320 - ClassicCMP


Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH
Charles T. Moetului
WRQ, Inc.
(206) 217-7048
[email protected]
What is VPN?
A Virtual Private Network, or VPN, is a private connection between two machines or networks over a shared or public network. Privacy and security over the public network are maintained through the use of a tunneling protocol.
The alternatives?
Leased Lines
Secure Dialup
[Diagram: Leased Lines, Corporate HQ connected by leased lines to four remote offices]
[Diagram: Secure Dialup, remote users and home offices dial into a modem pool and RAS server attached to the LAN]
Why VPN?
Pros:
• Implementation costs
• Utilizes the Internet's infrastructure
• Administrative costs
Cons:
• Lack of interoperability
• Variable performance
[Diagram: VPN, Corporate HQ, remote offices, a home office and a remote user all connected to each other through the Internet]
Tunneling
Tunneling is the process of encapsulating network packets within other network packets before sending them over a network.
[Diagram: VPN Tunnel, PC to Server: a PC with a VPN client tunnels across the Internet to a VPN server attached to the LAN]
[Diagram: VPN Tunnel, Gateway to Gateway: two VPN servers, each fronting a remote office, tunnel to each other across the Internet]
Tunneling protocols
PPTP
L2TP
IPsec
SSH
SSL/TLS
PPTP
Point-to-Point Tunneling Protocol was developed to tunnel through a PPP connection (RFC 2637).
PPTP Control Packet: Data Link Header | IP Header | TCP | PPTP Control Message | Data Link Trailer
PPTP Data Packet: Data Link Header | IP Header | GRE Header | PPP Header | Encrypted Payload | Data Link Trailer
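The PPTP Data Packet layering above (IP header, GRE header, PPP header, payload) as an added Python example, not code from the talk: it builds a packet with the enhanced GRE header defined in RFC 2637 and walks the layers back out, which is the check a network monitor performs to recognise PPTP tunnel traffic (IP protocol 47 carrying GRE protocol type 0x880B) rather than ordinary GRE. The addresses, call ID and payload bytes are constructed sample values, and the IP checksum is left at zero.

```python
import ipaddress
import struct
IPPROTO_GRE = 47          # IP protocol number that carries a GRE header
GRE_PROTO_PPP = 0x880B    # GRE protocol type for PPP carried by PPTP (RFC 2637)

def build_ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       IPPROTO_GRE, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_pptp_gre_header(call_id, payload_len, seq=None, ack=None):
    """Enhanced GRE header (RFC 2637): K=1, Ver=1, S/A bits set when seq/ack given."""
    flags = 0x20 | (0x10 if seq is not None else 0)   # K bit, S bit
    ver = 0x01 | (0x80 if ack is not None else 0)     # Ver=1, A bit
    hdr = struct.pack("!BBHHH", flags, ver, GRE_PROTO_PPP, payload_len, call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr

def build_pptp_data_packet(src, dst, call_id, ppp_frame, seq=None, ack=None):
    """IP header + GRE header + PPP frame: the PPTP Data Packet layering."""
    gre = build_pptp_gre_header(call_id, len(ppp_frame), seq, ack) + ppp_frame
    return build_ipv4_header(src, dst, len(gre)) + gre

def parse_pptp_data_packet(packet):
    """Peel the layers back; return None if this is not a PPTP data packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        return None                       # not GRE at all (e.g. plain TCP)
    gre = packet[ihl:]
    flags, ver, ptype, plen, call_id = struct.unpack("!BBHHH", gre[:8])
    if (ver & 0x07) != 1 or ptype != GRE_PROTO_PPP or not flags & 0x20:
        return None                       # GRE, but not the RFC 2637 enhanced form
    off, seq, ack = 8, None, None
    if flags & 0x10:                      # S bit: sequence number present
        seq, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if ver & 0x80:                        # A bit: acknowledgement number present
        ack, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    ppp = gre[off:off + plen]
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "call_id": call_id, "seq": seq, "ack": ack,
            "ppp_protocol": struct.unpack("!H", ppp[:2])[0], "payload": ppp[2:]}
# Constructed sample: PPP frame with protocol 0x0021 (IP) and placeholder bytes
SAMPLE_PPP = b"\x00\x21" + b"\xaa\xbb\xcc\xdd"
SAMPLE_PACKET = build_pptp_data_packet("192.0.2.10", "198.51.100.1", 0x1234,
                                       SAMPLE_PPP, seq=7, ack=3)
```

Feeding captured IPv4 packets through parse_pptp_data_packet and recording every non-None result is enough to inventory which hosts still carry PPTP tunnels.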
L2TP
Layer 2 Tunneling Protocol combines the best of L2F (Layer 2 Forwarding) with the best of the PPTP protocol and also tunnels through a PPP connection (RFC 2661).
L2TP Control Packet: Data Link Header | IP Header | IPsec ESP Header | UDP Header | L2TP Control Message | IPsec ESP Trailer | IPsec ESP Auth Trailer | Data Link Trailer
L2TP Data Packet: Data Link Header | IP Header | IPsec ESP Header | UDP Header | L2TP Header | PPP Header | Payload | IPsec ESP Trailer | IPsec ESP Auth Trailer | Data Link Trailer
(Encrypted: the fields enclosed by the IPsec ESP Header and the IPsec ESP Trailer)
IPsec
Internet Protocol Security is an Internet Standard protocol used for securing data across the Internet (RFC 2401). In a VPN environment IPsec can be used as a complete protocol solution or as the encryption tool within another VPN protocol such as L2TP.
VPN via IPsec (between VPN Client and VPN Server)
1. Use IKE to negotiate the Phase 1 SA.
2. Negotiate the Phase 2 SA (inbound and outbound SA).
3. Encrypt outgoing packets with the outbound SA; decrypt incoming packets using the inbound SA and send them to the application (both sides do this).
SSH
Secure Shell provides a single secure session between two computers over a shared network. The session requires server software on a host and client software on a connecting client.
Secure Shell Basics (between Secure Shell Client and Secure Shell Server)
1. Establish secure tunnel
2. Authenticate server
3. Authenticate client
4. Encrypted session
5. Arbitrary TCP port forwarding (between the OS TCP stacks on either side)
[Diagram: SSH Tunnel, PC with SSH client across the Internet to a host with SSH daemon]
Comparing VPNs
• PPTP and L2TP
– Use control packets to build and tear down the VPN tunnel
– Use data packets to send the data through the tunnel
• IPsec
– Negotiates Security Associations (SAs)
– Uses the outbound SA to encrypt and send packets
– Uses the inbound SA to decrypt incoming packets
Comparing VPN and SSH
• PPTP, L2TP and IPsec
– Connect PCs to a company's network
– Connect a company's remote networks to each other
• SSH
– Connects a PC directly to a host running SSH
– Other service ports can be configured to be forwarded through the SSH tunnel
Implementing VPNs
• Enterprise Service Providers (ESP)
– provide Network Access Servers (NAS)
– provide VPN clients for individual PCs
– maintain the network infrastructure
• Hardware-only providers
– provide VPN servers with built-in VPN software
– may or may not maintain network infrastructure
• Hardware and software providers
– provide VPN servers
– provide VPN client and VPN server software
– may or may not maintain network infrastructure
• Software-only providers
– provide VPN software to run on existing hardware
– do not maintain network infrastructure
Questions?