How medium sized mammals defend our network! Tim Clark (eclipse) - - PowerPoint PPT Presentation



SLIDE 1

Introduction Tools Config Crazy stuff Finally

How medium sized mammals defend our network!

Tim Clark (eclipse) November 1, 2011

Tim Clark (eclipse) How medium sized mammals defend our network!

SLIDE 2

Introduction Tools Config Crazy stuff Finally

SLIDE 3

IPSec

- Secure tunnels over IP
- Uses racoon
- Needs setkey
- Usually auth with shared keys
- Can auth with public keys (X.509)

SLIDE 4

Racoon

- The thing you need to do IP tunnels
- IKE daemon (IKE = Internet Key Exchange)
- Negotiates keys to make an IPSec tunnel
- IPSec tunnels use ESP (seriously)
- ESP = Encapsulating Security Payload

SLIDE 5

Setkey

- Causes the tunnel to be used
- Sets the security policy
- For example: when talking to SUCS only talk through the tunnel, and only listen to SUCS if it's through the tunnel
- The tunnel doesn't exist till it's needed
- Setkey is the thing that tells racoon to make the tunnel

SLIDE 6

Racoon

path pre_shared_key "/etc/racoon/psk.txt";
remote 137.44.6.5 {
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    lifetime time 60 min;
    exchange_mode main;
}

SLIDE 7

Racoon

sainfo address 137.44.10.0/24[any] any address 137.44.6.5[any] any {
    pfs_group modp1024;
    lifetime time 20 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

SLIDE 8

Setkey

spdadd 137.44.10.0/24 137.44.6.5 any -P out ipsec
    esp/tunnel/137.44.19.200-137.44.6.5/require;
spdadd 137.44.6.5 137.44.10.0/24 any -P in ipsec
    esp/tunnel/137.44.6.5-137.44.19.200/require;

SLIDE 9

psk.txt

137.44.6.5 ThisIsNotActuallyTheKey

SLIDE 10

Server for complex remote

remote anonymous {
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy unique;
    nat_traversal on;
    passive on;
    verify_identifier off;
    lifetime time 60 min;
    exchange_mode main,aggressive;
}

SLIDE 11

Server for complex remote

sainfo address 137.44.10.0/25[any] any anonymous {
    pfs_group modp1024;
    lifetime time 20 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

SLIDE 12

psk.txt

client-test ThisIsNotActuallyTheKey

SLIDE 13

Server for complex remote

remote 137.44.19.200 {
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    nat_traversal on;
    my_identifier keyid tag "client-test";
    verify_identifier off;
    lifetime time 60 min;
    exchange_mode aggressive;
}
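An added config-audit script (my own, not from the talk) that parses racoon.conf-style remote blocks like the ones on these slides and flags the settings a defender would revisit today: aggressive mode combined with a pre-shared key, verify_identifier off, 3DES, and the 1024-bit DH group. The sample block is constructed to mirror the anonymous server remote shown earlier; the finding codes are my own.

```python
import re

# Constructed sample (not the deck's file) mirroring the talk's anonymous remote.
WEAK = """
remote anonymous {
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group modp1024; }
    generate_policy unique; nat_traversal on; passive on;
    verify_identifier off; lifetime time 60 min;
    exchange_mode main,aggressive;
}
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def parse(text):
    """racoon.conf -> nested dicts: 'k args;' -> list, 'k args { }' -> dict."""
    toks, pos = TOKEN.findall(re.sub(r'#.*', '', text)), 0
    def block():
        nonlocal pos
        node = {}
        while pos < len(toks) and toks[pos] != '}':
            words = []
            while toks[pos] not in ('{', ';'):
                words.append(toks[pos])
                pos += 1
            if toks[pos] == '{':
                pos += 1
                node[' '.join(words)] = block()
            else:
                node[words[0]] = words[1:]
            pos += 1                      # consume the closing '}' or ';'
        return node
    return block()

def audit_remote(remote):
    """Short codes for settings in one parsed 'remote' block to revisit."""
    prop = remote.get('proposal', {})
    modes = remote.get('exchange_mode', [''])[0].split(',')
    findings = []
    # aggressive mode sends the PSK-derived hash in the clear (offline guessing)
    if 'aggressive' in modes and prop.get('authentication_method') == ['pre_shared_key']:
        findings.append('aggressive-mode-psk')
    if remote.get('verify_identifier') == ['off']:
        findings.append('verify_identifier-off')    # peer ID never checked
    if prop.get('encryption_algorithm') == ['3des']:
        findings.append('3des')                     # deprecated cipher
    if prop.get('dh_group') == ['modp1024']:
        findings.append('modp1024')                 # 1024-bit DH group
    return findings
```

Run `audit_remote(parse(WEAK)['remote anonymous'])` to list the findings; with `exchange_mode main;` alone the aggressive-mode finding disappears.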

SLIDE 14

Old Setkey

spdadd 137.44.10.0/24 137.44.6.5 any -P out ipsec
    esp/tunnel/137.44.19.200-137.44.6.5/require;
spdadd 137.44.6.5 137.44.10.0/24 any -P in ipsec
    esp/tunnel/137.44.6.5-137.44.19.200/require;

SLIDE 15

New Setkey

spdadd 137.44.10.0/24 137.44.6.5 any -P out ipsec
    esp/tunnel/137.44.19.200-137.44.6.5/unique;
spdadd 137.44.6.5 137.44.10.0/24 any -P in ipsec
    esp/tunnel/137.44.6.5-137.44.19.200/unique;
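An added check (mine, not from the talk) that parses setkey spdadd lines like the pair above and confirms each outbound policy has a mirrored inbound one (selector and tunnel endpoints swapped, same protocol, mode and level). It goes beyond the deck by also flagging the weaker `use` level, which lets traffic pass in the clear when no SA exists. The sample policies are constructed from the New Setkey slide.

```python
import re

# Constructed sample (not the deck's file) reproducing the "New Setkey" pair.
SPD = """
spdadd 137.44.10.0/24 137.44.6.5 any -P out ipsec esp/tunnel/137.44.19.200-137.44.6.5/unique;
spdadd 137.44.6.5 137.44.10.0/24 any -P in ipsec esp/tunnel/137.44.6.5-137.44.19.200/unique;
"""
SPDADD = re.compile(r'spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+'
                    r'(\w+)/(\w+)/([^-/\s]+)-([^/\s]+)/(\w+)\s*;')
FIELDS = ('src', 'dst', 'upper', 'dir', 'proto', 'mode', 'tun_src', 'tun_dst', 'level')

def parse_spd(text):
    """Return one dict per spdadd line, keyed by FIELDS."""
    return [dict(zip(FIELDS, m.groups())) for m in SPDADD.finditer(text)]

def check_pairs(rules):
    """Every 'out' policy needs a mirror 'in' policy with swapped selector and
    tunnel endpoints and identical proto/mode/level. Returns problem strings."""
    problems = []
    ins = [r for r in rules if r['dir'] == 'in']
    for o in (r for r in rules if r['dir'] == 'out'):
        mirror = [i for i in ins
                  if (i['src'], i['dst'], i['tun_src'], i['tun_dst'])
                  == (o['dst'], o['src'], o['tun_dst'], o['tun_src'])]
        if not mirror:
            problems.append(f"no inbound policy mirrors {o['src']} -> {o['dst']}")
        elif ((mirror[0]['proto'], mirror[0]['mode'], mirror[0]['level'])
              != (o['proto'], o['mode'], o['level'])):
            problems.append(f"in/out mismatch for {o['src']} -> {o['dst']}: "
                            f"{mirror[0]['level']} vs {o['level']}")
    for r in rules:
        if r['level'] == 'use':       # 'use' falls back to cleartext without an SA
            problems.append(f"level 'use' on {r['src']} -> {r['dst']} does not require ESP")
    return problems
```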

SLIDE 16

The Internet

Slides Available at http://sucs.org/~eclipse

SLIDE 17

Questions?

Any Questions?
