System Administration Guide, Volume 3

How to Secure a Web Server Using IPsec Policy

This procedure includes bypasses for Web traffic served on the Web server and DNS client requests from this Web server. All other traffic requires ESP with 3DES and SHA-1 algorithms and uses a shared SA for outbound traffic, so as not to require too many security associations.

  1. Become superuser on the system console.

    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

  2. Determine which services need to bypass security policy checking.

    For a Web server, this includes TCP ports 80 (HTTP) and 443 (Secure HTTP). If the Web server does DNS name lookups, it might also need to include port 53 for both TCP and UDP.

  3. Create a read-only file, using the file name of your choice, say MyIPsecInitFile, and type the following lines in this file:


    # Web traffic that Web server should bypass.
    {sport 80 ulp tcp} bypass {dir out}
    {dport 80 ulp tcp} bypass {dir in}
    {sport 443 ulp tcp} bypass {dir out}
    {dport 443 ulp tcp} bypass {dir in}

    # Outbound DNS lookups should also be bypassed.
    {dport 53} bypass {dir out}
    {sport 53} bypass {dir in}

    # Require all other traffic to use ESP with 3DES and SHA-1.
    # Use a shared SA for outbound traffic, so as not to require a
    # large supply of security associations.
    {} permit {encr_algs 3des encr_auth_algs sha}
    {} apply {encr_algs 3des encr_auth_algs sha sa shared}

    This enables only secure traffic to access the system, with the bypass exceptions listed in the previous step.

  4. Do either one of the following two substeps:

    1. Copy the file you created in the previous step into /etc/inet/ipsecinit.conf and reboot, using the following commands:

      # cp filename /etc/inet/ipsecinit.conf
      # reboot

    2. Invoke the file you created, using the following command:

      # ipsecconf -a filename


      Note - Both substeps work because the policy file has no name service requirements (it refers to ports and protocols only, not to host names). Also, when ipsecconf is invoked, existing TCP connections do not fall under the new IPsec policy; the ipsecconf command issues a warning to this effect.

The Web server now allows only Web-server traffic, as well as outbound DNS requests and replies. No other services will work without adding security associations using ipseckey(1M) and enabling IPsec on the remote system.
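As an added illustration that is not part of the Sun guide, the following Python script parses a constructed copy of the step 3 policy lines and reports which sample packets are bypassed and which fall under the permit or apply entries. It assumes first-match evaluation in file order, with permit governing inbound and apply governing outbound packets.

```python
import re

# Constructed copy of the policy lines from step 3 (legacy Solaris 8 ipsecconf syntax).
POLICY = """\
{sport 80 ulp tcp} bypass {dir out}
{dport 80 ulp tcp} bypass {dir in}
{sport 443 ulp tcp} bypass {dir out}
{dport 443 ulp tcp} bypass {dir in}
{dport 53} bypass {dir out}
{sport 53} bypass {dir in}
{} permit {encr_algs 3des encr_auth_algs sha}
{} apply {encr_algs 3des encr_auth_algs sha sa shared}
"""

RULE_RE = re.compile(r"\{([^}]*)\}\s+(bypass|permit|apply)\s+\{([^}]*)\}")

def _pairs(text):
    """Turn 'sport 80 ulp tcp' into {'sport': '80', 'ulp': 'tcp'}."""
    toks = text.split()
    if len(toks) % 2:
        raise ValueError(f"odd token count in {text!r}")
    return dict(zip(toks[::2], toks[1::2]))

def parse_policy(text):
    """Parse '{pattern} action {properties}' lines; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unparseable policy line: {line!r}")
        pattern, action, props = _pairs(m.group(1)), m.group(2), _pairs(m.group(3))
        # Assumption: permit governs inbound packets and apply governs outbound ones;
        # a bypass rule names its direction explicitly in its properties.
        direction = {"permit": "in", "apply": "out"}.get(action, props.get("dir"))
        rules.append((pattern, action, props, direction))
    return rules

def evaluate(rules, pkt):
    """Return (action, props) of the first rule matching pkt (assumed first-match order).
    pkt is a dict with keys dir, ulp, sport, dport; None means no entry matched."""
    for pattern, action, props, direction in rules:
        if direction is not None and direction != pkt["dir"]:
            continue
        if all(str(pkt.get(key)) == want for key, want in pattern.items()):
            return action, props
    return None

RULES = parse_policy(POLICY)
```

Evaluating a connection that the server itself opens to port 80 on another host shows that it is not bypassed (the bypass matches source port 80 only), so it falls under the outbound apply entry with the shared SA, exactly as the closing paragraph states.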