From owner-freebsd-security Tue Jan 25 9:10:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id DFC401503D for ; Tue, 25 Jan 2000 09:10:02 -0800 (PST) (envelope-from jflowers@ezo.net)
Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id MAA24125; Tue, 25 Jan 2000 12:10:00 -0500 (EST)
Date: Tue, 25 Jan 2000 12:10:00 -0500 (EST)
From: Jim Flowers
To: freebsd-security@freebsd.org
Subject: Skip, Natd, Ipfw, and VPN Nomads (long)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Skip and natd can be combined in a single FreeBSD box using ipfw rules to control packet flow to natd in useful ways. Internal users can browse the Internet or access resources on multiple remote VPN segments. External clients can access internal servers through natd port redirects.

Adding nomad capability complicates the setup, and two FreeBSD boxes are required. A nomad is a client from anywhere on the Internet with an ephemeral IP# that is not known in advance. When packets from the nomad are first processed by skip, the client is validated from its KeyID and the corresponding IP# is entered in the access control list. Unfortunately, it is not possible to use ipfw rules to differentiate between response packets outbound to the nomad and internal client query packets outbound to Internet servers. This is singularly important when the nomad is a Windows based host that is to join an internal NT domain. The logon server response packets must bypass natd or the logon attempt will fail with a "failed to find logon server" error report. Packets from internal clients browsing the Internet, on the other hand, must go through natd to obtain a routable return address.
The skip procedure provides for such a differentiation, as it maintains a table of all nomad IP numbers and will process those that match, passing on those that do not. The skip procedure, however, follows natd in the outbound direction, so it is not sufficient for this duty. Thus the need for two boxes: the inner box configured with skip, the outer box configured with natd. Fortunately, skip packets will pass through the natd process without alteration in both directions in the outer box. For our wireless Internet connections, that is not a burden, as the wi0 interface driver is not compatible with the skip procedure and a second box is necessary on that account alone.

One added refinement. Once a Windows nomad is logged on to an NT domain, it can use network neighborhood to browse hosts on the local network segment. In order for the same capability to exist for remote network segments, the decoded inbound packets must be 'educated' before forwarding to the target host so that responses return to the skiphost that was used to validate the nomad. One way to do this is to use inbound natd so that the decoded packets have the source address changed to that of the skiphost before forwarding to the target host. In fact, I prefer this method when the skiphost is located on a perimeter network acting as a VPN bypass around the inside firewall interface (for secure packets only). For systems relying on natd for security, I use the more traditional natd approach (outbound interface) on the skiphost with specific ipfw rules to divert only those packets destined for a remote VPN network segment that both arrive and leave on the same interface.

A diagram will help to make the above concepts clearer.
========================Internet
            |
          [wi0]
            |
   ipfw - divert(any) -> natd(wi0)
            |                          Gw/Nat
          route
            |
          ipfw
            |
          [ed1]
            |
            |
===============intermediate network
            |
          [ed1]
            |
   ipfw - divert(remote only) -> natd(ed1)
            |                          VAC/Nomads
          skip
            |
          route
            |
          ipfw
            |
          [ed2]
            |
            |
=================private network
            |
            |
          [PDC]

route indicates kernel routing table
PDC indicates primary domain controller for NT network.
Gw/Nat - gateway/nat
VAC/Nomads - VPN access controller / Nomad Server
ACL - access control list

natd/skip notes

1. For Gw/Nat, skip packets will pass through natd unchanged in both directions.
2. For VAC/Nomads, inbound skip packets will pass through natd unchanged, to be unpacked by skip and forwarded as determined by route.
3. Packets received on the ed1 interface, directed to remote networks, will be processed by skip in accordance with the destination ACL.
4. Packets generated by internal clients browsing the Internet will be passed up by skip (no ACL match) to Gw/Nat for processing by natd (divert match any/any).

Skip, natd and ipfw all operate reliably, consistently and repeatably once the relationships are understood and exploited properly.

Jim Flowers
#4 ISP on C|NET, #1 in Ohio
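As an added example (not part of Jim's mail), here is one way to write the ipfw rulesets for the two boxes in the diagram: the outer Gw/Nat box diverts everything on wi0 to natd, while the inner VAC/Nomads box diverts only packets whose destination is a remote VPN segment and that arrive and leave on ed1, so Internet-bound client traffic and nomad responses are left alone. The network addresses, the rule numbers and the natd divert port 8668 are assumptions; SKIP is IP protocol 57.

```shell
#!/bin/sh
# Added example, not from the original mail: ipfw rulesets for the two boxes in
# the diagram. Addresses are constructed placeholders; natd is assumed to be on
# its default divert port 8668, and SKIP traffic is IP protocol 57.
IPFW=${IPFW:-ipfw}                 # set IPFW=echo to print rules without loading

VPN_NETS="10.2.0.0/16 10.3.0.0/16" # placeholder: remote VPN network segments

# Gw/Nat (outer box): every packet crossing wi0 is diverted to natd in both
# directions. SKIP packets pass through natd unchanged (note 1), so no
# special rule is needed for them here.
gw_nat_rules() {
    $IPFW -f flush
    $IPFW add 100 divert 8668 ip from any to any via wi0
    $IPFW add 65000 allow ip from any to any
}

# VAC/Nomads (inner box): natd on ed1 sees only packets to or from a remote
# VPN segment. Packets from internal clients browsing the Internet are passed
# up to Gw/Nat untouched (note 4), and responses to a nomad, whose address is
# not in VPN_NETS, never match a divert rule on this box.
vac_rules() {
    $IPFW -f flush
    # SKIP (protocol 57) to and from the skiphost itself is accepted as-is
    $IPFW add 50 allow 57 from any to any via ed1
    n=100
    for net in $VPN_NETS; do
        # 'via ed1' matches the packet both when it arrives on ed1 and when
        # it leaves on ed1, which is the same-interface case the mail describes
        $IPFW add $n divert 8668 ip from any to $net via ed1
        n=$((n + 10))
        $IPFW add $n divert 8668 ip from $net to any via ed1
        n=$((n + 10))
    done
    $IPFW add 65000 allow ip from any to any
}

case "${1:-}" in
    gw)  gw_nat_rules ;;
    vac) vac_rules ;;
esac
```

Run with `IPFW=echo sh rules.sh vac` to review the generated rules before loading them on the box.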