Полезная информация

Virtual private networks

Encrypting network services

Virtual private network solutions

Encrypting network services

Virtually all network traffic is unencrypted and easily read by an attacker. If someone cracks a machine on your internet and installs a password sniffer (basically your common packet sniffer with a filter) your entire network can be compromised in a matter of hours. One ISP that shall remain nameless placed co-hosted customer machines on the same LAN, using a normal ethernet hub, meaning all machines could see each others traffic (users retrieving email via pop, telnet sessions, etc). This is one of the major reasons why encrypting data traffic is a good idea.

Various mechanisms exist and/or are being developed to encrypt network data traffic, at various levels of the network stack. Some schemes only encrypt the data sent (such as GnuPG encrypted email), some encrypt the session (SSL), and some encrypt the data payload of the packets (IPSec and other VPN's). Ultimately the best solution will be IPSec (my opinion), as it requires no modifications to the applications, and provides for a very high level of security between computers. Currently there are no widely-used data encryption solutions, in part because Microsoft does not support many, which is a serious hindrance to any mass solution. To be fair Microsoft does have beta IPSec support, but it is not ready yet, and it will be restricted to the North American market because of US law. The best scheme currently available is SSL, Secure Sockets Layer, originally proposed by Netscape. SSL encrypts the data at the session level, thus if your application supports SSL and the server supports SSL you are in luck. Most www browsers, some email/news readers, and a few ftp and telnet clients support SSL currently. For Linux servers most services can be SSL'ified. SSL does however require clients with SSL capabilities, something you won't be able to get most people to support. This means that SSL'ified services are typically restricted to within an organization. The SSL libraries are available at http://www.openssl.org/. For "drilling" through a firewall or perhaps to get by a NAT box (such as Linux with IP Masquerading) please see the firewall section.

 

Virtual private network solutions

There are a variety of VPN solutions for Linux. I would stronly advise using IPSec if possible since it is the emerging standard for VPN's on the Internet, and will be incorporated with IPv6. On the other hand if you are behind a firewall and want to tunnel out the SSH based solution and so on will do the trick, whereas IPSec will typically fail (since the packet headers are being rewritten).

IPSec

IPSec is covered in it’s own section. I think it is the future of VPN technology (it’s the most commonly supported standard as of today, and an integral part of IPv6).

PPTP (Point to Point Tunneling Protocol)

PPTP is a proprietary protocol created by Microsoft for VPN solutions. To date it has been shown to contain numerous serious flaws. However if you need to integrate Linux into a PPTP environment all is not lost, http://www.moretonbay.com/vpn/pptp.html contains a Linux implementation of PPTP. 

CIPE (Crypto IP Encapsulation)

CIPE is a free IP level encryption scheme, meant for use between routers. It is appropriate for 'bridging' networks securely together over insecure networks (like the Internet). The official cite for CIPE is at: http://sites.inka.de/~W1011/devel/cipe.html. I would however recommend FreeS/WAN as a better long term solution.

ECLiPt Secure Tunnel (currently in beta)

Another GNU licensed solution for Linux VPN's. Currently in beta (and not recommended for mass use) but I thought I should mention it anyways since it seems to be a serious effort. The official page is at: http://eclipt.uni-klu.ac.at/projects/est/. Again I would have to recommend FreeS/WAN as a better long term solution.

Stunnel

Stunnel is an SSL based solution for securing network services. It has a server portion that runs on the UNIX server, and a client portion that runs on UNIX or Windows.
http://mike.daewoo.com.pl/computer/stunnel/

Virtual Private Server

Virtual Private Server (VPS) uses Perl and SSH to create VPN's. You can get it from: http://www.strongcrypto.com/.

Virtual Tunnel

Virtual Tunnel (VTUN) supports a variety of methods of establishing a link, and several algorithms. You can get it from: http://vtun.netpedia.net/.

Zebedee

Zebedee provides encryption of TCP traffic between hosts and is available for UNIX and windows. You can get it from: http://www.winton.org.uk/zebedee/.

Virtual Private Server

Virtual Private Server is a VPN solution that uses PPP and SSH (basically it provides a nicer interface to it). You can get it from: http://www.strongcrypto.com/.

 

 

Back

Security Portal

Written by Kurt Seifried