[Openswan Users] Security Auditors wish for OpenSwan, get weak IKE/ESP policies out of list

Paul Wouters paul at xelerance.com
Thu Aug 23 18:42:53 EDT 2007


On Thu, 23 Aug 2007, tleslie wrote:

> Subject: Security Auditors wish for OpenSwan,
>     get weak IKE/ESP policies out of list
>
> I am having a security audit done,
> and I use openswan,
> the auditor looked at the barf of openswan
> and saw weak policies there.

What did he call weak?
Openswan in its default configuration uses any combination of:

AES, 3DES
SHA1, MD5
MODP-1024 - MODP-4096
PFS enabled

None of these are weak.

Did he mean kernel policies? If so, are you using NETKEY or KLIPS?
Did he mean the 0.0.0.0/0 policies?

If you want to be sure, I recommend KLIPS over NETKEY. KLIPS does not
have any policies we do not control, has extensive control and stability,
and most importantly a verifiable debug trail when enabling debugging.

> can i force a policy,
> does ike=.... and esp=.... force it, or just a strong recommendation.

Yes you can, but that would insinuate that one of the default IKE/ESP policies
we set is weak, which is not true.

> security auditors can be picky ..... :(

They should be. Ask what the "weak policies" were.

> auditor basically says, if its in there, even if 99.99999999999999999%
> never get used (i.e. single des) dont even allow it to be in there.

Single DES is not enabled in the default compile. You need to explicitly set
a few flags to enable those. For NETKEY, if you want 3des, you also get the 1des
module (it's the same code) so you can't disable the kernel cryptoapi 1des cipher,
but still, openswan on default compile will never negotiate 1des for anything.

> Paul, awesome TLLTS podcast by the way! thanks! hope you were still able
> to get beer at the end !!! :)

I did :)

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
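For readers who do want to pin the proposals the way the auditor asks, rather than rely on the defaults Paul lists, here is an added ipsec.conf fragment (an illustration for this page, not from the original thread or from the Openswan project's documentation). The connection name `audited-tunnel`, the addresses and the chosen algorithm list are assumptions. The first `conn` spells out the default-equivalent set of proposals Paul describes above; the second restricts the same tunnel to a single AES-256/SHA1/MODP-2048 proposal so that nothing else is offered or accepted, which is what "forcing" a policy with `ike=` and `esp=` means in Openswan: once either setting is given, only the listed proposals are used.

```conf
# Added example for this thread, not Openswan project configuration.
# Connection names, addresses and the chosen proposal list are assumptions.

# Spelled-out equivalent of what an unpinned Openswan negotiates by default
# (AES or 3DES, SHA1 or MD5, MODP groups, PFS on). Listed here only for contrast;
# per Paul's reply none of these is weak.
conn audited-tunnel-defaults
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    authby=secret
    pfs=yes
    ike=aes-sha1-modp1024,aes-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
    esp=aes-sha1,aes-md5,3des-sha1,3des-md5
    auto=start

# Pinned variant: only one IKE proposal and one ESP proposal are offered or
# accepted. An auditor reading `ipsec auto --status` or the barf output for this
# conn sees exactly this list and nothing else. Both peers must carry a matching
# (or overlapping) ike=/esp= line, otherwise Phase 1 / Phase 2 simply fails.
conn audited-tunnel
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    authby=secret
    pfs=yes
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    auto=start
```

The practical caveat is the one Paul's reply implies: pinning buys you a shorter list for the auditor to read, not a stronger tunnel, and it introduces a new failure mode (a peer whose proposal list does not overlap yours will no longer connect). Keep `pfs=yes` in both variants; dropping PFS is the change that would actually weaken the policy.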

