The Best Damn Firewall Book Period

In this chapter, we discussed implementing Solaris as a secure IPv4 router and described a host as a system with any number of interfaces connected to the same or different networks. We described a router as a system with a minimum of two interfaces, connected to different segments of network and asserted that Solaris is a good choice as a router because of its stability, the ease of securing the operating system for production network use, and the ease of deployment.

Next, we discussed the way Solaris identifies itself as a router and mentioned that Solaris will route traffic by default if the system has two interfaces, at least two /etc/hostname.interface files, and a stock /etc/rc2.d/S69inet is installed. We demonstrated that /etc/rcS.d/S30network.sh configures the interfaces on the system and that /etc/rc2.d/S69inet decides whether to route traffic based on the system having two or more interfaces, the existence of the /etc/gateways file, and the nonexistence of the /etc/notrouter file.
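As an added example (not from the book), the following POSIX shell check applies the S69inet decision rules just described to an /etc tree, so a reviewer can tell from a copied or mounted configuration whether a multihomed host will silently come up as a router. The precedence among the three conditions (/etc/notrouter overriding the other two) is assumed from the text.

```shell
#!/bin/sh
# Mirrors the routing decision the chapter attributes to /etc/rc2.d/S69inet:
# the box routes when /etc/notrouter is absent AND it has either two or more
# /etc/hostname.<interface> files or an /etc/gateways file.
# Assumption (from the text, not the script itself): /etc/notrouter wins.

# solaris_router_decision ETCDIR -> prints "router" or "host"
# ETCDIR defaults to /etc; pass another directory to audit an offline copy.
solaris_router_decision() {
    etc="${1:-/etc}"
    if [ -f "$etc/notrouter" ]; then
        echo host
        return 0
    fi
    # One /etc/hostname.<if> file per configured IPv4 interface.
    # The pattern does not match hostname6.* (IPv6) files, which do not
    # feed the IPv4 forwarding decision.
    ifcount=0
    for f in "$etc"/hostname.*; do
        [ -f "$f" ] && ifcount=$((ifcount + 1))
    done
    if [ "$ifcount" -ge 2 ] || [ -f "$etc/gateways" ]; then
        echo router
    else
        echo host
    fi
}

# Builds a constructed /etc tree with two interfaces for a dry run
# (interface names hme0/qfe0 are made up for the fixture, not a real host).
make_etc_fixture() {
    dir=$(mktemp -d)
    : > "$dir/hostname.hme0"
    : > "$dir/hostname.qfe0"
    echo "$dir"
}
```

If the check reports "router" on a box that is meant to be a host, creating /etc/notrouter is the page's own switch for turning routing off at the next boot.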

Later, we gave the seven steps for configuring a Solaris router and discussed a policy of minimalism and deploying a system with minimal installation, services, users, dynamic information, and cleartext communication. We then detailed the three steps of unconfiguring a Solaris router, returning it to multihomed host state.

Next, we covered implementing Solaris 8 as an IPv6 router. We examined the entry in the /etc/hostname6.interface file, described the ifdefault and prefix entries in the /etc/inet/ndpd.conf file, talked about making entries in the /etc/inet/ipnodes file for the IPv6 addresses to be configured on the system, and described adding dns to the ipnodes entry line in /etc/nsswitch.conf so the system resolves its IP addresses via DNS. We also described in.ndpd and its use on routers to configure IPv6 hosts, in.ripngd, which manages routing information on IPv6 networks, and the IPv6 functionality added to ifconfig through the inet6 flag. We ended our IPv6 router discussion with the seven steps to implementing an IPv6 router and described two ways of turning an IPv6 router back into a multihomed IPv6 host: removing the ndpd.conf file and rebooting, or removing the ndpd.conf file, sending the HUP signal to in.ndpd, checking the interfaces, and disabling IP forwarding in the ip6 kernel module.

We next rounded out our IPv6 discussion with details of designing an IPv6 host. We described auto-configuring an IPv6 host by simply using touch to create an /etc/hostname6.interface file. We also discussed making an entry in the /etc/inet/ipnodes file for a static address, and placing an addif command in the hostname6.interface file to configure the IPv6 address on the host. We ended our discussion of IPv6 hosts by noting that IPv6-capable DNS is required if we want the system configured by resolving the host name in its /etc/hostname6.interface file against a nameserver.

We followed up our discussion about routers with a brief talk about Solaris gateways. We defined a Solaris gateway as a system that connects two segments of the same network. We additionally talked about leaving the kernel module variables ip_forward_directed_broadcasts and ip_forward_src_routed untouched in a Solaris gateway implementation.

Following our discussion of gateways, we covered the topic of using Solaris as a firewall. We described general firewall theory as keeping the bad guys out while letting the good guys keep the access they need. We described the benefits of using distributed firewalls and multiple layers of access control, such as better network performance. We highlighted the fact that security infrastructure is not a one-time fix and requires planning and continuous monitoring for the best performance and security.

We then segued into ideal firewall design. A stateless firewall does not track connection state, whereas a stateful firewall maintains records of current connections. We listed our general firewall design best practices as multiple layers of access control, firewalls that block all unnecessary traffic, and rules that are implemented statefully.

Later, we covered SunScreen Lite and IP Filter. We talked about the benefits of SunScreen Lite, such as SKIP. We also described the drawbacks of SunScreen Lite, such as the lack of high availability, the limitation of 10 private addresses, its lack of functionality on IPv6 networks, and the limitation of two Network Address Translation (NAT) rules. We described the benefits of IP Filter, such as its support of both IPv4 and IPv6. We also described the drawbacks of IP Filter, such as its lack of support for high availability, and no support for cryptography.
