From SecurityFocus (Zero to IPSec in 4 minutes):
Until recently, setting up an open-source IPSec solution has been woefully complex and involved wading through an alphabet soup of committee-designed protocols. Many people give up on IPSec after their first peek at the horrible and complex software documentation, opting instead to install some sort of commercial SSL VPN which seems much simpler. For those who have been through this exercise, a jumble of SAs, ESPs, AHs, SPIs, CAs, certs, FIFOs, IKEs and policy jargon inside RFCs is enough to give anyone a headache. However, there is good news on the IPSec front: it has all finally been covered up with a nice, simple way to set it up under OpenBSD.
In this short article we'll look at how to get a fully functional IPSec VPN up and running between two fresh OpenBSD machines in about four minutes flat. The goal here certainly isn't to give an exhaustive overview of all the options available in IPSec or OpenBSD, but rather just how quickly and easily we can be up and running when others take days or weeks to do the same thing.
If you need to do something cheap, flexible, or interesting related to data communications, you can't go wrong with OpenBSD. I'll probably wait until my OpenBSD 3.9 CDs arrive, but one of my next big work projects is to build a "clean room" network for conducting security related research. I want to be able to work on the network remotely, so I'll be taking advantage of OpenBSD's IPSec implementation.
For those who prefer the port knocking way of doing things, here's a variation on the theme by way of the OpenBSD Journal (Alternative to Port-Knocking using OpenBSD PF + OSFP):
poplix@papuasia.org has written up an interesting proof-of-concept for an alternative to port-knocking type solutions which basically employs PF's support of OSFP-based rulesets along with a userland util. for modifying IP header values etc.
From writeup:
"The idea is to use os fingerprints as a key. A user can invent a specific sequence of header values that will identify his fake os, add it to the fingerprints database and use it in the firewall. The result is an OBSD machine that is totally stealth to port scans but the owner can log into it using his specific set of header values."
Full details are here:
http://tripp.dynalias.org/p0fspoof.txt
Port knocking falls into the clever rather than secure category as far as I'm concerned. As the first comment in the OpenBSD Journal thread suggests, "port knocking is just another plain text password." I'm not sure why someone would use this sort of strategy for access control when they could set up a proper VPN, but it does have some academic value.
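To make the mechanism concrete, here is an added illustration of my own, not taken from poplix's write-up or the OpenBSD Journal: a hypothetical pf.os(5) fingerprint entry for an invented "operating system" and the pf.conf(5) rules that use it as the access key. The fingerprint values, the name MyFakeOS and the interface name fxp0 are assumptions made for the example.

```conf
# /etc/pf.os -- hypothetical entry appended to the stock fingerprint file.
# Field order per pf.os(5):
#   window:TTL:DF:packet size:options:quirks:OS:version:subtype:details
# All values below are constructed for illustration; they match no real OS.
61440:60:1:48:M1400,N,N,S:.:MyFakeOS:1::hypothetical knock-key fingerprint

# /etc/pf.conf -- only the rules relevant to the example.
ext_if = "fxp0"                 # assumed external interface name
set fingerprints "/etc/pf.os"   # load the fingerprint database above

# Default: silently drop all unsolicited inbound traffic, so the host
# shows nothing to an ordinary port scan.
block drop in on $ext_if

# Admit only TCP SYNs whose IP/TCP header values match the invented
# fingerprint; PF's passive OS fingerprinting does the comparison.
pass in on $ext_if proto tcp from any os "MyFakeOS" \
    to ($ext_if) port ssh flags S/SA keep state
```

Everything the pass rule checks (window size, TTL, DF bit, option layout) travels unencrypted in the client's SYN, which is why the "key" here is the plaintext password the Journal commenter describes: the firewall admits whoever sends those header values, not whoever knows a secret.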
One more bit of OpenBSD love before I send this one out. The OpenBSD Journal has an article on OliveBSD, an OpenBSD 3.8 based Live CD:
From the just-like-rabbits department: Following on the heels of the release last month of Anonym.OS, there is a new kid on the OpenBSD live CD block, OliveBSD. Put together by Gabriel Paderni, who made use of the article on ONLAMP by Kevin Lo.
While I'm more interested in the idea of an OpenBSD live CD than I am in the OliveBSD implementation, this is on my increasingly long list of things to check out in the near future. I've got an OpenBSD based filtering ethernet bridge implementation that I've used for a number of small projects over the course of the last couple of years that is getting a little long in the tooth. I'm planning on updating it to OpenBSD 3.9 in the near future and I would like to implement the project as a live CD this time around.