From: Greg Russell on 25 Jan 2010 14:32

We have an iptables firewalling router setup here that is working well, as we've stress-tested it from external sites using all the attack tools we can find.

We have several users that are "on the road" and require connectivity from various sites such as motels, coffeehouses, airports and dialup to various ISPs. We'd like to have a secure tunneling connection for these users, and we'd like to ask what might be a viable solution that works for all these various connection points?

By viable I mean that even username and password wouldn't be sniffable during connection initiation.
From: Stachu 'Dozzie' K. on 25 Jan 2010 14:52

["Followup-To:" header set to comp.os.linux.security.]

On 2010-01-25, Greg Russell <me(a)invalid.com> wrote:
> We have an iptables firewalling router setup here that is working well,
> as we've stress-tested it from external sites using all the attack tools
> we can find.
>
> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?
>
> By viable I mean that even username and password wouldn't be sniffable
> during connection initiation.

All three, SSH (v2), IPsec (Openswan is a good choice indeed; ipsec-tools is pretty crappy in configuration) and OpenVPN are viable according to your definition.

SSH would be the least problematic: it's just a single TCP port to be enabled (and the port could be stolen from HTTPS, which is pretty commonly passed through firewalls) and would work ideally for me, a Linux admin. But would it be as simple for your users?

IPsec in the Openswan implementation is simple to configure once you manage to understand IPsec itself (and that could be difficult). You need to consider the other side of the connection, though, and if it's Windows, you may need to do some more setup. But as it is a VPN, your users will see resources as if they are connected directly to your network. And one more thing: IPsec requires some non-standard setup for NATs. If you don't know IPsec yet, don't use it now and save yourself a headache.

OpenVPN is a bit more troublesome in preparing the configuration file than Openswan (not too much, though, if you know IP networks well), but it needs just a single port (UDP or TCP, you choose) and still gives you a VPN.

If your users are experienced un*x users, I'd stay with SSH. If they're just clerks and/or management, I'd go for OpenVPN.

--
Secunia non olet.
Stanislaw Klekot
From: J G Miller on 25 Jan 2010 16:44

On Mon, 25 Jan 2010 19:32:38 +0000, Greg Russell asked:
> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?

The most secure would, as far as I am aware, be ssh over an openvpn session with TLS authentication. Have a look at the introduction and further documentation at
<http://www.openvpn.NET/index.php/open-source.html>

For even more security, you could consider the use of smart cards plus user PIN as part of the authorization procedure.
<http://michele.pupazzo.ORG/docs/smart-cards-openvpn.html>

One nice aspect of openvpn is that you can set up categories of users, with different access privileges, if so desired.

QUOTE
The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name.
UNQUOTE

And should a laptop machine be lost on the road, even though the system should be set up requiring a password as well as a certificate on the laptop, the certificate on the laptop can be revoked at any time.
From: Lusotec on 25 Jan 2010 17:20

Greg Russell wrote:
> We have an iptables firewalling router setup here that is working well,
> as we've stress-tested it from external sites using all the attack tools
> we can find.
>
> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?

I would recommend ssh with public/private cryptography keys. It is the easiest to configure correctly and is flexible enough for most scenarios. It is also very network/router/firewall friendly.

> By viable I mean that even username and password wouldn't be sniffable
> during connection initiation.

Don't use password authentication. The component between the screen and the chair is too insecure and unreliable! ;)

Regards.
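The "don't use password authentication" advice above is only as good as the sshd_config that enforces it, and sshd has a trap that a quick `grep` misses: for each keyword it uses the first value it finds, not the last, and anything after the first `Match` line applies only conditionally. The following script is an added example and not code from the thread; it parses an sshd_config with those rules, audits it against a key-only policy, and exercises two constructed sample configs (the file names, the `Match Address 10.0.0.0/8` block and the sshd defaults encoded in the specs are assumptions for the illustration).

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the
# key-only policy recommended above. The two sample configs are constructed.
set -eu

# sshd_effective FILE KEYWORD -> prints the value sshd will actually use.
# sshd honours the FIRST occurrence of a keyword, not the last, and
# directives after the first "Match" line apply only conditionally, so
# parsing stops there. Comment lines never match because $1 starts with "#".
sshd_effective() {
    awk -v kw="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) && !done { print $2; done = 1 }
    ' "$1"
}

# audit_sshd FILE -> 0 if the policy holds, 1 otherwise; names failures.
# Each spec is KEYWORDS:WANTED:DEFAULT where KEYWORDS may list an alias
# (KbdInteractiveAuthentication is the newer spelling of
# ChallengeResponseAuthentication) and DEFAULT is what sshd assumes
# when the keyword is absent from the file.
audit_sshd() {
    f=$1; rc=0
    for spec in \
        "PasswordAuthentication:no:yes" \
        "KbdInteractiveAuthentication|ChallengeResponseAuthentication:no:yes" \
        "PubkeyAuthentication:yes:yes" \
        "PermitEmptyPasswords:no:no"
    do
        kws=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=""
        for kw in $(printf %s "$kws" | tr '|' ' '); do
            if [ -z "$got" ]; then got=$(sshd_effective "$f" "$kw"); fi
        done
        [ -n "$got" ] || got=$def
        if [ "$(printf %s "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL: $kws is '$got', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# make_samples DIR writes two constructed configs: "weak" looks patched
# (a later "no" line) but sshd still uses the first "yes"; "strong" is
# correct globally and only relaxes the rule inside a Match block.
make_samples() {
    d=$1
    cat > "$d/weak" <<'EOF'
# constructed sample sshd_config
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    cat > "$d/strong" <<'EOF'
# constructed sample sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
}

d=$(mktemp -d)
make_samples "$d"
for name in weak strong; do
    if audit_sshd "$d/$name"; then echo "$name: policy OK"; else echo "$name: policy FAILS"; fi
done
```

Point it at a real file with `audit_sshd /etc/ssh/sshd_config`; on the host itself `sshd -T` prints the effective values and is the authoritative check, but the parser above is what you can run over configs collected from many machines. The client side of the same policy is a keypair (`ssh-keygen`) installed with `ssh-copy-id` before password logins are switched off.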
From: David Brown on 26 Jan 2010 03:33

On 25/01/2010 20:32, Greg Russell wrote:
> We have an iptables firewalling router setup here that is working well,
> as we've stress-tested it from external sites using all the attack tools
> we can find.
>
> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?
>
> By viable I mean that even username and password wouldn't be sniffable
> during connection initiation.

ipsec solutions are certainly secure (with correct configuration, of course), but can be a real pain for routing, NAT traversal, and so on. You are also, as far as I know, limited to a single ipsec tunnel endpoint for each ip address, though there can be many connections to the same tunnel endpoint at a time. By that I mean that you can have many clients connecting to the server, but they are all attached to the same virtual network port on the server. Similarly, each client can be connected to only one server at a time. (Hopefully someone will correct me if that's not true.)

ssh is for remote shell access. You /can/ do port forwarding with it to give access to other resources, but it is not great for the purpose - it won't make the best use of the bandwidth, and it is far from convenient to specify the forwarding connections if there are many of them. However, it is extremely handy for doing ad-hoc connections and giving yourself a "backdoor" into your system (put it on a non-standard port so the bad guys don't keep knocking on it). You can either pre-share the cryptographic keys or use passwords, or both.

openvpn is, IMHO, an extremely useful way to handle remote connections. It can take a bit of learning to figure out how the configuration is done, but when you've done it once you just copy and modify the configuration file for others. It's a no-brainer for the clients - on Windows you get an icon in your tray and you just select "connect" from the menu as needed. On Linux you can use the command line or a GUI as you fancy. You can configure it on the server with all sorts of options, and happily have multiple tunnels on different ports. That way you can have different groups connected to different virtual network ports on the router, and use iptables and routing to connect them to different parts of the network. Security is solid, with cryptographic keys and optional passwords, and support for various other identification systems.

I use openvpn whenever we need secure external access to a server, along with an ssh backdoor for maintenance purposes.
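Two of the openvpn points made in this thread, J G Miller's per-client access rights keyed on the certificate Common Name (with revocation for a lost laptop) and David Brown's separate tunnels per group on different ports tied together by iptables, come down to a handful of server directives. The script below is an added example, not configuration from the thread or from the OpenVPN project: it writes one server instance per group, a `ccd` entry per client CN, and prints (without applying) the forwarding rules that keep the groups apart by tun interface. The group names, ports, subnets, CNs, file names and the 192.168.x.x office addresses are constructed placeholders; certificate and key paths are relative to the directory openvpn is started in.

```shell
#!/bin/sh
# Added example, not from the thread: generate per-group OpenVPN server
# configs, per-client ccd entries keyed by certificate CN, and matching
# iptables rules. All names, ports, subnets and CNs are constructed.
set -eu

# write_server_conf DIR NAME PORT DEV TUNNEL_SUBNET
# One server instance per group: its own port, tun device and tunnel
# subnet, so iptables can tell the groups apart by interface (-i tunN).
# Requires OpenVPN 2.4 or later for the cipher line.
write_server_conf() {
    dir=$1; name=$2; port=$3; dev=$4; subnet=$5
    mkdir -p "$dir/ccd-$name"
    cat > "$dir/$name.conf" <<EOF
port $port
proto udp
dev $dev
ca ca.crt
cert server-$name.crt
key server-$name.key
dh dh2048.pem
tls-auth ta.key 0
remote-cert-tls client
crl-verify crl.pem
server $subnet 255.255.255.0
topology subnet
client-config-dir ccd-$name
ccd-exclusive
cipher AES-256-GCM
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}
# crl-verify: a certificate revoked into crl.pem (the lost-laptop case)
# is refused at the next handshake without touching any other client.
# ccd-exclusive: a CN with no file under client-config-dir cannot connect.

# write_ccd_entry DIR NAME CN IP
# The file name must equal the client certificate's Common Name; the
# fixed address it pushes is what the iptables rules below key on.
write_ccd_entry() {
    dir=$1; name=$2; cn=$3; ip=$4
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$dir/ccd-$name/$cn"
}

# firewall_rules prints iptables commands (it does not run them):
# the "staff" tunnel (tun0) reaches the office LAN, the "vendor"
# tunnel (tun1) reaches a single host and port, everything else from
# any tun interface is dropped. Return traffic is matched first.
firewall_rules() {
    cat <<'EOF'
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i tun1 -d 192.168.50.10 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i tun+ -j DROP
EOF
}

# build_site DIR creates both groups and one client each; returns 0
# when the expected files exist.
build_site() {
    dir=$1
    write_server_conf "$dir" staff  1194 tun0 10.8.0.0
    write_server_conf "$dir" vendor 1195 tun1 10.9.0.0
    write_ccd_entry "$dir" staff  alice.laptop 10.8.0.10
    write_ccd_entry "$dir" vendor acme.support 10.9.0.10
    [ -f "$dir/staff.conf" ] && [ -f "$dir/ccd-vendor/acme.support" ]
}

out=$(mktemp -d)
build_site "$out"
echo "configs written to $out"
firewall_rules
```

Each generated file is started as its own daemon (`openvpn --config staff.conf`, `openvpn --config vendor.conf`), so a group can be stopped or re-keyed independently; the `ccd` file per CN is where `push "route ..."` lines would go if one client needs a route the rest of its group does not. The rule order in `firewall_rules` matters: the catch-all `tun+` DROP must come after the per-interface ACCEPTs, and the ESTABLISHED rule before all of them so replies to permitted connections are not dropped.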