[ale] IPSEC Operations Issues

Chris Ricker kaboom at gatech.edu
Thu Sep 26 22:37:50 EDT 2002


On 26 Sep 2002, Ryan Matteson wrote:

> Has anyone experienced any problems when deploying IPSEC in
> their production environments? We are debating using IPSEC
> between a Solaris and HPUX system, as the necessary binaries
> are provided with both. Several firewalls reside between the
> hosts, but I am not aware of any NAT'ing going on. We would
> like to use AH and ESP to encrypt the headers and payload. We
> are also possibly debating using Checkpoint Firewall-1 to
> provide this functionality. I believe this would be a much
> more efficient means. Just curious what the gurus on the list
> think.

I've never messed with the stock IPSec stuff on HP-UX (I didn't know it had
any, but then, I don't see HP-UX much), but I have set up Solaris before.  
There are some limitations of Sun's IPSec implementation to be aware of.  
You'll have to be on Solaris 8 or 9.  On Solaris 8, the built-in IPSec
essentially doesn't do IKE at all.  On Solaris 9, the built-in IPSec does
IKE, but only for IPv4, not for IPv6....  Sun long pushed an alternative
protocol (SKIP)  instead of IKE; their implementation of IKE now that
they've broken down and added it seems a little half-hearted.  Also, for the 
standard USA broken legal reasons, you'll have to download some packages 
from Sun to get IPSec working.

Other than that, IPSec works just fine in production for me; I'm typing this
message over an encrypted IPSec tunnel, actually.  Keep in mind that it does
impose some (negligible, except for really busy servers) overhead on the
source and destination, CPU-wise.  Also keep in mind that any traffic coming
through IPSec cannot be analyzed between the source and destination (which
has security implications, particularly if you're using a NIDS or any layer
5+ filtering / analysis applications).

later,
chris


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
