Chapter 6. Virtual Private Networks

Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others. This can be an expensive proposition, especially for small to medium sized businesses (SMBs) that want to expand without paying the high costs associated with enterprise-level, dedicated digital circuits.

Engineers have developed a cost-effective solution to this problem in the form of Virtual Private Networks (VPNs). Following the same functional principles as dedicated circuits, VPNs allow for secured digital communication between two parties (or networks), creating a Wide Area Network (WAN) from existing LANs. Where it differs from frame relay or ATM is in its transport medium. VPNs transmit over IP using datagrams (UDP) as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open standard, open source encryption to further mask data in transit.

Some organizations employ hardware VPN solutions to augment security, while others use the software or protocol-based implementations. There are several vendors with hardware VPN solutions such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based VPN solution for Linux called FreeS/Wan that utilizes a standardized IPsec (or Internet Protocol Security) implementation. These VPN solutions act as specialized routers that sit between the IP connection from one office to another.

When a packet is transmitted from a client, it sends it through the router or gateway, which then adds header information for routing and authentication called the Authentication Header (AH). The data is encrypted and is enclosed with decryption and handling instruction called the Encapsulating Security Payload (ESP). The receiving VPN router strips the header information and routes it to its intended destination (either a workstation or node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets decrypted and ready for processing. The encryption/decryption process in a network-to-network VPN connection is transparent to a local node.

With such a heightened level of security, a cracker must not only intercept a packet, but decrypt the packet as well (which, in the case of most VPNs, usually employ the triple Data Encryption Standard [3DES] 168-bit cipher). Intruders who employ a man-in-the-middle attack between a server and client must also have access to the keys exchanged for authenticating sessions. VPNs are a secure and effective means to connect multiple remote nodes to act as a unified Intranet.

6.1. VPNs and Red Hat Enterprise Linux

Red Hat Enterprise Linux users and administrators have various options in terms of implementing a software solution to connect and secure their WAN. There are, however, two methods of implementing VPN connections that are currently supported in Red Hat Enterprise Linux. An equivalent solution that can be used as a secure substitute to using a VPN involves running OpenSSH as a tunnel between two remote nodes. This solution is a sound alternative to Telnet, rsh, and other remote host communication methods, but it does not completely address the usability needs of all corporate telecommuters and branch offices. Two supported solutions included with Red Hat Enterprise Linux that are more adherent to the definition of a VPN are Crypto IP Encapsulation (CIPE) and the Internet Protocol Security (IPsec).