Hack Proofing Linux: A Guide to Open Source Security, part 7 (docx)

accesses the Internet through normal access methods, such as a dial-up, a Digital Subscriber Line (DSL), or a cable network connection. After access to the Internet is achieved, the telecommuter opens a VPN client to log on to the company VPN server—once logged on, the telecommuter has access to the company network. She receives the same user rights and privileges on the company network as if she were physically logged in at a company workstation. If the telecommuter has a fast Internet connection, she will be unable to tell the difference between physically working at the company location and working through the VPN. The VPN concept is shown in Figure 8.1.

After the VPN tunnel has been established, the telecommuter can run any application as if he were at a company workstation, provided he has the appropriate client. All of these applications will run over the tunnel, and the applications themselves are not required to be secure, because they are transmitted through the VPN tunnel. The VPN tunnel encrypts the data, so any captured data (regardless of the program that generated that data) will be useless. The tunnel concept is displayed in Figure 8.2.

Figure 8.1 Telecommuting Using a VPN (diagram: a laptop computer running a VPN client reaches the company VPN server across the Internet; the server sits on the company Ethernet with a workstation, a file server, and the customer database)

Figure 8.2 Secure Transmission of Data across the Internet Using a VPN Tunnel (diagram: a secure VPN tunnel across the Internet between the laptop computer (VPN client) and the company VPN server)

VPNs can also be used by corporate partners. For instance, the customer database displayed in Figure 8.1 could be available for a sales team at another company. The sales team could receive accounts on your network with access to the customer database only.
Router-to-Router VPN Solution

VPNs are a cost-effective way to create a wide area network (WAN) for connecting company satellite offices and corporate offices. In the past, a company leased expensive dedicated lines from phone companies to connect each location. VPNs allow companies to create a router-to-router VPN over the Internet instead. In order to implement a VPN, you must ensure that each gateway router to your network supports the VPN implementation you choose at each location. These routers are located on the edge of your network and are the end-to-end points for your VPN tunnel. They are responsible for encapsulating the traffic as it leaves the network and removing the capsule as it arrives between your satellite and corporate offices. All router vendors offer VPN functionality. For instance, Cisco offers the Cisco 1600 series of routers that offer a VPN option. VPNs can connect your corporate networks for a fraction of the cost of leasing dedicated lines. A corporate WAN using VPN-enabled routers is displayed in Figure 8.3.

Figure 8.3 Creating a Corporate Router-to-Router VPN (diagram: a New York Ethernet and a Tokyo Ethernet, each with a file server and a workstation, plus a customer database and an accounting database; each site sits behind a VPN-enabled router acting as tunnel endpoint, and the two routers are joined by a secure VPN tunnel across the Internet)

Host-to-Host VPN Solution

VPNs can also securely connect two hosts over the Internet or any unsecured network. Each host is the tunnel endpoint. The only difference is that a separate network does not exist on the other side of the hosts, so no gateway is required with IP forwarding enabled. If you can create a tunnel between two hosts, you can expand your knowledge in an enterprise environment to accommodate both telecommuter and router-to-router VPN solutions. The host-to-host VPN solution is shown in Figure 8.4.
Tunneling Protocols

As mentioned previously, a “tunnel” is created between VPN hosts to ensure that all traffic between them is secure. The tunnel is created with a tunneling protocol. These protocols are responsible for encapsulating a data packet before a host transmits it. After the data is encapsulated, it is sent over the Internet until it arrives at its destination. When it arrives, the capsule is removed, and the data is processed by the destination host.

IP tunneling protocols are particularly powerful because they can transmit foreign protocols over the Internet. For instance, a Novell NetWare host can send an Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) packet over the Internet by encapsulating it in an IP packet, then transmitting it using Transmission Control Protocol/IP (TCP/IP). When it arrives at its destination, the IP packet is stripped off, and the IPX/SPX packet is processed.

The next generation protocol, IPv6, has a test bed called the 6bone (www.6bone.net). The 6bone is a virtual network that uses IPv6-over-IPv4 tunneling. The IPv6 networks, called islands, are connected over the Internet using IPv4 tunnels. The IPv6 packets are encapsulated by an IPv4 packet and sent over the Internet. When they arrive at the destination, the IPv4 packet is removed, and the IPv6 packet is processed on the IPv6 network. The leading VPN tunneling protocols are listed in Table 8.1.

Figure 8.4 Creating a Host-to-Host VPN (diagram: two VPN hosts joined by a secure VPN tunnel across the Internet or another unsecured network)

Table 8.1 The Leading VPN Tunneling Protocols

Point-to-Point Tunneling Protocol (PPTP): Tunneling protocol developed by Microsoft that is built into the Windows operating system. It is an extension of the Point-to-Point Protocol (PPP) and uses PPP mechanisms for authentication, encryption, and compression. PPTP uses Microsoft Point-to-Point Encryption (MPPE) for encrypting the PPP frames.

Layer 2 Forwarding (L2F): Tunneling protocol developed by Cisco that is similar to PPTP.

Layer 2 Tunneling Protocol (L2TP): Tunneling protocol that combines PPTP and L2F. L2TP uses the best mechanisms of each. L2TP is already built into Microsoft Windows 2000 Server and Cisco Internet Operating System (IOS) software for networking and end-to-end hardware products. Like PPTP, L2TP requires that ISPs support it so that it can be used for router-to-router VPNs. This protocol is used in Cisco’s “Access VPN” service. L2TP uses IPSec for encryption. L2TP will eventually become the industry standard for VPNs.

Explaining the IP Security Architecture

IP has been a low-cost, efficient protocol for several decades. However, it has always suffered from security vulnerabilities that have required users and businesses to use other methods to ensure data confidentiality across the Internet. A new protocol, IP Security Architecture (IPSec), is designed to add authentication and encryption to IP when needed.

IPSec is an Internet Engineering Task Force (IETF) security protocol that is becoming a standard component of VPN tunneling protocols. As the name suggests, it was designed for IP, and IPSec has gained wide industry support. For instance, Cisco already supports IPSec in its routers and is one of the leading supporters for IPSec standardization. IPSec is currently a proposed standard (Request for Comments [RFC] 2401) within the IETF. The IPSec charter Web page, shown in Figure 8.5, is maintained by the IETF IPSec working group. The URL is www.ietf.org/html.charters/ipsec-charter.html. This site is ideal for monitoring the progress of IPSec and the numerous implementations for the IPSec standard.
IPSec provides secure authentication and encryption over a network by securing all packets at Layer 3, the network layer, of the Open System Interconnection (OSI) reference model. Layer 3 security is significant because Layer 3 is responsible for IP addressing and routing over the Internet. Security at this layer ensures that everything on the network is secure.

NOTE
Another benefit of IPSec is that it already supports the next generation Internet Protocol, IP version 6 (IPv6). IPSec will be a requirement for IPv6 implementation.

Layer 3 security is in contrast to methods that provide only encryption and authentication to higher-level protocols, such as SSH (you learned about SSH in the last chapter). Programs such as SSH for remote login, Secure Hypertext Transfer Protocol (SHTTP) and Secure Socket Layer (SSL) for Web applications, and Pretty Good Privacy (PGP) for e-mail secure data between two applications using Layer 4 mechanisms. This method works extremely well but is limited because only the data between the program’s associated ports is encrypted. IPSec secures all data, regardless of the program running between the hosts. To demonstrate the limitations of security protocols such as SSH, SHTTP, and SSL, recall the implementation of SSH in the last chapter. First, you captured packets that were unencrypted, shown in Figure 8.6. Next, you captured packets between two SSH hosts that used encryption. The application layer data was encrypted, but the Layer 4 (the transport layer) port numbers could be viewed, so you could easily determine the service running. You discovered that the SSH remote host listens and transmits on TCP port 22. The SSH client used TCP port 1023. Figure 8.7 shows the captured SSH traffic. SHTTP and SSL traffic display in a similar manner when captured, except that different port numbers are displayed.

Figure 8.5 IETF IPSec Charter (screenshot of the IETF IPSec working group charter Web page)
IPSec is different from SSH and other application-based encryption protocols because an IPsec tunnel encrypts data at Layer 3 (the network layer) so that no transport layer (Layer 4) data is displayed, which reduces security vulnerabilities. Figure 8.8 displays a packet capture of IPSec packets transmitted through a tunnel. Note that the amount of useful information is significantly reduced. For instance, all transport layer data in the figure is encrypted by an Encapsulating Security Payload (ESP) header, which renders the packet and its contents useless if captured by a hacker. ESP encrypts the packet at the network layer, so even the port information is encrypted. So as you can see, this is an improvement over application-based encryption protocols, such as SSH, which display the transport-layer data.

Figure 8.6 Unencrypted Packets (packet capture)

Figure 8.7 Packet Capture of SSH Session Displaying TCP Port Data

Figure 8.8 Packet Capture of IPSec Session

The packets captured in Figure 8.8 are from a VPN tunnel using IPsec. This tunnel was set up between two hosts (a host-to-host solution), and the tunnel endpoints encrypted all traffic between the two hosts, regardless of the applications running between them. IPsec is used by many VPN implementations. You will learn about these implementations and how they use IPsec in the next section.

Using IPSec with a VPN Tunneling Protocol

IPSec is used as an authentication and encryption standard for VPNs. As you learned in Table 8.1, several tunneling protocols exist, such as PPTP and L2TP. You learned that both PPTP and L2TP are extensions of PPP. One of IPSec’s functions within L2TP is to encapsulate the PPP data and encrypt the data at the network layer (Layer 3) of the OSI model.
Figures 8.9 through 8.11 show how IPSec encapsulation works with one type of L2TP implementation. First of all, a PPP frame is created. This frame contains the IP packet created from the TCP/IP stack on your system with a PPP header attached. It contains data from your system that would normally be sent across the wire. The PPP frame is displayed in Figure 8.9. Next, the L2TP and User Datagram Protocol (UDP) headers are added to the PPP frame, as shown in Figure 8.10. Last, the IPSec encapsulation is implemented. IPSec adds an IPSec ESP header and trailer. It also adds an IPSec Authentication trailer for message authentication and integrity. The L2TP packet is encrypted by IPSec, which uses the encryption keys that were generated from the authentication process.

Figure 8.9 Starting Out with a PPP Frame (diagram: PPP Header, PPP Payload (IP Packet))

Figure 8.10 Adding an L2TP and UDP Header to a PPP Frame (diagram: the PPP Header and PPP Payload (IP Packet) with an L2TP Header and a UDP Header added)

During this process, the standard IP header is added to the packet. The IP source address is the VPN client (which is sending this packet). The IP destination address is the VPN server that will receive this packet. The IPSec packet is displayed in Figure 8.11. When the packet arrives at the VPN server, the VPN server will strip the IP, IPSec, UDP, L2TP, and PPP headers from the packet to discover the original data sent from the VPN client.

Internet Key Exchange Protocol

IPSec is often used in conjunction with the Internet Key Exchange (IKE) protocol. IKE is a key management protocol standard that enhances IPSec, such as providing a simpler IPSec configuration, flexibility, and more features. IKE is not required to run IPSec, but it enhances the standard. IKE is a hybrid protocol.
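The L2TP-over-IPSec header stack of Figures 8.9 through 8.11, and the capture comparison of Figures 8.7 and 8.8, as an added Python example that is not code from the book. The cipher is a labelled stand-in keystream rather than a real ESP transform, the ICV is HMAC-SHA1-96, and the hosts, keys, tunnel id and session id are constructed values.

```python
"""Added example (not code from the book): ESP transport-mode encapsulation of the
Figure 8.9-8.11 header stack, plus what a passive capture sees (Figure 8.7 vs 8.8).
Assumptions: the cipher is an illustrative HMAC-SHA256 keystream, not a real ESP
transform; the ICV is HMAC-SHA1-96 (RFC 2404); headers are minimal, checksums zero."""
import hashlib, hmac, struct

TCP, UDP, ESP = 6, 17, 50  # IP protocol numbers

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def l2tp_ppp_payload(inner_ip_packet):
    """Figures 8.9-8.10: PPP frame (HDLC addr/ctrl 0xFF03, protocol 0x0021 = IP) inside an
    L2TP v2 data header (flags/version, tunnel id, session id) inside UDP port 1701."""
    ppp = b"\xff\x03\x00\x21" + inner_ip_packet
    l2tp = struct.pack("!HHH", 0x0002, 7, 9) + ppp   # tunnel id 7, session id 9: constructed
    return struct.pack("!HHHH", 1701, 1701, 8 + len(l2tp), 0) + l2tp

def keystream(key, spi, seq, n):
    """Illustrative per-packet keystream: counter mode over HMAC-SHA256 (stand-in cipher)."""
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def esp_encapsulate(enc_key, auth_key, spi, seq, next_hdr, payload, src, dst):
    """RFC 2406 layout: SPI | Seq | enc(payload | padding | pad_len | next_hdr) | ICV.
    Transport mode: the outer IP header now says protocol 50 instead of TCP or UDP."""
    pad_len = (-(len(payload) + 2)) % 4                 # trailer must end on a 4-byte boundary
    plain = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    ct = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, spi, seq, len(plain))))
    body = struct.pack("!II", spi, seq) + ct
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:12]  # the Figure 8.11 Auth Trailer
    return ip_header(src, dst, ESP, len(body) + 12) + body + icv

def esp_decapsulate(enc_key, auth_key, packet):
    """Receiver: verify the ICV before decrypting; returns (next_hdr, payload) or None."""
    body, icv = packet[20:-12], packet[-12:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:12], icv):
        return None                                      # altered in transit: drop it
    spi, seq = struct.unpack("!II", body[:8])
    plain = bytes(a ^ b for a, b in zip(body[8:], keystream(enc_key, spi, seq, len(body) - 8)))
    pad_len, next_hdr = plain[-2], plain[-1]
    return next_hdr, plain[:len(plain) - 2 - pad_len]

def sniffer_view(packet):
    """Everything a passive capture can read from the outer headers of one packet."""
    proto = packet[9]
    if proto in (TCP, UDP):                              # Figure 8.7: ports reveal the service
        return {"proto": proto, "ports": struct.unpack("!HH", packet[20:24])}
    if proto == ESP:                                     # Figure 8.8: only SPI and sequence number
        return {"proto": proto, "spi_seq": struct.unpack("!II", packet[20:28])}
    return {"proto": proto}

# Constructed sample traffic between two hosts (addresses and keys are made up).
HOST1, HOST2 = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
ENC_KEY, AUTH_KEY = b"constructed-enc-key", b"constructed-auth-key"
SSH_SEG = struct.pack("!HHIIBBHHH", 1023, 22, 1, 0, 0x50, 0x18, 8192, 0, 0) + b"SSH-1.5-OpenSSH"
SSH_PLAIN = ip_header(HOST1, HOST2, TCP, len(SSH_SEG)) + SSH_SEG            # Figure 8.7 view
SSH_ESP = esp_encapsulate(ENC_KEY, AUTH_KEY, 0x1000, 1, TCP, SSH_SEG, HOST1, HOST2)  # Figure 8.8
L2TP_SEG = l2tp_ppp_payload(SSH_PLAIN)                                        # Figures 8.9-8.10
L2TP_ESP = esp_encapsulate(ENC_KEY, AUTH_KEY, 0x1000, 2, UDP, L2TP_SEG, HOST1, HOST2)  # Figure 8.11
```

Compare sniffer_view(SSH_PLAIN), which exposes ports 1023 and 22, with sniffer_view(SSH_ESP), which exposes only the SPI and sequence number; esp_decapsulate rejects a packet whose ciphertext was altered because the ICV no longer matches.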
It implements three security protocols:

■ Internet Security Association and Key Management Protocol (ISAKMP)
■ Oakley key exchange
■ Skeme key exchange

IKE uses the ISAKMP framework to run the Oakley and Skeme key exchange mechanisms. The combination of these three security protocols provides authentication using digital signatures and public key encryption. IKE allows dynamic authentication of hosts, provides anti-replay services, and can change encryption keys during an IPSec session. It allows IPSec to operate without requiring an administrator to manually configure all of the IPSec security parameters between two hosts, and it negotiates IPSec security associations (SAs) automatically. IKE also allows Certification Authority (CA) support and permits lifetime specifications for IPSec security associations.

Figure 8.11 Adding IPSec Mechanisms to an L2TP Packet (diagram: IP Header, IPSec ESP Header, UDP Header, L2TP Header, PPP Header, PPP Payload (IP Packet), IPSec ESP Trailer, IPSec Auth Trailer; the encapsulated L2TP packet is marked IPSec Encrypted)

To learn more about IKE, read the RFC 2409 proposed standard on the Internet at www.ietf.org/rfc/rfc2409.txt.

Creating a VPN by Using FreeS/WAN

Free Secure WAN (FreeS/WAN) is a Linux VPN implementation that uses IPSec and IKE. IPSec and IKE were discussed in the previous sections and are used to provide secure authentication and encryption of data between two hosts at Layer 3 (network layer) of the OSI model. FreeS/WAN creates a secure VPN tunnel between the hosts. The FreeS/WAN project goal is to provide freely available source code to promote IPSec and allow it to run on many different machines. It also avoids export restrictions and attempts to interoperate with all VPNs that use IPSec. The FreeS/WAN project is based at www.freeswan.org/intro.html (shown in Figure 8.12).
Because FreeS/WAN uses IPSec, it can be implemented on any system that performs IP networking. This includes routers, PCs, laptops, firewalls, and application servers such as Web, mail, and database servers. FreeS/WAN uses three IPSec protocols, shown in Table 8.2.

Figure 8.12 Home of the FreeS/WAN Project (screenshot)

[...]

Interoperability

Interoperability is a major concern with S/WAN and VPNs in general. Currently, almost all firewalls and security software available today offer IPSec support. It is the goal of S/WAN developers for all S/WAN implementations to interoperate, no matter what device they are installed on. This goal is shared by many manufacturers and is spearheaded by the VPN Consortium (VPNC). The VPNC is an international...

Table 8.2 IPSec Protocols Used in FreeS/WAN

Authentication Header (AH): Performs authentication at the packet level.
Encapsulating Security Payload (ESP): Performs encryption as well as authentication.
Internet Key Exchange (IKE): Performs key exchanges and connection parameter negotiation.

Damage &...

...upgraded to the linux-2.4.3 kernel (this kernel is also included on the CD [linux-2.4.3.tar.gz]). A custom installation of Linux with “everything” was installed. The program is downloaded as a TAR file that contains the source code and documentation, as well as any patches. To download and install FreeS/WAN, complete the following steps:

1. Log in as root.
...“everything” installed, you can skip this warning—all of the required Red Hat Package Manager (RPM) packages are already installed (you may need to update them later in this section). To check if an RPM is installed, enter rpm -qa | grep rpm_name. To install an RPM, enter rpm -i rpm_name_version. Access the RPMs from the Red Hat installation CD /RedHat/RPMS directory, as shown in the following:

Kernel source code...

apache-devel-1.3.12-25

7. Host2: If you do not receive a response, then you need to download and install Apache.

8. Host2: After you confirm that Apache is installed and running, you have completed Apache configuration. This is because host1 will access the default Web site that Apache configures automatically...

...do not receive a reply, then you need to download and install Ethereal (www.rpmfind.net). You can also install it from your PowerTools CD that is distributed with Red Hat Linux.

12. Host1: After you have verified that Ethereal is installed, you are ready to capture packets.

13. Host1: To add filters to Ethereal without using host names, open a command interface and enter the following:

ethereal -n

14. Host1:...

...system into the new linux-2.4.3 kernel image.

11. During the reboot, check the messages during boot. You can also check them using dmesg. Look for the following:

■ Make sure that you are booting into the new kernel
■ Make sure that a message appears for KLIPS initialization
■ Make sure that a start report appears for Pluto
■ Make sure that “ipsec_setup – Starting FreeS/WAN IPsec 1.9” appears

12. Log in as root...
...FreeS/WAN is based are included in the RFCs.tar.gz file. The files you can download are as follows (these files are also located on the CD accompanying this book):

■ RFCs.tar.gz
■ freeswan-1.9.tar.gz
■ freeswan-1.9.tar.gz.sig
■ freeswan-sigkey.asc

Figure 8.14 Downloading the FreeS/WAN TAR File(s) (screenshot)

NOTE
You can also access the freeswan-1.9.tar.gz tarball from the supplemental CD included with this book and...

2. Access the FreeS/WAN download site at www.freeswan.org/download.html. You can also obtain the necessary files from the CD accompanying this book.

3. Scroll down to the Latest Release section, as shown in Figure 8.13.

Figure 8.13 Accessing the Latest Release of FreeS/WAN (screenshot)

SECURITY ALERT!
Do not download the installation files from the “Today’s Snapshot”...

Table 8.3 FreeS/WAN Implementation of IPSec Protocols

Kernel IPSec (KLIPS): Performs AH and ESP functions. It also handles packets within the Linux kernel.
Pluto: Performs IKE. Pluto is an IKE daemon.
Variety of scripts: Offers a FreeS/WAN interface for the administrator.

NOTE
In order to add IPSec to the system, FreeS/WAN installs IPSec into the Linux...

Posted: 08/08/2014, 21:23
