Implementing VPNs With Clients You Already Paid For (v0.9b)

Alan Whinery

whinery@hawaii.edu

July 19, 2005

What This Is About
  • An exercise in making virtual networks available to as many users, with as little cost, as possible.
  • An exercise in implementing a single service that will work with a viable client for each prominent operating system.
  • Exploiting pre-deployed resources
  • Exploiting recent developments in IPSec implementations

Copyright 2005, University Of Hawaii ITS

Why My Customers Are Interested In Virtual Networks
  • Home/Roadwarrior access to restricted resources
    • File shares
    • SMTP servers
    • Etc.
  • Side-stepping site network restrictions and tampering (i.e. hotel networks)
  • Some privacy concerns

What Do We Want?
  • To appear as if we’re at UH, no matter where we are. (tunneling)
  • To identify us, as we are distinct from them (authentication)
  • To acknowledge and grant our individual special privileges (?) (authorization)
  • Acceptable cost
  • Most people only want a VN

Why Do We Want It?
  • Access restricted resources from anywhere
    • File servers
    • Printers
    • Remote Desktops
    • Mail servers
    • Restricted Web Content, Databases
  • Conceal data from eavesdroppers
  • Alternate Internet Access
  • Exotic Protocols

The Questions
  • Can a useful, non-proprietary, low-cost VPN service be developed to make use of the clients that are pre-deployed?
  • Can the procedural aspects of implementation be designed for security and deploy-ability?
  • Can the user setup be designed such that users can set it up?

Client OS Distribution @hawaii.edu

Windows OS Client Machines

Macintosh OS Client Machines

Unix(ish) Client Machines

VPN Implementations ($$$)
  • Cisco VPN
    • Free client
    • Proprietary; only works with Cisco Solutions
    • Expensive, complete solutions
    • Not already installed on thousands of computers
  • Netscreen VPN
    • Expensive, complete solutions
    • You can apparently use the clients I will describe today, instead of the Netscreen ones.

VPN Implementations ($)
  • Microsoft-style VPNs
    • Included client (already paid for)
      • Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP*)
      • Mac OS 10.3+ (IPSec/L2TP, PPTP)
      • Mac OS 10.2 (PPTP)
    • Standards-based, works with many things
    • Free client
      • Windows 98SE, Windows ME, Windows NT 4.1
        • IPSec/L2TP, PPTP*
    • Already installed on thousands of computers
    • Capable of good functionality
    • Included Server in Windows XP Pro

Wait! They all do PPTP! Hooray! We’re saved!
  • PPTP is:
    • A viable VPN solution
    • Developed by Cisco and Microsoft
  • Cisco doesn’t do it
  • Microsoft’s Implementation is WORTHLESS.
    • Using PPTP with Windows clients will expose sensitive information to eavesdroppers.
    • After denying that it had problems for years, Microsoft has now designated PPTP as “non-strategic”
    • Setting up a PPTP server for Macs would probably result in Windows users connecting to it.

VPN Implementations ($)
  • Microsoft-style VPNs (PVPN)
    • Included client (already paid for)
      • Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP*)
      • Mac OS 10.3+ (IPSec/L2TP, PPTP)
      • Mac OS 10.2 (PPTP)
    • Standards-based, works with many things
    • Free client
      • Windows 98, Windows NT 4.1
        • IPSec/L2TP, PPTP*
    • Already installed on thousands of computers
    • Capable of good functionality
    • Included Server in Windows XP Pro

Um, OK… Go on…
  • IPSec
    • Standard from the IETF
    • A security technology first
    • Very flexible
      • Can be used with strong encryption
      • Can be used with strong authentication
    • Quirky
  • Many experts seem to agree that IPSec is the network Encryption/Authentication technology that has the fewest things wrong with it.

The Set-up
  • There is a VPN client included in MS Windows XP, 2000, and Mobile 2003
  • There is a free MS VPN client for Windows 98SE, ME, NT 4.0
  • There is a VPN Client included in Apple OS X.III and X.IV
  • There are several free VPN approaches for Unices****

Voice Over IP
  • Using the free packet sniffer Ethereal, someone with access to your VOIP packets can dump the audio to a file and listen to it with Windows Media Player, all within about 60 seconds.
  • Most VOIP sends key presses “in the clear”
  • There should not be many places where someone can get access to these packets, but hey: “Should not”…

About Encryption
  • Key Management is key
    • Holy crap, I accidentally created a PKI!
  • Open standards are stronger than closed ones
  • Much that is sensitive is already encrypted (SSL,TLS)

Common VPN Protocols
  • PPTP: Point-to-Point Tunneling Protocol
    • Microsoft, Cisco
  • L2TP: Layer 2 Tunneling protocol
    • RFC 2661
  • IPSec: IETF “Secure” IP

IPSec In The Real World
  • The standards are complex.
  • Deciding which bits of standard are useful is difficult.
  • From the user POV, who cares, anyways?
  • We want to know what can be done with what’s available

IPSec In The Real World
  • Authentication
    • Shared secret
    • X.509 certificates from local CA

IPSec In The Real World
  • NAT sensitivity
    • IPSec has been redesigned to work with NAT
    • NAT is what your Netgear/Linksys/Asante/etc. home gateway does.
    • Stands for “Network Address Translation”
    • Typically, only one IPSec client can go through a NAT device at a time
    • This is appropriate for most home-to-work scenarios
    • The addition to IPSec is called “NAT Traversal” or NAT-T

Exploiting The Installed Clients
  • We have thousands of usable clients installed
  • What do we need to use them?
    • IPSec/L2TP Service
      • Authentication/Key Distribution Strategy
        • Configuration
    • UH ID/Password Authentication
      • RADIUS, et al.

PVPN Client Capabilities

Making A Linux VPN Server
  • Relatively mature implementations exist as kernel patches
    • *S/Wan (kernel patches, userland tools)
    • Kame (kernel patches, userland tools)
  • Third-party (3P) kernel patches are not optimal
    • Loss of patch development can stall upgrades
  • Recent kernel 2.6 includes built-in IPSec
    • Both *S/wan and Kame tools work with 2.6 kernel IPSec

Choosing Turtle or Swan
  • I have set up ipsec-tools (Kame)
    • Works great with kernel IPSec
    • Except NAT-T in transport mode
  • Openswan 2.3.1dr3/K2.6.11.6
    • Does everything I need

L2TPD
  • L2tpd (l2tpd.sourceforge.net)
    • Most common Unix(ish) L2TP package
    • Hasn’t been developed for 4 years
    • Has some issues with Windows L2TP
    • Works as either client or server
    • Requires configuration of Linux PPP
    • Does not do dynamic address assignment
    • Branch project, rp-l2tpd, is also stalled

L2TPNS
  • l2tpns ( l2tpns.sourceforge.net )
    • Acts as server side only
    • Handles PPP internally
    • Better performance than l2tpd
    • Assigns dynamic addresses
    • Supports multiple-server clustering
    • Speaks BGP
    • Active development: Last release: July 2, 2005
    • Has CLI interface with “show banana” command
  • ns = “network server”

Sold!

Server Set-Up
  • Compile Linux 2.6.xx kernel for IPSec, tap/tun, etc.
  • OpenSSL is already present in most Linux distributions ( www.OpenSSL.org )
  • Get Openswan ( www.openswan.org )
  • Get l2tpns ( l2tpns.sourceforge.net )
  • Compile and install everything
  • Set up OpenSSL and mkca on isolated server
  • Generate server certificate

Server As A Package
  • Once set up for this purpose, there are minimal differences between installations
  • Server could be packaged as a live CD distribution with CD/Flash/floppy based site configs
  • VPN service needs its own box, because you can’t route tunnel endpoints through the tunnel.

X.509 Certificates
  • Certificates can be individual, revocable
  • If there is limited, local use, may as well root the CA here at home
  • PVPNs use the *.p12 cert distribution scheme, which incorporates 3DES encryption and a copy of the CA certificate
  • CA and certificate creation can be done with:
    • OpenSSL ( www.openssl.org )
    • mkca ( http://klake.org/~jt/mkca/ )
  • Revocation list can be distributed to clients via a web server

Certificate Distribution
  • Currently, requests are submitted via an SSL web page
    • User enters encryption password
  • Personal certificates are ID’ed by <name>@hawaii.edu email address.
  • Existence and status of email address is checked, cert package is sent back to said address
  • Currently, there are manual steps
  • Currently issuing certs valid for one year, renewal strategy involves panicking
  • PHPki : http://sourceforge.net/projects/phpki/
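The local CA, e-mail-keyed user certificate, 3DES-encrypted .p12 bundle carrying the CA certificate, and web-distributable CRL described on the X.509 Certificates and Certificate Distribution slides, as an added example that is not part of the original talk. It uses OpenSSL only (not mkca or PHPki); the working directory, CA name, user address and export password are constructed placeholders, and it assumes the system's default openssl.cnf is present for `openssl req`.

```shell
# Added example (not the talk's code): local CA, e-mail-keyed user cert, 3DES .p12 with CA cert, CRL.
# CA_DIR, the CA name, the user address and the export password are constructed placeholders.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"
USER_MAIL="alice@example.edu"       # constructed sample identity (the talk keys certs by e-mail)
P12_PASS="example-export-pass"      # constructed; the requesting user would choose this
cd "$CA_DIR"
ca_init() {      # CA database files, a minimal config for 'openssl ca', and the self-signed root
    mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = loose
[ loose ]
commonName = supplied
emailAddress = optional
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example VPN CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
}
issue_cert() {   # $1 = file basename, $2 = subject DN; one-year validity comes from ca.cnf
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl ca -config ca.cnf -batch -in "$1.csr" -out "$1.crt" 2>/dev/null
}
make_p12() {     # legacy SHA1/3DES PBE so 2005-era Windows and OS X importers can read it
    openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt -name "$USER_MAIL" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$P12_PASS" -out user.p12
}
publish_crl() {  # revoke the user cert and regenerate the CRL a web server would hand out
    openssl ca -config ca.cnf -revoke user.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
p12_ca_count() { openssl pkcs12 -in user.p12 -passin "pass:$P12_PASS" -nokeys -cacerts | grep -c 'BEGIN CERTIFICATE'; }
user_revoked() { openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem user.crt >/dev/null 2>&1 && echo no || echo yes; }
ca_init; issue_cert server "/CN=vpn.example.edu"
issue_cert user "/CN=Alice Example/emailAddress=$USER_MAIL"
make_p12; publish_crl
```

After the script runs, user.p12 is what would be mailed back to the requesting address, and crl.pem is the file a client-facing web server would publish.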

Windows Configuration
  • Import certificate into proper place with “easy”* 19-step procedure
  • Configure VPN connection with “easy”* 17-step procedure
  • For NAT-T:
    • Win2000/XP-SP0/XP-SP1 must be patched
    • Windows XP SP2 requires altering a registry entry
  • Double-click connection icon, enter password
  • You’re connected

Windows Configuration
  • The cert import procedure can be replaced by a single command, with certimport
  • The Win XP SP2 registry entry is relatively easy to alter with a script
  • The connection can be created with a script (or so it seems)
  • The NSIS installer ( nsis.sourceforge.net ) can automate everything

Macintosh OS X
  • 10.3 Panther does GUI IPSec/L2TP, but not certificates.
  • 10.4 Tiger does GUI IPSec/L2TP, with certificates, but is more finicky about certificates than Windows
  • NAT-T as implemented in OS X uses the wrong RFC identifier when negotiating NAT-T with the IKE daemon, and will not work unless it is fixed or a hack is done in Openswan
  • PPTP is potentially secure, but if you set it up, how do you prevent Windows users from connecting to it?

Macintosh OS X
  • The OS X GUI client can probably be made to work
  • A work-around can be effected by editing the Kame IPSec config files in vi

Win XP Pro Built-In
  • Included in Windows XP
  • Accepts 1 connection at a time
  • Will do PPTP – MS-PPTP is BAD
    • Accepts PPTP connections from Mac OS X
  • Will do L2TP/IPSec
    • Authenticates IPSec with certificates
    • Authenticates access with a Windows password
    • I have used it with the Windows Mobile 2003 client
  • With Internet Connection Sharing, will act like a home gateway

Win XP Pro Built-In
  • All you need is a Windows XP machine that can reach your restricted resource
  • Will (supposedly) allow you to access LAN resources at the server end.
  • Will allow you to use Remote Desktop Securely

Acknowledgments
  • Jacco De Leeuw
    • http://www.jacco2.dds.nl/index.html
    • Guardian of the PVPN web page
  • Paul Wouters, Xelerence Corp.
    • Patient answerer of the same questions, over and over…
