What is Virtual Private Networking?

Status
Not open for further replies.

Phantasm66

Posts: 4,909   +8
I just found a great little article that fully and comprehensively explains this technology, and also goes a little into its Linux implementation, although this is by no means a Linux-only technology and has been used in Windows for some time.

Linux Based Virtual Private Networks

A VPN provides a private data network over public telecommunication infrastructures, such as the Internet. It provides both secure authentication and encryption. It creates a data tunnel between devices so that all data transmitted between the devices is secure, regardless of what programs the devices are running. There are three basic types of VPN solutions: telecommuter, router-to-router, and host-to-host. A tunnel is created between VPN hosts to ensure that all traffic between them is secure. The tunnel is created with a tunneling protocol. These protocols are responsible for encapsulating a data packet before a host transmits it.

After the data is encapsulated, it is sent over the Internet until it arrives at its destination. When it arrives, the capsule is removed and the destination host processes the data. IPSec is an Internet Engineering Task Force (IETF) security protocol that is becoming a standard component of VPN tunneling protocols. As the name suggests, it was designed for IP, and it has gained wide industry support. IPSec provides secure authentication and encryption over a network by securing all packets at Layer 3, the network layer, of the Open System Interconnection (OSI) model. Layer 3 security is significant because Layer 3 is responsible for IP addressing and routing over the Internet. Security at this layer ensures that everything on the network is secure.
IPSec is often used in conjunction with the Internet Key Exchange (IKE) protocol. IKE is a key management protocol standard that enhances IPSec by providing a simpler IPSec configuration, flexibility, and more features. IKE is not required to run IPSec, but it enhances the standard. Free Secure Wide Area Network (FreeS/WAN) is a Linux VPN implementation that uses IPSec and IKE. IPSec and IKE are used to provide secure authentication and encryption of data between two hosts at Layer 3 (the network layer) of the OSI model. FreeS/WAN creates a secure VPN tunnel between the hosts. It is the goal of S/WAN developers for all S/WAN implementations to interoperate, no matter what device they are installed on. The FreeS/WAN project goal is to provide freely available source code to promote IPSec and allow it to run on many different machines. It also avoids export restrictions. Last, you learned how to compile FreeS/WAN into a Linux kernel and discovered how to configure and test a host-to-host VPN. You captured the traffic transmitted in the VPN tunnel and realized that it would be useless to a hacker because it is encrypted. When the VPN tunnel is configured, all traffic between the two hosts is encrypted, regardless of the applications running between the hosts.

Telecommuter VPN Solution
Telecommuters can use VPNs to log in to their company network from home or from the road. Any location with Internet access can be used. The telecommuter must ensure that the laptop, desktop, or handheld system contains VPN client software and the address of the company's VPN server. The telecommuter then accesses the Internet through normal access methods, such as a dial-up, a Digital Subscriber Line (DSL), or a cable network connection. After access to the Internet is achieved, the telecommuter opens a VPN client to log on to the company VPN server; once logged on, the telecommuter has access to the company network. She receives the same user rights and privileges on the company network as if she were physically logged in at a company workstation. If the telecommuter has a fast Internet connection, she will be unable to tell the difference between physically working at the company location and working through the VPN.
After the VPN tunnel has been established, the telecommuter can run any application as if he were at a company workstation, provided he has the appropriate client. All of these applications will run over the tunnel, and the applications themselves are not required to be secure, because they are transmitted through the VPN tunnel. The VPN tunnel encrypts the data, so any captured data (regardless of the program that generated that data) will be useless. VPNs can also be used by corporate partners. For instance, the customer database could be available for a sales team at another company. The sales team could receive accounts on your network with access to the customer database only.

Router-to-Router VPN Solution
VPNs are a cost-effective way to create a wide area network (WAN) for connecting company satellite offices and corporate offices. In the past, a company leased expensive dedicated lines from phone companies to connect each location. VPNs allow companies to create a router-to-router VPN over the Internet instead. In order to implement a VPN, you must ensure that each gateway router to your network supports the VPN implementation you choose at each location. These routers are located on the edge of your network and are the end-to-end points for your VPN tunnel. They are responsible for encapsulating the traffic as it leaves the network and removing the capsule as it arrives, between your satellite and corporate offices. All router vendors offer VPN functionality. For instance, Cisco offers the Cisco 1600 series of routers that offer a VPN option. VPNs can connect your corporate networks for a fraction of the cost of leasing dedicated lines.

Host-to-Host VPN Solution
VPNs can also securely connect two hosts over the Internet or any unsecured network. Each host is the tunnel endpoint. The only difference is that a separate network does not exist on the other side of the hosts, so no gateway is required with IP forwarding enabled. If you can create a tunnel between two hosts, you can expand your knowledge in an enterprise environment to accommodate both telecommuter and router-to-router VPN solutions.

Tunneling Protocols
As mentioned previously, a "tunnel" is created between VPN hosts to ensure that all traffic between them is secure. The tunnel is created with a tunneling protocol. These protocols are responsible for encapsulating a data packet before a host transmits it. After the data is encapsulated, it is sent over the Internet until it arrives at its destination. When it arrives, the capsule is removed, and the data is processed by the destination host.

IP tunneling protocols are particularly powerful because they can transmit foreign protocols over the Internet. For instance, a Novell NetWare host can send an Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) packet over the Internet by encapsulating it in an IP packet, then transmitting it using Transmission Control Protocol/IP (TCP/IP). When it arrives at its destination, the IP packet is stripped off, and the IPX/SPX packet is processed.
The next generation protocol, IPv6, has a test bed called the 6bone (www.6bone.net). The 6bone is a virtual network that uses IPv6-over-IPv4 tunneling. The IPv6 networks, called islands, are connected over the Internet using IPv4 tunnels. The IPv6 packets are encapsulated by an IPv4 packet and sent over the Internet. When they arrive at the destination, the IPv4 packet is removed, and the IPv6 packet is processed on the IPv6 network.
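To make the encapsulate-then-strip cycle described above concrete, here is an added Python example (not code from the article, the 6bone, or FreeS/WAN) that wraps a constructed IPv6 packet in an outer IPv4 header with protocol number 41, the way the 6bone islands tunneled over IPv4, and validates that header before unwrapping. All addresses are constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32).

```python
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP: IPv4 carried inside IPv4
IPPROTO_IPV6 = 41  # IPv6 carried inside IPv4, as on the 6bone

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(inner: bytes, src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Wrap `inner` in a 20-byte outer IPv4 header addressed to the tunnel endpoints."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill in checksum
    return hdr + inner

def decapsulate(outer: bytes) -> tuple:
    """Validate the outer IPv4 header, strip it, and return (protocol, inner packet)."""
    if len(outer) < 20 or outer[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4  # header length in bytes (options allowed)
    total_len = struct.unpack("!H", outer[2:4])[0]
    if ihl < 20 or not (ihl <= total_len <= len(outer)):
        raise ValueError("inconsistent IPv4 lengths")
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return outer[9], outer[ihl:total_len]

def build_sample_ipv6(payload: bytes) -> bytes:
    """Constructed sample IPv6 packet (documentation prefix 2001:db8::/32, no next header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                       socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
                       socket.inet_pton(socket.AF_INET6, "2001:db8::2")) + payload

def tunnel_roundtrip(payload: bytes = b"hello from an IPv6 island") -> tuple:
    """Carry an IPv6 packet between two constructed IPv4 tunnel endpoints and unwrap it."""
    inner = build_sample_ipv6(payload)
    on_wire = encapsulate(inner, "192.0.2.1", "198.51.100.1", IPPROTO_IPV6)
    proto, recovered = decapsulate(on_wire)
    return proto, recovered == inner, len(on_wire)
```

This shows tunneling only: the inner packet crosses the Internet in the clear, which is exactly the gap the IPSec encryption and authentication described next is meant to close.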

Explaining the IP Security Architecture
IP has been a low-cost, efficient protocol for several decades. However, it has always suffered from security vulnerabilities that have required users and businesses to use other methods to ensure data confidentiality across the Internet. A new protocol, IP Security Architecture (IPSec), is designed to add authentication and encryption to IP when needed.
IPSec is an Internet Engineering Task Force (IETF) security protocol that is becoming a standard component of VPN tunneling protocols. As the name suggests, it was designed for IP, and IPSec has gained wide industry support. For instance, Cisco already supports IPSec in its routers and is one of the leading supporters for IPSec standardization. IPSec is currently a proposed standard (Request for Comments [RFC] 2401) within the IETF. The IPSec charter Web page is maintained by the IETF IPSec working group. The URL is www.ietf.org/html.charters/ipsec-charter.html. This site is ideal for monitoring the progress of IPSec and the numerous implementations for the IPSec standard. IPSec provides secure authentication and encryption over a network by securing all packets at Layer 3, the network layer, of the Open System Interconnection (OSI) reference model. Layer 3 security is significant because Layer 3 is responsible for IP addressing and routing over the Internet. Security at this layer ensures that everything on the network is secure. Layer 3 security is in contrast to methods that provide encryption and authentication only to higher-level protocols, such as SSH. Programs such as SSH for remote login, Secure Hypertext Transfer Protocol (SHTTP) and Secure Socket Layer (SSL) for Web applications, and Pretty Good Privacy (PGP) for e-mail secure data between two applications using Layer 4 mechanisms. This method works extremely well but is limited because only the data between the program's associated ports is encrypted. IPSec secures all data, regardless of the program running between the hosts.

Article by Cenobyte from http://www.linux-box.org & http://www.linuxexposed.com

source: http://linux.box.sk/newsread.php?newsid=630