Red Hat Enterprise Linux 4 Security Guide: Virtual Private Networks; VPNs and Red Hat Enterprise Linux; IPsec


Chapter 6. Virtual Private Networks

Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others. This can be an expensive proposition, especially for small to medium-sized businesses (SMBs) that want to expand without paying the high costs associated with enterprise-level, dedicated digital circuits.
To address this need, Virtual Private Networks (VPNs) were developed. Following the same functional principles as dedicated circuits, VPNs allow for secured digital communication between two parties (or networks), creating a Wide Area Network (WAN) from existing Local Area Networks (LANs). Where a VPN differs from frame relay or ATM is in its transport medium: VPNs transmit over IP, using datagrams as the transport layer, which makes the VPN a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open standard encryption methods to further mask data in transit.
Some organizations employ hardware VPN solutions to augment security, while others use software or protocol-based implementations. Several vendors offer hardware VPN solutions, such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based VPN solution for Linux called FreeS/Wan that utilizes a standardized IPsec (Internet Protocol Security) implementation. These VPN solutions, whether hardware or software based, act as specialized routers that sit between the IP connection from one office to another.
When a client transmits a packet, the packet passes through the VPN router or gateway, which adds header information for routing and authentication called the Authentication Header (AH). The data is encrypted and enclosed with decryption and handling instructions called the Encapsulating Security Payload (ESP). The receiving VPN router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or a node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets decrypted and ready for processing. The encryption/decryption process in a network-to-network VPN connection is transparent to a local node.
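The gateway-side handling described above (wrap the packet and authenticate it on the way out; verify, strip the header and trailer, and route on the way in), as an added Python example that is not code from the guide or from FreeS/Wan: it builds and checks an ESP datagram in the RFC 4303 layout with an HMAC-SHA-256-128 integrity check and a replay window. The SA key, SPI and inner packet are constructed demo values, and the payload is left in the clear (integrity-only ESP); a real gateway also encrypts it with the cipher negotiated for the Security Association.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a shared SA authentication key and SPI (not from the guide).
SA_AUTH_KEY = b"example-sa-auth-key-for-demo-only"
SPI = 0x1000CAFE
IPPROTO_IPIP = 4   # Next Header in tunnel mode: the payload is a complete inner IP datagram
ICV_LEN = 16       # HMAC-SHA-256-128 (RFC 4868) truncates the tag to 128 bits


def esp_encapsulate(inner_packet: bytes, seq: int) -> bytes:
    """Sending gateway: wrap an inner IP packet as SPI | seq | payload | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(inner_packet) + 2)) % 4          # payload + padding + 2 trailer bytes must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default padding bytes 1, 2, 3, ...
    body = struct.pack("!II", SPI, seq) + inner_packet + padding + bytes([pad_len, IPPROTO_IPIP])
    icv = hmac.new(SA_AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Receiving gateway: check the ICV, reject replays, strip the ESP header and trailer."""

    def __init__(self, window: int = 64):
        self.window, self.highest, self.seen = window, 0, set()

    def decapsulate(self, datagram: bytes) -> bytes:
        body, icv = datagram[:-ICV_LEN], datagram[-ICV_LEN:]
        expected = hmac.new(SA_AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):    # verify before trusting any other field
            raise ValueError("ESP integrity check failed")
        spi, seq = struct.unpack("!II", body[:8])
        if spi != SPI:
            raise ValueError("no Security Association for this SPI")
        # Anti-replay: sequence numbers already seen or older than the window are dropped.
        if seq in self.seen or seq + self.window <= self.highest:
            raise ValueError("replayed or stale sequence number")
        self.seen.add(seq)                            # a real stack keeps a sliding bitmap instead
        self.highest = max(self.highest, seq)
        pad_len, next_hdr = body[-2], body[-1]
        if next_hdr != IPPROTO_IPIP:
            raise ValueError("unexpected next header")
        return body[8:len(body) - 2 - pad_len]        # the inner packet, ready to be routed


def gateway_accepts(receiver: EspReceiver, datagram: bytes):
    """Inner packet the receiving gateway would forward, or None if it drops the datagram."""
    try:
        return receiver.decapsulate(datagram)
    except ValueError:
        return None
```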
With such a heightened level of security, a cracker must not only intercept a packet but also decrypt it. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys used to authenticate sessions. Because they employ several layers of authentication and encryption, VPNs are a secure and effective means to connect multiple remote nodes so that they act as a unified Intranet.

6.1. VPNs and Red Hat Enterprise Linux

Red Hat Enterprise Linux users have various options for implementing a software solution to securely connect to their WAN. Internet Protocol Security, or IPsec, is the supported VPN implementation for Red Hat Enterprise Linux; it sufficiently addresses the usability needs of organizations with branch offices or remote users.

6.2. IPsec

Red Hat Enterprise Linux supports IPsec for connecting remote hosts and networks to each other
using a secure tunnel on a common carrier network such as the Internet. IPsec can be implemented
using a host-to-host (one computer workstation to another) or network-to-network (one LAN/WAN to
