Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH, Charles T. Moetului, WRQ, Inc., (206) 217-7048, [email protected]

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH

Charles T. Moetului

WRQ, Inc.

(206) 217-7048

[email protected]

What is VPN?

A Virtual Private Network, or VPN, is a private connection between two machines or networks over a shared or public network.

Privacy and security over the public network are maintained through the use of a tunneling protocol.

The alternatives?

Leased Lines

Secure Dialup

[Diagram, leased lines: Corporate HQ connected to each remote office over a leased line]

[Diagram, secure dialup: remote users and home offices dial into a modem pool at the remote office; a RAS server connects the modem pool to the LAN]

Why VPN?

Pros:

• Utilizes the Internet's infrastructure
• Implementation costs

Cons:

• Administrative costs
• Lack of interoperability
• Variable performance

[Diagram: Corporate HQ, remote offices, a home office and a remote user, all connected by VPN over the Internet]

Tunneling

Tunneling is the process of encapsulating network packets within other network packets before sending them over a network.

[Diagram, PC to Server: PC with VPN client, VPN tunnel across the Internet to a VPN server, then to the LAN]

[Diagram, Gateway to Gateway: a VPN server at each remote office, with the VPN tunnel across the Internet between them]

Tunneling protocols

PPTP

L2TP

IPsec

SSL/TLS

SSH

PPTP

Point-to-Point Tunneling Protocol was developed to tunnel through a PPP connection (RFC 2637).

PPTP Control Packet: Data Link Header | IP | TCP | PPTP Control Message | Data Link Trailer

PPTP Data Packet: Data Link Header | IP Header | GRE Header | PPP Header | Encrypted Payload | Data Link Trailer

L2TP

Layer 2 Tunneling Protocol combines the best of L2F (Layer 2 Forwarding) with the best of the PPTP protocol, and also tunnels through a PPP connection (RFC 2661).

L2TP Control Packet: Data Link Header | IP Header | IPsec ESP Header | UDP Header | L2TP Control Message | IPsec ESP Trailer | IPsec ESP Auth Trailer | Data Link Trailer

L2TP Data Packet: Data Link Header | IP Header | IPsec ESP Header | UDP Header | L2TP Header | PPP Header | Payload | IPsec ESP Trailer | IPsec ESP Auth Trailer | Data Link Trailer

In both packets the fields between the IPsec ESP Header and the IPsec ESP Auth Trailer are the encrypted portion.

IPsec

Internet Protocol Security is an Internet Standard protocol used for securing data across the Internet (RFC 2401).

In a VPN environment IPsec can be used as a complete protocol solution or as the encryption tool within another VPN protocol such as L2TP.

VPN via IPsec

[Diagram: VPN client and VPN server exchanging the steps below]

1. Use IKE to negotiate Phase 1 SA
2. Negotiate Phase 2 SA (inbound & outbound SA)
3. Encrypt packets with outbound SA

On each side: encrypt packets using the outbound SA; decrypt packets using the inbound SA and send them to the application.
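As an added example (not from the slides), a Python sketch of the IPsec ESP framing shown in the L2TP packet layouts above and of the inbound/outbound SA roles in the steps just listed: the receiver verifies the ESP Auth Trailer and sequence number before stripping the ESP Trailer. It uses NULL encryption (RFC 2410) so the trailer fields stay readable; the key and SPI are constructed placeholders that IKE would negotiate in practice.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the ESP Auth Trailer is the first 96 bits of the HMAC


class SecurityAssociation:
    """One direction of traffic: an SPI, its authentication key, and sequence state."""

    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key
        self.next_seq = 1        # outbound use: next sequence number to send
        self.highest_seen = 0    # inbound use: anti-replay high-water mark


def esp_encapsulate(sa, payload, next_header):
    """Wrap payload with the ESP Header, ESP Trailer and ESP Auth Trailer of the slide."""
    # ESP Trailer: pad so that payload + pad + 2 trailer bytes end on a 4-byte boundary
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))            # RFC 2406 default monotonic padding
    body = payload + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", sa.spi, sa.next_seq)  # ESP Header: SPI, sequence number
    sa.next_seq += 1
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(sa, packet):
    """Check the Auth Trailer and sequence number, then strip the ESP Trailer."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", header)
    if spi != sa.spi:
        raise ValueError("SPI does not match this inbound SA")
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # authenticate before trusting any field
        raise ValueError("ICV mismatch: packet altered or wrong SA key")
    if seq <= sa.highest_seen:                          # simplified anti-replay check
        raise ValueError("replayed or out-of-window sequence number")
    sa.highest_seen = seq
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]


if __name__ == "__main__":
    key = b"\x0b" * 20                                  # constructed placeholder key
    outbound, inbound = SecurityAssociation(0x1000, key), SecurityAssociation(0x1000, key)
    pkt = esp_encapsulate(outbound, b"L2TP/PPP payload", 17)  # 17 = UDP, as on the L2TP slide
    print(esp_decapsulate(inbound, pkt))
```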

SSH

Secure Shell provides a single secure session between two computers over a shared network.

The session requires server software on a host and client software on a connecting client.

Secure Shell Basics

[Diagram: Secure Shell Client and Secure Shell Server, each sitting on its OS TCP stack]

1. Establish secure tunnel
2. Authenticate server
3. Authenticate client
4. Encrypted session
5. Arbitrary TCP port forwarding (on both the client and the server side)

SSH

[Diagram: PC with SSH client, SSH tunnel across the Internet, host with SSH daemon]

Comparing VPNs

• PPTP and L2TP
– Use control packets to build and tear down the VPN tunnel
– Use data packets to send the data through the tunnel

• IPsec
– Negotiates Security Associations (SAs)
– Uses the outbound SA to encrypt and send packets
– Uses the inbound SA to decrypt incoming packets

Comparing VPN and SSH

• PPTP, L2TP and IPsec
– Connect PCs to a company's network
– Connect a company's remote networks to each other

• SSH
– Connects a PC directly to a host running SSH
– Other service ports can be configured to be forwarded through the SSH tunnel

Implementing VPNs

• Enterprise Service Providers (ESP)
– provide Network Access Servers (NAS)
– provide VPN clients for individual PCs
– maintain the network infrastructure

• Hardware-only providers
– provide VPN servers with built-in VPN software
– may or may not maintain network infrastructure

• Hardware and software providers
– provide VPN servers
– provide VPN client and VPN server software
– may or may not maintain network infrastructure

• Software-only providers
– provide VPN software to run on existing hardware
– do not maintain network infrastructure

Questions?