Published by Aubrey Pownall. Modified over 9 years ago.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH
Charles T. Moetului, WRQ, Inc.
(206) 217-7048, charlesm@wrq.com
What is VPN?
A Virtual Private Network (VPN) is a private connection between two machines, or two networks, carried over a shared or public network. Privacy over the public network is maintained by a tunneling protocol together with encryption and authentication of the tunneled traffic; the tunnel alone only hides the inner addressing, not the data.
The alternatives?
– Leased lines
– Secure dialup
[Diagram: leased lines connecting Corporate HQ to each remote office]
[Diagram: secure dialup. Corporate HQ and a remote office each place a RAS server with a modem pool in front of their LAN; home offices and remote users dial in to them]
Why VPN?
Pros:
– Uses the Internet's existing infrastructure
– Lower implementation cost than leased lines or modem pools
Cons:
– Administrative cost
– Lack of interoperability between vendors' implementations
– Variable performance, since the path is the public Internet
[Diagram: a VPN over the Internet connecting Corporate HQ, a remote office, a home office and a remote user]
Tunneling
Tunneling is the process of encapsulating network packets inside other network packets before sending them across a network. The intermediate network routes only the outer packet; the inner packet, including its addressing, is carried as opaque payload and is unwrapped at the far end of the tunnel.
[Diagram: two tunnel topologies. PC to server: a PC with a VPN client builds a VPN tunnel over the Internet to a VPN server in front of the corporate LAN. Gateway to gateway: a VPN server at each site builds a tunnel over the Internet to the remote office]
Tunneling protocols
– PPTP
– L2TP
– IPsec
– SSL/TLS
– SSH
PPTP
Point-to-Point Tunneling Protocol was developed to carry PPP connections through an IP network, so a dial-up style PPP session can be extended across the Internet (RFC 2637). PPTP itself defines no encryption or authentication; it relies on the PPP layer for both, and the combination usually deployed (MS-CHAP for authentication, MPPE for encryption) has since been broken in practice, so PPTP should no longer be relied on for confidential traffic.
PPTP control packet (TCP port 1723):
Data link header | IP header | TCP header | PPTP control message | Data link trailer
PPTP data packet (GRE, IP protocol 47):
Data link header | IP header | GRE header | PPP header | Encrypted payload | Data link trailer
Only the PPP payload is encrypted (by the PPP layer, MPPE in Microsoft's implementation). The IP, GRE and PPP headers, and the entire control connection, travel in the clear.
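The data packet above, built and taken apart in code. This is an added example, not code from the presentation or from WRQ: it constructs a plaintext PPP frame and documentation-range addresses, leaves out the data-link framing and the MPPE encryption a real deployment applies to the PPP payload, and follows the enhanced GRE field layout of RFC 2637 (key field carrying payload length and call ID, mandatory sequence number, optional acknowledgment number). The receiver side checks what a tunnel endpoint has to check before trusting the inner frame.

```python
"""PPTP data packet from the slide, built and parsed: IP header / enhanced GRE header
(RFC 2637) / PPP frame. Added example, not from the original presentation; the
addresses, call ID and PPP frame are constructed, and the data-link header/trailer
and MPPE encryption of the PPP payload are left out."""
import socket
import struct

IPPROTO_GRE = 47        # outer IP protocol number for GRE
GRE_PROTO_PPP = 0x880B  # RFC 2637 protocol type: PPP carried in GRE
GRE_FLAG_K = 0x2000     # key field present (payload length + call ID); always set by PPTP
GRE_FLAG_S = 0x1000     # sequence number present; always set by PPTP
GRE_FLAG_A = 0x0080     # acknowledgment number present
GRE_VERSION = 0x0001    # "enhanced GRE" version used by PPTP

# Constructed PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IPv4), then the
# inner packet bytes. In a live PPTP session this would be the MPPE ciphertext instead.
PPP_FRAME = b"\xff\x03" + struct.pack("!H", 0x0021) + b"<inner IP datagram>"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791); 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_pptp_gre(call_id: int, seq: int, ppp_frame: bytes, ack=None) -> bytes:
    """Enhanced GRE header (RFC 2637 section 4): flags/version, protocol type,
    payload length, call ID, sequence number, optional acknowledgment number."""
    flags = GRE_FLAG_K | GRE_FLAG_S | GRE_VERSION | (GRE_FLAG_A if ack is not None else 0)
    hdr = struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


def encapsulate_pptp_data(src, dst, call_id, seq, ppp_frame, ack=None) -> bytes:
    """The data packet as it leaves the tunnel endpoint (data-link framing excluded)."""
    return build_ipv4(src, dst, IPPROTO_GRE, build_pptp_gre(call_id, seq, ppp_frame, ack))


def decapsulate_pptp_data(packet: bytes) -> dict:
    """Strip the IP and GRE layers, checking what a receiving endpoint must check."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    if ip_hdr[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    gre = packet[ihl:total_len]
    if len(gre) < 12:
        raise ValueError("truncated GRE header")
    flags, ptype, plen, call_id, seq = struct.unpack("!HHHHI", gre[:12])
    if (flags & 0x0007) != GRE_VERSION or not flags & GRE_FLAG_K or not flags & GRE_FLAG_S:
        raise ValueError("not an RFC 2637 enhanced GRE header")
    if ptype != GRE_PROTO_PPP:
        raise ValueError("GRE payload is not PPP")
    off, ack = 12, None
    if flags & GRE_FLAG_A:
        ack, off = struct.unpack("!I", gre[12:16])[0], 16
    ppp = gre[off:off + plen]
    if len(ppp) != plen:
        raise ValueError("truncated PPP payload")
    return {"src": socket.inet_ntoa(ip_hdr[12:16]), "dst": socket.inet_ntoa(ip_hdr[16:20]),
            "call_id": call_id, "seq": seq, "ack": ack, "ppp": ppp}
```

encapsulate_pptp_data returns 20 bytes of IP, 12 or 16 bytes of GRE and the PPP frame; decapsulate_pptp_data refuses a packet whose IP checksum, version bits, key/sequence flags, protocol type or payload length do not match, which is the whole of the integrity checking PPTP's data channel offers without the PPP-layer encryption.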
L2TP
Layer 2 Tunneling Protocol combines the best of L2F (Layer 2 Forwarding) with the best of PPTP and likewise carries PPP frames through the tunnel (RFC 2661). L2TP itself provides no encryption; in the packet layout that follows, confidentiality and integrity come from IPsec ESP, the combination specified as L2TP/IPsec in RFC 3193.
L2TP control packet (L2TP over UDP port 1701, protected by IPsec ESP in transport mode):
Data link header | IP header | IPsec ESP header | UDP header | L2TP control message | IPsec ESP trailer | IPsec ESP auth trailer | Data link trailer
L2TP data packet:
Data link header | IP header | IPsec ESP header | UDP header | L2TP header | PPP header | Payload | IPsec ESP trailer | IPsec ESP auth trailer | Data link trailer
Everything from the UDP header through the ESP trailer is encrypted, and the ESP auth trailer (the integrity check value) covers the ESP header plus that encrypted span; unlike PPTP, the control channel is protected too.
IPsec
Internet Protocol Security is an Internet standard for securing IP traffic across untrusted networks (RFC 2401, since superseded by RFC 4301). In a VPN, IPsec can be used as a complete solution on its own (ESP in tunnel mode between the two endpoints) or as the encryption layer beneath another VPN protocol such as L2TP.
VPN via IPsec
1. The VPN client and VPN server use IKE (Internet Key Exchange) to negotiate the Phase 1 SA: the IKE SA, which authenticates the two peers and protects the rest of the negotiation.
2. Under its protection they negotiate the Phase 2 SAs: an inbound and an outbound IPsec SA on each side, each identified by an SPI and carrying the keys and algorithms to use.
3. Each side encrypts outgoing packets using its outbound SA.
4. Each side decrypts incoming packets using its inbound SA and hands the result to the application.
The client's outbound SA is the server's inbound SA, and vice versa.
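The steps above as an added example, not the presentation's code: the client's outbound SA protects a packet in ESP format and the server's inbound SA with the same SPI verifies, replay-checks and unprotects it. IKE is not modeled; the SPI and keys are fixed constants standing in for the Phase 2 result, and because the standard library has no AES the "cipher" is an HMAC-SHA256 keystream that is only a placeholder for AES-CBC or AES-GCM. What the code shows beyond the slide is the order of checks on the inbound side: the sequence number is screened against the anti-replay window before the ICV is verified, and the window is advanced only after the ICV passes, so a forged packet can neither be replayed nor poison the window.

```python
"""The slide's SA model worked through: the outbound SA applies ESP framing (RFC 4303),
and the peer's inbound SA with the same SPI checks the ICV, enforces the anti-replay
window and recovers the payload. Added example, not the presentation's code. SPI and
keys are constructed constants standing in for what IKE Phase 2 would negotiate, and the
"cipher" is an HMAC-SHA256 counter-mode keystream so this runs on the standard library
alone; a real SA would use AES-CBC or AES-GCM here."""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")  # SPI, sequence number
ICV_LEN = 16                    # HMAC-SHA-256-128 (RFC 4868) truncation
REPLAY_WINDOW = 64              # how far below the highest accepted seq we still accept
NEXT_HEADER_IPIP = 4            # tunnel mode: the protected payload is a whole IP packet


class SecurityAssociation:
    """One direction of traffic: the sender uses it as an outbound SA, the receiver
    holds an identical copy as its inbound SA."""

    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0      # outbound: last sequence number sent
        self.highest = 0  # inbound: highest sequence number accepted
        self.window = 0   # inbound: bit d set => (highest - d) already accepted

    def _keystream(self, seq, n):
        # Stand-in for a real cipher: concatenated HMAC-SHA256(enc_key, seq || counter).
        blocks = (hmac.new(self.enc_key, struct.pack("!IQ", seq, i), hashlib.sha256).digest()
                  for i in range(n // 32 + 1))
        return b"".join(blocks)[:n]

    def protect(self, plaintext, next_header=NEXT_HEADER_IPIP):
        """Outbound SA: ESP header | enc(payload | padding | pad len | next header) | ICV."""
        self.seq += 1
        pad_len = (-(len(plaintext) + 2)) % 4  # pad so the trailer ends on a 4-byte boundary
        body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        ct = bytes(a ^ b for a, b in zip(body, self._keystream(self.seq, len(body))))
        hdr = ESP_HDR.pack(self.spi, self.seq)
        icv = hmac.new(self.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
        return hdr + ct + icv

    def _replay_ok(self, seq):
        """Preliminary window check, done before the ICV so replays cost no crypto."""
        if seq == 0:
            return False
        if seq > self.highest:
            return True
        diff = self.highest - seq
        return diff < REPLAY_WINDOW and not (self.window >> diff) & 1

    def _replay_update(self, seq):
        """Advance the window; called only after the ICV verified, so forgeries cannot move it."""
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << REPLAY_WINDOW) - 1
            self.window = ((self.window << shift) | 1) & mask if shift < REPLAY_WINDOW else 1
            self.highest = seq
        else:
            self.window |= 1 << (self.highest - seq)

    def unprotect(self, packet):
        """Inbound SA: returns (payload, next_header) or raises ValueError."""
        if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
            raise ValueError("ESP packet too short")
        hdr, ct, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = ESP_HDR.unpack(hdr)
        if spi != self.spi:
            raise ValueError("SPI does not belong to this SA")
        if not self._replay_ok(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        expected = hmac.new(self.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: modified in transit or wrong key")
        self._replay_update(seq)
        body = bytes(a ^ b for a, b in zip(ct, self._keystream(seq, len(ct))))
        pad_len, next_header = body[-2], body[-1]
        return body[:len(body) - 2 - pad_len], next_header


def sa_lookup(sad, packet):
    """Receiver's SA database lookup by the SPI carried in the ESP header."""
    spi = ESP_HDR.unpack(packet[:8])[0]
    if spi not in sad:
        raise ValueError("no inbound SA for SPI 0x%08x" % spi)
    return sad[spi]


# Constructed SPI and keys for the client->server direction (IKE would derive real ones).
SPI_CLIENT_TO_SERVER = 0x0C0FFEE0
ENC_KEY = hashlib.sha256(b"example enc key").digest()
AUTH_KEY = hashlib.sha256(b"example auth key").digest()


def client_server_pair():
    """The client's outbound SA and the server's matching inbound SA for one direction."""
    return (SecurityAssociation(SPI_CLIENT_TO_SERVER, ENC_KEY, AUTH_KEY),
            SecurityAssociation(SPI_CLIENT_TO_SERVER, ENC_KEY, AUTH_KEY))
```

client_server_pair() gives one direction; a real tunnel has a second pair with its own SPI for server-to-client traffic. The receiver keeps its inbound SAs in a dictionary keyed by SPI (sa_lookup), which is how the IPsec stack finds the right keys for an arriving ESP packet before anything else is known about it.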
SSH
Secure Shell provides a single secure session between two computers over a shared network. It requires server software (the SSH daemon) on the host and client software on the connecting machine.
Secure Shell basics
1. The client and server establish the secure transport; the key exchange yields the session keys.
2. The client authenticates the server by its host key. This only defeats an impersonating server if the client already knows the key (known_hosts) rather than accepting whatever is offered on first connection.
3. The server authenticates the client (password or public key).
4. Everything after that runs inside the encrypted session.
5. Arbitrary TCP ports can be forwarded through the session. On each end the forwarded connection enters and leaves through the OS TCP stack like any other connection, so to the application the remote service looks like a local port.
[Diagram: a PC with an SSH client builds an SSH tunnel over the Internet to a host running the SSH daemon]
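Step 5 of the Secure Shell basics, arbitrary TCP port forwarding, modeled in-process as an added example (not the presentation's code, and not OpenSSH's). It plays the three roles a local forward (ssh -L) involves: the client's loopback listener, the SSH connection, and the sshd end that opens the TCP connection to the target. The SSH connection itself is a stand-in socketpair carrying a small channel-open exchange (a "host:port" request and a one-byte reply using the RFC 4254 reason codes) with no encryption modeled; the echo target, the ports and the PermitOpen-style allowlist are constructed for the example.

```python
"""Model of SSH local port forwarding (ssh -L) to show what 'arbitrary TCP port forwarding'
through the session means. Added example: not the presentation's code and not OpenSSH's.
The SSH connection is a stand-in (a socketpair carrying a length-prefixed "host:port" open
request and a one-byte reply; no encryption is modeled); the echo target, ports and the
PermitOpen-style allowlist are constructed for the example."""
import socket
import struct
import threading

OPEN_OK = b"\x00"              # stand-in for SSH_MSG_CHANNEL_OPEN_CONFIRMATION
OPEN_PROHIBITED = b"\x01"      # SSH_OPEN_ADMINISTRATIVELY_PROHIBITED (RFC 4254)
OPEN_CONNECT_FAILED = b"\x02"  # SSH_OPEN_CONNECT_FAILED (RFC 4254)


def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on as a write shutdown."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a, b):
    """Bidirectional copy; returns once both directions have hit EOF."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()
    a.close()
    b.close()


def _listen(handler):
    """Loopback listener running handler(conn) on a thread per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # loopback only, like OpenSSH's GatewayPorts default
    srv.listen(5)
    def loop():
        try:
            while True:
                threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
        except OSError:  # listener closed
            pass
    threading.Thread(target=loop, daemon=True).start()
    return srv


def sshd_side(channel, permit_open):
    """sshd's half of a direct-tcpip channel: read the target, apply the allowlist
    (what PermitOpen enforces), connect to the target, answer, then relay."""
    n = struct.unpack("!H", channel.recv(2, socket.MSG_WAITALL))[0]
    host, port = channel.recv(n, socket.MSG_WAITALL).decode().rsplit(":", 1)
    reply = OPEN_OK if (host, int(port)) in permit_open else OPEN_PROHIBITED
    if reply == OPEN_OK:
        try:
            target = socket.create_connection((host, int(port)), timeout=2)
        except OSError:
            reply = OPEN_CONNECT_FAILED
    channel.sendall(reply)
    if reply != OPEN_OK:
        return channel.close()
    _relay(channel, target)


def _client_side(local_conn, target, permit_open):
    """ssh -L handler for one accepted local connection: open a channel for it."""
    ours, theirs = socket.socketpair()  # stand-in for one channel of the SSH connection
    threading.Thread(target=sshd_side, args=(theirs, permit_open), daemon=True).start()
    req = ("%s:%d" % target).encode()
    ours.sendall(struct.pack("!H", len(req)) + req)
    if ours.recv(1, socket.MSG_WAITALL) != OPEN_OK:  # refused: the app sees a dropped connection
        ours.close()
        return local_conn.close()
    _relay(local_conn, ours)


def start_local_forward(target, permit_open):
    """Like `ssh -L <port>:host:port`; returns the listening socket (port via getsockname())."""
    return _listen(lambda conn: _client_side(conn, target, permit_open))


def start_echo_server():
    """Constructed target service: echoes whatever it receives."""
    return _listen(lambda conn: _pump(conn, conn))


def send_through(port, data, timeout=5):
    """Client application: talk to the forwarded local port; b"" if the forward was refused."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(data)
            s.shutdown(socket.SHUT_WR)
            return b"".join(iter(lambda: s.recv(4096), b""))
    except OSError:
        return b""
```

start_echo_server() and start_local_forward(target, permit_open) return listening sockets whose ports come from getsockname(); send_through(port, data) plays the application. With the target in permit_open the echo comes back through the forward. With an empty allowlist the sshd side answers SSH_OPEN_ADMINISTRATIVELY_PROHIBITED and the application's connection is simply dropped, which is what a user sees when an sshd's PermitOpen does not include their destination; the listener being bound to 127.0.0.1 is what keeps other machines on the LAN from riding the same tunnel.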
Comparing VPNs
PPTP and L2TP
– use control packets to build and tear down the VPN tunnel
– use data packets to send the data through the tunnel
IPsec
– negotiates Security Associations (SAs)
– uses the outbound SA to encrypt and send packets
– uses the inbound SA to decrypt incoming packets
Comparing VPN and SSH
PPTP, L2TP and IPsec
– connect PCs to a company's network
– connect a company's remote networks to each other
SSH
– connects a PC directly to a host running SSH
– can forward other services' ports through the SSH tunnel
Implementing VPNs
Enterprise service providers (ESP; not to be confused with IPsec ESP)
– provide network access servers (NAS)
– provide VPN clients for individual PCs
– maintain the network infrastructure
Hardware-only providers
– provide VPN servers with built-in VPN software
– may or may not maintain the network infrastructure
Implementing VPNs (continued)
Hardware and software providers
– provide VPN servers
– provide VPN client and VPN server software
– may or may not maintain the network infrastructure
Software-only providers
– provide VPN software to run on existing hardware
– do not maintain the network infrastructure
Questions?