Manualshelf

HP-UX IPSec version A.02.01 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
919293949596979899100
Configuring HP-UX IPSec
Maximizing Security
Chapter 4 91
Maximizing Security
A system may have both “public” interface IP addresses and “private
interface IP addresses. A public interface IP address is an IP address
configured on a Network Interface Card (NIC) connected to a public
network. A private interface IP address is an IP address configured on a
NIC connected to a private internal network. If you have a system with
both a public interface IP address and a private interface IP address, do
not assume that all packets processed by the private interface originated
from the private network. Do not configure any “open” IPsec policies that
allow most or all packets sent to the private interface IP address to pass
in clear text.
If you configure an open IPsec policy for a private interface IP address on
a system that also has public interfaces, intruders may be able to access
services or ports bound to the private interface IP address from other
NICs on the system, even if the other interface IP addresses are secured
by IPsec policies. Intruders may access services or ports bound to the
private interface IP address, even if the intruders are not directly
connected to the private interface.
Bypass List
Configuring an entry in the bypass list has the same effect as configuring
an open IPsec policy, so the same conditions exist. Intruders may be able
to access services or ports bound to the address in the bypass list from
other interfaces on the system, even if the other interfaces are secured by
IPsec policies. Intruders may access services or ports bound to the
address in the bypass list even if the intruders are not directly connected
to the interface in the bypass list.
HP recommends that you do not configure open IPsec policies, or entries
in the bypass list for private interfaces on systems that also have public
interfaces, or on systems on which you are using HP-UX IPSec as a filter
or firewall to protect your network.
Strong End System Model
To maximize security when using open policies or the bypass list, HP
recommends that you enable the RFC 1122 Strong End-System Model.
You can do this by entering the following command: