http://www.sans.org/infosecFAQ/encryption/remote_admin.htm

Using IPSec for Remote Administration on Linux Firewalls
Danny Chang
August 2, 2000

Introduction

The corporate security administration function includes, among many other daily tasks, the remote administration of firewalls or proxy servers from a central location. The task of remotely logging on to and administering Linux firewalls presented a problem for my organization. We have used other firewall set-ups, such as CheckPoint VPN-1 and Cisco routers configured to use a VPN either as a plug-in or as a software application that came with the firewall or router package, but we did not have any secured channel established to administer our Linux firewalls from the security administration console. As we all know, without a VPN or secured channel no traffic is encrypted, including administrator passwords.

Background

We experimented with different approaches to provide a cost-effective method of remote logon, including SSH scripting and an S/WAN IPSec implementation, but because of the private network we use for our core business we chose a simple solution provided by the NIST Cerberus IPSec and PlutoPlus IKE software for encapsulation or tunneling between our Linux firewalls and the security console. Also, we are currently using IPv4 and not IPv6. [By the end of August 2000, the Cerberus software will be made available to the public.] We chose Cerberus because of its built-in user interface and its web-based interoperability tester (WIT). More importantly, the NIST Advanced Networking Technologies Division has done substantial research in IPSec and has incorporated IPv6 standardization in the Cerberus software. We have come to realize that a VPN is the solution to our specific problem.
A VPN can be used with the following types of network communications and configurations:

Peer-to-Peer
Client-Server
Protected Workgroup
Protected Enterprise
Protected Inter-Enterprise

VPN and Remote Access

IPSec and Linux firewalling

Linux firewalling consists of three built-in chains, input, output and forward, plus user-defined chains that provide other functionality. A chain is a checklist of rules. Each rule determines how a matching packet is handled: masquerade, redirect, accept, deny, reject or return. These rules are based on the security policies established by the security administrator. Linux uses ipchains, built into recent Linux kernel distributions, for firewalling.

Many commercial firewalls today support VPN functionality in their firewall products. As a result, vendors came out with their own ways of implementing IP encryption. I will highlight how IPSec is implemented in general as it is applied to "Our Solution". The starting point for implementing IPSec in firewalls is how to apply the rules to the AH (Authentication Header) or ESP (Encapsulating Security Payload) header. Packets are screened or filtered for AH or ESP based on their IP addresses. After the initial installation, the SADB (Security Association database) has to be loaded. At this point only "one-sided" Security Associations are established; the same procedure then has to be followed on all the other machines (hosts/gateways) so that both ends of each association exist.

Implementing Cerberus for Linux

The NIST Cerberus IPSec Reference Implementation for Linux was developed based on the current ESP and AH specifications, other RFCs and the IPv6 standards. The main components of the reference module are the Security Association Da
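The "IPSec and Linux firewalling" section above describes the starting point as screening the AH and ESP headers by IP address. The following is an added example, not code from the paper or from NIST, of an ipchains rule set that admits AH (IP protocol 51), ESP (IP protocol 50) and IKE (UDP port 500) only between the security console and the firewall, and logs and drops cleartext administration protocols (telnet, SSH) arriving from anywhere. The addresses and interface name are constructed placeholders; the rules are emitted as text first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the paper): ipchains rules that permit only the
# IPSec protocols and IKE between the security console and the firewall.
# CONSOLE_IP, FW_IP and IFACE are assumed placeholder values; override them
# in the environment for a real host.
CONSOLE_IP="${CONSOLE_IP:-192.0.2.10}"   # assumed security console address
FW_IP="${FW_IP:-192.0.2.1}"              # assumed firewall outside address
IFACE="${IFACE:-eth0}"                   # assumed outside interface

# build_ipsec_rules CONSOLE FW IFACE
# Emits the rule set on stdout without applying it, so it can be reviewed
# or diffed against the security policy before it touches the kernel.
build_ipsec_rules() {
    console="$1"; fw="$2"; iface="$3"
    cat <<EOF
ipchains -A input -i $iface -p 51 -s $console -d $fw -j ACCEPT
ipchains -A input -i $iface -p 50 -s $console -d $fw -j ACCEPT
ipchains -A input -i $iface -p udp -s $console 500 -d $fw 500 -j ACCEPT
ipchains -A input -i $iface -p tcp -s 0.0.0.0/0 -d $fw 23 -l -j DENY
ipchains -A input -i $iface -p tcp -s 0.0.0.0/0 -d $fw 22 -l -j DENY
EOF
}

# apply_ipsec_rules CONSOLE FW IFACE
# Applies the emitted rules; refuses to run where ipchains is not installed.
apply_ipsec_rules() {
    command -v ipchains >/dev/null 2>&1 || {
        echo "ipchains not found; nothing applied (use without 'apply' to review)" >&2
        return 1
    }
    build_ipsec_rules "$@" | sh
}

# Default action is to show the rules; pass 'apply' to load them.
case "${1:-show}" in
    apply) apply_ipsec_rules "$CONSOLE_IP" "$FW_IP" "$IFACE" ;;
    *)     build_ipsec_rules "$CONSOLE_IP" "$FW_IP" "$IFACE" ;;
esac
```

The AH and ESP lines are the address-based screening the paper refers to; the UDP 500 line is needed so the PlutoPlus IKE exchange that populates the SADB can reach the firewall. The two logged DENY rules give the administrator a record of any attempt to reach the firewall outside the tunnel. Whether packets decapsulated by the IPSec stack pass through the input chain a second time depends on the implementation, so verify that behaviour with Cerberus before relying on these rules as the only control on the inner traffic.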