Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH
Charles T. Moetului, WRQ, Inc., (206) 217-7048
What is VPN?
A Virtual Private Network, or VPN, is a private connection between two machines or networks over a shared or public network. Privacy and security over the public network are maintained through the use of a tunneling protocol.
PPTP
Point-to-Point Tunneling Protocol was developed to carry a PPP connection through a tunnel (RFC 2637).
PPTP packet formats
PPTP control packet: Data Link Header | IP Header | TCP Header | PPTP Control Message | Data Link Trailer
PPTP data packet: Data Link Header | IP Header | GRE Header | PPP Header | Encrypted Payload | Data Link Trailer
Only the PPP payload of the data packet is encrypted; the data link, IP, GRE and PPP headers travel in the clear.
L2TP
Layer 2 Tunneling Protocol combines the best of L2F (Layer 2 Forwarding) with the best of PPTP, and also carries a PPP connection through a tunnel (RFC 2661).
L2TP packet formats
L2TP control packet: Data Link Header | IP Header | IPsec ESP Header | UDP Header | L2TP Control Message | IPsec ESP Trailer | IPsec ESP Auth Trailer | Data Link Trailer
L2TP data packet: Data Link Header | IP Header | IPsec ESP Header | UDP Header | L2TP Header | PPP Header | Payload | IPsec ESP Trailer | IPsec ESP Auth Trailer | Data Link Trailer
In both packets, everything between the IPsec ESP header and the IPsec ESP trailer (the UDP header, the L2TP header or control message, the PPP header and the payload) is the encrypted portion.
IPsec
Internet Protocol Security is an Internet Standard protocol used for securing data across the Internet (RFC 2401). In a VPN environment IPsec can be used as a complete protocol solution, or as the encryption tool within another VPN protocol such as L2TP.
VPN via IPsec
VPN client and VPN server:
1. Use IKE to negotiate the Phase 1 SA.
2. Negotiate the Phase 2 SAs (an inbound SA and an outbound SA).
3. Encrypt outgoing packets with the outbound SA.
Each side then decrypts incoming packets using its inbound SA and sends them to the application; client and server each encrypt with their own outbound SA and decrypt with their own inbound SA.
SSH
Secure Shell provides a single secure session between two computers over a shared network. The session requires server software on a host and client software on a connecting client.
Secure Shell Basics
Between the Secure Shell client and the Secure Shell server:
1. Establish secure tunnel
2. Authenticate server
3. Authenticate client
4. Encrypted session
5. Arbitrary TCP port forwarding (from the OS TCP stack on the client, through the tunnel, to the OS TCP stack on the server)
SSH
PC with SSH client ---[ SSH tunnel across the Internet ]--- Host with SSH daemon
Comparing VPNs
PPTP and L2TP
– Use control packets to build and tear down the VPN tunnel
– Use data packets to send the data through the tunnel
IPsec
– Negotiates Security Associations (SAs)
– Uses the outbound SA to encrypt and send packets
– Uses the inbound SA to decrypt incoming packets
Comparing VPN and SSH
PPTP, L2TP and IPsec
– Connect PCs to a company's network
– Connect a company's remote networks to each other
SSH
– Connects a PC directly to a host running SSH
– Other service ports can be configured to be forwarded through the SSH tunnel
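Step 5 of the Secure Shell basics (arbitrary TCP port forwarding) and the SSH bullet above about forwarding other service ports through the tunnel, as an added shell example that is not part of the original slides: it composes the OpenSSH client command that forwards chosen service ports from the PC to the host, with the server-authentication step enforced rather than left to a prompt. The user name, host name and port pairs are placeholders.

```shell
#!/bin/sh
# Added example, not from the original slides: compose the OpenSSH command that
# forwards chosen application ports from the PC through the SSH tunnel to the
# UNIX/Linux host, with server authentication enforced instead of prompted.
# Assumptions: OpenSSH client; user, host and port pairs below are placeholders.

# valid_port PORT -> succeeds only for a decimal number in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_forwards "LOCAL:REMOTE ..." -> prints one -L option per pair.
# Each listener binds to 127.0.0.1 on the PC so only local applications, not
# other machines on the LAN, can send traffic into the tunnel; "localhost" in
# the -L spec is resolved on the SSH host, i.e. the forwarded service there.
build_forwards() {
    opts=""
    for pair in $1; do
        lport=${pair%%:*}
        rport=${pair#*:}
        # Reject specs without exactly one colon and any non-port value.
        if [ "$lport:$rport" != "$pair" ] || ! valid_port "$lport" || ! valid_port "$rport"; then
            echo "bad forward spec: $pair" >&2
            return 1
        fi
        opts="$opts${opts:+ }-L 127.0.0.1:$lport:localhost:$rport"
    done
    printf '%s\n' "$opts"
}

# tunnel_cmd USER HOST "LOCAL:REMOTE ..." -> prints the full ssh command.
#  -N                        no remote shell; the session only carries forwards
#  StrictHostKeyChecking=yes refuse an unknown or changed host key (step 2)
#  ExitOnForwardFailure=yes  fail loudly if a local listener cannot be bound
tunnel_cmd() {
    fwd=$(build_forwards "$3") || return 1
    printf 'ssh -N -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes %s %s@%s\n' \
        "$fwd" "$1" "$2"
}

# Placeholder user and host. Local 2323 -> host telnet (23), local 1110 ->
# host POP3 (110); afterwards the PC's telnet and mail clients are pointed at
# 127.0.0.1:2323 and 127.0.0.1:1110 and their traffic rides the SSH tunnel.
tunnel_cmd alice unix-host.example.com "2323:23 1110:110"
```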
Implementing VPNs
Enterprise Service Providers (ESP)
– provide Network Access Servers (NAS)
– provide VPN clients for individual PCs
– maintain the network infrastructure
Hardware-only providers
– provide VPN servers with built-in VPN software
– may or may not maintain the network infrastructure
Implementing VPNs
Hardware and software providers
– provide VPN servers
– provide VPN client and VPN server software
– may or may not maintain the network infrastructure
Software-only providers
– provide VPN software to run on existing hardware
– do not maintain the network infrastructure