Implementing VPNs With Clients You Already Paid For (v0.9b)
Alan Whinery
July 19, 2005
What This Is About
An exercise in making virtual networks available to as many users, with as little cost, as possible.
An exercise in implementing a single service that will work with a viable client for each prominent operating system.
Exploiting pre-deployed resources
Exploiting recent developments in IPSec implementations
Copyright 2005, University Of Hawaii ITS
Why My Customers Are Interested In Virtual Networks
Home/Roadwarrior access to restricted resources
– File shares
– SMTP servers
– Etc.
Side-stepping site network restrictions and tampering (e.g. hotel networks)
Some privacy concerns
What Do We Want?
To appear as if we’re at UH, no matter where we are (tunneling)
To identify us, as we are distinct from them (authentication)
To acknowledge and grant our individual special privileges (?) (authorization)
Acceptable cost
Most people only want a VN
Why Do We Want It?
Access restricted resources from anywhere
– File servers
– Printers
– Remote Desktops
– Mail servers
– Restricted Web Content, Databases
Conceal data from eavesdroppers
Alternate Internet Access
Exotic Protocols
The Questions
Can a useful, non-proprietary, low-cost VPN service be developed to make use of the clients that are pre-deployed?
Can the procedural aspects of implementation be designed for security and deployability?
Can the user setup be designed such that users can set it up themselves?
Client OS Distribution @hawaii.edu
Windows: 85%
MacOS: 12%
Unices: 3%
Windows OS Client Machines
XP: 63%
2000: 28%
98: 9%
NT: 0%
95: 0%
2003: 0%
Unix(ish) Client Machines
Linux: 73%
Solaris: 24%
OSF: 1%
IRIX: 1%
FreeBSD: 1%
VPN Implementations ($$$)
Cisco VPN
– Free client
– Proprietary; only works with Cisco solutions
– Expensive, complete solutions
– Not already installed on thousands of computers
Netscreen VPN
– Expensive, complete solutions
– You can apparently use the clients I will describe today, instead of the Netscreen ones.
VPN Implementations ($)
Microsoft-style VPNs
– Included client (already paid for)
• Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP*)
• Mac OS 10.3+ (IPSec/L2TP, PPTP)
• Mac OS 10.2 (PPTP)
– Standards-based, works with many things
– Free client
• Windows 98SE, Windows ME, Windows NT 4.0 (IPSec/L2TP, PPTP*)
– Already installed on thousands of computers
– Capable of good functionality
– Included server in Windows XP Pro
Wait! They all do PPTP! Hooray! We’re saved!
PPTP is:
– A viable VPN solution
– Developed by a vendor consortium led by Microsoft (RFC 2637); Cisco’s competing L2F was later merged with PPTP into L2TP
Cisco doesn’t do it.
Microsoft’s implementation is WORTHLESS.
– Using PPTP with Windows clients will expose sensitive information to eavesdroppers.
– After denying that it had problems for years, Microsoft has now designated PPTP as “non-strategic”
– Setting up a PPTP server for Macs would probably result in Windows users connecting to it.
VPN Implementations ($)
Microsoft-style VPNs (PVPN)
– Included client (already paid for)
• Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP*)
• Mac OS 10.3+ (IPSec/L2TP, PPTP)
• Mac OS 10.2 (PPTP)
– Standards-based, works with many things
– Free client
• Windows 98SE, Windows ME, Windows NT 4.0 (IPSec/L2TP, PPTP*)
– Already installed on thousands of computers
– Capable of good functionality
– Included server in Windows XP Pro
Um, OK… Go on…
IPSec
– Standard from the IETF
– A security technology first
– Very flexible
• Can be used with strong encryption
• Can be used with strong authentication
– Quirky
Many experts seem to agree that IPSec is the network encryption/authentication technology that has the fewest things wrong with it.
The Set-up
There is a VPN client included in MS Windows XP, 2000, and Mobile 2003
There is a free MS VPN client for Windows 98SE, ME, NT 4.0
There is a VPN client included in Apple OS X 10.3 and 10.4
There are several free VPN approaches for Unices
Voice Over IP
Using the free packet sniffer Ethereal (now Wireshark), someone with access to your VOIP packets can dump the audio to a file and listen to it with Windows Media Player, all within about 60 seconds.
Most VOIP sends key presses “in the clear”
There should not be many places where someone can get access to these packets, but hey: “Should not”…
About Encryption
Key Management is key– Holy crap, I accidentally created a PKI!
Open standards are stronger than closed ones
Much that is sensitive is already encrypted (SSL,TLS)
Common VPN Protocols
PPTP: Point-to-Point Tunneling Protocol
– Microsoft and partners; RFC 2637
L2TP: Layer 2 Tunneling Protocol
– RFC 2661
IPSec: IETF “Secure” IP
– RFC 2401 (architecture), key exchange via IKE (RFC 2409)
IPSec In The Real World
The standards are complex.
Deciding which bits of the standard are useful is difficult.
From the user POV, who cares, anyway? We want to know what can be done with what’s available.
IPSec In The Real World
Authentication– Shared secret– X.509 certificates from local CA
IPSec In The Real World
NAT sensitivity
– IPSec has been redesigned to work with NAT
– NAT is what your Netgear/Linksys/Asante/etc. home gateway does
– Stands for “Network Address Translation”
– Without that redesign, typically only one IPSec client can go through a NAT device at a time
– This is appropriate for most home-to-work scenarios
– The addition to IPSec is called “NAT Traversal” or NAT-T: IKE detects the translator and wraps ESP in UDP (port 4500), so the NAT can track each client by port like any other UDP flow
Exploiting The Installed Clients
We have thousands of usable clients installed
What do we need to use them?
– IPSec/L2TP service
• Authentication/key distribution strategy
– Configuration
– UH ID/password authentication
• RADIUS, et al.
PVPN Client Capabilities
            Win XP   Win 2000   98/ME/NT   Win Mobile   OS X 10.3   OS X 10.4
PSK         Yes      Yes        Yes        Yes          Yes         Yes
Certs       Yes      Yes        Yes        Yes          Sort Of     Yes
NAT-T       Yes*     Yes        Yes        Yes          Sort Of     Sort Of
L2TP/PPP    Yes      Yes        Yes        Yes          Yes         Yes
* needs the NAT-T patch or registry change described under Windows Configuration
Making A Linux VPN Server
Relatively mature implementations exist as kernel patches
– *S/WAN (kernel patches, userland tools)
– Kame (kernel patches, userland tools)
Third-party kernel patches are not optimal
– Loss of patch development can stall upgrades
Recent kernel 2.6 includes built-in IPSec
– Both *S/WAN and Kame tools work with 2.6 kernel IPSec
Choosing Turtle or Swan
I have set up ipsec-tools (Kame)
– Works great with kernel IPSec
– Except NAT-T in transport mode
Openswan 2.3.1dr3 / kernel 2.6.11.6
– Does everything I need
L2TPD
l2tpd (l2tpd.sourceforge.net)
– Most common Unix(ish) L2TP package
– Hasn’t been developed for 4 years
– Has some issues with Windows L2TP
– Works as either client or server
– Requires configuration of Linux PPP
– Does not do dynamic address assignment
– Branch project, rp-l2tpd, is also stalled
L2TPNS
l2tpns (l2tpns.sourceforge.net)
– Acts as server side only
– Handles PPP internally
– Better performance than l2tpd
– Assigns dynamic addresses
– Supports multiple-server clustering
– Speaks BGP
– Active development: last release July 2, 2005
– Has CLI interface with “show banana” command
ns = “network server”
Server Set-Up
Compile Linux 2.6.xx kernel for IPSec, tap/tun, etc.
OpenSSL is already present in most Linux distributions (www.OpenSSL.org)
Get Openswan (www.openswan.org)
Get l2tpns (l2tpns.sourceforge.net)
Compile and install everything
Set up OpenSSL and mkca on an isolated server
Generate server certificate
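What the finished server-side configuration for the set-up above looks like, as an added example; this is not configuration from the talk or from the Openswan/l2tpns projects. It writes an Openswan 2.x ipsec.conf for certificate-authenticated L2TP/IPSec with NAT-T, the matching ipsec.secrets, and a minimal l2tpns startup-config. The connection name, address ranges, DNS address and the l2tpns lines are assumptions; check them against the ipsec.conf(5) and l2tpns(8) manual pages of the versions you actually run.

```sh
#!/bin/sh
# Added example, not from the talk: lay down the server-side configuration for
# the IPsec/L2TP service the slides describe (Openswan 2.x + l2tpns). The
# connection name, address ranges, DNS address and the l2tpns lines are
# assumptions; verify them against ipsec.conf(5) and l2tpns(8).
set -e

# install_vpn_configs ROOT : write the files under ROOT (default: the real /),
# so the function can be run against a scratch directory and inspected first.
install_vpn_configs() {
    root=${1:-}
    mkdir -p "$root/etc/ipsec.d/certs" "$root/etc/ipsec.d/private" \
             "$root/etc/ipsec.d/cacerts" "$root/etc/ipsec.d/crls" "$root/etc/l2tpns"

    # Openswan: certificate-authenticated IKE, transport-mode ESP carrying
    # L2TP (UDP 1701), NAT-T on, clients from anywhere. rightca=%same pins
    # clients to certs from our own CA, not just any CA in ipsec.d/cacerts.
    # rightprotoport=17/%any accepts the non-1701 source ports some clients
    # use once they are behind a NAT.
    cat > "$root/etc/ipsec.conf" <<'EOF'
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn L2TP-CERT
    authby=rsasig
    pfs=no
    rekey=no
    keyingtries=3
    type=transport
    left=%defaultroute
    leftcert=server.crt
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    rightprotoport=17/%any
    auto=add

# Same policy for clients whose real address is a private one behind a NAT.
conn L2TP-CERT-NAT
    also=L2TP-CERT
    rightsubnet=vhost:%priv,%no
EOF

    # Only a reference here; server.key itself goes in ipsec.d/private
    # (server.crt in ipsec.d/certs, the CA cert in cacerts, the CRL in crls).
    cat > "$root/etc/ipsec.secrets" <<'EOF'
: RSA server.key
EOF
    chmod 600 "$root/etc/ipsec.secrets"
    chmod 700 "$root/etc/ipsec.d/private"

    # l2tpns: terminates PPP itself, hands out addresses from its own pool,
    # and checks UH ID/password against RADIUS. The RADIUS server addresses
    # are configured per l2tpns(8); only the shared-secret line is shown.
    cat > "$root/etc/l2tpns/startup-config" <<'EOF'
set debug 2
set log_file "/var/log/l2tpns"
set pid_file "/var/run/l2tpns.pid"
set primary_dns 10.0.0.53
set radius_secret "CHANGE-ME"
set radius_authtypes "chap"
EOF
    chmod 600 "$root/etc/l2tpns/startup-config"

    # Pool of tunnel addresses handed to PPP clients (one address each).
    cat > "$root/etc/l2tpns/ip_pool" <<'EOF'
10.250.0.0/16
EOF
}
```

Run it against a scratch directory first (`install_vpn_configs /tmp/vpnroot`), read the result, then run it for real and check the IKE side with `ipsec verify` and `ipsec auto --status`. The secrets file and the private-key directory are deliberately made unreadable to anyone but root: the server key is the one thing on this box that lets someone impersonate the VPN.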
Server As A Package
Once set up for this purpose, there are minimal differences between installations
Server could be packaged as a live CD distribution with CD/Flash/floppy based site configs
VPN service needs its own box, because you can’t route tunnel endpoints through the tunnel.
X.509 Certificates
Certificates can be individual, revocable
If there is limited, local use, may as well root the CA here at home
PVPNs use the *.p12 cert distribution scheme
– incorporates 3DES encryption and a copy of the CA certificate
CA and certificate creation can be done with:
– OpenSSL (www.openssl.org)
– mkca (http://klake.org/~jt/mkca/)
Revocation list can be distributed to clients via a web server
Certificate Distribution
Currently, requests are submitted via an SSL web page
– User enters encryption password
Personal certificates are ID’ed by <name>@hawaii.edu email address.
Existence and status of email address is checked, cert package is sent back to said address
Currently, there are manual steps
Currently issuing certs valid for one year; renewal strategy involves panicking
PHPki: http://sourceforge.net/projects/phpki/
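The CA side of the two preceding slides (a home-rooted CA, one certificate per user identified by e-mail address, a 3DES-encrypted .p12 that also carries the CA certificate, and a revocation list for a web server), as an added example using plain OpenSSL; this is not the talk’s own procedure and not mkca or PHPki. The CA name, directory layout, validity periods and the CRL URL are assumptions, and the user in the usage note is constructed.

```sh
#!/bin/sh
# Added example, not from the talk: a minimal local CA for the scheme on the
# slides. One certificate per user, identified by e-mail address, delivered as
# a 3DES-protected .p12 that also carries the CA certificate, plus a DER CRL
# to publish on a web server. The CA name, file layout, validity periods and
# the CRL URL are assumptions.
set -e

# vpn_ca_init CADIR SERVER_FQDN : create the root CA and the VPN server cert.
vpn_ca_init() (
    cadir=$1; fqdn=$2
    mkdir -p "$cadir/newcerts" "$cadir/users" "$cadir/www"
    cd "$cadir"
    touch index.txt
    echo 01 > serial
    echo 01 > crlnumber
    # '$dir' below is OpenSSL's own config variable, hence the quoted heredoc.
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = vpn_policy
[ vpn_policy ]
organizationName = optional
commonName       = supplied
emailAddress     = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://vpn.example.edu/vpn.crl
EOF
    # Self-signed root: stays on the isolated CA host, never on the VPN box.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config openssl.cnf -extensions v3_ca \
        -subj "/O=Example VPN/CN=VPN CA" -keyout ca.key -out ca.crt
    chmod 600 ca.key
    # Server certificate that the IKE daemon presents to every client.
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/O=Example VPN/CN=$fqdn" -keyout server.key -out server.csr
    openssl ca -batch -config openssl.cnf -extensions v3_server \
        -in server.csr -out server.crt
)

# vpn_ca_issue_user CADIR EMAIL P12_PASSWORD : key + cert for one user,
# bundled for import with the password the user chose on the request page.
vpn_ca_issue_user() (
    cd "$1"; email=$2; pw=$3
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/O=Example VPN/CN=$email/emailAddress=$email" \
        -keyout "users/$email.key" -out "users/$email.csr"
    openssl ca -batch -config openssl.cnf -extensions v3_user \
        -in "users/$email.csr" -out "users/$email.crt"
    # 3DES PBE rather than OpenSSL's modern AES/PBKDF2 default: the 2005-era
    # clients on the slides only read the older PKCS#12 encodings.
    openssl pkcs12 -export -in "users/$email.crt" -inkey "users/$email.key" \
        -certfile ca.crt -name "$email" -out "users/$email.p12" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pw"
    rm -f "users/$email.csr"
)

# vpn_ca_publish_crl CADIR : regenerate the CRL and drop the DER copy (the
# form Windows wants) into the directory served at the URL in the certs.
vpn_ca_publish_crl() (
    cd "$1"
    openssl ca -batch -config openssl.cnf -gencrl -out crl.pem
    openssl crl -in crl.pem -outform DER -out www/vpn.crl
)

# vpn_ca_revoke CADIR EMAIL : revoke one user's certificate and republish.
vpn_ca_revoke() (
    cd "$1"
    openssl ca -batch -config openssl.cnf -revoke "users/$2.crt"
    vpn_ca_publish_crl .
)
```

Usage (constructed user): `vpn_ca_init /srv/vpn-ca vpn.example.edu; vpn_ca_issue_user /srv/vpn-ca alice@hawaii.edu 'her-chosen-password'` produces `users/alice@hawaii.edu.p12` to mail back, and `vpn_ca_revoke /srv/vpn-ca alice@hawaii.edu` puts a fresh `www/vpn.crl` where the web server can publish it; copy the same CRL into the VPN box’s `/etc/ipsec.d/crls` so the IKE daemon also rejects the revoked user. `openssl pkcs12 -in users/alice@hawaii.edu.p12 -info -nokeys` shows the 3DES encoding and the bundled CA certificate before the file goes out.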
Windows Configuration
Import certificate into proper place with “easy”* 19-step procedure
Configure VPN connection with “easy”* 17-step procedure
For NAT-T:
– Win2000/XP-SP0/XP-SP1 must be patched
– Windows XP SP2 requires altering a registry entry (AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\IPSec, per Microsoft KB 885407)
Double-click connection icon, enter password
You’re connected
Windows Configuration
The cert import procedure can be replaced by a single command, with certimport
The Win XP SP2 registry entry is relatively easy to alter with a script
The connection can be created with a script (or so it seems)
The NSIS installer (nsis.sourceforge.net) can automate everything
Macintosh OS X
10.3 Panther does GUI IPSec/L2TP, but not certificates.
10.4 Tiger does GUI IPSec/L2TP, with certificates, but is more finicky about certificates than Windows
NAT-T as implemented in OS X announces the wrong RFC identifier (the IKE vendor ID that selects the draft or RFC version of NAT-T) when negotiating with the IKE daemon, and will not work unless it’s fixed, or a hack is done in Openswan
PPTP is potentially secure, but if you set it up, how do you prevent Windows users from connecting to it?
Macintosh OS X
The OS X GUI client can probably be made to work
A work-around can be effected by editing the Kame IPSec config files in vi
Win XP Pro Built-In
Included in Windows XP
Accepts 1 connection at a time
Will do PPTP – MS-PPTP is BAD
– Accepts PPTP connections from Mac OS X
Will do L2TP/IPSec
– Authenticates IPSec with certificates
– Authenticates access with a Windows password
– I have used it with the Windows Mobile 2003 client
With Internet Connection Sharing, will act like a home gateway
Win XP Pro Built-In
All you need is a Windows XP machine which can reach your restricted resource
Will (supposedly) allow you to access LAN resources at the server end.
Will allow you to use Remote Desktop securely