System Administration Guide: IP Services

How to Secure a Web Server

A secure Web server requires that any incoming traffic that is not a Web client request pass security checks. The following procedure includes bypasses for Web traffic that is served on the Web server and for DNS client requests from this Web server. All other traffic requires ESP with 3DES and SHA-1 algorithms and uses a shared SA for outbound traffic. Sharing SAs avoids using too many security associations.

  1. Become superuser on the system console.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

  2. Determine which services need to bypass security policy checks.

    For a Web server, these services include TCP ports 80 (HTTP) and 443 (Secure HTTP). If the Web server provides DNS name lookups, it might also need to include port 53 for both TCP and UDP.

  3. Create a read-only file, using the file name of your choice, for example IPsecWebInitFile, and type the following lines in this file:

    # Web traffic that Web server should bypass.
    	{sport 80 ulp tcp} bypass {dir out}
    	{dport 80 ulp tcp} bypass {dir in}
    	{sport 443 ulp tcp} bypass {dir out}
    	{dport 443 ulp tcp} bypass {dir in}
    	# Outbound DNS lookups should also be bypassed.
    	{dport 53} bypass {dir out}
    	{sport 53} bypass {dir in}
    	# Require all other traffic to use ESP with 3DES and SHA-1.
    	# Use a shared SA for outbound traffic, in order to avoid a
    	# large supply of security associations.
    	{} permit {encr_algs 3des encr_auth_algs sha}
    	{} apply {encr_algs 3des encr_auth_algs sha sa shared}

    This configuration enables only secure traffic to access the system, with the bypass exceptions that are described in the previous step.

  4. Read the file you created in the previous step into /etc/inet/ipsecinit.conf.

    # vi  /etc/inet/ipsecinit.conf 
     :r IPsecWebInitFile
  5. Reboot.

    The ipsecconf command does not affect already-established TCP connections, whose policies are latched. Rebooting ensures that IPsec policy is in effect on all TCP connections. At reboot, the TCP connections latch policy as it is specified in the IPsec policy file.

    # reboot

    The Web server now allows only Web-server traffic, as well as outbound DNS requests and replies. No other services work without enabling IPsec on a remote system. If keying material is handled automatically, the IKE daemon activates IPsec on a remote system with an IPv4 address. On a remote system with an IPv6 address, use the ipseckey(1M) command to enable IPsec on the remote system.