
UNIX System Administration Handbook - Evi Nemeth [180]

’s almost the same price!

A more thorough discussion of firewall-related issues begins on page 675.

Virtual private networks


Many organizations that have offices in several parts of the world would like to have all those locations connected to one big private network. Unfortunately, the cost of leasing a transoceanic or even transcountry data line can be prohibitive. Such organizations can actually use the Internet as if it were a private data line by establishing a series of secure, encrypted “tunnels” among their various locations. A “private” network that includes such tunnels is known as a virtual private network or VPN.

Some VPNs use the IPSEC protocol, which has recently been standardized by the IETF. Others use proprietary solutions that don’t usually interoperate with each other. If you need VPN functionality, we suggest that you look at products like Cisco’s 3660 router or the Watchguard Firebox, both of which can do tunneling and encryption. The Watchguard device uses PPP to a serial port for management. A sysadmin can dial into the box to configure it or to access the VPN for testing.

IPSEC: secure IP


IPSEC is an IETF-approved, end-to-end authentication and encryption system. Its deployment has been hampered by the U.S. encryption laws, which prohibit the export of strong encryption software. Several non-U.S. software efforts have produced implementations.

None of the implementations address the issue of key distribution, which is an important prerequisite to the widespread deployment and use of IPSEC. Everyone hopes that DNS will somehow solve the problem. RFC2409 (which is on the standards track) defines an Internet Key Exchange (IKE) protocol, which is a sort of hybrid key exchange system.

In its current form, IPSEC encrypts the transport layer header, which includes the source and destination port numbers. Unfortunately, this scheme conflicts directly with the way that most firewalls work. A proposal to undo this feature is making its way through the IETF.

Table 13.12 shows the status of IPSEC implementations for our example systems.

Table 13.12 IPSEC implementation status for various operating systems

a. It has been in SuSE Linux since 1999.

As might be expected, IPSEC reduces the performance of the networking stack.

To set up IPSEC between a pair of end hosts, you must create a Security Association Database (SAD) and a Security Policy Database (SPD). Use the setkey command together with the add and spdadd subcommands to create entries in these two databases. See www.kame.net for details.
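An added example, not from the book, of what those setkey entries look like for a pair of hosts: a small shell script that builds the SAD and SPD entries for ESP in transport mode with static keys. The addresses, SPIs and keys are placeholders; the function names and the 8-argument interface are this example's own.

```shell
#!/bin/sh
# Constructed example, not from the book: build setkey(8) input that
# manually keys ESP (transport mode) between two hosts.
# Generate real keys with, e.g.:  openssl rand -hex 16  (AES-128 key)
#                                  openssl rand -hex 32  (HMAC-SHA256 key)
# Apply as root on a KAME-derived stack:  ipsec_pair_config ... | setkey -c

# Emit one SAD entry. SAs are unidirectional, so a host pair needs two,
# each with its own SPI and its own keys.
sa_add() {
  src="$1" dst="$2" spi="$3" enc="$4" auth="$5"
  # setkey rejects wrong-length keys anyway; checking first avoids loading
  # a half-built SAD where one direction is keyed and the other is not.
  [ "${#enc}" -eq 32 ] || { echo "sa_add: enc key must be 32 hex chars" >&2; return 1; }
  [ "${#auth}" -eq 64 ] || { echo "sa_add: auth key must be 64 hex chars" >&2; return 1; }
  echo "add $src $dst esp $spi -m transport -E aes-cbc 0x$enc -A hmac-sha256 0x$auth;"
}

# Emit the SPD entries: require ESP for all traffic with the peer, in both
# directions. With level "use" instead of "require", the host would still
# accept cleartext from the peer's address.
spd_pair() {
  echo "spdadd $1 $2 any -P out ipsec esp/transport//require;"
  echo "spdadd $2 $1 any -P in ipsec esp/transport//require;"
}

# Full script for one host:
#   ipsec_pair_config LOCAL REMOTE SPI_OUT SPI_IN ENC_OUT AUTH_OUT ENC_IN AUTH_IN
# The peer runs the same command with LOCAL/REMOTE, the SPIs and the key
# pairs swapped. "flush"/"spdflush" wipe every SA and policy on the host;
# drop them on a machine that already carries other tunnels.
ipsec_pair_config() {
  echo "flush;" && echo "spdflush;" &&
  sa_add "$1" "$2" "$3" "$5" "$6" &&
  sa_add "$2" "$1" "$4" "$7" "$8" &&
  spd_pair "$1" "$2"
}
```

Check the result with `setkey -D` (SAD) and `setkey -DP` (SPD) on both hosts before relying on the tunnel; a mismatch in SPI or key on either side silently drops traffic rather than failing loudly.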

13.10 ADDITION OF MACHINES TO A NETWORK


Only a few steps are involved in adding a new machine to an existing local area network, but some vendors hide the files you must modify and generally make the chore difficult. Others provide a setup script that prompts for the networking parameters that are needed, which is fine until you need to undo something or move a machine.

The basic steps are:

• Assign an IP address and hostname

• Set up the new host to configure its network interfaces at boot time

• Set up a default route and perhaps fancier routing

• Point to a DNS name server, to allow access to the rest of the Internet

We first cover the general outline of these steps, then return to each vendor’s special incantations in a series of vendor-specific sections.

Of course, you could add a debugging step to this sequence as well. After any change that might affect booting, you should always reboot to verify that the machine comes up correctly. Six months later when the power has failed and the machine refuses to boot, it’s hard to remember what change you made that might have caused the problem. (You might also refer to Chapter 20, Network Management and Debugging.)

One fact worth mentioning is that some systems are smart enough to distinguish whether they are connected to a network or not. The boot sequence may be quite different in the networked and nonnetworked cases; a machine that works fine on its own can inexplicably hang at boot time when a network cable is plugged
