Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH
Charles T. Moetului
WRQ, Inc.
(206) 217-7048
Dec 15, 2015
What is VPN?
A Virtual Private Network, or VPN, is a private connection between two machines or networks over a shared or public network.
Privacy and security over the public network are maintained through the use of a tunneling protocol.
[Figure: Secure Dialup. Remote users and home offices dial into a modem pool attached to a RAS server, which connects them to the LAN; a remote office reaches the LAN through its own RAS server.]
Why VPN?
Pros:
• Utilizes the Internet’s infrastructure
• Implementation costs
Cons:
• Administrative costs
• Lack of interoperability
• Variable performance
[Figure: VPN. Corporate HQ, several remote offices, a home office and a remote user are all connected to one another by VPN tunnels over the Internet.]
Tunneling
Tunneling is the process of encapsulating network packets within other network packets before sending them over a network.
[Figure: PC to Server and Gateway to Gateway. A PC with a VPN client builds a VPN tunnel across the Internet to a VPN server that connects to the LAN; two VPN servers at remote offices build a gateway-to-gateway VPN tunnel across the Internet.]
[Figure: PPTP packet formats]
PPTP Control Packet:
Data Link Header | IP | TCP | PPTP Control Message | Data Link Trailer
PPTP Data Packet:
Data Link Header | IP Header | GRE Header | PPP Header | Encrypted Payload | Data Link Trailer
(The portion marked Encrypted in the figure is the PPP payload; the data link, IP, GRE and PPP headers travel in the clear.)
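To make the PPTP data packet layering concrete, here is an added Python example (not from the original slides) that builds and parses one: an IPv4 header, an enhanced GRE header (RFC 2637), a PPP header, and an opaque payload standing in for the MPPE-encrypted data. Addresses, call ID and payload bytes are constructed sample values; no encryption is performed, and the parser only walks the headers that are sent in the clear.

```python
import struct

IPPROTO_GRE = 47             # IP protocol number for GRE
GRE_PROTO_PPP = 0x880B       # enhanced GRE carrying PPP (RFC 2637)
PPP_PROTO_MPPE = 0x00FD      # PPP "compressed datagram": MPPE-encrypted payload
GRE_K, GRE_S, GRE_A = 0x2000, 0x1000, 0x0080   # key / sequence / ack present bits

def ipv4_checksum(hdr):
    """RFC 791 ones-complement checksum; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_pptp_data_packet(src, dst, call_id, seq, encrypted_payload):
    """IPv4 -> enhanced GRE -> PPP -> payload, as in the PPTP data packet diagram.
    encrypted_payload stands in for MPPE output; no encryption is done here."""
    ppp = struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO_MPPE) + encrypted_payload
    # GRE: K and S set, version 1, protocol 0x880B, key = payload length + call ID
    gre = struct.pack("!HHHHI", GRE_K | GRE_S | 1, GRE_PROTO_PPP, len(ppp), call_id, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(ppp),
                     0, 0, 64, IPPROTO_GRE, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + gre + ppp

def parse_pptp_data_packet(pkt):
    """Walk the cleartext headers a middlebox can read; return the opaque payload."""
    if pkt[0] != 0x45 or pkt[9] != IPPROTO_GRE or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("not a well-formed IPv4/GRE packet")
    flags_ver, gre_proto, key_len, call_id = struct.unpack("!HHHH", pkt[20:28])
    if gre_proto != GRE_PROTO_PPP or not flags_ver & GRE_K or flags_ver & 7 != 1:
        raise ValueError("not an enhanced GRE (PPTP) packet")
    off, seq, ack = 28, None, None
    if flags_ver & GRE_S:
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags_ver & GRE_A:
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    ppp = pkt[off:off + key_len]
    if len(ppp) != key_len:
        raise ValueError("truncated PPP frame")
    addr, ctrl, ppp_proto = struct.unpack("!BBH", ppp[:4])
    return {"src": pkt[12:16], "dst": pkt[16:20], "call_id": call_id, "seq": seq,
            "ack": ack, "ppp_proto": ppp_proto, "cleartext_len": off + 4,
            "encrypted_payload": ppp[4:]}

# Constructed sample: 10.0.0.2 -> 192.0.2.10, call 7, seq 1, 8 opaque payload bytes
SAMPLE = build_pptp_data_packet(bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]),
                                7, 1, bytes.fromhex("9f2a7c0135e8b4d1"))

if __name__ == "__main__":
    print(parse_pptp_data_packet(SAMPLE))
```

Note that everything up to cleartext_len (36 of the 44 bytes here) is readable on the wire: endpoint addresses, call ID and sequence numbers are exposed even though the payload is not.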
L2TP
Layer 2 Tunneling Protocol combines the best of L2F (Layer 2 Forwarding) with the best of the PPTP protocol and also tunnels through a PPP connection (RFC 2661).
[Figure: L2TP packet formats]
L2TP Control Packet:
Data Link Header | IP Header | IPSec ESP Header | UDP Header | L2TP Control Message | IPSec ESP Trailer | IPSec ESP Auth Trailer | Data Link Trailer
L2TP Data Packet:
Data Link Header | IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | Payload | IPSec ESP Trailer | IPSec ESP Auth Trailer | Data Link Trailer
(In both packets the portion marked Encrypted in the figure runs from the UDP Header through the IPSec ESP Trailer; the ESP Auth Trailer integrity-protects it, while the Data Link header, IP header, ESP header and ESP Auth Trailer are sent in the clear.)
IPsec
Internet Protocol Security is an Internet Standard protocol used for securing data across the Internet (RFC 2401).
In a VPN environment IPsec can be used as a complete protocol solution or as the encryption tool within another VPN protocol such as L2TP.
VPN via IPsec
[Figure: VPN client and VPN server]
1. Use IKE to negotiate the Phase 1 SA.
2. Negotiate the Phase 2 SAs (inbound and outbound SA).
3. Encrypt packets with the outbound SA.
Each side encrypts outgoing packets using its outbound SA, and decrypts received packets using its inbound SA before handing them to the application.
SSH
Secure Shell provides a single secure session between two computers over a shared network.
The session requires server software on a host and client software on a connecting client.
Secure Shell Basics
[Figure: Secure Shell client and Secure Shell server, each running on top of its OS TCP stack]
1. Establish secure tunnel
2. Authenticate server
3. Authenticate client
4. Encrypted session
5. Arbitrary TCP port forwarding (at both the client and the server end)
Comparing VPNs
• PPTP and L2TP
– Use control packets to build and tear down the VPN tunnel
– Use data packets to send the data through the tunnel
• IPSec
– Negotiates Security Associations (SAs)
– Uses the outbound SA to encrypt and send packets
– Uses the inbound SA to decrypt incoming packets
Comparing VPN and SSH
• PPTP, L2TP and IPSec
– Connect PCs to a company’s network
– Connect a company’s remote networks to each other
• SSH
– Connects a PC directly to a host running SSH
– Can configure other service ports to be forwarded through the SSH tunnel
Implementing VPNs
• Enterprise Service Providers (ESP)
– provide Network Access Servers (NAS)
– provide VPN clients for individual PCs
– maintain the network infrastructure
• Hardware only providers
– provide VPN servers with built-in VPN software
– may or may not maintain network infrastructure
• Hardware and software providers
– provide VPN servers
– provide VPN client and VPN server software
– may or may not maintain network infrastructure
• Software only providers
– provide VPN software to run on existing hardware
– do not maintain network infrastructure