 Implementing
IPSec in the SolarisTM 8 Environment
Kevin Wenchel
The Solaris 8 operating environment provides many new security
features including native support for the IP Security Protocol (IPSec).
IPSec, which was developed throughout the 1990s, defines cryptographic
services at the IP layer that support data origin authentication,
data integrity, and data confidentiality. The use of IPSec is transparent
to users and network applications, making it an attractive way to
improve the security of existing network services. In this article,
I will provide a brief introduction to the architecture of the IPSec
protocol, describe the tools used for managing IPSec on Solaris
8, and demonstrate a practical implementation of using IPSec to
improve the security of the Network File System (NFS) protocol.
You do not have to look very hard to see that the Internet Protocol
(IP) is inherently insecure. Noticeably absent from IP are any mechanisms
to provide data origin authentication, data integrity, or data confidentiality.
Simply put, when a host receives an IP datagram there is no guarantee
that 1) the IP datagram originated from the source claimed in the
IP header source address field; 2) the data content of an IP datagram
has not been modified in transit; and 3) unauthorized persons have
not inspected the data content of the IP datagram in transit. For
these reasons, IP and its upper-level protocols are particularly
susceptible to spoofing and session hijacking attacks. To understand
how IPSec addresses these problems, it is important to understand
three core IPSec components: the data protection mechanisms, the
Security Association Database, and the Security Policy Database.
|
