[Courses] [Security] VPNs and SSH (was: Port forwarding...)

Raven, corporate courtesan raven at oneeyedcrow.net
Tue Mar 26 17:22:27 EST 2002


Heya --

Quoth jennyw (Thu, Mar 21, 2002 at 02:26:29PM -0800):
> Do you know of any besides FreeS/WAN? Have you had experience with any of
> them? I know there's OpenBSD VPN, which is a reference platform for IPSEC.
> It sounds good, and OpenBSD has a good reputation, but I've never used it
> before, so I'm a bit hesitant to switch over.

	I tried OpenBSD briefly, went "Aaah, too different from things I
already know, and I don't currently have the time to learn another OS",
and fled back to Linux/FreeBSD.  I have heard good things about the
proactive security measures of OpenBSD, but it is quite different from
FreeBSD, at least in its firewalling capabilities.   I'll get back to it
someday, in my Copious Spare Time.

	Most of the VPN implementations under Linux involve an IPSec
implementation, so it's well worth your while to read up on the
protocol.  I've done FreeS/WAN, Cisco's VPN stuff, and some VPN
masquerading.  If you're interested, there's a how-to at

http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html

	Also worth a look:

http://vtun.sourceforge.net/

> Yes ... because at this point, FreeS/WAN (or whatever) would have unpacked
> the IPSEC packet, so by the time it hits the rules set for the internal
> interface, we're no longer dealing with IPSEC. Right?

	Right.
 
> It's good to hear that it's stable! I guess the bit of uncertainty I've had
> is that a lot of commercial vendors are still using 2.2. Of course, that
> could just be because their modifications are so great that there's
> significant lag time before they can get the changes ported to 2.4.

	Part of that, I think, is because they wanted to a) wait for the
code base to mature some, and then b) have to run all the tests for
their own product's stability once that's happened.  I'd bet that most
of them have 2.4-based products in beta as we speak.
 
> Perhaps many of the reasons I've gone with non-Linux solutions in the past
> are addressed by iptables. Is there a good place to read about iptables?
> There are lots of Web pages out there.

	I'm fond of Rusty's how-tos.  He writes iptables and netfilter
-- good to hear things straight from the programmer sometimes.

http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-7.html

for the basics,

http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html

for the bigger picture.

> what is meant by stateful inspection in the case of iptables? I'm used to
> the Checkpoint definition of stateful inspection, which means looking at the
> packet in context of a session (faked in the case of UDP) and also analyzing
> packets through to the application layer (meaning so that you can tell
> whether something is being sent in http or telnet or whatever, regardless of
> what port it's coming in on, and also make sure that packets are valid for
> the protocol). Is this the same meaning that's used with iptables?

	Partly.  The session-view is there, and you can make rules for
established sessions (so return packets are allowed to enter on a high
port, but packets that aren't part of an existing session are
disallowed) or related sessions (such as the high-port-to-high-port FTP
connection).  You can look at the ports that packets are sent to, and
filter on that just as you did with ipchains.  But if you want real
visibility into layer 7, you're probably looking at a proxy server or
the strings patch.  And the strings patch is still pretty new -- I have
my home box set up like that, but I wouldn't set up my work's firewall
boxes with it yet.

	You can look at UDP statefully (this packet's a reply to that
other packet), but it's a LOT easier to spoof UDP replies and bypass a
firewall that way.  If you're really worried about UDP security, set up
a DMZ as mentioned in the thread about Telsa's firewalls.

> I ask because I read an article on netfilter/iptables that described
> stateful inspection only as session based. Also, am I correct in
> understanding that the firewall features in 2.4 are called netfilter
> and that iptables is just an app. that you can use to configure those
> features?

	Netfilter's the package of security filtering features.  It does
firewalling, NAT, and provides basically a whole new way for packets to
be handled inside the kernel, and when passing back and forth between
the kernel and userland programs.  Iptables is a firewalling front-end to
netfilter (a program written to use the netfilter framework to handle
packet filtering).

> If so, then are there other netfilter-based tools besides iptables? I
> get confused when I read something like "gShield is an iptables
> firewall". I think they mean netfilter?

	If it's iptables, it's also netfilter.  I think what they mean
is "gShield uses iptables, which is a program that uses the netfilter
setup to handle packets".  But they give you a pretty front end to the
front end.  [grin]

	For more on Netfilter, look at:

http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-1.html#ss1.1

More of Rusty's stuff.  [grin]

Sorry I'm terser than usual today -- I have a LOT of mail to catch up
on.   Please ask for clarification or further explanation on anything
that's unclear.

Cheers,
Raven

"Incoming packet over rabbit. SYN."
"Incoming packet over duck. quACK!"
  -- me and Tiff, flinging stuffed animals and tech humor
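A minimal stateful ruleset of the kind the reply describes (ESTABLISHED/RELATED accepted, unsolicited packets dropped, FTP data handled by the conntrack helper), as an added example that is not part of the original post. Interface names, the ssh-only inbound policy, and the print-by-default behaviour are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): a small stateful iptables policy.
# Assumed: eth0 faces the outside, eth1 the inside, and the only new
# inbound session the box itself accepts is ssh. Commands are printed by
# default; run with IPT=iptables MODPROBE=modprobe to apply them.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
EXT="${EXT:-eth0}"
INT="${INT:-eth1}"

build_rules() {
    # Default deny: nothing enters or crosses the box unless a rule says so.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The FTP helper is what makes the high-port-to-high-port data
    # connection show up as RELATED (ip_conntrack_ftp on 2.4 kernels,
    # nf_conntrack_ftp on current ones).
    $MODPROBE ip_conntrack_ftp

    # Packets belonging to a session we already know about are let in, so
    # replies may arrive on high ports without those ports being open to
    # unsolicited traffic. "-m state" is the 2.4-era spelling; on current
    # kernels "-m conntrack --ctstate" is the same match.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot place in any session are dropped early.
    $IPT -A INPUT   -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # The one new inbound session the box accepts from outside.
    $IPT -A INPUT -i "$EXT" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Inside hosts may start new sessions outward; anything else that is
    # NEW from the outside falls through to the DROP policy.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -m state --state NEW -j ACCEPT

    # UDP has no handshake: conntrack records the first outbound datagram
    # as a pseudo-session and accepts whatever looks like its reply until
    # the entry times out. That window is the spoofing risk the post
    # warns about; keep the UDP conntrack timeout short (e.g.
    # net.netfilter.nf_conntrack_udp_timeout on current kernels) and do
    # not treat UDP "state" as equivalent to a TCP session.
}

build_rules
```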
