options

<protocol>
    ipv6 or all -- Set the rule for all protocols
    ipv6-icmp -- Set the rule for ICMPv6 packets only
    tcp -- Set the rule for TCP packets only
    udp -- Set the rule for UDP packets only

<address>
    <ipv6no>/<prefixlen> -- An IPv6 address with a prefix length, of the form fec0::1:2:3:4/112.

IPsec

IPsec is a set of security protocols at the IP layer that provide authenticated, and optionally encrypted, communication between two hosts. IPsec can protect traffic between subnets through a tunnel (tunnel mode) or protect traffic between two hosts directly (transport mode). The two hosts must share the keys and algorithm parameters of each security association before protected packets can be exchanged. Security associations can be entered manually, or negotiated automatically with the racoon IKE daemon. Both IPv4 and IPv6 are supported.

Note: The IPsec and IPv6 protocols for LynxOS are not included with the standard LynxOS package. These components are available for purchase separately. For information on these products, please contact your LynuxWorks sales representative.

IPsec policies are configured with the setkey(8) utility. See "Using setkey" for additional information.

AH and ESP Security Protocols

IPsec uses two security protocols:

AH (Authentication Header) adds a keyed hash, computed with a secret shared by the two hosts, over the packet, including the source and destination addresses in the IP header. It provides integrity and origin authentication but no confidentiality; a packet whose hash does not verify is discarded.

ESP (Encapsulating Security Payload) encrypts the packet payload with a secret shared by the two hosts and, when an authentication algorithm is also specified (the -A option of setkey), protects the integrity of the payload as well. ESP without an authentication algorithm provides confidentiality only, so tampering with the encrypted payload is not detected.

Tunnel Mode and Transport Mode

IPsec includes two modes of communicating packets:

Transport mode -- Protects the payload of packets exchanged directly between two hosts; the original IP header is kept.

Tunnel mode -- Encapsulates the entire original packet in a new IP packet, typically between two gateways, so that traffic between whole subnets is protected.

Setting the Security Policy Database (SPD)

A Security Policy Database (SPD) is kept in the kernel. It determines which packets IPsec must act on, which security protocol to use for them (AH or ESP), in which mode, and whether protection is optional or required. The algorithms and keys themselves come from the security association selected by the policy. The utility setkey(8) is used to modify the policies kept in the SPD.

Setting the Security Association Database (SAD)

The keys, algorithms and SPIs that make up each security association are kept in a kernel table called the Security Association Database (SAD). The SAD contains the list of keys that are required for secure communications. The SAD can be updated manually with the setkey(8) utility. For hosts supporting IKE (Internet Key Exchange), the SAD can be populated automatically by the racoon daemon, which negotiates the security associations with the peer.

Using setkey

The setkey utility, invoked with the -c option, reads commands from standard input. Invoked with the -f option, setkey reads commands from a file. The syntax used with setkey is as follows:

# setkey -f <filename>

or

# setkey -c
... <rules>
<Ctrl-D>

Each command is terminated by a semicolon; with -c, end the input with Ctrl-D (end of file). The setkey command syntax is as follows:

<command> <src_addr> <dest_addr> <protocol> <spi> [<extension>] <algorithm> [-P <policy>]

Note: If ipfw is also running on an IPsec host, its rules must pass the IPsec protocols themselves. These are IP protocols rather than TCP or UDP ports: ESP is IP protocol 50 and AH is IP protocol 51. When racoon negotiates keys, the IKE exchange on UDP port 500 must be passed as well. For example (pass is an ipfw synonym for allow):
  ipfw add pass esp from any to any

The following table describes the available commands and arguments:

setkey Command Options and Descriptions

<command>
    add -- Adds an SAD entry
    spdadd -- Adds an SPD entry
    get -- Shows an SAD entry
    delete -- Removes an SAD entry
    flush <protocol> -- Clears all SAD entries matching <protocol>
    dump <protocol> -- Dumps all SAD entries matching <protocol>

<src_addr>
    IP address of the source system

<dest_addr>
    IP address of the destination system

<protocol>
    esp -- ESP based on RFC2405
    esp-old -- ESP based on RFC1827
    ah -- AH based on RFC2402
    ah-old -- AH based on RFC1826
    ipcomp -- IP compression (IPComp)

<spi>
    Security Parameter Index (SPI) for the SAD and SPD. A decimal or hexadecimal number. A security association is identified by its destination address and SPI, so the same SPI must be configured for it on both hosts.

[<extension>]
    -m <mode> -- Specify the security protocol mode. <mode> is one of transport, tunnel or any. The default value is any.
    -r <size> -- Specify the size in bytes of the replay-prevention window. <size> must be a 32-bit decimal number. If <size> is zero or not specified, replays are not checked.
    -u <id> -- Specify the identifier of the policy.
    -f <pad_option> -- <pad_option> is one of zero-pad, random-pad or seq-pad.
    -f nocyclic-seq -- Do not allow cyclic sequence numbers.
    -lh <time> -- Specify the hard lifetime.
    -ls <time> -- Specify the soft lifetime.

<algorithm>
    -E <ealgo> <key> -- Specify the encryption algorithm and its key.
    -A <aalgo> <key> -- Specify the authentication algorithm and its key. If -A is used with ESP, it is treated as the ESP payload authentication algorithm.
    -C <calgo> -- Specify the compression algorithm.

[-P <policy>]
    -P <direction> discard -- Discard packets matching the index. <direction> is in or out.
    -P <direction> none -- IPsec does not operate on matching packets. <direction> is in or out.
    -P <direction> ipsec <protocol>/<mode>/<src>-<dst>/<level> -- Specify a policy for IPsec to apply to matching packets. <direction> is in or out.
        <protocol> is ah, esp or ipcomp.
        <mode> is transport or tunnel.
        <src>-<dst> are the end-point addresses used to select the SA; in transport mode this field may be left empty, as in the examples below.
        <level> is default, use or require. default means the kernel consults the system-wide default for the specified protocol when it processes the packet. use means the kernel uses an SA if one is available; otherwise the packet is processed normally, that is, in cleartext. require means an SA is required whenever the kernel deals with the packet; without one the packet is not sent in cleartext.

The following commands and files provide an example of using setkey to update the SAD and SPD kernel tables. These steps must be completed on both systems using IPsec, and the add lines (SPIs and keys) must be identical on both.

  1. Flush the current SAD and SPD:

# setkey -F
# setkey -FP

  2. Create a file that contains the SAD and SPD entries. In the example file below, the two hosts 192.168.0.1 and 192.168.0.2 are set up to use ESP with the 3des-cbc encryption algorithm in transport mode. The first two add lines create one security association for each direction (SPI 1234 for packets from 192.168.0.1 to 192.168.0.2, SPI 9999 for the reverse direction); the spdadd line adds the policy that applies ESP to outgoing packets. The key shown is a placeholder for this example only: a real key must be generated from a random source, be identical on both hosts, and be kept in a file that is not world-readable. Because the policy level is use, packets are still sent in cleartext if the matching SA is missing (for example, when the file has been loaded on only one host); use the level require to refuse unprotected traffic.

For Host A, use the following:

Sample Configuration File (hostA.sample.policies)
# IPv4 ESP
# local system: 192.168.0.1
# remote system: 192.168.0.2
add 192.168.0.1 192.168.0.2 esp 1234 -E 3des-cbc "123456781234567812345678";
add 192.168.0.2 192.168.0.1 esp 9999 -E 3des-cbc "123456781234567812345678";
spdadd 192.168.0.1 192.168.0.2 any -P out ipsec esp/transport//use;

For Host B, use the following (note the swapped local and remote systems and the change in the spdadd line):

Sample Configuration File (hostB.sample.policies)
# IPv4 ESP
# local system: 192.168.0.2
# remote system: 192.168.0.1
add 192.168.0.1 192.168.0.2 esp 1234 -E 3des-cbc "123456781234567812345678";
add 192.168.0.2 192.168.0.1 esp 9999 -E 3des-cbc "123456781234567812345678";
spdadd 192.168.0.2 192.168.0.1 any -P out ipsec esp/transport//use;

  3. Point setkey to the file on each host. For Host A:

# setkey -f hostA.sample.policies

For Host B:

# setkey -f hostB.sample.policies

setkey reads the file and updates the SPD and SAD as necessary. Confirm the result with setkey -D (dump the SAD) and setkey -DP (dump the SPD).
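The procedure above shares one placeholder key between the hosts and relies on a use policy. As an added example (not part of the LynxOS documentation, the KAME tools, or the sample files above), the Python script below generates the pair of setkey files with fresh random keys, ESP with an authentication algorithm, and require policies in both directions, and cross-checks that both hosts carry identical security associations. Assumptions beyond the page: the KAME algorithm names 3des-cbc (192-bit key) and hmac-sha1 (160-bit key), and that setkey accepts 0x-prefixed hexadecimal keys as well as the double-quoted ASCII keys shown above.

```python
"""Build matching setkey(8) files for two IPsec hosts with fresh random keys and an
enforcing policy (added example; not part of LynxOS, KAME setkey or the page's samples).
Assumptions beyond the page: KAME algorithm names 3des-cbc (192-bit key) and
hmac-sha1 (160-bit key), and keys given as 0x-prefixed hex or "quoted" ASCII."""
import os
import re

KEY_BITS = {"3des-cbc": 192, "hmac-sha1": 160}

def random_key(algo):
    """Fresh key from the OS random source, as a 0x-prefixed hex literal."""
    return "0x" + os.urandom(KEY_BITS[algo] // 8).hex()

def key_bits(key):
    """Bit length of a setkey key literal: 0x<hex> or "ASCII" (one byte per character)."""
    if key.startswith("0x"):
        return (len(key) - 2) * 4
    if len(key) >= 2 and key[0] == key[-1] == '"':
        return (len(key) - 2) * 8
    raise ValueError("unrecognised key literal: " + key)

def sa_line(src, dst, spi, enc_key, auth_key):
    """One SAD 'add' entry: ESP with encryption and integrity, key sizes checked."""
    for algo, key in (("3des-cbc", enc_key), ("hmac-sha1", auth_key)):
        if key_bits(key) != KEY_BITS[algo]:
            raise ValueError(f"{algo} needs a {KEY_BITS[algo]}-bit key, got {key_bits(key)} bits")
    return f"add {src} {dst} esp 0x{spi:x} -E 3des-cbc {enc_key} -A hmac-sha1 {auth_key};"

def policy_lines(local, remote, level="require"):
    """SPD entries for both directions. 'require' refuses cleartext when the SA is
    missing; the page's sample uses 'use', which silently falls back to cleartext."""
    return [f"spdadd {local} {remote} any -P out ipsec esp/transport//{level};",
            f"spdadd {remote} {local} any -P in ipsec esp/transport//{level};"]

def generate(host_a, host_b, spi_ab=0x1234, spi_ba=0x9999):
    """Return {host: file text}. An SA is named by (dst, SPI) and must exist with the
    same key at both ends, so the add lines are identical in both files; only the
    spdadd lines differ, because each host is 'local' in its own policy."""
    sad = [sa_line(host_a, host_b, spi_ab, random_key("3des-cbc"), random_key("hmac-sha1")),
           sa_line(host_b, host_a, spi_ba, random_key("3des-cbc"), random_key("hmac-sha1"))]
    files = {}
    for local, remote in ((host_a, host_b), (host_b, host_a)):
        header = ["# IPv4 ESP with authentication", f"# local system: {local}", f"# remote system: {remote}"]
        files[local] = "\n".join(header + sad + policy_lines(local, remote)) + "\n"
    return files

def sad_index(text):
    """(src, dst, spi, enc_key, auth_key) of every add line, for cross-checking the hosts."""
    return set(re.findall(r"^add (\S+) (\S+) esp (\S+) -E 3des-cbc (\S+) -A hmac-sha1 (\S+);$", text, re.M))

def consistent(file_a, file_b):
    """True when both hosts carry exactly the same two SAs (same SPIs and keys)."""
    return sad_index(file_a) == sad_index(file_b) and len(sad_index(file_a)) == 2

if __name__ == "__main__":
    for host, text in generate("192.168.0.1", "192.168.0.2").items():
        print(f"--- {host}\n{text}")
```

Run the script on a trusted machine, copy each host's file to that host over a secure channel and install it with mode 0600 (it contains the keys), then load it as in step 3 after flushing with setkey -F and setkey -FP. setkey -D and setkey -DP show the SAD and SPD that were actually loaded.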

Additional configuration details are available in the setkey(8) man page. Also, refer to the racoon utility man page for information on automating the SAD update.



LynuxWorks, Inc.
855 Branham Lane East
San Jose, CA 95138
http://www.lynuxworks.com
1.800.255.5969