Go to main content

Securing the Network in Oracle® Solaris 11.4

Exit Print View

Updated: January 2019
 
 

How to Use IPsec to Protect Web Server Communication With Other Servers

On a system that runs a web server, you can use IPsec to protect all traffic except web client requests. The protected network traffic is typically between the web server and other backend servers.

In addition to allowing web clients to bypass IPsec, the IPsec policy in this procedure allows the server to make DNS client requests. All other traffic is protected by IPsec.

Before You Begin

    This procedure assumes that the steps in How to Secure Network Traffic Between Two Servers With IPsec that configure IPsec on your two servers have been completed so that the following conditions are in effect:

  • Each system is either a global zone or an exclusive-IP zone with a fixed address. For more information, see IPsec and Oracle Solaris Zones.

  • Communication with the web server is already protected by IPsec.

  • Keying material is being generated by IKE.

  • You have verified that packets are being protected.

    A user with specific rights can run these commands without being root.

  • To run configuration commands, you must become an administrator who is assigned the Network IPsec Management rights profile.

  • To edit IPsec-related system files and create keys, you use the pfedit command.

  • To edit the hosts file, you must be in the root role or have explicit permission to edit that file.

For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

If you administer remotely, see Example 19, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.4 for secure remote login instructions.

  1. Determine which services need to bypass IPsec policy checks.

    For a web server, these services include TCP ports 80 (HTTP) and 443 (Secure HTTP). If the web server provides DNS name lookups, the server might also need to include port 53 for both TCP and UDP.

  2. Add the web server policy to the IPsec policy file.

    Add the following lines to the ipsecinit.conf file:

    # pfedit /etc/inet/ipsecinit.conf
    ...
    # Web traffic that web server should bypass.
    {lport  80 ulp tcp dir both} bypass {}
    {lport 443 ulp tcp dir both} bypass {}
    
    # Outbound DNS lookups should also be bypassed.
    {rport 53 dir both} bypass {}
    
    # Require all other traffic to use ESP with AES and SHA-2.
    # Use a unique SA for outbound traffic from the port
    {} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

    This configuration allows only secure traffic to access the system, with the bypass exceptions that are described in Step 1.

  3. Verify the syntax of the IPsec policy file.
    # ipsecconf -c /etc/inet/ipsecinit.conf
  4. Refresh the IPsec policy.
    # svcadm refresh ipsec/policy
  5. Refresh the keys for IPsec.

    Restart the ike service.

    # svcadm restart ike:ikev2

    Note - If you are communicating with a system that can only run the IKEv1 protocol, specify the ike:default instance.

    If you manually configured the keys, follow the instructions in How to Manually Create IPsec Keys.

    Your setup is complete.

  6. (Optional) Enable a remote system to communicate with the web server for nonweb traffic.

    Add the following lines to a remote system's /etc/inet/ipsecinit.conf file:

    ## Communicate with web server about nonweb stuff
    ##
    {raddr webserver} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

    Verify the syntax and then refresh the IPsec policy to activate it.

    remote-system # ipsecconf -c /etc/inet/ipsecinit.conf
    remote-system # svcadm refresh ipsec/policy

    A remote system can communicate securely with the web server for nonweb traffic only when the systems' IPsec policies match.

  7. (Optional) Display the IPsec policy entries, including per-tunnel entries, in the order in which a match occurs.
    # ipsecconf -L -n