| viZard | Good evening, friends |
| viZard | Today we start with security on Linux. |
| viZard | Well, let's start with an introduction. |
| viZard | Then, physical security. |
| viZard | Local security. |
| viZard | Security in file systems. |
| viZard | Network security. |
| viZard | And an application of private network security: |
| viZard | FreeSwan |
| viZard | We know Linux is a real multiuser system |
| viZard | and that's why we have to protect users from one another |
| viZard | and protect ourselves. |
| viZard | Linux is an excellent isolated workstation |
| viZard | but the usual |
| viZard | (viZard note: misspellings are not on purpose :) |
| viZard | but the usual case is that every Linux machine is connected to a network |
| viZard | and is serving this network. |
| viZard | The system has the duty to guarantee the services it offers. |
| viZard | Also, I'd like to remark on the dynamic character of network systems |
| viZard | on securuty |
| viZard | oops, on security |
| viZard | All the time there are new exploit tools that compromise network functionality. |
| viZard | This forces us to update frequently and consult online news and Bugtraq sites |
| viZard | that help to make small fixes; |
| viZard | also, they inform about the latest vulnerabilities. |
| viZard | Of course, these publications inform about current activities on security. |
| viZard | In a few moments we will talk about general methods to prevent intrusions. |
| viZard | The first thing we must take care of is the physical security of a system. |
| viZard | We must keep in mind those who have physical access to the machines, and whether they really should have access to them. |
| viZard | The security level of a system depends on its characteristics. |
| viZard | A home user doesn't have to worry too much about physical protection, |
| viZard | except to protect the machine from kids ;) or something like that. |
| viZard | At the office, it is different. |
| viZard | Linux provides the standard physical security level for an OS: |
| viZard | 1.- Secure boot |
| viZard | 2.- Blocking of terminals |
| viZard | 3.- Capabilities of a real multiuser system |
| viZard | When the system boots up, we find a login prompt; it is the system asking for identification. |
| viZard | If we are not a verified user, we won't be able to work on the system. |
| viZard | Also, the system logs all access attempts, failed or not, |
| viZard | so it won't pass unseen. |
| viZard | LILO is in charge of loading the OS into memory and giving it information for its boot. |
| viZard | It can also give parameters to Linux to modify its behavior. |
| viZard | There's also GRUB. |
| viZard | Terminal locking can shut access to your console if you get away from your machine, so nobody can use your login session, see your work, ... |
| viZard | Two programs do this: xlock & vlock. |
| viZard | xlock locks when we're under X Window. |
| viZard | vlock is a simple program to lock one or all virtual consoles on a Linux machine. |
| viZard | This was an introduction; I'll leave you with Mauricio and I'll continue later. |
| viZard | Thank you, Jimmy |
| viZard | Hi, my name is Mauricio Melendez S., Electronic Eng. |
| viZard | I work with Jimmy at a Peruvian government institution, INICTEL, |
| viZard | where we are part of the Linux Experimental Network. |
| viZard | Today's talk is about VPN with FreeS/WAN. |
| viZard | This is the content: |
| viZard | - VPN, general definition |
| viZard | - The need for VPNs using Free Software |
| viZard | - Proposed network, installation and configuration |
| viZard | I hope you like it. |
| viZard | Most of you know what a VPN is.... it is a private network that permits two remote networks to communicate with each other |
| viZard | in a secure way through a public and insecure network, like the Internet. |
| viZard | These networks take advantage of the "tunneling" method and encryption to set up a LAN through the Internet, connecting two remote nodes. |
| viZard | Cheaper (??) costs than doing it using a dedicated line. |
| viZard | The term "virtual" means that users ask for service over a public network, but they are like local nodes of a LAN. |
| viZard | Tunneling is a method which puts security gateways in charge of establishing tunnels for connections between machines in their respective networks. |
| viZard | I hope that clarified the concept of VPN. |
| viZard | Next, topic 2. |
| viZard | Currently, in many countries like Peru, |
| viZard | many companies and institutions have communication systems to interconnect their sites, using dedicated links. |
| viZard | Besides, these companies look for a platform where they can develop their work systems in a secure and low-cost way. |
| viZard | The cost demanded for the implementation of communication systems is very high, even more so for small companies. |
| viZard | That's why it is urgent to use Free Software. |
| viZard | The protocol that permits this kind of connection and encryption is IPSec. |
| viZard | Among applications for using IPSec we have: |
| viZard | - Netasq |
| viZard | - OpenBSD's IPSec |
| viZard | - Nortel Networks |
| viZard | But this talk is focused on FreeS/WAN for the Linux platform, which is a very good app, |
| viZard | a very good IPSec application, |
| viZard | which is currently developed under the IETF's norms |
| viZard | and following some results from a recent seminar in Paris, |
| viZard | where some tests were made with the different applications mentioned before and others, concluding that it is not the most stable but one of the best. |
| viZard | The FreeSWAN project was born a long time ago because of demand for VPN solutions in Free Software. |
| viZard | That's why Free Software development is so important. |
| viZard | Each one of us takes part in promoting the use and development of Free Software |
| viZard | in our countries. |
| viZard | Back to our talk. |
| viZard | Inside INICTEL's tests |
| viZard | we set up a small network to make all the tests we wanted. |
| viZard | We must say we used RH 7.2, which we think is very stable compared with other distros. |
| viZard | Well, the "island" was formed of 2 PCs, one gateway (which is another PC) and one hub. |
| viZard | This network allowed us to verify the IPSec performance with FreeS/WAN. |
| viZard | This is the network map: |
| viZard | PC1==>GW<==>[HUB]<==PC2 |
| viZard | FreeSWAN was installed on PC1 and GW. |
| viZard | PC2 is a common user, which doesn't know about the connection on the other side, meaning FreeSWAN was transparent to it. |
| viZard | We used FreeSWAN 1.96. |
| viZard | So, we decompressed it and inserted it into the kernel. |
| viZard | One thing I should say about inserting freeSWAN into the kernel: |
| viZard | when we did this, it generated a kernel config without any options: no ext3, no net, nothing.... |
| viZard | so, be cautious when you do this. |
| viZard | continuing..... |
| viZard | We inserted freeSWAN into the kernel of PC1 and GW, |
| viZard | then we recompiled the new kernel. |
| viZard | After rebooting both PCs, we must verify IPSec is running on both machines; |
| viZard | we must verify there is an interface named ipsec0. |
| viZard | IPSec uses 3 protocols: |
| viZard | ESP, AH and IKE. |
| viZard | ESP encrypts and/or authenticates data. |
| viZard | AH provides package authentication services. |
| sarnold | AH provides _packet_ authentication services |
| viZard | and IKE negotiates connection parameters, including keys or passwords, between them. |
| viZard | :) |
| viZard | When we install freeSWAN some files are created: |
| viZard | one is /etc/ipsec.conf |
| viZard | and /etc/ipsec.secrets |
| viZard | ipsec.conf holds connection descriptions, like: |
| viZard | conn PC1-PC2 <-- connection between PC1 and PC2 |
| viZard | Next, a series of parameters relating to interfaces and subnets to use, |
| viZard | and the kind of execution: manual or automatic. |
| viZard | Automatic is the best option. |
| viZard | The ipsec.conf used in our test is going to be published. |
| viZard | Now, the PCs with IPSec installed must generate public and private keys. |
| viZard | The /etc/ipsec.secrets file stores the keys used for the connection; |
| viZard | these keys are used at the moment of running IPSec with a daemon named "pluto". |
| viZard | To generate keys we use the command ipsec ranbits 256 > /etc/ipsec.secrets |
| viZard | For better encryption we can increase 256 to 1024, but it depends on the PC where it is being created. |
| viZard | This value is the number of bits used to generate the key, |
| viZard | and these keys are copied into the ipsec.conf file. |
| viZard | Both machines must have each other's keys. |
| viZard | Now we shall test freeswan with the command |
| viZard | ipsec --auto |
| viZard | Now we want to know if there is really encryption of data. |
| viZard | To do this, we use a sniffer; |
| viZard | then we analyze both interfaces, eth0 and ipsec0. |
| viZard | Logs can be found in the document we will publish later, |
| viZard | and then we could successfully set up communication in a small virtual network. |
| viZard | I need someone to help me translate into Spanish |