Implementing VPNs With Clients You Already Paid For (v0.9b)
Alan Whinery, whinery@hawaii.edu
July 19, 2005

What This Is About
• An exercise in making virtual networks available to as many users, with as little cost, as possible.
• An exercise in implementing a single service that will work with a viable client for each prominent operating system.
• Exploiting pre-deployed resources
• Exploiting recent developments in IPSec implementations
Copyright 2005, University Of Hawaii ITS
Why My Customers Are Interested In Virtual Networks
• Home/road-warrior access to restricted resources
  • File shares
  • SMTP servers
  • Etc.
• Side-stepping site network restrictions and tampering (e.g. hotel networks)
• Some privacy concerns

What Do We Want?
• To appear as if we’re at UH, no matter where we are (tunneling)
• To identify us, as distinct from them (authentication)
• To acknowledge and grant our individual special privileges (?) (authorization)
• Acceptable cost
• Most people only want a VN

Why Do We Want It?
• Access restricted resources from anywhere
  • File servers
  • Printers
  • Remote Desktops
  • Mail servers
  • Restricted web content, databases
• Conceal data from eavesdroppers
• Alternate Internet access
• Exotic protocols

The Questions
• Can a useful, non-proprietary, low-cost VPN service be developed to make use of the clients that are pre-deployed?
• Can the procedural aspects of implementation be designed for security and deploy-ability?
• Can the user setup be designed such that users can set it up?
Client OS Distribution @hawaii.edu (chart)

Windows OS Client Machines (chart)

Macintosh OS Client Machines (chart)

Unix(ish) Client Machines (chart)
VPN Implementations ($$$)
• Cisco VPN
  • Free client
  • Proprietary; only works with Cisco solutions
  • Expensive, complete solutions
  • Not already installed on thousands of computers
• Netscreen VPN
  • Expensive, complete solutions
  • You can apparently use the clients I will describe today instead of the Netscreen ones.

VPN Implementations ($)
• Microsoft-style VPNs
  • Included client (already paid for)
    • Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP*)
    • Mac OS 10.3+ (IPSec/L2TP, PPTP)
    • Mac OS 10.2 (PPTP)
  • Standards-based, works with many things
  • Free client
    • Windows 98SE, Windows ME, Windows NT 4.1
    • IPSec/L2TP, PPTP*
  • Already installed on thousands of computers
  • Capable of good functionality
  • Included server in Windows XP Pro

Wait! They all do PPTP! Hooray! We’re saved!
• PPTP is:
  • A viable VPN solution
  • Developed by Cisco and Microsoft
• Cisco doesn’t do it
• Microsoft’s implementation is WORTHLESS.
  • Using PPTP with Windows clients will expose sensitive information to eavesdroppers.
  • After denying that it had problems for years, Microsoft has now designated PPTP as “non-strategic”
• Setting up a PPTP server for Macs would probably result in Windows users connecting to it.

VPN Implementations ($)
• Microsoft-style VPNs (PVPN)
  • Included client (already paid for)
    • Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP*)
    • Mac OS 10.3+ (IPSec/L2TP, PPTP)
    • Mac OS 10.2 (PPTP)
  • Standards-based, works with many things
  • Free client
    • Windows 98, Windows NT 4.1
    • IPSec/L2TP, PPTP*
  • Already installed on thousands of computers
  • Capable of good functionality
  • Included server in Windows XP Pro

Um, OK… Go on…
• IPSec
  • Standard from the IETF
  • A security technology first
  • Very flexible
  • Can be used with strong encryption
  • Can be used with strong authentication
  • Quirky
• Many experts seem to agree that IPSec is the network encryption/authentication technology that has the fewest things wrong with it.

The Set-up
• There is a VPN client included in MS Windows XP, 2000, and Mobile 2003
• There is a free MS VPN client for Windows 98SE, ME, NT 4.0
• There is a VPN client included in Apple OS X.III and X.IV
• There are several free VPN approaches for Unices****
Voice Over IP
• Using the free packet sniffer Ethereal, someone with access to your VoIP packets can dump the audio to a file and listen to it with Windows Media Player, all within about 60 seconds.
• Most VoIP sends key presses “in the clear”
• There should not be many places where someone can get access to these packets, but hey: “Should not”…

About Encryption
• Key management is key
• Holy crap, I accidentally created a PKI!
• Open standards are stronger than closed ones
• Much that is sensitive is already encrypted (SSL, TLS)

Common VPN Protocols
• PPTP: Point-to-Point Tunneling Protocol
  • Microsoft, Cisco
• L2TP: Layer 2 Tunneling Protocol
  • RFC 2661
• IPSec: IETF “Secure” IP

IPSec In The Real World
• The standards are complex.
• Deciding which bits of the standard are useful is difficult.
• From the user POV, who cares, anyway?
• We want to know what can be done with what’s available

IPSec In The Real World
• Authentication
  • Shared secret
  • X.509 certificates from local CA
IPSec In The Real World
• NAT sensitivity
  • IPSec has been redesigned to work with NAT
  • NAT is what your Netgear/Linksys/Asante/etc. home gateway does.
    • Stands for “Network Address Translation”
  • Typically, only one IPSec client can go through a NAT device at a time
    • This is appropriate for most home-to-work scenarios
  • The addition to IPSec is called “NAT Traversal” or NAT-T

Exploiting The Installed Clients
• We have thousands of usable clients installed
• What do we need to use them?
  • IPSec/L2TP service
  • Authentication/key distribution strategy
  • Configuration
  • UH ID/password authentication
    • RADIUS, et al.

PVPN Client Capabilities (table)

Making A Linux VPN Server
• Relatively mature implementations exist as kernel patches
  • *S/WAN (kernel patches, userland tools)
  • KAME (kernel patches, userland tools)
• Third-party kernel patches are not optimal
  • Loss of patch development can stall upgrades
• Recent kernel 2.6 includes built-in IPSec
• Both *S/WAN and KAME tools work with 2.6 kernel IPSec

Choosing Turtle or Swan
• I have set up ipsec-tools (KAME)
  • Works great with kernel IPSec
  • Except NAT-T in transport mode
• Openswan 2.3.1dr3 on kernel 2.6.11.6
  • Does everything I need
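For orientation, here is an added sketch (not from the deck, and not the UH server's actual configuration) of what the choice above translates to in an Openswan 2.x /etc/ipsec.conf: a road-warrior connection authenticated with X.509 certificates from the local CA, transport mode for L2TP, and NAT-T enabled so clients behind home gateways can connect. Hostnames, file names and subnets are placeholders.

```conf
# /etc/ipsec.conf -- constructed example for Openswan 2.x, not the UH config.
# The server's private key is referenced from /etc/ipsec.secrets as
#   : RSA vpn-server.key
# with the key file in /etc/ipsec.d/private.
config setup
    nat_traversal=yes                # accept clients behind NAT (NAT-T, RFC 3947)
    # RFC 1918 ranges a NATed road warrior may present as its inner address
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # refuse clients when no current CRL is present in /etc/ipsec.d/crls
    strictcrlpolicy=yes

conn l2tp-x509-roadwarrior
    authby=rsasig                    # IKE authentication by X.509 certificate
    left=%defaultroute               # the server (this box)
    leftcert=vpn-server.pem          # server cert from /etc/ipsec.d/certs
    leftrsasigkey=%cert
    leftprotoport=17/1701            # protect only L2TP (UDP 1701)
    right=%any                       # any road warrior
    rightrsasigkey=%cert
    rightca=%same                    # client cert must chain to the same local CA
    rightprotoport=17/%any           # some clients use a source port other than 1701
    rightsubnet=vhost:%priv,%no      # allow a NATed client's private inner address
    type=transport                   # L2TP/IPSec runs in transport mode
    pfs=no                           # Windows clients do not negotiate PFS
    rekey=no
    keyingtries=3
    auto=add                         # load at start; clients initiate
```

The CA certificate goes in /etc/ipsec.d/cacerts; with strictcrlpolicy=yes, the same CRL the deck publishes to clients over the web must also be kept current on the server, or every connection is refused.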
L2TPD
• l2tpd (l2tpd.sourceforge.net)
• Most common Unix(ish) L2TP package
• Hasn’t been developed for 4 years
• Has some issues with Windows L2TP
• Works as either client or server
• Requires configuration of Linux PPP
• Does not do dynamic address assignment
• Branch project, rp-l2tpd, is also stalled

L2TPNS
• l2tpns (l2tpns.sourceforge.net)
• Acts as server side only
• Handles PPP internally
• Better performance than l2tpd
• Assigns dynamic addresses
• Supports multiple-server clustering
• Speaks BGP
• Active development: last release July 2, 2005
• Has CLI interface with “show banana” command
• ns = “network server”

Sold!
Server Set-Up
• Compile Linux 2.6.xx kernel for IPSec, tap/tun, etc.
• OpenSSL is already present in most Linux distributions (www.openssl.org)
• Get Openswan (www.openswan.org)
• Get l2tpns (l2tpns.sourceforge.net)
• Compile and install everything
• Set up OpenSSL and mkca on an isolated server
• Generate server certificate

Server As A Package
• Once set up for this purpose, there are minimal differences between installations
• Server could be packaged as a live CD distribution with CD/flash/floppy-based site configs
• VPN service needs its own box, because you can’t route tunnel endpoints through the tunnel.

X.509 Certificates
• Certificates can be individual, revocable
• If there is limited, local use, may as well root the CA here at home
• PVPNs use the *.p12 cert distribution scheme, which incorporates 3DES encryption and a copy of the CA certificate
• CA and certificate creation can be done with:
  • OpenSSL (www.openssl.org)
  • mkca (http://klake.org/~jt/mkca/)
• Revocation list can be distributed to clients via a web server

Certificate Distribution
• Currently, requests are submitted via an SSL web page
• User enters encryption password
• Personal certificates are ID’ed by <name>@hawaii.edu email address.
• Existence and status of email address is checked; cert package is sent back to said address
• Currently, there are manual steps
• Currently issuing certs valid for one year; renewal strategy involves panicking
• PHPki: http://sourceforge.net/projects/phpki/
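The certificate steps on the preceding slides (root the CA locally, issue a server certificate, issue one-year user certificates identified by email address, and hand each user a 3DES-protected *.p12 that also carries the CA certificate) can be driven from plain openssl(1). The script below is an added illustration, not the UH scripts and not mkca or PHPki; every name, email address and password in it is a constructed placeholder.

```shell
#!/bin/sh
# Constructed example: root a local CA, issue a server cert and a one-year user
# cert identified by email address, and wrap the user's key + cert + CA cert in
# a 3DES-protected PKCS#12 bundle. Not the UH scripts, not mkca or PHPki.
# Needs openssl(1); every name, address and password here is a placeholder.
set -eu

# make_local_pki DIR USER_EMAIL P12_PASSWORD   (the body runs in a subshell so
# the cd does not leak into the caller)
make_local_pki() (
    cd "$1"; user="$2"; p12pass="$3"

    # 1. Self-signed CA: key and cert stay on the isolated signing box.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout ca.key -out ca.crt -subj "/CN=Example VPN CA" 2>/dev/null

    # 2. Server certificate (what Openswan's leftcert points at).
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=vpn.example.edu" 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out server.crt 2>/dev/null

    # 3. Per-user certificate, ID'ed by email address, valid one year.
    openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
        -subj "/CN=$user/emailAddress=$user" 2>/dev/null
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out user.crt 2>/dev/null

    # 4. Distribution bundle: user key + user cert + CA cert, 3DES/SHA-1 as
    #    the deck's *.p12 scheme (and 2005-era importers) expect, protected
    #    by the password the user typed on the request page.
    openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$p12pass" -out user.p12

    # 5. Check the chain before mailing, then drop the plaintext user key:
    #    the only copy the user gets is the one inside the .p12.
    openssl verify -CAfile ca.crt user.crt >/dev/null
    rm -f user.key user.csr server.csr
)

# Count the certificates in a .p12 (expect 2: user cert plus CA cert).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

Revocation is the missing piece here: mkca or `openssl ca -gencrl` maintains the CRL, which then has to be published to clients over the web and kept current on the Openswan box.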
Windows Configuration
• Import certificate into proper place with “easy”* 19-step procedure
• Configure VPN connection with “easy”* 17-step procedure
• For NAT-T:
  • Win2000/XP-SP0/XP-SP1 must be patched
  • Windows XP SP2 requires altering a registry entry
• Double-click connection icon, enter password
• You’re connected

Windows Configuration
• The cert import procedure can be replaced by a single command, with certimport
• The Win XP SP2 registry entry is relatively easy to alter with a script
• The connection can be created with a script (or so it seems)
• The NSIS installer (nsis.sourceforge.net) can automate everything

Macintosh OS X
• 10.3 Panther does GUI IPSec/L2TP, but not certificates.
• 10.4 Tiger does GUI IPSec/L2TP, with certificates, but is more finicky about certificates than Windows
• NAT-T as implemented in OS X uses the wrong RFC identifier in negotiating NAT-T with the IKE daemon, and will not work unless it’s fixed, or a hack is done in Openswan
• PPTP is potentially secure, but if you set it up, how do you prevent Windows users from connecting to it?

Macintosh OS X
• The OS X GUI client can probably be made to work
• A work-around can be effected by editing the KAME IPSec config files in vi

Win XP Pro Built-In
• Included in Windows XP
• Accepts 1 connection at a time
• Will do PPTP – MS-PPTP is BAD
• Accepts PPTP connections from Mac OS X
• Will do L2TP/IPSec
  • Authenticates IPSec with certificates
  • Authenticates access with a Windows password
• I have used it with the Windows Mobile 2003 client
• With Internet Connection Sharing, will act like a home gateway

Win XP Pro Built-In
• All you need is a Windows XP machine which can reach your restricted resource
• Will (supposedly) allow you to access LAN resources at the server end.
• Will allow you to use Remote Desktop securely

Acknowledgments
• Jacco de Leeuw
  • http://www.jacco2.dds.nl/index.html
  • Guardian of the PVPN web page
• Paul Wouters, Xelerance Corp.
  • Patient answerer of the same questions, over and over…