234 Chapter 8 • Configuring Solaris as a Secure Router and Firewall

The side against an accessible local C compiler fears a local user compiling exploits or other programs and using the system for unauthorized activities. Such violations could lead to a local user gaining elevated privileges or unauthorized network access. The other side of the argument believes that having a C compiler on the local system is a necessary utility. Without a C compiler, they believe, it’s impossible to build programs from source.

I’m happy to announce that I’m a proud member of both camps. I’m against local users having unlimited free rein of a system through some goody built with a C compiler, but I’m not against having the C compiler. This risk can be eliminated through proper permissions and access control such as RBAC or simple access control lists.

Minimal Services

A router needs very little in terms of services. Since the system has one purpose, there isn’t a necessity for things such as NFS, NIS, RPC, and sendmail. By eliminating these services, you enhance overall system performance. Additionally, eliminating these services closes entry points for possible intruders. By limiting the channels that allow an intruder potential access to the system, we’ve mitigated the risk of opening a system to future compromise by a new vulnerability.

Shutting down all services or using the system solely as a router isn’t always possible. This is, however, the recommended practice. Many of these services are started via the Internet daemon (inetd). Commenting out the services is a good practice. Commenting out the services and not starting inetd at all is the best methodology. The inetd is started in the /etc/rc2.d/S69inet script. Another good practice is checking the rc directories in /etc for programs that might be started. For example, the rc3.d directory starts a number of services that, in addition to being unnecessary, also have a history of security risks.
Services such as the NFS server and the DMI compatibility programs are started at run-level 3. Some time ago I wrote a document, “Back to the Basics: Solaris and init.” This document describes the services started on a stock install of Solaris and where they’re started. Through the ps and netstat programs, it’s possible to narrow down the majority of undesired services and disable them. If the use of these programs fails to yield the port number on which a particular service is running, the lsof utility can be a saving grace.

Minimal Users

A Solaris system is a multiuser system. However, a router should not be a multiuser system. Giving general users access to a system through which the traffic of the entire network flows is not only dangerous, it’s reckless. Shell access to the router should be limited to administrative staff and strictly regulated. A router shouldn’t bring unnecessary attention to itself by handling e-mail or other such services. It’s unnecessary to state that the system is critical.

Minimal Dynamic Information

One feature that can turn into a problem on any network is dynamic information. Such information includes routing protocols, name services, and the like. These services are designed to make network management easier, but the design of such services often isn’t the most secure. A router should be limited in the amount of dynamic information on which it relies.

Solaris routers typically start the in.routed and in.rdisc daemons when launching and gain routing information through UDP and ICMP. With any service that relies on dynamic data updates, it’s possible to generate fictitious data and send it to the host, which could result in a denial of service or other attack. Therefore, it is a best practice to eliminate all services on the router that rely on dynamic data, including in.rdisc and in.routed.
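The Minimal Services advice above (audit the rc directories, comment out inetd entries, leave a dedicated router with as few listeners as possible) as a small set of POSIX shell functions. This is an added example, not code from the book: the list of services it flags is our own choice, every path is taken relative to a ROOT prefix so the functions can be exercised on a staging copy of /etc rather than the live system, and the convention of disabling an rc script by renaming its leading S to s is an assumption of the example (the chapter only says such services should not start).

```shell
#!/bin/sh
# Added example: inventory and disable boot-time services a single-purpose
# Solaris router does not need.  ROOT is a prefix such as "" (live system)
# or a staging directory; rc script names like S15nfs.server are examples.

# Services we choose to flag (not exhaustive): NFS, DMI, sendmail, RPC.
UNNEEDED_RC='nfs.server nfs.client dmi sendmail rpc'
# inetd.conf services a router should not offer.
UNNEEDED_INETD='ftp telnet finger tftp rstatd rusersd'

# List the start scripts (S* entries) of one run level: rc_start_scripts ROOT LEVEL
rc_start_scripts() {
    for f in "$1/etc/rc$2.d"/S*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done
}

# Print "LEVEL SCRIPT" for each start script matching UNNEEDED_RC: rc_unneeded ROOT LEVEL
rc_unneeded() {
    for s in $(rc_start_scripts "$1" "$2"); do
        for u in $UNNEEDED_RC; do
            case "$s" in S[0-9][0-9]"$u") printf '%s %s\n' "$2" "$s" ;; esac
        done
    done
}

# Number of flagged scripts in a run level: rc_unneeded_count ROOT LEVEL
rc_unneeded_count() {
    rc_unneeded "$1" "$2" | awk 'END { print NR }'
}

# Disable a start script by renaming S -> s (assumed convention): the rc
# framework skips it, but the file stays for review.  rc_disable ROOT LEVEL SCRIPT
rc_disable() {
    mv "$1/etc/rc$2.d/$3" "$1/etc/rc$2.d/s${3#S}"
}

# Comment out UNNEEDED_INETD entries in inetd.conf; already-commented lines
# are untouched.  inetd_disable ROOT
inetd_disable() {
    conf="$1/etc/inet/inetd.conf"
    for svc in $UNNEEDED_INETD; do
        sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# Count inetd.conf entries that would still be started: inetd_active_count ROOT
inetd_active_count() {
    grep -c '^[^#]' "$1/etc/inet/inetd.conf" || true
}

# Typical use on a real system (root privileges required):
#   rc_unneeded "" 3; rc_disable "" 3 S15nfs.server; inetd_disable ""
```

After this pass, confirm with ps and netstat that nothing flagged is still listening; if a listener remains whose port you cannot attribute, lsof shows which process owns it.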
Minimal Cleartext Communication

On one final note on minimalism: it is a best practice to communicate with this system using the minimal amount of cleartext possible. Although we can build the most armored host on Earth and surround it with armed guards, if we’re communicating with the system via a channel that can be intercepted by a potential intruder, our efforts are in vain.

The best policy is to use one of the available implementations of the Secure Shell (SSH) protocol. If you want to add other means of communication and administration to the system, such as a Web-based configuration interface or perhaps a Web-based intrusion detection log analyzer, do so via a cryptographically secure channel. Any services that provide remote interactive communication are vulnerable to sniffing or connection hijacking. The only way to ensure communication integrity is via cryptography.

Unconfiguring Solaris Routing

We previously discussed the process of configuring Solaris as a router. We talked about some of the caveats involved with configuration and implementation. We also discussed the steps necessary to make Solaris function as a router from a default install as well as a previously implemented install.

In this section, we take a look at taking a Solaris router and returning it to host stage. As always, it’s a best practice to do an initial install on a system before changing the system’s purpose and mission. However, this isn’t always an option. We discussed in a step-by-step scenario the process of changing an existing system to a router. In this section, we discuss in a step-by-step list of procedures the process of changing a system from a router to a multihomed host.
A Three-Point Checklist

Let’s look at the steps necessary to ensure that the system isn’t routing traffic. As we did previously, we create a step-by-step list of procedures to configure and check the system. We follow the list with a brief discussion of the steps:

1. Check for the /etc/notrouter file. If it does not exist, create it.
2. Check the value of ip_forwarding in the IP kernel module after the system has been rebooted.
3. Test the system by attempting to reach one interface of the system through the other.

Each step in this checklist is covered in further detail in the sections that follow.

Step 1: Check for the /etc/notrouter File

Check for the /etc/notrouter file. If it does not exist, create it. As previously mentioned, the system checks a number of things when booting and before making the determination that it will be a router. When /etc/rc2.d/S69inet executes, it tests for the existence of the /etc/notrouter file. If this file is not found, it acts as a router. However, if this file is found, it acts as a host. You can create this file by simply using the touch command.

Step 2: Check the Value of ip_forwarding

Check the value of ip_forwarding in the IP kernel module after the system has been rebooted. After the /etc/notrouter file has been created and the system has been rebooted, check the ip_forwarding variable. As /etc/rc2.d/S69inet executes and discovers the notrouter file, the code that sets the ip_forwarding variable to 1 should not execute.

Step 3: Test the System

Test the system by attempting to reach one interface of the system through the other. The purpose of this test is to confirm that one interface on the system is not reachable via the other interface.
In a typical multihomed host configuration, the system has at least two interfaces connected to different segments of the network and incapable of communicating with one another without first sending traffic to a router. You can perform this test using any number of network debugging tools. One way to run the test is to use the source-routing functionality of the traceroute program. In this example, we see that traceroute is executed on a Solaris machine, and the traffic is directed at another Solaris machine with two interfaces. The –g flag specifies the IP to use as a gateway, which is the Solaris system with two interfaces. The end point is the other interface of the system. A successful configuration of a multihomed host results in the failure of this test.

Routing IP Version 6

Beginning with versions distributed from February 2000 and later, Solaris 8 is IP version 6 capable. It is not possible to configure Solaris 8 as a solely IPv6 system from the installation menu. It is possible, however, to configure an interface to communicate with any IPv6 host on the network and still retain IPv4 communications. This process is known as running a dual stack. A Solaris system can be configured to run strictly IPv6 by removing the hostname.interface file, although this configuration could cause problems when communicating with IPv4 hosts that do not currently support IPv6. This makes it possible for Solaris to function in any IPv6 environment as a host, gateway, or router.

In this section, we discuss setting up a Solaris IPv6 router. We talk about the file configurations necessary to make IPv6 functional. We also discuss the programs necessary for IPv6. However, we do not discuss the protocol, since there are better documents that do so. It is recommended that a user interested in setting up IPv6 for the first time reference the appropriate RFCs.
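The three-point checklist (notrouter file, ip_forwarding value, traceroute -g probe) collected into one shell script. This is an added example, not the book’s code: the file check takes a ROOT prefix so it can be run against a staging tree, the ndd(1M) query can be bypassed with the IP_FORWARDING_OVERRIDE variable purely so the decision logic can be exercised off a Solaris host, and the probe function treats “the far interface shows up in the traceroute output” as the success condition, which is a heuristic of the example.

```shell
#!/bin/sh
# Added example: the "is this box still routing?" checklist as functions.

# Step 1: /etc/notrouter must exist; S69inet skips the router setup when it does.
notrouter_present() {            # notrouter_present ROOT
    [ -f "$1/etc/notrouter" ]
}
ensure_notrouter() {             # ensure_notrouter ROOT
    notrouter_present "$1" || touch "$1/etc/notrouter"
}

# Step 2: after the reboot, read ip_forwarding from the IP kernel module
# (0 = host, 1 = router).  IP_FORWARDING_OVERRIDE exists only so the logic
# can be tested without ndd; leave it unset on a real system.
ip_forwarding_value() {
    if [ -n "${IP_FORWARDING_OVERRIDE:-}" ]; then
        printf '%s\n' "$IP_FORWARDING_OVERRIDE"
    else
        ndd -get /dev/ip ip_forwarding
    fi
}

# Steps 1+2 combined: "host" only when the flag file is present AND the kernel
# agrees; otherwise say which half is wrong.  routing_verdict ROOT
routing_verdict() {
    if ! notrouter_present "$1"; then
        echo "router: /etc/notrouter missing"
    elif [ "$(ip_forwarding_value)" != 0 ]; then
        echo "router: ip_forwarding is $(ip_forwarding_value)"
    else
        echo "host"
    fi
}

# Step 3: loose-source-route probe from the book.  traceroute -g asks the
# dual-homed box (GATEWAY) to forward toward its own other interface (TARGET).
# Returns 0 when the box behaved as a host (probe did not reach TARGET),
# 1 when traffic got through.  Caveat: intermediate routers often drop
# source-routed packets, which also makes the probe "fail"; run it from a
# host on the same segment as GATEWAY to keep the result meaningful.
probe_through_gateway() {        # probe_through_gateway GATEWAY TARGET
    if traceroute -g "$1" "$2" 2>/dev/null | grep -q "$2"; then
        return 1
    fi
    return 0
}

# Typical use on the router itself after the reboot:
#   ensure_notrouter ""; routing_verdict ""
# and from a neighbouring host:
#   probe_through_gateway 192.0.2.1 198.51.100.1 && echo "not routing"
```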
Configuration Files

Putting everything in place to make IPv6 functional on a Solaris 8 system is relatively easy. One prerequisite is having the system that is to route traffic configured for regular IPv4 traffic. Once we have completed the steps for configuring an IPv4 router, we can proceed with the setup of an IPv6 router. In this section, we talk about the files necessary to get an IPv6 router working. These files include the hostname6.interface file, the ndpd.conf file, and the ipnodes file.

The hostname6.interface File

This file is similar to the previously discussed hostname.interface for IPv4. The syntax of items contained in the hostname6.interface file is different from that of the IPv4 version, however. Previously, the only thing needed in this file was either an IP address or a hostname with an entry in the /etc/hosts file. Now additional parameters must be entered in the hostname6.interface file. These parameters are parsed by the S30network.sh script in /etc/rcS.d when the system boots and are then passed to ifconfig. In the following example, we see a hostname6.interface entry for our IPv6 router:

    addif sturgeon.mydomain.com/64 up

The first parameter we see is addif. The addif parameter is an extension of the Solaris ifconfig command, which tells ifconfig to add the address to the next available interface. Since we are seeing this file in the /etc/hostname6.hme0 file, ifconfig searches the interface table for the next available virtual interface on the hme0 device. The address resolving to sturgeon.mydomain.com will be configured to this interface. At the end of the line, we see the up command, which makes the interface network accessible. As we can see in Figure 8.3, this address was configured to the hme0:1 device. As we can see, the address is now configured with the ROUTER flag and is ready to handle traffic from other hosts.
However, additional configuration steps have been taken prior to the interface being brought up. Shortly we’ll talk about these steps, in addition to the configuration steps necessary for ifconfig to resolve the address for sturgeon.

One subtle point we have not mentioned is that we’re configuring this interface with a static address. There is a good reason to do so. With IPv6, it’s possible to autoconfigure hosts when they boot. These systems poll the network during bootstrap to get information necessary to communicate with the rest of the network. If we do this with a router, we’re forced to remember the link-local address in.ndpd assigns to the interface at bootstrap. This address is usually easily remembered because it’s typically composed of our network information and the Media Access Control (MAC) address of the interface. Whether or not we configure Solaris 8 with a static IPv6 address, the link-local address is configured by design. In most cases, it is much easier to remember an address we’ve specifically assigned to the system. If there is ever a problem on the network, we’ll know the address we have given to the router. This knowledge makes the router a little more accessible, a little easier to remember, and a little easier to name with a hostname. This process does not take into account DNS, which will be mentioned later.
The ndpd.conf File

The ndpd.conf file is the configuration file for the in.ndpd program, or the Internet Network Discovery Protocol Daemon. This configuration file is supposed to reside in the /etc/inet directory and is read by the daemon when it is launched by the S69inet script when the system enters run-level 2, typically during the bootstrap process. It is worth mentioning that the ndpd.conf file does not exist by default. To understand why this configuration file is significant, we should talk about the in.ndpd program and the purpose it serves.

[Figure 8.3: A Configured IPv6 Address Attached to the hme0:1 Interface after a Reboot]

The in.ndpd program, when implemented on a router, must be configured to act as a router for the IPv6 network. This configuration involves making some entries in ndpd.conf to make the daemon the known router for the network. When other systems bootstrap and send a request for routing information via Neighbor Discovery Protocol, in.ndpd responds as the router for the network. Minimal configuration of ndpd.conf that provides IPv6 functionality on a Solaris system consists of the following two entries:

    ifdefault AdvSendAdvertisements true
    prefix 0A:0A:0A:0A:0A:0A:0A:0/64 hme0

To understand these entries, let’s examine them in a little more detail. On the first line, we see the ifdefault command. The ifdefault and if commands are used to set interface configuration parameters. The ifdefault command must precede any if commands because ifdefault is used to specify any default operations of the interface.

The next variable we see is the AdvSendAdvertisements parameter. This parameter designates whether or not the system will function as an IPv6 router.
By default, this option is set to false on systems, which causes in.ndpd to run in host mode. When AdvSendAdvertisements is set to true, in.ndpd initiates itself as a router on the interface on which it is being configured to operate, sending periodic router advertisements via multicast and responding to router solicitations.

On the next line, we see the prefix entry. The prefix command controls the configuration variables for each prefix, or network. There is also a prefixdefault variable, which is similar to the prefix variable, except that the prefixdefault variable specifies configuration parameters for all prefixes. The prefixdefault variables must precede any prefix variables in ndpd.conf. Next on the prefix line we see the network address. This is the 128-bit address, divided into eight blocks of 16 bits. At the end of the address we have the netmask. It is worth mentioning that this is a classless interdomain routing address block, also known as CIDR. We should also mention that this address is strictly for educational purposes and should not be used. At the end of the string, we have the name of the physical network interface.

Additional configuration options are supported in this ndpd.conf file. The preceding configurations will get the daemon functioning as the IPv6 router for the 0A:0A:0A:0A:0A:0A:0A:0 network. For more information on other supported options, see the ndpd.conf(4) man page.
The ipnodes File

With IPv4, Solaris uses the /etc/inet/hosts file to resolve known hosts. This process is controlled by the nsswitch.conf file in the /etc directory. When a process from the local system attempts to connect by hostname to another system via IPv4, the nsswitch.conf forces the process to check the /etc/inet/hosts file for name resolution. With IPv6, Solaris now uses the /etc/inet/ipnodes file to resolve known hosts. This is controlled by the ipnodes entry in nsswitch.conf. The ipnodes configuration file structure is similar to that of the hosts file.

In Figure 8.4, we see two entries in the ipnodes file of sturgeon. On the first line, we see the entry for our router, sturgeon.mydomain.com. Much like the hosts file, this entry assigns the pictured address to the hostname and gives it a canonical name of sturgeon. Following this entry, we see an entry for one of the nodes on the network, barracuda.mydomain.com. This address allows us to reach the system barracuda without the necessity for DNS.

[Figure 8.4: IPv6 Addresses Specified via the ipnodes File]

The nsswitch.conf File

As we mentioned previously, the nsswitch.conf file in /etc references local files by default. These files are /etc/inet/hosts for IPv4 and /etc/inet/ipnodes for IPv6. If our systems are on a network with a name server that supports IPv6, we might want to change the entries in nsswitch.conf to use DNS. Enabling DNS can do one of two things on our network. If it is properly configured, it can make our network easier to maintain and smoother running. If we’ve configured it incorrectly, it can create all kinds of headaches, mysterious problems, and, perhaps, security issues. In order for DNS to work with an IPv6 network, we need a DNS server that is IPv6 compatible.
Currently, the only name service daemon available with IPv6 support is the Berkeley Internet Name Daemon (BIND). The series 9 BIND is currently the only version with IPv6 support. If we are going to use DNS with the IPv6 network, we should migrate to BIND9. The current implementation included with Solaris 8 is version 8.1.2.

IPv6 Programs

In this section, we talk about the programs necessary for IPv6 to function. We look at programs that have been designed specifically for IPv6 and their role in ensuring that the network operates smoothly. We also look at programs that have been adapted for the coming of IPv6 in the Solaris operating system and speak briefly about their new features.

The in.ndpd Program

The in.ndpd program is the Neighbor Discovery Protocol Daemon. This program is responsible for the majority of the operations on an IPv6 network in terms of configuration, routing information, and IP addressing. We mentioned the configuration file previously; now we talk specifically about the daemon.

The in.ndpd program is started in the S69inet file when the system enters run-level 2. The script executes a test to determine whether or not the /etc/inet/ndpd.conf file exists. Figure 8.5 contains the code from the S69inet script that determines the system is a router if the ndpd.conf file is found. If this test returns true, the variables ip6_forwarding, ip6_send_redirects, and ip6_ignore_redirect are set to 1. The daemon is launched in router mode, and the in.ripngd program is started. If the test for the configuration file fails, the previously mentioned variables are set to 0, and the in.ndpd program is launched in host mode.

By examining the code, we can see that we can easily determine whether or not the system is running as an IPv6 router or an IPv6 host.
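The three IPv6 router files from the Configuration Files section (hostname6.interface, ndpd.conf, ipnodes) and the S69inet “does ndpd.conf exist?” decision just described, staged and checked by the shell functions below. This is an added example and not the book’s or Sun’s code: it writes the files under a ROOT prefix so nothing touches the live /etc, the hostnames and the 0A:0A:… prefix are the chapter’s educational values, the two host addresses placed in ipnodes are constructed samples, and the ordering rules it enforces (ifdefault before if, prefixdefault before prefix) are the ones the chapter states.

```shell
#!/bin/sh
# Added example: stage and sanity-check a Solaris 8 IPv6 router configuration.

# Write the three files the chapter describes: stage_ipv6_router ROOT IFACE
stage_ipv6_router() {
    root=$1; iface=$2
    mkdir -p "$root/etc/inet"
    # hostname6.<iface>: addif puts the address on the next free logical
    # interface (hme0:1 in the book) and "up" brings it online.
    printf 'addif sturgeon.mydomain.com/64 up\n' > "$root/etc/hostname6.$iface"
    # ndpd.conf: AdvSendAdvertisements true is what makes in.ndpd advertise
    # itself as the router; the prefix line names the advertised network.
    printf 'ifdefault AdvSendAdvertisements true\nprefix 0A:0A:0A:0A:0A:0A:0A:0/64 %s\n' \
        "$iface" > "$root/etc/inet/ndpd.conf"
    # ipnodes: the IPv6 counterpart of /etc/inet/hosts (addresses constructed).
    printf '0A:0A:0A:0A:0A:0A:0A:1 sturgeon.mydomain.com sturgeon\n' > "$root/etc/inet/ipnodes"
    printf '0A:0A:0A:0A:0A:0A:0A:2 barracuda.mydomain.com barracuda\n' >> "$root/etc/inet/ipnodes"
}

# Mirror the S69inet decision: ndpd.conf present => router mode (ip6_forwarding
# etc. set to 1 and in.ripngd started); absent => host mode.  ndpd_mode ROOT
ndpd_mode() {
    if [ -f "$1/etc/inet/ndpd.conf" ]; then echo router; else echo host; fi
}

# Check ndpd.conf ordering and the router flag.  Prints the first problem and
# exits non-zero; silent and zero when the file is acceptable.  check_ndpd_conf FILE
check_ndpd_conf() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        $1 == "if"                            { seen_if = 1 }
        $1 == "ifdefault" && seen_if          { print "ifdefault after if"; bad = 1; exit 1 }
        $1 == "prefix"                        { seen_prefix = 1 }
        $1 == "prefixdefault" && seen_prefix  { print "prefixdefault after prefix"; bad = 1; exit 1 }
        /AdvSendAdvertisements[ \t]+true/     { adv = 1 }
        END { if (!bad && !adv) { print "AdvSendAdvertisements not true: in.ndpd would stay in host mode"; exit 1 } }
    ' "$1"
}

# Resolve a name the way "ipnodes: files" in nsswitch.conf would, printing the
# address or nothing.  ipnodes_lookup ROOT NAME
ipnodes_lookup() {
    awk -v n="$2" '$0 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' \
        "$1/etc/inet/ipnodes"
}

# Typical use against a staging tree before copying into place:
#   stage_ipv6_router /tmp/stage hme0 && check_ndpd_conf /tmp/stage/etc/inet/ndpd.conf
```

After the reboot, the boot message (“Machine is an IPv6 router” versus “Starting IPv6 neighbor discovery”) and ifconfig -a should agree with what ndpd_mode predicted for the staged tree.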
If the system is running as an IPv6 router, the message “Machine is an IPv6 router” is printed to standard output (stdout) when the system bootstraps. If the system is functioning as an IPv6 host, the message “Starting IPv6 neighbor discovery” is printed to stdout. We can therefore determine whether the system thinks it is an IPv6 router by watching the system bootstrap or reviewing the contents of dmesg.

After the in.ndpd program has been configured to act as an IPv6 router, when a system that is set up to autoconfigure via IPv6 bootstraps and polls the network, in.ndpd on the router will respond. The host sends a router solicitation via ICMPv6, the ICMP implementation in IPv6, to the network via the multicast address space. The router then responds with an ICMPv6 packet to the multicast address space, advertising itself as a router. The host receives this packet and configures itself to interact with the advertised router.

The in.ripngd Program

The in.ripngd program is the Routing Information Protocol, New Generation Daemon. This is the Routing Information Protocol (RIP) implementation for

[Figure 8.5: Code from the S69inet Script That Determines the System Is a Router if the ndpd.conf File Is Found]

[...]

... systems.

There are many free and commercial implementations of firewalls that run on Solaris. Gauntlet and Firewall-1 are two examples. Additionally, free firewall packages such as Sun’s SunScreen Lite and IP Filter by Darren Reed are available. We focus our discussion on SunScreen Lite and IP Filter ...
... them as part of the decision-making process in further securing our network.

SunScreen Lite

SunScreen Lite is a free version of the SunScreen Secure Net firewall package. SunScreen Lite is designed to operate in routing mode. This means that the filter only filters traffic that the Solaris router is routing. This is perfect for our needs. SunScreen Lite can be used in VPNs and supports Simple Key Management for ...

[...]

... and time-based access control. If the constraints of this product do not prohibit its use on your network, SunScreen Lite might be your best option. SunScreen is available from the Sun Download Center. Documentation regarding the installation and administration of SunScreen is also freely available from Sun.

IP Filter

The IP Filter package is one of the older firewall implementations available on the Internet, ...

[...]

    ... CodeRed Worm Defacement Sent [**]
    08/11-17:10:26.227974 192.168.1.10:4002 -> 192.168.2.30:80
    TCP TTL:115 TOS:0x0 ID:18034 IpLen:20 DgmLen:1155 DF
    ***AP*** Seq: 0x86CCF2D8  Ack: 0xA990F720  Win: 0x4470  TcpLen: 20

As we can see on the first line, this was an attack by one of the Code Red worm derivatives. On the second line, we see the attack occurred on August 11 at 17:10. The attack was launched from host ...

[...]

... available virtual interface on the physical network interface.

Configuring Solaris as a Secure Gateway

In this section we have talked about using Solaris as a router between different networks. Solaris is capable of functioning as a gateway as well. In implementation, there is little ...
... predetermined IP address to reach the port of a system inside the private network. SunScreen Lite supports only 10 private addresses and two NAT rules. Additionally, SunScreen Lite has no IPv6 support. The commercial SunScreen package supports all these features. Additionally, it provides ...

[...]

... network will not let broadcast into or out of the subnet.

Configuring Solaris as a Firewall

We’ve talked about using Solaris as both a router and a gateway. Implementations of such systems using Solaris are reliable, stable, and secure. However, using Solaris in such an environment has many drawbacks in terms of security. Unlike hardware solutions, Solaris offers nothing in terms of network access control in a ...

[...]

... of this feature are minimal.

[Figure 8.6: System in a Multihomed State]

A Solaris 8 system depends on the /etc/hostname6.interface file for IPv6. When the system boots, if it finds this file, it attempts to configure itself to the information contained in the file. To create a Solaris 8 host that is configured via the network, ...

[...]

... line, we see that the ACK and PSH flags were set, the Sequence Number was 0x86CCF2D8, the Acknowledgement Number was 0xA990F720, the Window Size was 0x4470, and finally, the TCP header length was 20.

All these variables, including the content of the packet, are taken into account ...
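The Snort alert record the chapter walks through (signature, date and time, source and destination, IP header values, TCP flags, sequence and acknowledgement numbers, window size) pulled apart by the shell/awk functions below. This is an added example, not code from the book or from Snort: the alert text is the chapter’s sample embedded as a constant so the parser runs offline, its opening “[**]” is reconstructed because the chapter’s copy of that line is truncated, and the flag-name table follows the standard 12UAPRSF layout Snort prints, with the two reserved bits labelled CWR and ECE.

```shell
#!/bin/sh
# Added example: extract the fields discussed in the text from a Snort alert.

# The chapter's sample alert (first line's opening bracket reconstructed).
ALERT='[**] CodeRed Worm Defacement Sent [**]
08/11-17:10:26.227974 192.168.1.10:4002 -> 192.168.2.30:80
TCP TTL:115 TOS:0x0 ID:18034 IpLen:20 DgmLen:1155 DF
***AP*** Seq: 0x86CCF2D8 Ack: 0xA990F720 Win: 0x4470 TcpLen: 20'

# alert_field RECORD NAME -> one field.  NAME is one of: sig date time src
# sport dst dport proto ttl tos id iplen dgmlen flags seq ack win tcplen.
alert_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { sub(/^\[\*\*\] /, ""); sub(/ \[\*\*\]$/, ""); f["sig"] = $0 }
        NR == 2 {                               # date-time  src:port -> dst:port
            split($1, dt, "-"); f["date"] = dt[1]; f["time"] = dt[2]
            split($2, s, ":");  f["src"] = s[1];  f["sport"] = s[2]
            split($4, d, ":");  f["dst"] = d[1];  f["dport"] = d[2]
        }
        NR == 3 {                               # proto then KEY:VALUE pairs
            f["proto"] = $1
            for (i = 2; i <= NF; i++)
                if (split($i, kv, ":") == 2) f[tolower(kv[1])] = kv[2]
        }
        NR == 4 {                               # flags then "Key: value" pairs
            f["flags"] = $1
            for (i = 2; i < NF; i += 2) { k = $i; sub(/:$/, "", k); f[tolower(k)] = $(i + 1) }
        }
        END { print f[want] }'
}

# tcp_flag_names FLAGSTRING -> names of the set flags, in Snort column order
# 1 2 U A P R S F ("*" = unset); the two reserved bits are reported as CWR/ECE.
tcp_flag_names() {
    printf '%s\n' "$1" | awk '
        BEGIN { split("CWR ECE URG ACK PSH RST SYN FIN", name, " ") }
        { out = ""
          for (i = 1; i <= 8; i++)
              if (substr($0, i, 1) != "*") out = out (out == "" ? "" : " ") name[i]
          print out }'
}

# One-line triage summary: alert_summary RECORD
alert_summary() {
    printf '%s %s:%s -> %s:%s [%s]\n' \
        "$(alert_field "$1" sig)" \
        "$(alert_field "$1" src)" "$(alert_field "$1" sport)" \
        "$(alert_field "$1" dst)" "$(alert_field "$1" dport)" \
        "$(tcp_flag_names "$(alert_field "$1" flags)")"
}

# Typical use:  alert_summary "$ALERT"
```

The ACK and PSH bits together with a payload of 1155 bytes (DgmLen 1155 minus the 20-byte IP and 20-byte TCP headers) are what you would expect for a single HTTP request pushed over an established connection, which is consistent with the worm's behaviour the chapter describes.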
Configuring Solaris as a Firewall

Firewalls differ in terms of configuration commands, administrative interfaces, and various features. All firewalls are designed to do basically the same thing: filter traffic. The two types of firewalls available are stateless and stateful. SunScreen Lite is a free version of the SunScreen Secure Net Firewall package. SunScreen Lite is designed to operate in routing mode. SunScreen ...