Network Security Features of HP-UX
HP-UX 11i v1 and 11i v2
An HP-UX White Paper from Hewlett-Packard
February 2004
5990-7245
U.S.A.
©2004 Hewlett-Packard Development Company L.P.
Table of Contents
Abstract (page 1)
Introduction (page 2)
Real-World Networking Security Example
Appendix A: Product Information (page 31)
HP-UX 11i Security Products Availability Matrix (page 31)
For More Information (page 32)
Cryptography
Network Security Features of HP-UX 11i
Abstract
This white paper discusses the network security features in HP-UX 11i version 1 and 11i version 2. It covers network security technologies and solutions, and explains authentication techniques, security in Domain Name Service (DNS), routing, sendmail, and encryption. It provides basic product information for HP-UX 11i networking security products.
Introduction Hewlett-Packard is a recognized leader in network security. The 11i v1 and 11i v2 releases of HP-UX contain a rich set of standards-based and directory-enabled network security features that enable companies to build their e-business without compromising corporate security.
• Individual systems (hosts, clients)
• Network connections (TCP connections)
• Applications or services (web servers, file servers)
HP-UX provides a rich set of products and features to provide network security for all of these layers. Many of these products and features are flexible and can be used to protect more than one layer of the network. All these products are available free of charge with the HP-UX 11i operating system.
• TCP Wrapper: TCP Wrapper addresses the inherent security issues with inetd.sec by providing built-in protection against host name and host address spoofing. It includes complete access control with monitoring and logging of incoming network connections.
Applications
• HP-UX Secure Shell (SSH): The HP implementation of the open source SSH application. SSH replaces the clear-text network command line utilities rlogin, remsh, rcp, and ftp with encrypted, authenticated equivalents.
Cryptography
Cryptography is the basis of secure networking and is used extensively for authentication, encryption, and integrity validation of network communications. Strong cryptographic algorithms are computationally intensive and require highly optimized implementations. HP-UX has industry leading cryptographic performance. Developers can also take advantage of this performance through a set of cryptographic toolkits.
HP-UX AAA Server
The HP-UX AAA Server provides AAA (Authentication, Authorization, and Accounting) server software for the HP-UX platform. This product is commonly referred to as a RADIUS server. The HP-UX AAA Server's primary clients are network access devices (VPN gateways, Wireless LAN access points, LAN switches, Network Access Servers connecting dial-in users) that need to authenticate the end user before allowing the user's device/computer to attach to the network.
[Figure 1: Using the HP-UX AAA Server for Authentication and Accounting at Network Access Points. The figure shows an enterprise network (LDAP server, HP-UX AAA Server, switch, access point, printer, desktop, notebook, PDA) behind a firewall/VPN gateway, with remote clients reaching it over the Internet; the links are labelled 802.1X/EAP, RADIUS/AAA, IPSec/VPN, and LDAP.]
The HP-UX AAA Server can be downloaded from Software Depot.
• RADIUS RFC standards: Provides the RADIUS protocol and attributes defined in RFC2865, RADIUS accounting as defined in RFC2866, RADIUS extensions described in RFC2869, and tunnel support as specified in RFC2867 and RFC2868.
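The two RFC2865 mechanisms that a NAS or test client most often gets wrong are the User-Password hiding and the Response Authenticator. The following Python is an added example, not HP-UX AAA Server code: it builds an Access-Request, hides the password exactly as section 5.2 of RFC2865 specifies (MD5 of the shared secret chained over 16-octet blocks), lets a toy server answer, and has the client verify the Response Authenticator before trusting the reply. The user name, password, shared secret and identifier are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad with NUL to 16-octet blocks, then chain
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """NAS side: a fresh, unpredictable Request Authenticator per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(request, secret, users):
    """Toy RADIUS server: recover the password, decide, sign the reply with
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    attrs = parse_attributes(request[HEADER_LEN:length])
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    stored = users.get(attrs[ATTR_USER_NAME])
    ok = stored is not None and hmac.compare_digest(stored, password)
    reply_attrs = b""  # a real Access-Accept may carry Framed-IP-Address, VLAN, etc.
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier,
                         HEADER_LEN + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(response, request, secret):
    """NAS side: trust a reply only if its authenticator was computed with the
    shared secret over the Request Authenticator we sent."""
    request_auth = request[4:HEADER_LEN]
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def demo():
    secret = b"nas-shared-secret"                  # constructed shared secret
    users = {b"alice": b"correct horse battery"}   # constructed user database
    request = build_access_request(7, b"alice", b"correct horse battery", secret)
    response = server_respond(request, secret, users)
    return (response[0], response[1],
            verify_response(response, request, secret),
            verify_response(response, request, b"wrong-secret"))


if __name__ == "__main__":
    print(demo())  # (2, 7, True, False): Access-Accept, same ID, verifies only with the right secret
```

Two points the example makes visible: the Request Authenticator must be fresh and unpredictable, because reusing one under the same secret lets an attacker who knows one password recover the first 16 octets of every other password hidden under it; and the NAS must verify the Response Authenticator, otherwise a spoofed UDP reply can grant access. Both mechanisms rest on MD5 and a shared secret, which is why current deployments prefer to carry RADIUS over TLS (RadSec) across untrusted networks.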
HP-UX Mobile AAA Server (Diameter)
The HP-UX Mobile AAA Server is an Authentication, Authorization, and Accounting (AAA) server based on the Diameter Base Protocol and Diameter Mobile IPv4 Application. These protocols define a standard for information exchange that allows Diameter servers to deliver AAA services to Mobile IP agents. HP-UX Mobile AAA Server is available for download from Software Depot.
Internet Protocol Security Protocol Suite—HP-UX IPSec The Internet Engineering Task Force (IETF) IP Security Protocol (IPsec) working group has defined a set of specifications for cryptographically based authentication, integrity, and confidentiality services at the IP layer of the network stack. HP-UX IPSec is the HP implementation of IPsec. HP-UX IPSec implements rule-based policy management. As shown in Figure 2, IPsec technology can be deployed to provide secure tunnels through the public Internet.
hardened system platform, dynamic filtering, and strong client authentication must be in place to safeguard these servers. The communication between the servers in the DMZ and the back-end servers in the internal network also needs to be secured. HP-UX IPSec can protect the communication between the DMZ and the back-end servers. HP-UX IPSec is available for download on Software Depot and on the HP-UX Application Release CD.
Host Based Firewalls with HP-UX IPFilter A corporate intranet must be protected against intrusion and Denial of Service (DoS) attacks. This can be achieved by using one or more network perimeter firewalls. There are many products available that fill this role. However, individual hosts may need additional protection against external or internal attacks. This protection is important for hosts that are directly accessible from the Internet.
• Return messages in response to blocked packets: Sends back an ICMP error or a TCP reset for blocked packets, so a blocked port looks closed rather than filtered. This helps keep attackers from realizing their packets have been explicitly blocked.
• Keep state functionality: Enforces packet blocking based on session state for TCP, UDP, and ICMP.
• IP fragment control: Keeps fragment state information for any fragmented IP packet, applying the same rule to all fragments, or drops all fragmented traffic if specified by rule.
Secure Sockets Layer (SSL) Libraries
Secure Sockets Layer (SSL), or Transport Layer Security (TLS), the Internet Engineering Task Force standardized successor to SSL, secures individual connections at the socket (transport) layer. RSA provides a developer's kit containing a high performance SSL implementation for HP-UX. Alternatively, you can use the precompiled OpenSSL commands and libraries available as part of the HP-UX Internet Express open source software package.
TCP Denial of Service Defense
Beginning with HP-UX 11i v1, TCP incorporates a defense against SYN flood attacks, in which an attacker floods a target system with spurious TCP SYN packets and causes the target to consume resources (half-open connection state) for these false incoming TCP connection requests.
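The paper does not say how the HP-UX defense is implemented, so the following Python is an added, generic illustration of one widely used SYN flood countermeasure, SYN cookies, and not a description of the HP-UX 11i mechanism. The server encodes a coarse time counter, the client's MSS class and a keyed hash of the connection 4-tuple into its initial sequence number, stores nothing for the half-open connection, and allocates state only when the returning ACK carries a cookie that validates. Addresses, ports, the server secret and the MSS table are constructed.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)               # per-server secret (constructed; real stacks rotate it)
MSS_TABLE = [536, 1024, 1440, 1460]   # MSS classes encoded in 3 bits (constructed set)
COUNT_PERIOD = 64                     # seconds per time-counter tick
COUNT_BITS = 5                        # 32 ticks before the counter wraps


def _keyed_hash(saddr, sport, daddr, dport, client_isn, count, mss_idx):
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{client_isn}|{count}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def _time_count(now):
    return (now // COUNT_PERIOD) & ((1 << COUNT_BITS) - 1)


def make_cookie(saddr, sport, daddr, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: count(5 bits) | mss_idx(3 bits) | keyed hash(24 bits)."""
    count = _time_count(now)
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    h = _keyed_hash(saddr, sport, daddr, dport, client_isn, count, mss_idx)
    return (count << 27) | (mss_idx << 24) | h


def check_cookie(saddr, sport, daddr, dport, client_isn, cookie, now):
    """Validate the cookie echoed in the handshake's third step; returns the MSS or None."""
    count, mss_idx = cookie >> 27, (cookie >> 24) & 7
    current = _time_count(now)
    if count not in (current, (current - 1) & ((1 << COUNT_BITS) - 1)):
        return None  # older than two ticks: stale or replayed
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _keyed_hash(saddr, sport, daddr, dport, client_isn, count, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None  # forged, or sent for a different 4-tuple
    return MSS_TABLE[mss_idx]


class Listener:
    """A listening socket that completes handshakes without half-open state."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = []

    def on_syn(self, saddr, sport, client_isn, mss, now):
        # SYN-ACK carries seq = cookie, ack = client_isn + 1. Nothing is stored.
        return make_cookie(saddr, sport, self.addr, self.port, client_isn, mss, now)

    def on_ack(self, saddr, sport, seq, ack, now):
        # Third step: seq = client_isn + 1, ack = cookie + 1.
        mss = check_cookie(saddr, sport, self.addr, self.port, seq - 1, (ack - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return False
        self.established.append((saddr, sport, mss))
        return True


def demo():
    now = int(time.time())
    srv = Listener("10.0.0.5", 22)   # constructed server address
    # 10000 spoofed SYNs that never complete consume no memory on the listener.
    for i in range(10000):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, i, 1460, now)
    # A genuine client finishes the handshake with the cookie it was given.
    isn = 0x1234ABCD
    cookie = srv.on_syn("198.51.100.7", 40211, isn, 1460, now)
    good = srv.on_ack("198.51.100.7", 40211, isn + 1, cookie + 1, now + 30)
    forged = srv.on_ack("198.51.100.7", 40211, isn + 1, (cookie ^ 0x5A5A) + 1, now + 30)
    stale = srv.on_ack("198.51.100.7", 40211, isn + 1, cookie + 1, now + 200)
    return good, forged, stale, len(srv.established), srv.established[0][2]


if __name__ == "__main__":
    print(demo())  # (True, False, False, 1, 1460)
```

The price of keeping no state is that everything the client announced in its SYN must either be squeezed into the cookie or forgotten; the MSS class bits are the usual compromise, and options such as window scaling or SACK are lost unless a stack finds another place to encode them. That is why most implementations only switch to cookies once the half-open table is under pressure.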
TCP Wrapper
TCP Wrapper addresses the inherent security issues with inetd.sec by providing built-in protection against host name and host address spoofing. It is broadly similar to inetd.sec in that it uses access control files to allow or deny access to services under the control of inetd, and it offers additional functionality. TCP Wrapper is an Internet Services product available on Software Depot.
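To make the evaluation order and the spoofing check concrete, here is an added Python model of hosts_access(5) rule evaluation (example code, not the TCP Wrapper sources): hosts.allow is consulted first and a match grants access; then hosts.deny, where a match refuses; otherwise access is granted. A client whose reverse-DNS name does not resolve forward to the connecting address is treated as PARANOID and its name is never used for matching. The rule files, addresses and the forward-DNS table are constructed.

```python
import ipaddress

# Constructed /etc/hosts.allow and /etc/hosts.deny contents.
HOSTS_ALLOW = """
sshd ftpd : .corp.example.com 10.1.2.0/255.255.255.0   # internal hosts by name or network
ALL : LOCAL                                            # unqualified (local domain) names
"""
HOSTS_DENY = """
ALL : PARANOID      # name/address mismatch: refuse regardless of the claimed name
sshd : ALL          # nobody else may ssh in
"""

# Constructed forward-DNS answers used to verify reverse lookups.
FORWARD_DNS = {
    "build1.corp.example.com": {"10.1.2.5"},
    "evil.corp.example.com": {"198.51.100.9"},
    "mirror.partner.example": {"192.0.2.10"},
}


def is_spoofed(ip, name):
    """The wrapper's anti-spoofing check: the reverse-DNS name must resolve forward
    to the address that actually connected."""
    return name is not None and ip not in FORWARD_DNS.get(name, set())


def match_client(pattern, ip, name):
    trusted_name = None if (name is None or is_spoofed(ip, name)) else name
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return is_spoofed(ip, name)
    if pattern == "KNOWN":
        return trusted_name is not None
    if pattern == "UNKNOWN":
        return trusted_name is None
    if pattern == "LOCAL":
        return trusted_name is not None and "." not in trusted_name
    if "/" in pattern:                       # net/mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):              # domain suffix
        return trusted_name is not None and trusted_name.endswith(pattern)
    if pattern.endswith("."):                # address prefix
        return ip.startswith(pattern)
    return pattern == ip or pattern == trusted_name


def parse_rules(text):
    """daemon_list : client_list [EXCEPT client_list]; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")[:2]]
        allowed, _, excepted = clients.partition(" EXCEPT ")
        rules.append((daemons.split(), allowed.split(), excepted.split()))
    return rules


def rule_matches(rule, daemon, ip, name):
    daemons, clients, excepted = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    if not any(match_client(p, ip, name) for p in clients):
        return False
    return not any(match_client(p, ip, name) for p in excepted)


def hosts_access(daemon, ip, name):
    """True if the connection is granted, following tcpd's evaluation order."""
    if any(rule_matches(r, daemon, ip, name) for r in parse_rules(HOSTS_ALLOW)):
        return True
    if any(rule_matches(r, daemon, ip, name) for r in parse_rules(HOSTS_DENY)):
        return False
    return True


def demo():
    return {
        "internal build host": hosts_access("sshd", "10.1.2.5", "build1.corp.example.com"),
        "forged corp name": hosts_access("ftpd", "203.0.113.7", "evil.corp.example.com"),
        "partner ftp": hosts_access("ftpd", "192.0.2.10", "mirror.partner.example"),
        "partner ssh": hosts_access("sshd", "192.0.2.10", "mirror.partner.example"),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

The "forged corp name" case is the one the wrapper exists for: the attacker controls the reverse DNS for 203.0.113.7 and claims a name under .corp.example.com, but the forward lookup disagrees, so the name is discarded and the PARANOID rule refuses the connection. Note that the check verifies the name, not the address; for TCP services the completed handshake is what makes the source address hard to forge, so address-based rules for UDP services deserve correspondingly less trust.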
HP-UX Secure Shell (SSH)
HP-UX Secure Shell, based on open source SSH technology, is widely used to secure remote UNIX terminal sessions and is increasingly being regarded as an integral networking infrastructure component. HP-UX Secure Shell provides secure replacements for network utilities such as rlogin, rsh, and rcp, and provides secure ftp. HP-UX Secure Shell is a fully tested and supported version of the OpenSSH Secure Shell product.
• SSH-1 and SSH-2 support: HP-UX Secure Shell supports both protocol versions. However, HP recommends the use of the more secure SSH-2 protocol to prevent the possibility of an insertion attack against SSH-1 sessions.
• Diverse authentication support: HP-UX Secure Shell supports password based, public key based, Kerberos, and host based authentication schemes. Since HP-UX Secure Shell encrypts the whole session, including the password exchange, password based authentication is protected against password sniffing and against offline dictionary attacks on captured traffic; online guessing is still possible and should be limited by server policy.
HP Kerberos
The Kerberos protocol provides enterprise-wide strong user authentication by validating user passwords without transmitting the password over the network in clear text. Kerberos technology is based on the client-server architecture. It ensures secure communication in a networked environment by leveraging individual trust relationships. It then brokers this trust across enterprise-wide distributed client-server networks.
Kerberos Server
A central Kerberos server, called the Key Distribution Center (KDC), verifies the user's password without the password ever crossing the network. The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using a key known only to the KDC, and sends the encrypted TGT back to the client. The client uses the TGT to obtain further service tickets, which provide proof of the client's identity to each service. HP-UX also provides secure key exchange between application clients and servers.
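The exchange described above, as an added Python example (not HP Kerberos or MIT Kerberos code): the client derives its key from the password locally, the KDC answers the AS request with a TGT sealed under its own key and a session key sealed under the user's key, and the client then presents the TGT plus a fresh authenticator to obtain a service ticket. The realm, principals, service name and the JSON/HMAC sealing used in place of a real Kerberos enctype are all assumptions of the example.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"  # constructed realm


def string_to_key(password, principal):
    """Client-side password-to-key derivation (stand-in for Kerberos string2key).
    The password itself is never put on the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{REALM}{principal}".encode(), 50_000)


def _keystream(key, nonce, length):
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, obj):
    """Toy encrypt-then-MAC standing in for a Kerberos enctype: HMAC keystream XOR, HMAC tag."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) in one process."""

    def __init__(self, user_keys, services):
        self.user_keys = user_keys                                  # principal -> long-term key
        self.service_keys = {s: os.urandom(32) for s in services}   # shared with each service
        self.tgs_key = os.urandom(32)                               # known only to the KDC

    def as_exchange(self, principal):
        """AS-REQ/AS-REP: the KDC never sees a password; only the holder of the
        user's key can open the reply and learn the TGT session key."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": principal, "session": session,
                                  "expires": time.time() + 600})
        reply = seal(self.user_keys[principal], {"session": session})
        return tgt, reply

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: the TGT proves the client authenticated earlier; the
        authenticator proves it holds the TGT's session key right now."""
        ticket = unseal(self.tgs_key, tgt)
        if ticket["expires"] < time.time():
            raise ValueError("TGT expired")
        session = bytes.fromhex(ticket["session"])
        auth = unseal(session, authenticator)
        if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > 300:
            raise ValueError("authenticator does not match the TGT")
        service_session = os.urandom(32).hex()
        service_ticket = seal(self.service_keys[service],
                              {"client": ticket["client"], "session": service_session})
        return service_ticket, seal(session, {"service": service, "session": service_session})


def client_login(kdc, principal, password, service):
    """Client flow: derive the key locally, open the AS reply, use the TGT for a service ticket."""
    key = string_to_key(password, principal)
    tgt, reply = kdc.as_exchange(principal)
    session = bytes.fromhex(unseal(key, reply)["session"])   # raises if the password is wrong
    authenticator = seal(session, {"client": principal, "ts": time.time()})
    service_ticket, reply = kdc.tgs_exchange(tgt, authenticator, service)
    return service_ticket, unseal(session, reply)["service"]


def demo():
    kdc = KDC({"alice": string_to_key("correct horse battery", "alice")}, ["host/fileserver"])
    ticket, service = client_login(kdc, "alice", "correct horse battery", "host/fileserver")
    # The file server opens the ticket with its own key and learns who the client is.
    client_in_ticket = unseal(kdc.service_keys["host/fileserver"], ticket)["client"]
    try:
        client_login(kdc, "alice", "wrong password", "host/fileserver")
        wrong = "accepted"
    except ValueError:
        wrong = "rejected"
    return service, client_in_ticket, wrong


if __name__ == "__main__":
    print(demo())  # ('host/fileserver', 'alice', 'rejected')
```

One caveat the model exposes: because the AS reply is handed out to anyone who names a principal, an attacker can request it and try password guesses offline against the sealed session key. Real KDCs require pre-authentication (typically a timestamp encrypted under the user's key) before issuing the reply for exactly that reason, and PAM Kerberos deployments should leave it enabled.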
Secure Routing
Standard routing protocols and routing configurations permit unverified sources to reconfigure routing tables. Connections can be hijacked and diverted to networks where they are not intended to go.
• BGP4+: Border Gateway Protocol extensions for IPv6
• IS-IS: Intermediate System to Intermediate System protocol
• ramD supports IETF RFC2080: RIPng for IPv6.
HP-UX Route Administration Manager is available on Software Depot.
Security Features in Internet Service Products
HP-UX Internet Service products deliver and support the networking services considered essential to HP-UX customers interoperating on TCP/IP-based networks. Many of these services have evolved to address security issues. For example, Secure Internet Services, as discussed in the Kerberos section of this white paper, provides strong user authentication for the ftp, rcp, rlogin, telnet, and remsh services.
Adaptive Security Using an LDAP Directory As enterprises grow and demands for computing resources increase, the cost of the administration of computing systems also increases. In a highly distributed environment, local security practices and administration methods are inconsistent, redundant, and difficult to audit.
Integration with Windows
The LDAP-UX integration is flexible in design and contains a Microsoft-compatible configuration profile. LDAP-UX products are certified against the Windows 2000 Active Directory Server (ADS). In addition, they support Microsoft Services for UNIX schema versions 2.0 and 3.0. You can use LDAP-UX in combination with PAM Kerberos to integrate HP-UX systems into Windows 2000 environments.
by the NIS/LDAP Gateway (also known as YPLDAP). The ypldapd daemon converts the NIS RPCs into equivalent LDAP search operations and then converts the response back into an NIS RPC reply. The NIS/LDAP Gateway is easy to deploy in environments that use NIS today. In these environments, it can replace existing NIS servers, as shown in Figure 5 below. An LDAP server plays the role of an NIS master server, while YPLDAP servers replace the NIS slave servers.
identification, and access control information. In addition, you can extend the Netscape Directory Server to support your entire enterprise with a global directory service that provides centralized management of all your enterprise resource information. HP provides the Netscape LDAP Directory Server as a software bundle on Software Depot. The Netscape LDAP Directory Server is also available on the HP-UX Application Release CD.
Superior Encryption Performance Cryptography-based technologies, such as encryption and digital signatures, are the foundation of secure network communications. Since cryptographic algorithms are computationally intensive, they can be a bottleneck that negatively impacts overall system performance. Therefore, the performance of cryptographic algorithms has a direct impact on the cost-effectiveness of network security solutions.
Faster BSAFE (RSA Version 6.0.4 and above) Performance in HP-UX 11i v1 and v2
The popular BSAFE toolkit of RSA Security, Inc. includes HP optimized versions of the RSA, DES, 3DES, and AES ciphers and the SHA-1 hash algorithm for HP-UX platforms. Therefore, applications built with the BSAFE toolkit can perform cryptographic operations substantially faster on HP-UX platforms than on other platforms.
Conclusion
HP-UX 11i v1 and v2 provide the latest security technologies for a secure enterprise network infrastructure on both PA-RISC and Itanium platforms, uniting an organization, its partners, and its customers into an e-business over the Internet. HP-UX 11i v1 and v2 enable a corporation to respond to its dynamic business needs in a much more cost-effective, efficient, and flexible manner without compromising corporate security.
Appendix A: Product Information
The following matrix and list give locations for obtaining the products described in this white paper, and additional information about those products.
HP-UX 11i Security Products Availability Matrix
Columns: Product; Included with HP-UX 11i (with no additional charge); Web Download (free product)
• HP-UX AAA Server (RADIUS): http://software.hp.com
• Mobile AAA Server (Diameter): http://software.hp.
For More Information Product release information, manuals, and white papers for the following products can be downloaded from http://docs.hp.com/hpux/internet/index.
Standards
For more information about IETF standards, visit the following Web site: http://www.ietf.org/
More specifically, for information on the IPSec family of protocols, visit the Web page of the IETF working group on the IP Security Protocol, at: http://www.ietf.org/html.charters/ipsec-charter.html
For publications of The Open Group, visit the Web site: http://www.opengroup.org/
For BIND visit the Internet Software Consortium (ISC) Web site: http://www.isc.
Appendix B: Glossary
3DES: Triple-Data Encryption Standard
AAA: Authentication, Authorization, and Accounting
AES: Advanced Encryption Standard
DES: Data Encryption Standard
DH: The Diffie-Hellman key agreement public-key cryptosystem
DMZ: De-Militarized Zone (between the Internet and the intranet)
DSS: Digital Signature Standard
EDI: Electronic Data Interchange
HTTP: Hyper-Text Transport Protocol
IETF: Internet Engineering Task Force
KDC: Key Distribution Center
Man-in-the-middle attacks: In a ma
MD: Message Digest (MD5 is a message digest, or cryptographic hash, algorithm)
NIST: National Institute of Standards and Technology
RC: Rivest Cipher (RC4 is a stream cipher)
RFC: Request For Comments
RSA: The Rivest-Shamir-Adleman public-key encryption and signature cryptosystem
SHA: Secure Hash Algorithm (SHA-1 is NIST's cryptographic hash standard, revision 1)
SSH: Secure Shell
SSL: Secure Sockets Layer
TLS: Transport Layer Security
Appendix C: SPECWeb99_SSL System Specifications
The following system specifications were used in Figure 6:
HP 2-way HP-UX result (1930)
System: HP Integrity rx2600
Processor: 1.5 GHz Intel Itanium 2 6M (2 total)
Operating system: HP-UX 11i v2
Web server: Zeus 4.2r2
HP 4-way HP-UX result (3702)
System: HP Integrity rx5670
Processor: 1.5 GHz Intel Itanium 2 6M (4 total)
Operating system: HP-UX 11i v2
Web server: Zeus 4.2r2
HP 8-way HP-UX result (5388)
System: HP Integrity rx7620
Processor: 1.
Web server: Sun ONE Web Server 6.0 SP5
Other Hardware: 1 x Sun Crypto Accelerator 1000 Board Version 1.1
SUN 4-way result (1088)
System: Sun Fire V480
Processor: 900MHz UltraSPARC III Cu (4 total)
Operating System: Solaris 8 2/02
Web server: Zeus 4.1
For detailed descriptions of the systems and configurations used in the SPECWeb99_SSL cryptography performance tests, refer to http://www.spec.org/web99ssl/results/web99ssl.html.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this white paper, including but not limited to the implied warranties of merchantability and fitness for a particular purpose.