
Get the basics of a secure VPN

Virtual Private Networks (VPNs) seem to be a hot topic lately; a week doesn't go by without a new article or white paper being released on the subject. For many business users, having instant access to data while on the move is now seen as a necessity rather than a luxury. Gone are the days of slow and troublesome dial-up connections; we're now in the age of broadband! These days high-speed internet access is cheap and offers speeds which could only have been dreamt of ten years ago, and Wi-Fi hotspots offer access from most coffee shops, city centers and airports. This is the first form of VPN: remote access, where a roaming user's machine builds an encrypted tunnel across the Internet to a gateway on the corporate network. The other form of VPN is that which connects two private networks, using public networks as a bridge. A gateway on each of the private networks faces the Internet, and data is then transferred between the two gateways via this low-cost public infrastructure. This allows branch offices to share data and work together effectively without the horrendous costs involved in hiring private lines.


The advantages of allowing data access via public networks are clear: high speed and low cost. Where's the catch? Well, as per usual the issue is that of security. It's all very well utilizing public networks, but they are just that: public. Since anyone could be viewing the data you transmit, we have to assume that someone is, and that they can also alter or replay it. Let's take a look at two protocols developed to address security in this area.

Point-to-Point Tunnelling Protocol (PPTP) was developed by Microsoft together with several remote-access vendors to enable remote users to access corporate networks across the Internet. It first shipped in Windows NT 4, and the protocol specification was published (it is now RFC 2637) so that third parties could develop compatible software. The key point in the protocol's description is that "PPTP encapsulates the encrypted and compressed PPP packets into IP datagrams for transmission over the Internet." In other words, PPTP itself is only the tunnel: a control connection on TCP port 1723 sets up the call, and the PPP frames travel inside GRE (IP protocol 47). Authentication comes from PPP's MS-CHAP and the encryption from Microsoft Point-to-Point Encryption (MPPE), an RC4 stream cipher keyed from the user's password hash. One thing which makes PPTP a good choice for remote or roaming users is that all versions of Windows (NT4 to XP) have an inbuilt client program, meaning there is no need for additional software installation. Be aware, though, that PPTP is only as strong as MS-CHAP and MPPE: cryptanalyses published in 1998 and 1999 found serious weaknesses in MS-CHAP version 1 and in MPPE, and showed that MS-CHAPv2's strength is bounded by the user's password. A PPTP server should therefore accept nothing but MS-CHAPv2 with 128-bit MPPE and strong passwords, and IPSec is the better choice wherever the clients support it. Windows Server can be used as the PPTP server; however, for those not already using Windows Server, a better solution may be Poptop. Poptop is an open source PPTP server which can be hosted on a Linux platform; Cyberguard even use Poptop in their embedded VPN solutions.
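The settings that decide whether a Poptop server is merely reachable or actually protected live in pppd's options file, not in pptpd itself. The following is an added example, my own provisioning script rather than code from the article or from the Poptop project: it writes a pptpd.conf, a hardened options.pptpd and a chap-secrets file, then audits an options file for the authentication and MPPE settings, rejecting a typical "it works" configuration. It assumes a Linux host with the default paths /etc/pptpd.conf and /etc/ppp/ (the platform the article names for Poptop); the 10.8.0.0/24 pool, the user "alice" and her secret are constructed placeholders, and everything is written under a scratch directory (ROOT) so it can be run without touching the live system.

```shell
#!/bin/sh
# Added example, not code from the article or from the Poptop project: provision a Poptop (pptpd)
# server whose PPP side refuses everything weaker than MS-CHAPv2 with 128-bit MPPE, and audit an
# options file for those settings.
# Assumptions (constructed): pptpd reads /etc/pptpd.conf and /etc/ppp/options.pptpd and pppd keeps
# passwords in /etc/ppp/chap-secrets (the Linux defaults); the pool 10.8.0.0/24 and user "alice"
# are placeholders. ROOT defaults to a scratch directory so nothing under /etc is touched.
ROOT="${ROOT:-$(mktemp -d)}"

# pptpd.conf: which pppd options file to use and which addresses to hand out to clients.
write_pptpd_conf() {
    mkdir -p "$ROOT/etc/ppp"
    cat > "$ROOT/etc/pptpd.conf" <<'EOF'
option /etc/ppp/options.pptpd
localip 10.8.0.1
remoteip 10.8.0.100-199
EOF
}

# options.pptpd: the pppd options that actually decide the tunnel's security.
write_pppd_options() {
    cat > "$ROOT/etc/ppp/options.pptpd" <<'EOF'
name pptpd
# Refuse every authentication method weaker than MS-CHAPv2. PAP sends the password
# in the clear, and neither PAP nor plain CHAP can derive MPPE keys, so accepting
# them means accepting an unencrypted tunnel.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Insist on 128-bit MPPE; the 40-bit variant is brute-forceable.
require-mppe-128
ms-dns 10.8.0.1
proxyarp
lock
nodefaultroute
nobsdcomp
novj
novjccomp
EOF
}

# chap-secrets: "client server secret IP"; holds plaintext passwords, so root-only.
write_chap_secrets() {
    cat > "$ROOT/etc/ppp/chap-secrets" <<'EOF'
# client   server   secret                           IP addresses
alice      pptpd    "correct horse battery staple"   *
EOF
    chmod 600 "$ROOT/etc/ppp/chap-secrets"
}

# A typical "it works" options file for comparison: method and encryption left to the client.
write_weak_options() {
    cat > "$ROOT/etc/ppp/options.weak" <<'EOF'
name pptpd
ms-dns 10.8.0.1
proxyarp
lock
EOF
}

# audit_pppd_options <file>: returns 0 if every required line is present, 1 (with a report) otherwise.
audit_pppd_options() {
    _missing=""
    for _opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        grep -qx "$_opt" "$1" || _missing="$_missing $_opt"
    done
    [ -z "$_missing" ] && return 0
    echo "$1: weak, missing$_missing" >&2
    return 1
}

write_pptpd_conf; write_pppd_options; write_chap_secrets; write_weak_options
audit_pppd_options "$ROOT/etc/ppp/options.pptpd" && echo "options.pptpd: hardened"
audit_pppd_options "$ROOT/etc/ppp/options.weak" || echo "options.weak: rejected"
# On the real host, as root: install the three files under /etc, start pptpd, and watch the
# system log while a Windows client connects to confirm it negotiated MS-CHAPv2 and MPPE-128.
```

Run it with ROOT=/ as root to write the live files; without ROOT it only produces the files in a temporary directory for inspection. The audit function is deliberately strict about exact lines, so a commented-out `refuse-pap` counts as missing.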

IP Security (IPSec) is a standards-track suite of protocols for authenticating and encrypting IP packets. It works at the network layer, so it protects whatever runs above it without changes to applications, and it can create a secure tunnel between two nodes via a public network. Its main parts are the Encapsulating Security Payload (ESP) protocol, the Authentication Header (AH) protocol and the Internet Key Exchange (IKE) protocol. ESP takes care of data encryption and, when configured with an integrity algorithm, authentication of each packet; AH provides integrity and origin authentication without encryption; IKE authenticates each host using a pre-shared secret, RSA signatures or X.509 certificates, and negotiates the security associations (the algorithms, keys and lifetimes) that ESP then uses. IPSec has two modes: transport mode protects only the payload between two hosts, while tunnel mode wraps the whole original packet inside a new one and is what a gateway-to-gateway VPN uses. Giants such as Microsoft and Cisco have adopted IPSec and support its use.


In a small to medium enterprise, cost is normally a big consideration. I personally use OpenBSD to provide for our company's VPN needs; OpenBSD takes a paranoid approach with proactive security and integrated cryptography, and best of all, it's free! All of the tools needed for creating point-to-point VPN connections are included by default: the kernel IPSec stack, isakmpd(8) for IKE and, from OpenBSD 3.8 onwards, ipsecctl(8) with its far simpler ipsec.conf(5). Poptop is also available in the OpenBSD ports tree (the collection of third-party Unix software packaged to build on OpenBSD). The system manual pages give full instructions on setting up your VPN; this can look a little in-depth and over-complex, but once you have an understanding of what's happening it's really quite simple. The inbuilt firewall, Packet Filter (pf), is very simple but powerful, making OpenBSD a good multipurpose platform; DHCP, DNS, FTP, VPN and PPTP can all be run with proven reliability and security. The configuration of Poptop is a little more difficult; it took me 3-4 days of reading mailing list archives and manuals to actually get it working, but now that I know how, it doesn't take long to set up a new server.
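The ESP/IKE split described above and the OpenBSD tools mentioned here come together in ipsec.conf(5), which since OpenBSD 3.8 replaces a hand-written isakmpd.conf. What follows is an added example, my own shell script rather than the article's configuration or anything shipped by the OpenBSD project: it generates the ipsec.conf for both gateways of a branch-office tunnel, the matching pf rules, and a check that rejects weak proposals before they are loaded. Assumed and constructed for illustration: branch A is 192.168.1.0/24 behind gateway 203.0.113.1, branch B is 192.168.2.0/24 behind 203.0.113.2, the Internet-facing interface is em0, and all files are written under a scratch directory (ROOT) rather than /etc.

```shell
#!/bin/sh
# Added example, not the article's configuration or OpenBSD project code: generate ipsec.conf(5)
# for both ends of a gateway-to-gateway IPsec tunnel, plus the pf rules it needs, and check the
# proposals before loading them with ipsecctl(8).
# Assumptions (constructed): branch A is 192.168.1.0/24 behind 203.0.113.1, branch B is
# 192.168.2.0/24 behind 203.0.113.2, the Internet-facing interface is em0. ROOT defaults to
# a scratch directory so the script never writes to /etc.
ROOT="${ROOT:-$(mktemp -d)}"
A_NET=192.168.1.0/24; A_GW=203.0.113.1
B_NET=192.168.2.0/24; B_GW=203.0.113.2

# 256-bit random pre-shared key as hex; the same string must be installed on both gateways,
# carried there out of band (never over the tunnel it is about to protect).
gen_psk() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# write_ipsec_conf <dir> <role> <local_net> <remote_net> <remote_gw> <psk>
# One "ike" rule per gateway. Phase 1 (main mode) authenticates the peers with the PSK and
# runs a Diffie-Hellman exchange; phase 2 (quick mode) negotiates the ESP SA for LAN-to-LAN
# traffic. With a PSK the peers identify themselves by IP address, so no srcid/dstid is needed.
write_ipsec_conf() {
    mkdir -p "$1/etc"
    cat > "$1/etc/ipsec.conf" <<EOF
ike $2 esp from $3 to $4 peer $5 \\
    main  auth hmac-sha2-256 enc aes-256 group modp2048 \\
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \\
    psk "$6"
EOF
    chmod 600 "$1/etc/ipsec.conf"          # it contains the PSK
}

# write_pf_rules <dir> <peer_gw> <local_net> <remote_net>
# Admit IKE (UDP 500, and 4500 for NAT traversal) and ESP from the peer gateway only;
# decapsulated packets appear on enc0, where the LAN-to-LAN policy is enforced.
write_pf_rules() {
    mkdir -p "$1/etc"
    cat > "$1/etc/pf.conf.ipsec" <<EOF
ext_if = "em0"
pass in on \$ext_if proto udp from $2 to (\$ext_if) port { 500, 4500 }
pass in on \$ext_if proto esp from $2 to (\$ext_if)
pass in  on enc0 from $4 to $3 keep state (if-bound)
pass out on enc0 from $3 to $4 keep state (if-bound)
EOF
}

# check_ipsec_conf <file>: refuse proposals an older howto might still show. In aggressive
# mode the responder's PSK-derived hash goes over the wire before encryption starts, so a
# sniffer can brute-force the key offline; 3DES, MD5, SHA-1 and DH groups of 1536 bits or
# less are below today's floor.
check_ipsec_conf() {
    if grep -Eq 'aggressive|3des|hmac-md5|hmac-sha1|modp(768|1024|1536)' "$1"; then
        echo "$1: weak proposal" >&2
        return 1
    fi
    return 0
}

PSK=$(gen_psk)
write_ipsec_conf "$ROOT/gw-a" active  "$A_NET" "$B_NET" "$B_GW" "$PSK"   # A initiates
write_ipsec_conf "$ROOT/gw-b" passive "$B_NET" "$A_NET" "$A_GW" "$PSK"   # B waits for A
write_pf_rules   "$ROOT/gw-a" "$B_GW" "$A_NET" "$B_NET"
write_pf_rules   "$ROOT/gw-b" "$A_GW" "$B_NET" "$A_NET"
check_ipsec_conf "$ROOT/gw-a/etc/ipsec.conf" && echo "gw-a: proposals ok"

# A constructed 2003-style rule, to show what the check rejects.
printf 'ike aggressive esp from %s to %s peer %s main auth hmac-md5 enc 3des group modp1024 psk "secret"\n' \
    "$A_NET" "$B_NET" "$B_GW" > "$ROOT/weak.conf"
check_ipsec_conf "$ROOT/weak.conf" || echo "weak.conf: rejected"

# On each gateway, as root (not run here): install gw-X/etc/ipsec.conf as /etc/ipsec.conf, append
# pf.conf.ipsec to /etc/pf.conf and run `pfctl -f /etc/pf.conf`, set net.inet.ip.forwarding=1 in
# /etc/sysctl.conf, then `isakmpd -K` and `ipsecctl -f /etc/ipsec.conf`. `ipsecctl -sa` lists the
# negotiated SAs and `tcpdump -n -i enc0` shows the cleartext side of the tunnel.
```

The two rules are mirror images: gateway A is `active` and starts the negotiation, gateway B is `passive` and only answers, which stops B from initiating to an address that is not the one in its own `peer` clause. Keeping the pf rules keyed to the peer address means a stray IKE packet from anywhere else on the Internet never reaches isakmpd.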


As you can see from a quick Google search, there are many companies offering different VPN solutions, all based around the same underlying technology. Most of them don't come cheap, and that's not even taking into account consultancy fees, etc. I hope I've shown here that implementing a secure VPN solution (whether it be for remote/roaming users or interoffice communication) doesn't have to be expensive or particularly difficult.

If there's any interest in the topic, I would consider writing a tutorial on setting up an OpenBSD network gateway with VPN and PPTP. Please post your comments and let me know…
