System Administration Guide: IP Services

Procedure: How to Use IPsec to Protect a Web Server From Nonweb Traffic

A secure web server allows web clients to talk to the web service, but any traffic that is not web traffic must pass IPsec policy checks. The following procedure adds bypass rules for web traffic so that it is not subject to IPsec. In addition, this web server can make unsecured DNS client requests. All other traffic requires ESP with the AES and SHA-1 algorithms.

Before You Begin

You must be in the global zone to configure IPsec policy. You have completed How to Secure Traffic Between Two Systems With IPsec so that the following conditions are in effect:

  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for a secure remote login.


  2. Determine which services need to bypass security policy checks.

    For a web server, these services include TCP ports 80 (HTTP) and 443 (HTTPS). If the web server also performs DNS name lookups, the server might need to bypass port 53 for both TCP and UDP as well.

  3. Add the web server policy to the IPsec policy file.

    Add the following lines to the /etc/inet/ipsecinit.conf file:


    # Web traffic that web server should bypass.
    {lport  80 ulp tcp dir both} bypass {}
    {lport 443 ulp tcp dir both} bypass {}
    
    # Outbound DNS lookups should also be bypassed.
    {rport 53 dir both} bypass {}
    
    # Require all other traffic to use ESP with AES and SHA-1.
    # "sa shared" lets this rule share SAs across connections rather than
    # setting up a unique SA for each source-destination-port pair.
    {} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

    This configuration allows only secure traffic to access the system, with the bypass exceptions that are described in Step 3.

  4. Verify the syntax of the IPsec policy file.


    # ipsecconf -c -f /etc/inet/ipsecinit.conf
    
  5. Refresh the IPsec policy.


    # svcadm refresh svc:/network/ipsec/policy:default
    
  6. Refresh the keys for IPsec.

    Your setup is complete. Optionally, you can perform Step 7.

  7. (Optional) Enable a remote system to communicate with the web server for nonweb traffic.

    Type the following policy in a remote system's ipsecinit.conf file:


    # Communicate with web server about nonweb stuff.
    # On the remote system the web server is the remote peer, so the rule
    # selects on raddr (remote address), not laddr (the remote system's
    # own address).
    {raddr webserver} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

    A remote system can communicate securely with the web server for nonweb traffic only when the systems' IPsec policies match.
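The following shell script is an added example, not part of the guide, that ties Steps 2 through 5 and Step 7 together: it generates the web server policy from a list of bypass ports, generates the matching remote-system rule, counts how many bypass rules are left outside IPsec (a quick audit of what the policy exempts), and runs the guide's ipsecconf syntax check and svcadm refresh only when those Solaris commands exist, so the script can be tried on any system. The host name webserver, the function names and the file paths are assumptions; the remote rule uses raddr because the web server is the remote peer from that system's point of view. Step 6 (refreshing the keys) depends on whether IKE or manual keys are in use and is not scripted here.

```shell
#!/bin/sh
# Added example (not from the guide): generate, audit and install the
# web server IPsec policy described in Steps 2 to 5, and the remote
# rule of Step 7.

# Emit the web server policy (Step 3) for the given bypass TCP ports.
# $1: space-separated TCP ports to bypass, e.g. "80 443"
# $2: "yes" to also bypass DNS lookups (remote port 53, TCP and UDP)
gen_webserver_policy() {
    ports=$1
    dns=$2
    echo "# Web traffic that web server should bypass."
    for p in $ports; do
        printf '{lport %s ulp tcp dir both} bypass {}\n' "$p"
    done
    if [ "$dns" = yes ]; then
        echo ""
        echo "# Outbound DNS lookups should also be bypassed."
        echo "{rport 53 dir both} bypass {}"
    fi
    echo ""
    echo "# Require all other traffic to use ESP with AES and SHA-1."
    echo "{} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}"
}

# Emit the remote-system policy (Step 7). $1: web server host name.
# The web server is the remote peer here, hence raddr (assumption).
gen_remote_policy() {
    printf '# Communicate with web server about nonweb stuff\n'
    printf '{raddr %s} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}\n' "$1"
}

# Count the bypass rules in a policy file: every one of them is traffic
# that IPsec will not protect, so the number should match Step 2 exactly.
count_bypass_rules() {
    grep -Fc ' bypass {}' "$1"
}

# Write policy text ($1) to file ($2), then run the syntax check (Step 4)
# and refresh the policy service (Step 5) if the Solaris tools are present.
install_policy() {
    policy_text=$1
    file=$2
    printf '%s\n' "$policy_text" > "$file"
    if command -v ipsecconf >/dev/null 2>&1; then
        ipsecconf -c -f "$file" || return 1
        svcadm refresh svc:/network/ipsec/policy:default
    else
        echo "ipsecconf not found: skipping syntax check and refresh" >&2
    fi
}

# Usage: generate the policy for ports 80 and 443 with DNS bypass and
# install it. Replace the output path with /etc/inet/ipsecinit.conf on
# the web server itself (the path here is an assumption for a dry run).
main() {
    policy=$(gen_webserver_policy "80 443" yes)
    install_policy "$policy" ./ipsecinit.conf.example || exit 1
    echo "bypass rules: $(count_bypass_rules ./ipsecinit.conf.example)"
    gen_remote_policy webserver
}

[ "${0##*/}" = "ipsec_web_policy.sh" ] && main
```

Review the bypass count before copying the file into place: a bypass rule is traffic that IPsec will never protect, so the count should equal the number of services you decided on in Step 2 and nothing more.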