Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Linux_VPN - Goecke
Document related concepts
Transcript
L19 Linux VPN Brian Dolan-Goecke Atlanta, Georgia IBM Corporation 2001 October 8-12, 2001 pSeries Technical Conference Brian Dolan-Goecke IBM Corporation 2001 pSeries Technical Conference Contact Email: [email protected] WebSite: www.Goecke-Dolan.com/Brian Phone: (612) 759-0967 IBM Corporation 2001 pSeries Technical Conference Linux VPN We will explain and build a basic Virtual Private Network (VPN) on Linux. We will begin this session looking at VPNs and how they work. Then investigate some of the solutions for building VPNs on Linux. Finally we will build a basic VPN across the Internet with Linux. A good understanding of TCP/IP and networking is preferred. IBM Corporation 2001 pSeries Technical Conference Session Objectives Issues to consider when building a VPN - How it works - What is needed - What technology to use Some Linux VPN options Build a basic VPN IBM Corporation 2001 pSeries Technical Conference VPN Definition Virtual Private Network A secure network connection across an insecure network. IBM Corporation 2001 pSeries Technical Conference VPN Definition Virtual Private Network (VPN) The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers. Link-level (layer 2 and 3) encryption provides extra protection by encrypting all of each datagram except the link-level information. This prevents a listener from obtaining information about network structure. While link-level encryption prevents traffic analysis (a form of attack), it must encrypt/decrypt on every hop and every path. Protocol-level encryption (layer 3 and 4) encryption encrypts protocol data but leaves protocol and link headers clear. While protocol-level encryption requires you to encrypt/decrypt data only once, and it encrypts/decrypts only those sessions that need it, headers are sent as clear text, allowing traffic analysis. Application (layer 5 up) encryption is based on a particular application and requires that the application be modified to incorporate encryption. Cisco. (1999-11-15) IBM Corporation 2001 pSeries Technical Conference VPN Explanation IBM Corporation 2001 pSeries Technical Conference Connection Type Typical Internet Connection Traditional Remote Corporate Connection VPN Remote Cooperate Connection Detailed VPN Connection IBM Corporation 2001 pSeries Technical Conference Internet Connection Remote Host Internet Corp Host IBM Corporation 2001 pSeries Technical Conference Traditional Connection Internet DMZ Firewa ll Corp Netw ork Remote Host Corp ora te Resourc es IBM Corporation 2001 pSeries Technical Conference VPN Connection Internet DMZ Firewa ll Corp Netw ork Remote Host Corp ora te Resourc es IBM Corporation 2001 pSeries Technical Conference VPN Connection Detail Internet ISP DMZ ISP Firewa ll Corp Netw ork Remote Host Corp ora te Resourc es IBM Corporation 2001 pSeries Technical Conference How Does It Work ? 1) A host encrypts and encapsulates network packets in network packets. 2) Packets are transmitted to a remote host, via an insecure network. 3) The remote host will de-encapsulate and decrypt the network packets. 4) The original network packets are then forwarded to the local network. IBM Corporation 2001 pSeries Technical Conference How VPN Works 1011110101 0100100010 0010100010 1101001011 Da ta 10.1.1.12 10.2.1.22 Enc ryp t 206.8.134.2 36.12.11.222 IBM Corporation 2001 Out Ac ross Internet pSeries Technical Conference Why Have a VPN Secure access to corporate resources Fast access Less expensive infrastructure Easier access to corporate resources One connection for Internet and corporate IBM Corporation 2001 pSeries Technical Conference Why Not to have a VPN Higher cost of administration Can make your site more visible Need to be more security proactive Large possible security risk Requires more powerful systems IBM Corporation 2001 pSeries Technical Conference What is Needed ? Host Computers Network Connections VPN Software IBM Corporation 2001 pSeries Technical Conference Linux VPN Options IBM Corporation 2001 pSeries Technical Conference Available Linux VPNs Low Cost (Free) Solutions GRE CIPE IPIP PPTP SSH port forwarding IPSec IBM Corporation 2001 pSeries Technical Conference Available Linux VPNs Non-Free Solutions AltVista Tunnel CheckPoint FireWall-1 IPSec Many More... IBM Corporation 2001 pSeries Technical Conference VPN We Will Investigate GRE CIPE IPSec PPTP IBM Corporation 2001 pSeries Technical Conference Linux GRE Developed by: Cisco Available from: Part of standard Linux Kernel tarball Resources: RFC 2401 (and more...) IBM Corporation 2001 pSeries Technical Conference Linux GRE Advantages Free Comes with Linux Kernel tarball Works with cisco routers Tried and tested Can work through Masq/NAT Works with IPv6 IBM Corporation 2001 pSeries Technical Conference Linux GRE Disadvantages No encryption IBM Corporation 2001 pSeries Technical Conference Linux CIPE Developed by: Olaf Titzl Available at: http://sites.inka.de/~bigred/devel/cipe.html Resources: http://sites.inka.de/~bigred/devel/cipe.html IBM Corporation 2001 pSeries Technical Conference Linux CIPE Advantages Built for VPN Can use blowfish or PKE encryption Works through/with SOCKS, NAT, Dynamic IP Free IBM Corporation 2001 pSeries Technical Conference Linux CIPE Disadvantages Uses udp (for good reason) Seems slow now and then Only works for IPv4 IBM Corporation 2001 pSeries Technical Conference Linux IPSec Developed by: FreeS/WAN (Linux Version) Available at: http://www.freeswan.org/download.html Resources: http://www.freeswan.org IBM Corporation 2001 pSeries Technical Conference IPSec Advantages Should work across platform/vendors/devices Will work with IPv6 IBM Corporation 2001 pSeries Technical Conference IPSec Disadvantages Difficult to implement Has problems with NAT/Masq Problems with authentication IBM Corporation 2001 pSeries Technical Conference Linux PPTP Developed by: Matthew Ramsay, Kevin Thayer, David Luyer, Patrick LoPresti, Philip Van Baren, Peter Galbavy and more Available at: http://poptop.lineo.com/download_pptp.html Resources: http://poptop.lineo.com/ IBM Corporation 2001 pSeries Technical Conference Linux PPTP Advantages Compatible with Microsoft Can be server or client IBM Corporation 2001 pSeries Technical Conference Linux PPTP Disadvantages Compatible with Microsoft Has some security holes IBM Corporation 2001 pSeries Technical Conference Build Linux VPN! IBM Corporation 2001 pSeries Technical Conference VPNs to Create GRE CIPE IBM Corporation 2001 pSeries Technical Conference Need Software IP and Network Address IPChains config Routing IBM Corporation 2001 pSeries Technical Conference Tools We Will Use ifconfig route ipchains IBM Corporation 2001 pSeries Technical Conference VPN Basics Define devices Create devices Connect devices Adjust routing/ipchains IBM Corporation 2001 pSeries Technical Conference GRE Steps Determine IP addresses & network Load module Configure GRE tunnel Setup routing Modify IPChains IBM Corporation 2001 pSeries Technical Conference CIPE Steps Determine IP addresses & network Download software Compile software Configure software Load module Start ciped daemon Set up routing Modify IPChains IBM Corporation 2001 pSeries Technical Conference CIPE Notes Can handle up to 99 devices Auto-creates devices Use "device ciped0" option in config file IBM Corporation 2001 pSeries Technical Conference CIPE Config File #/etc/cipe/options # Surprise, this file allows comments (but only on a line by themselves) debug=yes # This is probably the minimal set of options that has to be set # Without a "device" line, the device is picked dynamically device ciped # the peer's IP address ptpaddr 10.2.13.1 # our CIPE device's IP address ipaddr 192.168.13.1 # my UDP address. Note: if you set port 0 here, the system will pick # one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0. #me bigred.inka.de:6789 me 127.0.0.1:2048 # ...and the UDP address we connect to. Of course no wildcards here. #peer blackforest.inka.de:6543 peer 192.172.18.34:2048 # The static key. Keep this file secret! # The key is 128 bits in hexadecimal notation. key 3333fd20adf9c0ccf9eff2393bbb3e41 IBM Corporation 2001 pSeries Technical Conference Other Issue DNS Broadcast or Not Authentication IBM Corporation 2001 pSeries Technical Conference Resources Linux Docs -- www.linuxdoc.org - Linux Route2 HowTo - Linux Masquerade HowTo - Linux VPN HowTo - Linux Network Administrators Guide (NAG) Virtual Private Network Consortium -- www.vpnc.org FreeS/WAN IPSec -- www.freeswan.org IBM Corporation 2001 pSeries Technical Conference Books IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks By Naganand Doraswamy & Dan Harkins Prentice Hall, 1999 www.phptr.com Virtual Private Networks, 2nd Edition By Charlie Scott, Paul Wolfe & Mike Erwin 2nd Edition December 1998 www.ora.com IBM Corporation 2001 pSeries Technical Conference Version Info Brian Dolan-Goecke [email protected] http://www.goecke-dolan.com/Brian/Presentations Linux VPN Presentation Version 1.4 10/10/2001 IBM Corporation 2001 pSeries Technical Conference
