Implementing VPNs With Clients You Already Paid For (v0.9b)

Alan Whinery

whinery@hawaii.edu

July 19, 2005



What This Is About

  • An exercise in making virtual networks available to as many users, with as little cost, as possible.

  • An exercise in implementing a single service that will work with a viable client for each prominent operating system.

  • Exploiting pre-deployed resources

  • Exploiting recent developments in IPSec implementations

Copyright 2005, University Of Hawaii ITS



Why My Customers Are Interested In Virtual Networks

  • Home/Roadwarrior access to restricted resources

    • File shares

    • SMTP servers

    • Etc.

  • Side-stepping site network restrictions and tampering (e.g. hotel networks)

  • Some privacy concerns


What Do We Want?

  • To appear as if we’re at UH, no matter where we are. (tunneling)

  • To identify us, as we are distinct from them (authentication)

  • To acknowledge and grant our individual special privileges (?) (authorization)

  • Acceptable cost

  • Most people only want a VN (the virtual network, without the P)


Why Do We Want It?

  • Access restricted resources from anywhere

    • File servers

    • Printers

    • Remote Desktops

    • Mail servers

    • Restricted Web Content, Databases

  • Conceal data from eavesdroppers

  • Alternate Internet Access

  • Exotic Protocols


The Questions

  • Can a useful, non-proprietary, low-cost VPN service be developed to make use of the clients that are pre-deployed?

  • Can the procedural aspects of implementation be designed for security and deploy-ability?

  • Can the user setup be designed such that users can set it up?


Client OS Distribution @hawaii.edu (chart)


Windows OS Client Machines (chart)


Macintosh OS Client Machines (chart)


Unix(ish) Client Machines (chart)


VPN Implementations ($$$)

  • Cisco VPN

    • Free client

    • Proprietary; only works with Cisco Solutions

    • Expensive, complete solutions

    • Not already installed on thousands of computers

  • Netscreen VPN

    • Expensive, complete solutions

    • You can apparently use the clients I will describe today, instead of the Netscreen ones.


VPN Implementations ($)

  • Microsoft-style VPNs (PVPN)

    • Included client (already paid for)

      • Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP; see the PPTP warning below)

      • Mac OS X 10.3+ (IPSec/L2TP, PPTP)

      • Mac OS X 10.2 (PPTP only)

    • Standards-based, works with many things

    • Free client

      • Windows 98SE, Windows ME, Windows NT 4.0

        • IPSec/L2TP, PPTP (same warning)

    • Already installed on thousands of computers

    • Capable of good functionality

    • Included server in Windows XP Pro


Wait! They all do PPTP! Hooray! We’re saved!

  • PPTP is:

    • A viable VPN solution, in principle

    • Developed by a vendor consortium led by Microsoft (RFC 2637); Cisco’s competing protocol was L2F, and the two were merged into L2TP

  • Cisco doesn’t do it

  • Microsoft’s implementation is WORTHLESS.

    • Using PPTP with Windows clients will expose sensitive information to eavesdroppers: the MS-CHAP authentication exchange can be attacked offline, and the MPPE session keys are derived from the user’s password (the Schneier/Mudge analyses of 1998 and 1999)

    • After denying that it had problems for years, Microsoft has now designated PPTP as “non-strategic”

    • Setting up a PPTP server for Macs would probably result in Windows users connecting to it.


VPN Implementations ($)

  • Microsoft-style VPNs (PVPN)

    • Included client (already paid for)

      • Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP; see the warning above)

      • Mac OS X 10.3+ (IPSec/L2TP, PPTP)

      • Mac OS X 10.2 (PPTP only)

    • Standards-based, works with many things

    • Free client

      • Windows 98, Windows NT 4.0

        • IPSec/L2TP, PPTP (same warning)

    • Already installed on thousands of computers

    • Capable of good functionality

    • Included server in Windows XP Pro


Um, OK… Go on…

  • IPSec

    • Standard from the IETF

    • A security technology first

    • Very flexible

      • Can be used with strong encryption

      • Can be used with strong authentication

    • Quirky

  • Many experts seem to agree that IPSec is the network Encryption/Authentication technology that has the fewest things wrong with it.


The Set-up

  • There is a VPN client included in MS Windows XP, 2000, and Mobile 2003

  • There is a free MS VPN client for Windows 98SE, ME, NT 4.0

  • There is a VPN client included in Apple OS X 10.3 and 10.4

  • There are several free VPN approaches for Unices


Voice Over IP

  • Using the free packet sniffer Ethereal, someone with access to your VOIP packets can dump the RTP audio to a file and listen to it with Windows Media Player, all within about 60 seconds.

  • Most VOIP sends key presses (DTMF digits) “in the clear”

  • There should not be many places where someone can get access to these packets, but hey: “Should not”…


About Encryption

  • Key Management is key

    • Holy crap, I accidentally created a PKI!

  • Open standards are stronger than closed ones

  • Much that is sensitive is already encrypted (SSL/TLS)


Common VPN Protocols

  • PPTP: Point-to-Point Tunneling Protocol

    • Microsoft and the PPTP Forum vendors (RFC 2637)

  • L2TP: Layer 2 Tunneling Protocol

    • RFC 2661; carries PPP and is itself unencrypted, hence “L2TP/IPSec”

  • IPSec: IETF IP security (RFC 2401); ESP does the encryption, IKE the keying


IPSec In The Real World

  • The standards are complex.

  • Deciding which bits of standard are useful is difficult.

  • From the user POV, who cares, anyways?

  • We want to know what can be done with what’s available


IPSec In The Real World

  • Authentication

    • Shared secret

    • X.509 certificates from local CA


IPSec In The Real World

  • NAT sensitivity

    • NAT is what your Netgear/Linksys/Asante/etc. home gateway does.

    • Stands for “Network Address Translation”

    • Plain IPSec does not survive it: AH covers the IP header that NAT rewrites, and ESP carries no port numbers for the gateway to translate

    • IPSec has since been extended to work through NAT; the addition is called “NAT Traversal” or NAT-T (RFC 3947/3948): IKE detects the NAT, and ESP is encapsulated in UDP (port 4500)

    • Without NAT-T, typically only one IPSec client can go through a NAT device at a time

    • This is appropriate for most home-to-work scenarios


Exploiting The Installed Clients

  • We have thousands of usable clients installed

  • What do we need to use them?

    • IPSec/L2TP Service

      • Authentication/Key Distribution Strategy

        • Configuration

    • UH ID/Password Authentication

      • RADIUS, et al.


PVPN Client Capabilities (chart)


Making A Linux VPN Server

  • Relatively mature implementations exist as kernel patches

    • *S/WAN (FreeS/WAN and its forks Openswan and strongSwan): KLIPS kernel patches, userland tools

    • KAME (ipsec-tools, racoon): kernel patches, userland tools

  • Third-party kernel patches are not optimal

    • Loss of patch development can stall kernel upgrades

  • Recent 2.6 kernels include built-in IPSec (the NETKEY/XFRM stack)

    • Both the *S/WAN and KAME tools work with 2.6 kernel IPSec


Choosing Turtle or Swan

  • I have set up ipsec-tools (KAME)

    • Works great with kernel IPSec

    • Except NAT-T in transport mode

  • Openswan 2.3.1dr3/K2.6.11.6

    • Does everything I need


L2TPD

  • l2tpd (l2tpd.sourceforge.net)

    • Most common Unix(ish) L2TP package

    • Hasn’t been developed for 4 years

    • Has some issues with Windows L2TP

    • Works as either client or server

    • Requires configuration of Linux PPP (pppd)

    • Does not do dynamic address assignment

    • Branch project, rp-l2tpd, is also stalled


L2TPNS

  • l2tpns ( l2tpns.sourceforge.net )

    • Acts as server side only

    • Handles PPP internally

    • Better performance than l2tpd

    • Assigns dynamic addresses

    • Supports multiple-server clustering

    • Speaks BGP

    • Active development: Last release: July 2, 2005

    • Has CLI interface with “show banana” command

  • ns = “network server”


Sold!


Server Set-Up

  • Compile a Linux 2.6.xx kernel with IPSec (NETKEY), tun/tap, etc.

  • OpenSSL is already present in most Linux distributions ( www.OpenSSL.org )

  • Get Openswan ( www.openswan.org )

  • Get l2tpns ( l2tpns.sourceforge.net )

  • Compile and install everything

  • Set up OpenSSL and mkca on an isolated server: the CA key never lives on the VPN box

  • Generate the server certificate and install it (with the CA certificate) on the VPN box
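The server-side configuration these steps lead up to, as an added example that is not from the slides and not the Openswan project's own sample: a shell snippet that writes an Openswan 2.x ipsec.conf with one certificate-authenticated L2TP/IPSec transport-mode connection, NAT-T enabled, and a companion conn for clients behind NAT. The server address, certificate file name and private-network list are placeholders; the directive names are the ones documented in Openswan's ipsec.conf(5), but the syntax shifted between releases, so check each against the version you actually build.

```shell
#!/bin/sh
# Added example (not from the talk): generate an Openswan ipsec.conf for a
# certificate-authenticated L2TP/IPSec road-warrior service with NAT-T.
# Writes ./ipsec.conf by default; set IPSEC_CONF=/etc/ipsec.conf on the real
# server. Every address and path below is a placeholder.
set -eu

SERVER_IP="${SERVER_IP:-203.0.113.10}"                   # public VPN address (TEST-NET-3 placeholder)
SERVER_CERT="${SERVER_CERT:-/etc/ipsec.d/certs/vpnserver.pem}"
CLIENT_NETS="${CLIENT_NETS:-%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12}"

write_ipsec_conf() {   # $1 = output path
  cat > "$1" <<EOF
# ipsec.conf for Openswan, generated by write_ipsec_conf (added example).
# Companion files (Openswan's documented layout):
#   /etc/ipsec.d/cacerts/   the CA certificate
#   /etc/ipsec.d/crls/      the CRL fetched from the web server
#   /etc/ipsec.d/private/   the server key, named in /etc/ipsec.secrets as
#                           ': RSA /etc/ipsec.d/private/vpnserver.key'
version 2.0

config setup
        # NAT-T: detect NAT during IKE, UDP-encapsulate ESP on port 4500
        nat_traversal=yes
        # RFC 1918 ranges a NATed client may sit behind; exclude your own
        # LAN with an extra %v4:!<your LAN> entry
        virtual_private=${CLIENT_NETS}
        # re-read /etc/ipsec.d/crls every 10 minutes (value in seconds)
        crlcheckinterval=600
        interfaces=%defaultroute

# Certificate-authenticated L2TP/IPSec, transport mode (L2TP is the tunnel)
conn L2TP-CERT
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=3
        type=transport
        left=${SERVER_IP}
        leftrsasigkey=%cert
        leftcert=${SERVER_CERT}
        leftprotoport=17/1701
        right=%any
        rightrsasigkey=%cert
        # accept any client certificate issued by our own CA
        rightca=%same
        # Windows XP SP2 and OS X clients pick a random UDP source port
        rightprotoport=17/%any
        auto=add

# Same thing for a client behind NAT: its apparent inner address must fall
# inside virtual_private above
conn L2TP-CERT-NAT
        rightsubnet=vhost:%priv
        also=L2TP-CERT
EOF
}

# Number of 'conn' sections in a generated file (sanity check for the demo).
count_conns() { grep -c '^conn ' "$1"; }

write_ipsec_conf "${IPSEC_CONF:-./ipsec.conf}"
```

The two conns differ only in `rightsubnet=vhost:%priv`, which is how Openswan lets a NATed peer claim a private address from the `virtual_private` list; keeping the shared settings in one conn and referencing it with `also=` avoids the two drifting apart.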


Server As A Package

  • Once set up for this purpose, there are minimal differences between installations

  • Server could be packaged as a live CD distribution with CD/Flash/floppy based site configs

  • VPN service needs its own box, because you can’t route tunnel endpoints through the tunnel.


X.509 Certificates

  • Certificates can be individual and revocable

  • If use is limited and local, you may as well root the CA here at home

  • PVPNs use the PKCS#12 (*.p12) distribution format: the user’s private key and certificate, 3DES-encrypted under a password, bundled with a copy of the CA certificate

  • CA and certificate creation can be done with:

    • OpenSSL ( www.openssl.org )

    • mkca ( http://klake.org/~jt/mkca/ )

  • The revocation list (CRL) can be distributed to clients via a web server


Certificate Distribution

  • Currently, requests are submitted via an SSL web page

    • User enters the encryption password for the certificate package

  • Personal certificates are identified by the user’s <name>@hawaii.edu email address.

  • Existence and status of the email address are checked, and the cert package is sent back to that address

  • Currently, there are manual steps

  • Currently issuing certs valid for one year; the renewal strategy involves panicking

  • PHPki : http://sourceforge.net/projects/phpki/
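The certificate workflow of the two slides above (local CA, e-mail-identified user certs, 3DES-encrypted .p12 bundles carrying the CA certificate, a CRL published by a web server), as an added example that is not from the talk and is neither mkca nor PHPki: a POSIX shell script driving only the openssl command line. The CA name, user addresses and passwords are made up for the demo; the web form and the mail step are left out.

```shell
#!/bin/sh
# Added example (not from the talk, and not mkca or PHPki): a minimal local CA
# for PVPN-style certificate distribution, driven entirely by the openssl CLI.
#   - one self-signed root whose key stays on the isolated CA machine
#   - per-user certificates identified by the user's e-mail address
#   - PKCS#12 bundles (key + cert + CA cert) in the legacy 3DES encoding
#   - revocation, and a CRL you can publish from a web server
# Every name, address and password below is made up for the demo.
set -eu

pvpn_ca_init() {   # $1 = CA working directory (created; the script cd's into it)
  mkdir -p "$1"
  cd "$1"
  : > index.txt          # 'openssl ca' database, empty to start
  echo 01 > crlnumber    # CRL sequence number, bumped on every -gencrl
  echo 01 > serial
  # Minimal 'openssl ca' section: used only for -revoke and -gencrl here.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = pvpn_ca

[ pvpn_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
  # Self-signed root, 10 years. Extensions come from ca.ext rather than the
  # system openssl.cnf, so the result is the same on every OpenSSL install.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout ca.key -out ca.csr \
      -subj "/O=Example University ITS/CN=Example PVPN Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  openssl x509 -req -sha256 -days 3650 -in ca.csr -signkey ca.key \
      -extfile ca.ext -out ca.crt 2>/dev/null
  rm -f ca.csr ca.ext
}

pvpn_issue() {     # $1 = user e-mail (the certificate's identity), $2 = .p12 password
  user="$1"; pass="$2"
  # Key and CSR are generated CA-side, as the web-request workflow implies.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$user.key" -out "$user.csr" \
      -subj "/CN=$user/emailAddress=$user" 2>/dev/null
  # The address also goes into subjectAltName, which is the field IKE
  # daemons compare a peer identity against.
  printf 'subjectAltName=email:%s\nextendedKeyUsage=clientAuth\n' "$user" > "$user.ext"
  # One-year validity, as on the slides.
  openssl x509 -req -sha256 -days 365 -in "$user.csr" \
      -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile "$user.ext" -out "$user.crt" 2>/dev/null
  # PKCS#12 bundle: key + cert + CA cert, password-protected. The explicit
  # PBE-SHA1-3DES / SHA-1 MAC is the encoding 2000-era Windows and OS X
  # importers understand; OpenSSL 3 would otherwise default to AES/SHA-256.
  openssl pkcs12 -export -in "$user.crt" -inkey "$user.key" -certfile ca.crt \
      -name "$user" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
      -passout "pass:$pass" -out "$user.p12"
  rm -f "$user.csr" "$user.ext"
}

pvpn_revoke() {    # $1 = user e-mail; regenerates ca.crl for publication
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# Exit 0 if the user's cert chains to our CA and is absent from the current
# CRL (the check the VPN server makes with the CRL it fetched from the web).
pvpn_check() {     # $1 = user e-mail
  if [ -f ca.crl ]; then
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
  fi
}

# Exit 0 if the bundle opens with the password and carries a CA certificate.
pvpn_p12_has_ca() { # $1 = user e-mail, $2 = .p12 password
  openssl pkcs12 -in "$1.p12" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# Demo: enrol two users, then revoke one. Runs in a throw-away directory.
pvpn_demo() {
  pvpn_ca_init "$(mktemp -d)"
  pvpn_issue alice@example.edu s3cret-alice
  pvpn_issue bob@example.edu s3cret-bob
  pvpn_revoke alice@example.edu
}
pvpn_demo
```

Two choices worth noting: the root is signed with `openssl x509 -req -extfile` instead of `req -x509`, so its CA and keyUsage extensions do not depend on whatever `[v3_ca]` section the host's openssl.cnf happens to contain; and the .p12 password is never written to disk, which is the one property the e-mail delivery of the bundle relies on.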


Windows Configuration

  • Import the certificate into the proper store with the “easy” 19-step procedure

  • Configure the VPN connection with the “easy” 17-step procedure

  • For NAT-T:

    • Win2000/XP-SP0/XP-SP1 must be patched (the NAT-T update for the IPSec client)

    • Windows XP SP2 requires altering a registry entry (the AssumeUDPEncapsulationContextOnSendRule value under HKLM\SYSTEM\CurrentControlSet\Services\IPSec; see Microsoft KB 885407)

  • Double-click the connection icon, enter the password

  • You’re connected


Windows Configuration

  • The cert import procedure can be replaced by a single command, with certimport

  • The Win XP SP2 registry entry is relatively easy to alter with a script

  • The connection can be created with a script (or so it seems)

  • An NSIS installer ( nsis.sourceforge.net ) can automate everything


Macintosh OS X

  • 10.3 Panther does GUI IPSec/L2TP, but not certificates.

  • 10.4 Tiger does GUI IPSec/L2TP with certificates, but is more finicky about certificates than Windows

  • NAT-T as implemented in OS X advertises the wrong NAT-T draft/RFC vendor ID when negotiating with the IKE daemon, and will not work unless that is fixed, or a hack is done in Openswan

  • PPTP is potentially secure with the Mac client, but if you set it up, how do you prevent Windows users from connecting to it?


Macintosh OS X

  • The OS X GUI client can probably be made to work

  • A work-around can be effected by editing the KAME IPSec (racoon) config files in vi


Win XP Pro Built-In

  • Included in Windows XP

  • Accepts 1 connection at a time

  • Will do PPTP – MS-PPTP is BAD

    • Accepts PPTP connections from Mac OS X

  • Will do L2TP/IPSec

    • Authenticates IPSec with certificates

    • Authenticates access with a Windows password

    • I have used it with the Windows Mobile 2003 client

  • With Internet Connection Sharing, will act like a home gateway


Win XP Pro Built-In

  • All you need is a Windows XP machine which can reach your restricted resource

  • Will (supposedly) allow you to access LAN resources at the server end.

  • Will allow you to use Remote Desktop Securely


Acknowledgments

  • Jacco De Leeuw

    • http://www.jacco2.dds.nl/index.html

    • Guardian of the PVPN web page

  • Paul Wouters, Xelerance Corp.

    • Patient answerer of the same questions, over and over…
