Chapter 6. Virtual Private Networks

Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others. This can be an expensive proposition, especially for small to medium sized businesses (SMBs) that want to expand without paying the high costs associated with enterprise-level, dedicated digital circuits.

Engineers have developed a cost-effective solution to this problem in the form of Virtual Private Networks (VPNs). Following the same functional principles as dedicated circuits, VPNs allow for secured digital communication between two parties (or networks), creating a Wide Area Network (WAN) from existing LANs. Where it differs from frame relay or ATM is in its transport medium. VPNs transmit over IP or datagram (UDP) layers, making it a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open standard, open source encryption to further mask data in transit.

Some organizations employ hardware VPN solutions to augment security, while others use the software or protocol-based implementations. There are several vendors with hardware VPN solutions such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based VPN solution for Linux called FreeS/Wan that utilizes a standardized IPSec (or Internet Protocol Security) implementation. These VPN solutions act as specialized routers that sit between the IP connection from one office to another. When a packet is transmitted from a client, it sends it through the router or gateway, which then adds header information for routing and authentication called the Authentication Header (AH) and trailer information for CRC file integrity and security called the Encapsulation Security Payload (ESP).

With such a heightened level of security, a cracker must not only intercept a packet, but decrypt the packet as well (which, in the case of most VPNs, usually employ the triple Data Encryption Standard [3DES] 168-bit cipher). Intruders who employ a man-in-the-middle attack between a server and client must also have access to the keys exchanged for authenticating sessions. VPNs are a secure and effective means to connect multiple remote nodes to act as a unified Intranet.

The security, reliability, and functional compatibility with similar IPSec implementations make FreeS/Wan a strong candidate for WAN deployment. However, because of its strict focus on security, FreeS/Wan and other IPSec implementations have been observed to be more difficult to configure, deploy, and maintain than hardware VPN or proprietary software solutions. Red Hat Linux system administrators and security specialists must also take into account that there is currently no supported IPSec implementation included in their distribution of choice.

6.1. VPNs and Red Hat Linux

Red Hat Linux users and administrators have various options in terms of implementing a software solution to connect and secure their WAN. There are, however, two methods of implementing VPN and VPN-equivalent connections that are currently supported in Red Hat Linux. One equivalent solution involves using OpenSSH as a tunnel between two remote nodes. This solution is a sound alternative to telnet, rsh, and other remote host communication protocols, but it does not completely address the usability needs of all corporate telecommuters and branch offices. Another solution that is more adherent to the de facto definition of a VPN is Crypto IP Encapsulation (CIPE), a method of connecting remote LANs to function as a unified network.