Re: Reviewing/editing VPN information

On Wed, 2014-06-11 at 15:40 -0400, Eric H. Christensen wrote:
> I'm reviewing the VPN section of the Fedora Security Guide and I really...  dislike what I'm seeing.  The information in there is old and seems to focus on IPSec where we also now support things like OpenVPN, openconnect, vpnc, and PPTP.  I'd really appreciate some help with this.  If anyone would like to write, edit, or review what's there please let me know.

These two patches clean up the introduction a bit and add a section on
openconnect.

regards,
Nikos

From d9b5f5f11437cc30b832eceb2cfb018d0a29f0bd Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>
Date: Mon, 16 Jun 2014 15:00:35 +0200
Subject: [PATCH 1/2] VPN: Mention other VPN types and move all IPSec info to
 IPSec section.

---
 en-US/VPN.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 48 insertions(+), 9 deletions(-)

diff --git a/en-US/VPN.xml b/en-US/VPN.xml
index 42e9c99..f4a2242 100644
--- a/en-US/VPN.xml
+++ b/en-US/VPN.xml
@@ -11,21 +11,47 @@
 		To address this need, <firstterm>Virtual Private Networks</firstterm> (<abbrev>VPN</abbrev>s) were developed. Following the same functional principles as dedicated circuits, <abbrev>VPN</abbrev>s allow for secured digital communication between two parties (or networks), creating a <firstterm>Wide Area Network</firstterm> (<acronym>WAN</acronym>) from existing <firstterm>Local Area Networks</firstterm> (<acronym>LAN</acronym>s). Where it differs from frame relay or ATM is in its transport medium. <abbrev>VPN</abbrev>s transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software <abbrev>VPN</abbrev> implementations incorporate open standard encryption methods to further mask data in transit.
 	</para>
 	<para>
-		Some organizations employ hardware <abbrev>VPN</abbrev> solutions to augment security, while others use software or protocol-based implementations. Several vendors provide hardware <abbrev>VPN</abbrev> solutions, such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based <abbrev>VPN</abbrev> solution for Linux called FreeS/Wan that utilizes a standardized <firstterm>Internet Protocol Security</firstterm> (<abbrev>IPsec</abbrev>) implementation. These <abbrev>VPN</abbrev> solutions, irrespective of whether they are hardware or software based, act as specialized routers that exist between the IP connection from one office to another.
+		Some organizations employ hardware <abbrev>VPN</abbrev> solutions to augment security, while others use software or protocol-based implementations. Several vendors provide hardware <abbrev>VPN</abbrev> solutions, such as Cisco, Nortel, IBM, and Checkpoint. There are many free software-based <abbrev>VPN</abbrev> solutions for Linux, such as OpenVPN, OpenConnect, FreeS/Wan and others. 
+		They differ on the secure communication protocol used for channel establishment and
+		features.
 	</para>
-	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">
-		<title>How Does a VPN Work?</title>
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-Which_VPN_types">
+		<title>Which types of VPN exist?</title>
 		<para>
-			When a packet is transmitted from a client, it sends it through the <abbrev>VPN</abbrev> router or gateway, which adds an <firstterm>Authentication Header</firstterm> (<abbrev>AH</abbrev>) for routing and authentication. The data is then encrypted and, finally, enclosed with an <firstterm>Encapsulating Security Payload</firstterm> (<abbrev>ESP</abbrev>). This latter constitutes the decryption and handling instructions.
+			There are different types of VPN protocols, depending on the
+			underlying secure communication protocols used. In the following
+			paragraphs we try to enumerate the available solutions.
 		</para>
 		<para>
-			The receiving <abbrev>VPN</abbrev> router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network <abbrev>VPN</abbrev> connection is transparent to a local node.
-		</para>
-		<para>
-			With such a heightened level of security, an attacker must not only intercept a packet, but decrypt the packet as well. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys for authenticating sessions. Because they employ several layers of authentication and encryption, <abbrev>VPN</abbrev>s are a secure and effective means of connecting multiple remote nodes to act as a unified intranet.
+		<itemizedlist>
+			<listitem>
+				<para>
+					<acronym>IPSec</acronym> VPNs that utilize the standardized <firstterm>Internet Protocol Security</firstterm>. Typically the implementation lies in the kernel-space.
+				</para>
+				<para>
+					FreeS/Wan is of this VPN type.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					<acronym>SSL/TLS</acronym> VPNs that utilize the standardized <firstterm>Transport Layer Security</firstterm> protocol or the <firstterm>Datagram Transport Layer Security Protocol</firstterm> (DTLS). Typically the implementation lies on user-space.
+				</para>
+				<para>
+					OpenConnect is of this VPN type.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Custom VPN protocols.
+				</para>
+				<para>
+					OpenVPN is such a protocol that has its key exchange based on SSL.
+				</para>
+			</listitem>
+		</itemizedlist>
 		</para>
 	</section>
-	
+
 	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">
 		<title>VPNs and &PRODUCT;</title>
 		<para>
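Review bot: removing the section id `sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work` breaks the build if any `<xref linkend="...">` elsewhere in the guide still points at it; grep the other XML files before renaming, or keep the old id on the section that receives the moved text in the second hunk. The new list sits inside an otherwise empty `<para>` (the `</para>` that followed the old paragraph is removed but the opening `<para>` before the list is kept); close the paragraph before the `<itemizedlist>` so the list is a block of its own. Spelling: the rest of the file writes `<abbrev>IPsec</abbrev>`, but the new list item uses `IPSec`; `lies in the kernel-space` and `lies on user-space` should read `in kernel space` and `in user space`. The OpenVPN item says it is `such a protocol that has its key exchange based on SSL`; OpenVPN is a program with its own tunnel protocol that uses TLS for key exchange, so `a custom tunnel protocol whose key exchange uses TLS` is more accurate. FreeS/Wan has not been maintained for years; name the IPsec implementation &PRODUCT; actually ships. There is also trailing whitespace after `and others. `.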
@@ -41,6 +67,19 @@
 		<para>
 			The <abbrev>IPsec</abbrev> implementation in &PRODUCT; uses <firstterm>Internet Key Exchange</firstterm> (<firstterm>IKE</firstterm>), a protocol implemented by the Internet Engineering Task Force (<acronym>IETF</acronym>), used for mutual authentication and secure associations between connecting systems.
 		</para>
+
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_an_IPSec_VPN_Work">
+		<title>How Does an IPSec VPN Work?</title>
+		<para>
+			When a packet is transmitted from a client, it sends it through the <abbrev>VPN</abbrev> router or gateway, which adds an <firstterm>Authentication Header</firstterm> (<abbrev>AH</abbrev>) for routing and authentication. The data is then encrypted and, finally, enclosed with an <firstterm>Encapsulating Security Payload</firstterm> (<abbrev>ESP</abbrev>). This latter constitutes the decryption and handling instructions.
+		</para>
+		<para>
+			The receiving <abbrev>VPN</abbrev> router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network <abbrev>VPN</abbrev> connection is transparent to a local node.
+		</para>
+		<para>
+			With such a heightened level of security, an attacker must not only intercept a packet, but decrypt the packet as well. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys for authenticating sessions. Because they employ several layers of authentication and encryption, <abbrev>VPN</abbrev>s are a secure and effective means of connecting multiple remote nodes to act as a unified intranet.
+		</para>
+	</section>
 	
 	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">
 		<title>Creating an <abbrev>IPsec</abbrev> Connection</title>
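Review bot: the moved text carries an inaccurate description of IPsec, and relocating it is the moment to fix it. The gateway does not add an AH `for routing and authentication` and then wrap the packet in an ESP that `constitutes the decryption and handling instructions`: AH (integrity and origin authentication, no encryption) and ESP (encryption, optionally with integrity) are two separate IPsec protocols, a VPN tunnel normally uses ESP alone, and the ESP header only identifies the security association whose keys and algorithms the peers negotiated through IKE. Suggested wording for the first paragraph: `the VPN gateway encapsulates the original packet in ESP, encrypting it and adding an integrity check under keys negotiated with IKE; AH can be used instead where only authentication is required.` The new title and id use `IPSec` while the neighbouring id `Creating_an_IPsec_Connection` and the body text use `IPsec`; make them consistent. The third paragraph's claim that a man-in-the-middle `must also have access to at least one of the private keys` only holds when peers authenticate each other with certificates or pre-shared keys and actually verify the result; a short qualifier would help.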
-- 
1.9.3

From ec2288319efec8b5b5314c6ea31fff272cfedaa5 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>
Date: Mon, 16 Jun 2014 15:52:46 +0200
Subject: [PATCH 2/2] VPN: Added OpenConnect section.

---
 en-US/VPN.xml | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/en-US/VPN.xml b/en-US/VPN.xml
index f4a2242..a74c96d 100644
--- a/en-US/VPN.xml
+++ b/en-US/VPN.xml
@@ -985,6 +985,92 @@ include "/etc/racoon/<replaceable>X.X.X.X</replaceable>.conf"</screen>
 	</section>
 	</section>
 
+
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect">
+		<title>OpenConnect</title>
+		<para>
+			&PRODUCT; supports <abbrev>OpenConnect</abbrev> for connecting remote hosts and networks to each other using an SSL/TLS-based secure tunnel on a common carrier network such as the Internet. The protocol is compatible with the CISCO AnyConnect and can be used to connect to CISCO gateways in addition to OpenConnect servers. OpenConnect utilizes two channels, a TCP channel under TLS, and a UDP channel under DTLS to establish the tunnel. The UDP channel takes precedence when can be reliably established, and the TCP channel is used as backup.
+		</para>
+		<para>			
+			<abbrev>OpenConnect</abbrev> can be deployed to connect a host to a network, or  a network to network. The mode is determined by the server which provides the appropriate configuration (e.g., routes) to the client.
+		</para>
+	
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Authentication">
+		<title>Authentication of an <abbrev>OpenConnect</abbrev> Connection</title>
+		<para>
+			An <abbrev>OpenConnect</abbrev> connection can be established after the credentials are available to the user. The credentials may be a username-password pair, a client certificate or both. In all cases, the server's certificate (or its hash) must be available or known to the user.
+		</para>
+	</section>
+	
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Installation">
+		<title>OpenConnect Installation</title>
+		<para>
+			Deploying <abbrev>OpenConnect</abbrev> client side requires that the <filename>NetworkManager-openconnect</filename>, and <filename>openconnect</filename> RPM packages be installed. The server side requires the <filename>ocserv</filename> RPM package. The available applications are listed below.
+		</para>
+		<itemizedlist>
+			<listitem>
+				<para>
+					<command>/usr/sbin/openconnect</command> &mdash; It is the client tunnel establishment tool. Refer to the <command>openconnect</command>(8) man page for more information.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					<command>/usr/sbin/ocserv</command> &mdash; it is the openconnect server application. Refer to the <command>ocserv</command>(8) man page for more information.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					<filename>/etc/ocserv/ocserv.conf</filename> &mdash; <command>ocserv</command>'s daemon configuration file used to configure various aspects of the connection, including authentication methods and encryption algorithms used in the connection. Refer to the <filename>ocserv</filename>(8) man page for a complete listing of available directives.
+				</para>
+			</listitem>
+		</itemizedlist>
+		<para>
+			To configure an <abbrev>OpenConnect</abbrev> client on &PRODUCT;, you can use the <application>Network Manager Tool</application>, or manually execute the <filename>openconnect</filename> application with the appropriate command line parameters.
+		</para>
+	</section>
+	
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Client_Configuration">
+		<title>OpenConnect Client Configuration</title>
+		<para>
+			OpenConnect's default operation connects one desktop or workstation (host) to a network. The server openconnect connects to provides the routes that are available from the VPN tunnel.
+		</para>
+		<para>
+			To configure a host-to-host <abbrev>IPsec</abbrev> connection, use the following steps for each host:
+		</para>
+		<orderedlist continuation="restarts" inheritnum="ignore">
+			<listitem>
+				<para>
+					Select the configuration option on the top right menu and select the <application>Network</application> settings.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					On the <guilabel>Network</guilabel> tab, click <guibutton>+</guibutton> to start the new connection configuration wizard.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					On the <guilabel>Add Network Connection</guilabel> dialog, click <guibutton>VPN</guibutton>.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Then select the <guibutton>Cisco AnyConnect Compatible VPN (openconnect)</guibutton>.
+					</para>
+			</listitem>
+			<listitem>
+				<para>
+					Enter the gateway (server address) for the connection, and optionally specify the server's certificate. If no certificate is specified you'll be prompted to trust the one that is obtained by the server on the initial connection.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Save and, return the the initial <guilabel>Network</guilabel> tab, and then click on the newly created VPN connection. You'll be prompted for the username and password.
+				</para>
+			</listitem>
+		</orderedlist>
+	</section>
+	</section>
 </section>
 
 
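Review bot: the Client Configuration section says `To configure a host-to-host <abbrev>IPsec</abbrev> connection, use the following steps for each host:`, which is copied from the IPsec section and contradicts the paragraph just above it; the steps configure one OpenConnect client connecting to a network, so it should read `To configure an <abbrev>OpenConnect</abbrev> connection, use the following steps on the client:`. Step 5 tells the reader that without a configured certificate they will `be prompted to trust the one that is obtained by the server on the initial connection`; since the Authentication subsection states that the server's certificate or its hash must already be known to the user, the step should say to compare the presented fingerprint with one obtained out of band from the administrator before accepting it, otherwise a first connection through an interposed host is accepted silently. Smaller points: `The UDP channel takes precedence when can be reliably established` is missing `it`; `CISCO` should be `Cisco` and `compatible with the CISCO AnyConnect` needs `protocol`; `or  a network to network` has a double space; `Save and, return the the initial` should be `Save, return to the initial`; `The server openconnect connects to provides the routes that are available from the VPN tunnel` reads better as `The server provides the routes that are reachable through the tunnel`; the `ocserv.conf` item refers to the man page as `<filename>ocserv</filename>(8)` while the two items above use `<command>`, and the first item capitalizes `It is` while the second writes `it is`. There is trailing whitespace on the `<para>` opening the deployment-mode paragraph and a tab-only line after `</para>` before the Authentication subsection.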
-- 
1.9.3

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
