Network hardening using sysctl #856
Conversation
gngram
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
| https://linux-audit.com/linux-security-guide-for-hardening-ipv6/ | ||
| ''; | ||
| type = lib.types.bool; | ||
| default = true; |
There was a problem hiding this comment.
Should this be default to true? We have now almost 50% ipv6 deployment world-wide: https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption
So one cannot say that ipv6 is not used. Especially in VPN it has the advantage that hosts never have to be renumbered again as they are too many collisions between private ipv4 addresses spaces i.e. when merging company networks.
There was a problem hiding this comment.
OK, I set default to false. In Ghaf by default IPv6 is disabled.
https://github.com/tiiuae/ghaf/blob/main/modules/microvm/virtualization/microvm/common/vm-networking.nix#L24C23-L24C24
There was a problem hiding this comment.
If we enable IPv6 we should include hardening settings as well. I agree we should support IPv6, but enabling it indiscriminately in all VMs and interfaces may not be the best strategy with our current setup, and afaik enabling it for specific interfaces is still possible with these settings
There was a problem hiding this comment.
I have included some IPv6 configs in the updated PR which falls in some of current categories. There are more recommendations for IPv6 hardening, I will include them later after discussion.
| default = true; | ||
| }; | ||
|
|
||
| enable-rp-filter = lib.mkOption { |
There was a problem hiding this comment.
Doesn't linux has enabled this by default anyway? If someone ever disable this, they are most likely doing so intentionally i.e. they want to do BGP routing. Having this option just makes things more complex.
There was a problem hiding this comment.
It is not enabled by default in Linux. Since it is recommended to enable rp_filter in many Linux security audits, so I thought to include it. Now it defaults to false.
There was a problem hiding this comment.
Seems this flag is not used? Also, NixOS seems to set it to 2 (loose mode), whereas this option sets it to 1 (strict mode). Not entirely sure about the implications within Ghaf, especially internal network, can you elaborate if strict mode makes sense as a default or not?
There was a problem hiding this comment.
I studied around this. As far as what I understood, loose mode(default) is fine for VMs which are communicating through internal network. Strict mode should be beneficial in net-vm specially if some one tries to spoof an VM address. In strict mode these packets will be dropped while in loose mode these may be accepted as there is always a valid route for these.
| default = true; | ||
| }; | ||
|
|
||
| disable-ping-request = lib.mkOption { |
There was a problem hiding this comment.
This breaks ipv6. It's also a problem for debugging cases where the MTU is too high.
There was a problem hiding this comment.
This also defaults to false now.
gngram
force-pushed
the
pr__sysctl__network
branch
from
7f10c3c to
aba64ea
Compare
gngram
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
gngram
force-pushed
the
pr__sysctl__network
branch
from
aba64ea to
5ee28d4
Compare
gngram
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
gngram
force-pushed
the
pr__sysctl__network
branch
from
5ee28d4 to
a70f0fe
Compare
gngram
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
gngram
force-pushed
the
pr__sysctl__network
branch
from
a70f0fe to
13dac01
Compare
gngram
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
| { | ||
| ## Options to enable IP security | ||
| options.ghaf.security.sysctl.network = { | ||
| disable-all = lib.mkOption { |
There was a problem hiding this comment.
Why not the typical enable flag that defaults to true?
gngram
force-pushed
the
pr__sysctl__network
branch
from
13dac01 to
8cd2099
Compare
gngram
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
| ... | ||
| }: | ||
| let | ||
| cfg = config.ghaf.security.sysctl.network; |
There was a problem hiding this comment.
Can add
inherit (lib) mkOption mkForce mkDefault mkIf types;
For better readability.
gngram
force-pushed
the
pr__sysctl__network
branch
from
8cd2099 to
a09ae92
Compare
gngram
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
Signed-off-by: Ganga Ram <[email protected]>
gngram
force-pushed
the
pr__sysctl__network
branch
from
a09ae92 to
7f1ff93
Compare
gngram
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
Description of changes
sysctl configuration for network hardening.
Uses configuration recommended in different security audits.
Configuration and it's recommendation is available in this document:
Recommended sysctl settings
Sysctl network setting audit report available:
https://github.com/gangaram-tii/ghaf-debug-tools/blob/main/report/hardened_network_audit_report.md
Network Performance impact:
https://github.com/gangaram-tii/ghaf-debug-tools/blob/main/report/perf-iperf3.png
Note:
ghaf+label is with sysctl hardened network settings.Checklist for things done
x86_64aarch64riscv64make-checksand it passesnixos-rebuild ... switchInstructions for Testing