From: Greg Russell on
We have an iptables firewalling router setup here that is working well,
as we've stress-tested it from external sites using all the attack tools
we can find.

We have several users that are "on the road" and require connectivity
from various sites such as motels, coffeehouses, airports and dialup to
various ISPs. We'd like to have a secure tunneling connection for these
users, and we'd like to ask what might be a viable solution that works
for all these various connection points?

By viable I mean that even username and password wouldn't be sniffable
during connection initiation.
From: Stachu 'Dozzie' K. on
["Followup-To:" header set to comp.os.linux.security.]
On 2010-01-25, Greg Russell <me(a)invalid.com> wrote:
> We have an iptables firewalling router setup here that is working well,
> as we've stress-tested it from external sites using all the attack tools
> we can find.
>
> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?
>
> By viable I mean that even username and password wouldn't be sniffable
> during connection initiation.

All three, SSH (v2), IPsec (Openswan is a good choice indeed; ipsec-tools
is pretty crappy in configuration) and OpenVPN are viable according to
your definition.

SSH would be the least problematic: it's just a single TCP port to be
enabled (and the port could be stolen from HTTPS, which is pretty
commonly passed through firewalls) and would work ideally for me, a Linux
admin. But would it be as simple for your users?

IPsec in the Openswan implementation is simple to configure once you manage
to understand IPsec itself (and that could be difficult). You need to
consider the other side of the connection, though, and if it's Windows, you
may need to do some more setup. But as it is a VPN, your users will see
resources as if they are connected directly to your network. And one
more thing, IPsec requires some non-standard setup for NATs. If you
don't know IPsec yet, don't use it now and save yourself a headache.

OpenVPN is a bit more troublesome in preparing the configuration file than
Openswan (not too much, though, if you know IP networks well), but it
needs just a single port (UDP or TCP, you choose) and still gives you
a VPN.

If your users are experienced un*x users, I'd stay with SSH. If they're
just clerks and/or management, I'd go for OpenVPN.

--
Secunia non olet.
Stanislaw Klekot
From: J G Miller on
On Mon, 25 Jan 2010 19:32:38 +0000, Greg Russell asked:

> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?

The most secure would, as far as I am aware, be ssh over an openvpn
session with TLS authentication.

Have a look at the introduction and further documentation at

<http://www.openvpn.NET/index.php/open-source.html>

For even more security, you could consider the use of smart cards plus
user PIN as part of the authorization procedure.

<http://michele.pupazzo.ORG/docs/smart-cards-openvpn.html>

One nice aspect of openvpn is that you can set up categories of users,
with different access privileges, if so desired.

QUOTE
The server can enforce client-specific access rights based on embedded
certificate fields, such as the Common Name.
UNQUOTE

And should a laptop machine be lost on the road, even though the system
should be set up requiring a password as well as a certificate on the
laptop, the certificate on the laptop can be revoked at any time.
From: Lusotec on
Greg Russell wrote:
> We have an iptables firewalling router setup here that is working well,
> as we've stress-tested it from external sites using all the attack tools
> we can find.
>
> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?

I would recommend ssh with public/private cryptographic keys. It is the
easiest to configure correctly and is flexible enough for most scenarios. It
is also very network/router/firewall friendly.

> By viable I mean that even username and password wouldn't be sniffable
> during connection initiation.

Don't use password authentication. The component between the screen and the
chair is too insecure and unreliable! ;)

Regards.

From: David Brown on
On 25/01/2010 20:32, Greg Russell wrote:
> We have an iptables firewalling router setup here that is working well,
> as we've stress-tested it from external sites using all the attack tools
> we can find.
>
> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?
>
> By viable I mean that even username and password wouldn't be sniffable
> during connection initiation.

ipsec solutions are certainly secure (with correct configuration, of
course), but can be a real pain for routing, NAT traversal, and so on.
You are also, as far as I know, limited to a single ipsec tunnel
endpoint for each ip address, though there can be many connections to
the same tunnel endpoint at a time. By that I mean that you can have
many clients connecting to the server, but they are all attached to the
same virtual network port on the server. Similarly, each client can
be connected to only one server at a time. (Hopefully someone will
correct me if that's not true.)

ssh is for remote shell access. You /can/ do port forwarding with it to
give access to other resources, but it is not great for the purpose - it
won't make the best use of the bandwidth, and it is far from convenient
to specify the forwarding connections if there are many of them.
However, it is extremely handy for doing ad-hoc connections and giving
yourself a "backdoor" into your system (put it on a non-standard port so
the bad guys don't keep knocking on it). You can either pre-share the
cryptographic keys or use passwords, or both.

openvpn is, IMHO, an extremely useful way to handle remote connections.
It can take a bit of learning to figure out how the configuration is
done, but when you've done it once you just copy and modify the
configuration file for others. It's a no-brainer for the clients - on
Windows you get an icon in your tray and you just select "connect" from
the menu as needed. On Linux you can use the command line or a GUI as
you fancy. You can configure it on the server with all sorts of
options, and happily have multiple tunnels on different ports. That way
you can have different groups connected to different virtual network
ports on the router, and use iptables and routing to connect them to
different parts of the network. Security is solid, with cryptographic
keys and optional passwords, and support for various other
identification systems.

I use openvpn whenever we need secure external access to a server, along
with an ssh backdoor for maintenance purposes.
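The two OpenVPN points raised in the thread, per-Common-Name access rights with revocation of a lost laptop's certificate (J G Miller) and one tunnel per user group tied to iptables (David Brown), put together in a server configuration. This is an added example, not a config from any poster; the file paths, subnets, Common Names and the PAM plugin path are constructed assumptions.

```conf
# Server-side OpenVPN config (added example; paths, subnets and names are constructed)
port 1194
proto udp
dev tun0                               # this group's own virtual interface
topology subnet
server 10.8.0.0 255.255.255.0          # address pool for this group

ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh.pem
tls-auth /etc/openvpn/keys/ta.key 0    # HMAC on control packets; unsigned probes are dropped before TLS
remote-cert-tls client                 # accept only certificates issued for client use
crl-verify /etc/openvpn/keys/crl.pem   # lost laptop: revoke its cert, republish the CRL, no server restart

# Per-client policy keyed on the certificate Common Name: the server looks
# for a file named after the CN in this directory. ccd-exclusive rejects
# any CN without such a file, so a validly signed but unknown cert gets nothing.
client-config-dir /etc/openvpn/ccd
ccd-exclusive

# --- /etc/openvpn/ccd/alice.laptop (one file per CN; constructed names) ---
#   ifconfig-push 10.8.0.50 255.255.255.0    # fixed address, so iptables can match on it
#   push "route 192.168.10.0 255.255.255.0"  # only the subnet this user needs
# --- /etc/openvpn/ccd/bob.laptop ---
#   push "route 192.168.10.0 255.255.255.0"
#   push "route 192.168.20.0 255.255.255.0"  # bob's group also sees a second subnet

# Optional second factor: certificate AND a password checked through PAM
# (plugin path differs between distributions; this one is an assumption).
# plugin /usr/lib/openvpn/openvpn-auth-pam.so login

# A second instance for another group is the same file with
#   port 1195 / dev tun1 / server 10.9.0.0 255.255.255.0
# and its own ccd directory. The router's FORWARD chain then decides what
# each virtual interface may reach, for example:
#   iptables -A FORWARD -i tun0 -d 192.168.10.0/24 -j ACCEPT
#   iptables -A FORWARD -i tun1 -d 192.168.0.0/16  -j ACCEPT
#   iptables -A FORWARD -i tun+ -j DROP

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

Because a client's address is pinned by its CN, the iptables rules can also match on `-s 10.8.0.50` to give one person, rather than one whole tunnel, access to a host.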