RON Remote Monitoring Nodes

Placement

RON nodes need to send and receive TCP, UDP, and ICMP packets. For this reason, and to reduce the administrative hassle of granting access to internal networks, we suggest that RON nodes be placed outside of your firewall, or in a demilitarized zone (DMZ). We won't be sniffing packets on your network. For RON nodes (as opposed to existing machines to which we've been given access), we will work to make the machine as secure as we can by turning off all services except sshd and our software.

If you're unsure if a particular machine will be suitable for use by RON, please don't hesitate to ask us.

Configuring for RON access

If you're granting the RON project access to an existing FreeBSD machine on your network, here are the steps you'll need to take:
  1. Create an account named ron. Give the account a disabled password (* in the master.passwd file). For instance, our RON entry locally looks like:
    ron:*:27501:27501::0:0:Resilient Overlay Networks account:/export/home/ron:/bin/tcsh
    
    Be sure to create a home directory for the RON account, and set up its permissions properly: chmod 711 /ron/home/dir
  2. Assign the account a temporary password, and contact us via email (ron-sites@nms.lcs.mit.edu) or telephone (+1.617.452.2821) to tell us the temporary password, OR
  3. Place the RON ssh key in /ron/home/dir/.ssh/authorized_keys and then chmod 644 /ron/home/dir/.ssh/authorized_keys

    The easiest way to do this is to cd to the RON .ssh directory and then issue this series of commands:

    fetch http://nms.lcs.mit.edu/projects/ron/sites/ron.key.pub
    mv ron.key.pub authorized_keys
    chmod 644 authorized_keys
    
  4. Place the RON account in group wheel (0) by editing /etc/group.
  5. Contact us by telephone ( +1.617.452.2821 ) to tell us the root password on your machine, or give the RON account access to root via 'sudo'. Note that if you grant RON access to sudo, you will need to give the account a real password, and contact us to let us know what it is.
  6. Recompile your kernel (if necessary) with three kernel options:
                options IPDIVERT
                options IPFIREWALL
                options IPFIREWALL_DEFAULT_TO_ACCEPT
            
    If you already have a firewall configured on this machine, you may not need to change these rules, and you will not want to enable the "default to accept" option. Feel free to contact us with specific configuration questions. If your kernel does not have the bpf device installed, you'll need to configure at least one of them. Current FreeBSD kernels ship with bpf enabled, but on older machines, you may need to add:
              pseudo-device bpf 4
    
    to your kernel configuration. In older kernels, the bpf device was called bpfilter; check /usr/src/sys/i386/conf/LINT to see which directive is appropriate for your system.
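A host-side check for the account steps above (1, 3 and 4), added here as an example and not something shipped by the RON project: it takes the master.passwd file, the group file and the ron home directory as arguments, so it can be run against copies, and assumes GNU or BSD stat(1).

```sh
# Added example, not part of the RON project's own tooling: a read-only
# check that a host has been prepared as described in steps 1, 3 and 4.
# Paths are passed in as arguments; the account name 'ron' is the one
# the page asks for.

# Print the octal permission bits of a path (GNU stat first, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_passwd_entry FILE USER
#   USER must exist in the master.passwd-style FILE with a disabled ('*')
#   password field, as in the sample entry above.
check_passwd_entry() {
    entry=$(grep "^$2:" "$1") || { echo "no account '$2' in $1"; return 1; }
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    [ "$pw" = '*' ] || { echo "account '$2' does not have a disabled password"; return 1; }
}

# check_wheel_member FILE USER
#   USER must be listed in the member field of the wheel group in FILE.
check_wheel_member() {
    members=$(grep '^wheel:' "$1" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$2" \
        || { echo "'$2' is not in group wheel"; return 1; }
}

# check_ron_home HOMEDIR
#   Home directory must be mode 711, and HOMEDIR/.ssh/authorized_keys must
#   exist, be non-empty (the fetched ron.key.pub) and be mode 644.
check_ron_home() {
    [ "$(mode_of "$1")" = 711 ] || { echo "$1 is not mode 711"; return 1; }
    ak="$1/.ssh/authorized_keys"
    [ -s "$ak" ] || { echo "$ak is missing or empty"; return 1; }
    [ "$(mode_of "$ak")" = 644 ] || { echo "$ak is not mode 644"; return 1; }
}

# check_ron_host PASSWD_FILE GROUP_FILE HOMEDIR
#   Run every check and report all misses; non-zero if any step was skipped.
check_ron_host() {
    rc=0
    check_passwd_entry "$1" ron || rc=1
    check_wheel_member "$2" ron || rc=1
    check_ron_home "$3" || rc=1
    return $rc
}
```

Run it as `check_ron_host /etc/master.passwd /etc/group /ron/home/dir` on the prepared machine; each failed step prints one line saying what is wrong.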

Why does RON need root access?

RON provides transparent encapsulation of ordinary IP traffic by using the divert sockets found in the FreeBSD firewalling code, in a manner similar to how a VPN or the FreeBSD NAT daemon works. In order to obtain the traffic it encapsulates, RON must run as root to bind a divert socket, and to open a raw IP socket on which to re-inject its packets into the ordinary datastream.

Several utilities RON uses, such as fping and tcping, must also run as root, because they also use raw sockets or BPF devices.

We have taken as many steps as possible to ensure that all programs that run as root shed their privileges as soon as possible after opening their raw network sockets.


Dave Andersen
Last modified: Tue Apr 3 18:02:36 EDT 2001