System Administration Guide: IP Services

How to Use IPsec to Protect a Web Server From Nonweb Traffic

A secure web server allows web clients to talk to the web service. On a secure web server, traffic that is not web traffic must pass security checks. The following procedure includes bypasses for web traffic. In addition, this web server can make unsecured DNS client requests. All other traffic requires ESP with AES and SHA-1 algorithms.

Before You Begin

You must be in the global zone to configure IPsec policy. For an exclusive-IP zone, you configure IPsec policy in the non-global zone. You have completed How to Secure Traffic Between Two Systems With IPsec so that the following conditions are in effect:

Communication between the two systems is protected by IPsec.
Keying material is being generated, either manually or by IKE.
You have verified that packets are being protected.

On the system console, assume the Primary Administrator role or become superuser.

The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

Note –
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for a secure remote login.

Determine which services need to bypass security policy checks.

For a web server, these services include TCP ports 80 (HTTP) and 443 (Secure HTTP). If the web server provides DNS name lookups, the server might also need to include port 53 for both TCP and UDP.

Create IPsec policy for the web server and enable it.
- Starting in the Solaris 10 4/09 release, follow the steps from Step 4 to Step 7.
- If you are running a release prior to the Solaris 10 4/09 release, follow the steps from Step 8 to Step 11.
Step 12 is optional in all Solaris releases.

Add the web server policy to the IPsec policy file.

Add the following lines to the /etc/inet/ipsecinit.conf file:

# Web traffic that web server should bypass.
{lport  80 ulp tcp dir both} bypass {}
{lport 443 ulp tcp dir both} bypass {}

# Outbound DNS lookups should also be bypassed.
{rport 53 dir both} bypass {}

# Require all other traffic to use ESP with AES and SHA-1.
# Use a unique SA for outbound traffic from the port
{} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

This configuration allows only secure traffic to access the system, with the bypass exceptions that are described in Step 4.

Verify the syntax of the IPsec policy file.

# ipsecconf -c -f /etc/inet/ipsecinit.conf

Refresh the IPsec policy.

# svcadm refresh svc:/network/ipsec/policy:default

Refresh the keys for IPsec.
- If you configured IKE in Step 5 of How to Secure Traffic Between Two Systems With IPsec, restart the ike service.
  # svcadm restart svc:/network/ipsec/ike
- If you manually configured keys in Step 5 of How to Secure Traffic Between Two Systems With IPsec, refresh the manual-key service.
  # svcadm refresh svc:/network/ipsec/manual-key:default
Your setup is complete. Optionally, you can perform Step 12.

Create a file in the /etc/inet directory for the web server policy.

Note –

The following steps configure a web server that is running a release prior to the Solaris 10 4/09 release.

Give the file a name that indicates its purpose, for example IPsecWebInitFile. Type the following lines in this file:

# Web traffic that web server should bypass.
{lport  80 ulp tcp dir both} bypass {}
{lport 443 ulp tcp dir both} bypass {}

# Outbound DNS lookups should also be bypassed.
{rport 53 dir both} bypass {}

# Require all other traffic to use ESP with AES and SHA-1.
# Use a unique SA for outbound traffic from the port
{} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

This configuration allows only secure traffic to access the system, with the bypass exceptions that are described in Step 4.

Copy the contents of the file that you created in Step 8 into the /etc/inet/ipsecinit.conf file.

Protect the IPsecWebInitFile file with read-only permissions.
# chmod 400 IPsecWebInitFile

Secure the web server without rebooting.

Choose one of the following options:
- If you are using IKE for key management, stop and restart the in.iked daemon.
  # pkill in.iked # /usr/lib/inet/in.iked
- If you are manually managing keys, use the ipseckey and ipsecconf commands.
  
  Use the IPsecWebInitFile as the argument to the ipsecconf command. If you use the ipsecinit.conf file as the argument, the ipsecconf command generates errors when policies in the file are already implemented on the system.
  # ipseckey -c -f /etc/inet/secret/ipseckeys # ipsecconf -a /etc/inet/IPsecWebInitFile
Caution –
Read the warning when you execute the ipsecconf command. A socket that is already latched, that is, a socket that is already in use, provides an unsecured back door into the system. For more extensive discussion, see Security Considerations for ipsecinit.conf and ipsecconf. The same warning applies to restarting the in.iked daemon.

You can also reboot. Rebooting ensures that the IPsec policy is in effect on all TCP connections. At reboot, the TCP connections use the policy in the IPsec policy file.

(Optional) Enable a remote system to communicate with the web server for nonweb traffic.

Type the following policy in a remote system's ipsecinit.conf file:
# Communicate with web server about nonweb stuff # {laddr webserver} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
A remote system can communicate securely with the web server for nonweb traffic only when the systems' IPsec policies match.