Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)

What is VPN? A Virtual Private Network, or VPN, is a private connection between two machines or networks over a shared or public network. Privacy and security over the public network is maintained through the use of a tunneling protocol.

The alternatives? Leased Lines Secure Dialup

Corporate HQ Remote office Leased Lines Remote office

RAS Server To LAN Modem pool Home office Remote user Home office RAS Server Remote Office To LAN Secure Dialup

Why VPN? Pros: Utilizes the Internet’s infrastructure Implementation Costs Cons : Administrative costs Lack of interoperability Variable performance

Corporate HQ Remote office Home office Remote user VPN Internet

Tunneling Tunneling is the process of encapsulating network packets within other network packets before sending them over a network

PC to Server Gateway to Gateway PC with VPN Client VPN Server Internet VPN Server Internet To Remote office To LAN VPN Tunnel

Tunneling protocols PPTP L2TP IPsec SSL/TLS SSH

PPTP Point to Point Tunneling Protocol was developed to tunnel through a PPP connection (RFC 2637)

PPTP Control PacketPPTP Data Packet Data Link Header IP TCP PPTP Control Message Data Link Trailer Data Link Header IP Header GRE Header PPP Header Encrypted Payload Data Link Trailer Encrypted

L2TP Layer 2 Tunneling Protocol combines the best of L2F (Layer 2 Forwarding) with the best of PPTP protocol and also tunnels through a PPP connection (RFC 2661)

L2TP Data PacketL2TP Control Packet Data Link Header IP Header IPSec ESP Header UDP Header L2TP Control Message IPSec ESP Trailer IPSec ESP Auth Trailer Data Link Trailer Data Link Header IP Header IPSec ESP Header UDP Header L2TP Header PPP Header Payload IPSec ESP Trailer IPSec ESP Auth Trailer Data Link Trailer Encrypted

IPsec Internet Protocol Security is an Internet Standard protocol used for securing data across the Internet (RFC 2401) In a VPN environment IPsec can be used as a complete protocol solution or as the encryption tool within another VPN protocol such as L2TP

VPN via IPsec VPN Client Decrypt packets using inbound SA and send to application 3. Encrypt packets with outbound SA 1. Use IKE to negotiate 2. Negotiate Phase 2 SA (inbound & outbound SA) Phase 1 SA VPN Server Decrypt packets using inbound SA and send to application Encrypt packets using outbound SA

SSH Secure Shell provides a single secure session between two computers over a shared network. The session requires server software on a host and client software on a connecting client

Secure Shell Basics Secure Shell Client Secure Shell Server 1.Establish secure tunnel 2. Authenticate server 4. Encrypted session 3. Authenticate client OS TCP Stack OS TCP Stack 5. Arbitrary TCP port forwarding 5. Arbitrary TCP port forwarding

SSH PC with SSH Client Host with SSH daemon Internet SSH Tunnel

Comparing VPNs PPTP and L2TP –Uses control packets to build and tear down VPN tunnel –Uses data packets to send the data through the tunnel IPSec –Negotiates Security Associations (SAs) –Uses outbound SA to encrypt and send packets. –Uses inbound SA to decrypt incoming packets.

Comparing VPN and SSH PPTP, L2TP and IPSec –Connects PCs to a companies’ network –Connects companies remote networks to each other SSH –Connects a PC directly to a Host running SSH –Can configure other service ports to be forwarded through the SSH tunnel

Implementing VPNs Enterprise Service Providers (ESP) –provides Network Access Servers (NAS) –provides VPN clients for individual PC’s –maintains the network infrastructure Hardware only Providers –provides VPN Servers with built in VPN software –may or may not maintain network infrastructure

Implementing VPNs Hardware and software providers –provides VPN Servers –provides VPN client and VPN server software –may or may not maintain network infrastructure Software only providers –provides VPN software to run on existing hardware –does not maintain network infrastructure

Questions?