[security-discuss readers: if you're not familiar with nwam, please see http://www.opensolaris.org/os/project/nwam/p1spec]
IP Filter and IPsec policy rules are part of NWAM locations; this allows you to configure different security policy, depending on where you're connected. There is a bit of a chicken-and-egg problem here, though. In order to decide what location to apply, the system typically must connect to a network and determine attributes of that network. If you're connecting to a network where you want strict security rules in place, how do you enforce that policy *before* the location is selected and activated?

Another concern related to security policy and locations is how changing location is accomplished. If you're changing from one location to another, and both have strict security rules, how do you avoid opening up the system momentarily when you change the security policy?

Our approach to the first problem lies with the No-Net Location. When first coming up (i.e. upon enable of the nwam service), before a location has been selected, the No-Net location will be activated. This location will install strict security policy, only allowing through the traffic necessary for configuration (e.g. dhcp, router discovery, dns, ldap). There are several ways to implement this policy:

1) create ipsec rules that only allow packets related to the needed services through
2) create ipfilter rules that do the same
3) create ipsec rules that block everything, and modify the apps that need to pass traffic (e.g. dhcpagent) to set up bypass rules for themselves

Option 3 is the cleanest in terms of the policy that needs to be created; the downside, though, is that several different daemons/apps will need to be modified to set up bypass policy.

Pros/cons of ipsec vs. ipfilter? For ipsec, installing the strict policy will load kernel modules (which affects codepaths in the network stack); ipsec team members say it's a relatively small RFE to request unload of modules if not needed (i.e. if the newly-installed location has no IPsec policy rules).
The second question is about how to "atomically" change security policy; we'll need some support from the IP Filter and IPsec subsystems to accomplish this.

IPsec: What nwam would like to do: change properties of ipsec services (ipsec/ike, ipsec/policy, ipsec/manual-key) to point at config files for the new location, then refresh the services. We would like for this to do a policy swap (from the strict no-net to whatever is used in the new location), rather than a remove of one/add of the other. The implementation of two RFEs would make this possible: modify ipsecconf to take advantage of the kernel's ability to swap policy; and modify the smf services to do this swap on refresh.

Question: In what order should the services be refreshed?

IP Filter: As with IPsec, nwam would like to simply update the service (in this case, network/ipfilter) properties, and then refresh the service.

Question: What does ipfilter do on refresh? Does it have a way of swapping (rather than removing/adding) policy?

I'd appreciate comments/questions/answers!!

Thanks,
renee
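[Editor's addendum, not part of renee's post and not nwam code. It illustrates two things the post discusses: option 2 above (an ipfilter rule set for the No-Net location that passes only dhcp, router discovery, dns and ldap) and the IP Filter swap question. ipf(1M) already has a documented mechanism for replacing a rule set without a window: load the new rules into the inactive list (-I, with -Fa to flush it first) and then swap active and inactive lists with -s. The rule set is a constructed illustration, IPv4 only, and the IPF variable is an assumption added here so the ipf command can be pointed at a wrapper; everything else is the stock ipf command line.]

```shell
#!/bin/sh
# Added example (not nwam code): replace the running IP Filter policy with
# no open window, using ipf's inactive rule list and swap.
# IPF is an assumption of this example; it defaults to the real ipf binary
# and can be pointed at a wrapper for dry runs.
IPF="${IPF:-ipf}"

# Constructed No-Net policy (option 2 in the post): default deny, then pass
# only the traffic needed to configure the interface. Written to the file $1.
write_nonet_rules() {
    cat > "$1" <<'EOF'
# default deny in both directions
block in all
block out all
# DHCP client: requests from port 68 to 67, replies from 67 to 68.
# Broadcast replies do not always match a state entry, so allow them explicitly.
pass out quick proto udp from any port = 68 to any port = 67
pass in  quick proto udp from any port = 67 to any port = 68
# IPv4 router discovery (ICMP router advertisement in, solicitation out)
pass in  quick proto icmp from any to any icmp-type routerad
pass out quick proto icmp from any to any icmp-type routersol
# DNS (replies come back via the state entry)
pass out quick proto udp from any to any port = 53 keep state
pass out quick proto tcp from any to any port = 53 keep state
# LDAP
pass out quick proto tcp from any to any port = 389 keep state
EOF
}

# Load a rule file into the inactive list and swap it in, so the kernel goes
# from the old policy to the new one in a single step. Returns ipf's exit
# status; if the file does not parse, nothing in the kernel is touched.
ipf_swap_rules() {
    _rules="$1"
    # 1. parse only: -n makes no ioctl calls, so a bad file is caught early
    "$IPF" -n -f "$_rules" || return $?
    # 2. flush the inactive list (-I -Fa) and load the new rules into it;
    #    the active list, and therefore live traffic, is unaffected so far
    "$IPF" -I -Fa -f "$_rules" || return $?
    # 3. swap active and inactive lists: the new policy is live at once,
    #    with no moment where the old rules are gone and the new ones not yet loaded
    "$IPF" -s
}

# Usage (needs privilege): sh nonet-ipf.sh --apply
if [ "${1:-}" = "--apply" ]; then
    tmp="${TMPDIR:-/tmp}/nonet.ipf.$$"
    write_nonet_rules "$tmp"
    ipf_swap_rules "$tmp"
    rm -f "$tmp"
fi
```

The same three-step sequence works for any location change, not only the No-Net transition: generate the new location's rule file, parse-check it, load it into the inactive list, swap. If the ipfilter SMF method did this on refresh, the remove/add window the post asks about would not exist for IP Filter.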