IPSec
SnapGear software engineers have completed a major enhancement to the SnapGear
family of Internet security appliances and SecureEdge OEM platforms by adding strong VPN
support based upon the IPSec standard. Many appliance style products
currently claim to have IPSec support but most lack the full IPSec feature
set and instead only support "pass through" mode - effectively only
permitting IPSec information to pass through the device but not adding any
additional value or security.
FreeS/WAN
The FreeS/WAN IPsec implementation was chosen as
the basis for the enhancement as it was already open source while being
technically complete and mature. Both FreeS/WAN and the
uClinux kernel are
freely available under the GNU Public License. The port took place in a matter of days, one of the
advantages of using a Linux operating system. Compatibility issues were
minimal, primarily because of the standardisation of Linux library
interfaces.
This implementation provides support for both auto and manual keying, and
typically uses 3DES for the tunnel encryption. Although encryption is
software based, there are hooks for the addition of hardware encryption
support such as for the Hi/fn 7901.
The overall uClinux kernel size increase was around 150kb for the full IPSec stack:
| text | data | bss | dec | hex | filename |
| 403820 | 72080 | 74019 | 549919 | 8641f | std/linux |
| 491144 | 127588 | 82733 | 701465 | ab419 | with-ipsec/linux |
In addition, an application binary called Pluto was implemented to handle
the key management. This was also an opportunity to test the enhanced malloc
that was described in a previous SnapGear Technical Bulletin.
IPSec with the original uClinux malloc:
| PID | STAT | SIZE | SHARED | %CPU | COMMAND |
| 21 | R | 74K | 0K | 0.0 | /bin/sh |
| 17 | S | 520K | 0K | 0.0 | pluto |
| 22 | S | 39K | 0K | 0.0 | /bin/inetd |
| 23 | S | 39K | 0K | 0.0 | /bin/flatfsd |
| 24 | S | 137K | 0K | 0.0 | /bin/boa |
| | total: | used: | free: | shared: | buffers: | cached: |
| Mem: | 2052096 | 1351680 | 700416 | 0 | 303104 | 24576 |
IPSec with the new malloc:
| PID | STAT | SIZE | SHARED | %CPU | COMMAND |
| 21 | R | 54K | 0K | 0.2 | /bin/sh |
| 17 | S | 416K | 0K | 0.2 | pluto |
| 22 | S | 27K | 0K | 0.0 | /bin/inetd |
| 23 | S | 27K | 0K | 0.0 | /bin/flatfsd |
| 24 | S | 77K | 0K | 0.0 | /bin/boa |
| | total: | used: | free: | shared: | buffers: | cached: |
| Mem: | 2052096 | 1122304 | 929792 | 0 | 307200 | 20480 |
Thus the Pluto key management overhead adds just over another 400K on top of
the kernel increase. However, some customers prefer to use their own key
distribution scheme as an alternative to Pluto, thus regaining the space.
On a SecureEdge SE2520 raw loopback encryption yields IPSec throughput of
48Mb/second. In end-to-end tests the results were measured as:
| raw TCP/IP | --> | 8320 kb/s |
| IPsec (software 3DES encryption) | --> | 816 kb/s |
| IPsec (Hifn hardware 3DES encryption) | --> | 3208 kb/s |
Interoperability
By virtue of choosing the FreeS/WAN implementation, the SnapGear/SecureEdge appliances gain instant compatibility advantages with Cisco and Nortel equipment as well as common software such as Raptor Firewall, PGP on Macintosh, Windows IPSEC clients, and native Solaris IPSec software, to name a few.
What is a VPN?
A VPN, or Virtual Private Network, is a group of two or more computer
systems, typically connected to a private LAN, that communicate "securely"
over the Internet. VPNs can replace a private WAN. Typical uses of a VPN
are to connect branch offices and telecommuters into an enterprise-wide
corporate network via the Internet, and can eliminate all long distance
charges. A VPN should include encryption for privacy of data, strong
authentication to prevent third parties from "spoofing" data, and mechanisms
for preventing any tampering with messages that must pass through the
Internet. The end points of a VPN should not reveal information about the
private network topology to potential attackers on the public network. An
often overlooked security issue is that although a given VPN may be
inherently secure, there are other ways of subverting the security, such as by
attacking the supporting framework of hosts, firewalls, and routers.
What is IPSec?
IPSec is a set of extensions to the IP protocol family providing
cryptographic security services. These services include privacy
(encryption), authentication, and message integrity. Replay protection is
also provided by virtue of the combination of authentication and message
integrity. One of the practical features of IPSec is that it provides
similar services to SSL but operates at the network layer, completely
transparently to your applications, and is much more powerful. We can say
this because your applications do not have to have any knowledge of IPSec to
be able to use it. You can use any IP protocol over IPSec. You can create
encrypted tunnels (VPNs), or just do encryption between computers.
So the three ways that IPSec would be setup are:
- Host-to-Host (or, for example, Workstation-to-Workstation)
- Host-to-Network (eg between a host and router)
- Network-to-Network (eg router to router)
The last option, in combination with a secure firewalling router, lets you
seamlessly bridge entire remote facilities.
What are the protocols behind IPSec?
The term IPSec actually covers a series of protocols used to send
authenticated and/or encrypted data over IP networks. Roughly
speaking, the protocols fall into three categories: encapsulating
security payload (ESP) and authentication header (AH), which define
encryption and authentication methods for IP payloads; and the Internet
Security Association and Key Management Protocol (ISAKMP), which
manages the exchange of secret keys between senders and recipients
of ESP or AH packets.
AH provides authentication, integrity, and replay protection but not
encryption and, unlike ESP, also secures parts of the IP header of the
packet (such as the source/destination addresses). ESP, on the other hand, provides
privacy of the data by securing everything in the packet that
follows the ESP header. Encryption can be used orthogonally to
authentication/integrity, and vice versa.
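To make the AH/ESP distinction and the replay-protection claim concrete, here is an added example (not SnapGear or FreeS/WAN code) that parses the fixed AH and ESP headers out of hand-constructed IPv4 packets, records which part of the packet each header protects, and applies the kind of per-SPI anti-replay sliding window an IPsec receiver keeps. No cryptography is performed; the ICV and ciphertext bytes are dummies, and the packet builders, sample SPIs and window size of 64 are assumptions made for the example.

```python
"""Parse AH/ESP headers from constructed IPv4 packets and apply an anti-replay window.

Added example for this bulletin; not SnapGear or FreeS/WAN code. All packets are
CONSTRUCTED with dummy payloads; only header parsing and replay bookkeeping is shown."""
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51


def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol, addresses and the payload (honouring IHL and total length)."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "ttl": ttl, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "payload": pkt[ihl:total_len]}


def parse_ipsec(pkt: bytes) -> dict:
    """Extract SPI, sequence number and coverage information from an AH or ESP packet."""
    ip = parse_ipv4(pkt)
    body = ip["payload"]
    if ip["proto"] == IPPROTO_AH:
        # AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV
        nxt, plen, _rsvd, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4
        return {"proto": "AH", "spi": spi, "seq": seq, "next_header": nxt,
                "icv": body[12:ah_len],
                # AH integrity covers the outer IP header (mutable fields zeroed) and everything after it
                "integrity_covers": "ip-header+payload", "inner": body[ah_len:]}
    if ip["proto"] == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": "ESP", "spi": spi, "seq": seq,
                # ESP protects only what follows its own header; the outer IP header is not covered
                "integrity_covers": "esp-payload", "inner": body[8:]}
    raise ValueError(f"not an IPsec packet (protocol {ip['proto']})")


class ReplayWindow:
    """Sliding anti-replay window over the 32-bit sequence number (assumed size 64)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                      # 0 is never valid once anti-replay is on
        if seq > self.top:                    # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: fell out of the window
        if self.bitmap & (1 << offset):
            return False                      # duplicate: replay
        self.bitmap |= 1 << offset
        return True


# --- CONSTRUCTED packets for demonstration -------------------------------------------
def build_ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload


def build_ah(spi: int, seq: int, inner: bytes, icv: bytes = b"\x00" * 12) -> bytes:
    plen = (12 + len(icv)) // 4 - 2           # AH length field in 32-bit words minus 2
    return struct.pack("!BBHII", 4, plen, 0, spi, seq) + icv + inner   # next header 4 = IP-in-IP


def build_esp(spi: int, seq: int, inner: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + inner


AH_PACKET = build_ipv4(IPPROTO_AH, build_ah(0x100, 7, b"inner-ip-datagram"))
ESP_PACKET = build_ipv4(IPPROTO_ESP, build_esp(0x200, 8, b"ciphertext-placeholder"))


def filter_stream(packets) -> list:
    """Run packets through one replay window per (protocol, SPI); return (proto, spi, seq, accepted)."""
    windows, out = {}, []
    for pkt in packets:
        info = parse_ipsec(pkt)
        win = windows.setdefault((info["proto"], info["spi"]), ReplayWindow())
        out.append((info["proto"], info["spi"], info["seq"], win.check_and_update(info["seq"])))
    return out


if __name__ == "__main__":
    print(parse_ipsec(AH_PACKET))
    seqs = (1, 2, 2, 1, 100, 36, 37, 37)
    print(filter_stream([build_ipv4(IPPROTO_ESP, build_esp(0x200, s, b"x")) for s in seqs]))
```

Feeding the sequence 1, 2, 2, 1, 100, 36, 37, 37 on one SPI shows the behaviour the text alludes to: the two duplicates are rejected, the jump to 100 slides the window forward, 36 is discarded as older than the 64-entry window, and 37 is accepted once and rejected on its second appearance.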
What about PPTP?
PPTP is an open documented standard published by the Internet Engineering
Task Force (IETF) as RFC 2637 ftp://ftp.ietf.org/rfc/rfc2637.txt.
The operation of PPTP as a VPN is performed by encapsulating the Point to
Point Protocol (PPP) in IP and tunneling through an IP network. All
communication, authentication and encryption is handled almost exclusively
by PPP. The connection mechanism to the IP network is transparent to PPTP.
PPTP takes advantage of PPP for its authentication and encryption. PPP can
support PAP, CHAP, MSCHAP and MSCHAPv2 authentication. PPP encryption is
performed through compressor modules, which under uClinux allow PPP to support
RC4 compatible 40-128 bit encryption.
PPTP is widely deployed in both client and server forms due to its default
existence in Microsoft Windows platforms.
PPTP vs IPSec
PPTP relies on the PPP daemon to provide the authentication and encryption
mechanisms. Microsoft's version of PPTP was recently upgraded to include
MSCHAPv2 and MPPE enhanced (and more secure) security protocols. Patches are
available for the Linux PPP daemon that allow PPTP solutions such as PoPToP
to take advantage of Microsoft's enhanced VPN security.
Bruce Schneier, Chief Technical Officer of Counterpane Internet Security Inc, recently analysed Microsoft's MSCHAPv2 and
MPPE security protocols and found that Microsoft have addressed the major
security weaknesses found in MSCHAP. Schneier states that the fundamental
weakness of the current authentication and encryption protocols (MSCHAPv2
and MPPE) is that they are only as secure as the password chosen by the user.
MSCHAPv2 relies on password based keys in its authentication and encryption
mechanisms. Because most users select poor passwords, this can leave the VPN
open to dictionary style password attacks. IPSec was also analysed and found
to be superior (security-wise) to PPTP.
PPTP VPN (with MSCHAPv2 and 40-128 bit RC4 encryption) is available now.
With the countless Windows machines already out there supporting PPTP VPN,
the cost effective solution is obvious. Windows 98 has VPN client software
as an install option. Windows NT 4.0 comes with PPTP (server and client) by
default. Patches (Microsoft Dial up Networking patch) exist for upgrading
Windows 95 machines to include a PPTP client. Windows 2000 has PPTP and
IPsec by default. Again, the only problem is that your VPN is only as secure
as the supporting infrastructure.
PoPToP - SnapGear's PPTP answer
PoPToP is the PPTP VPN server for Linux (known
ports exist for Solaris, OpenBSD, FreeBSD and others). PoPToP allows Linux
servers to function seamlessly in PPTP VPN environments thus enabling
administrators to leverage the considerable benefits of both Microsoft and
Linux. The current release version of PoPToP supports Windows 95, 98, NT and
Windows 2000 PPTP clients as well as the Linux PPTP client.
PoPToP is a PPTP Access Concentrator (PAC) that employs an enhanced GRE
(Generic Routing Encapsulation - protocol 47) mechanism for carrying PPP
packets and a Control channel (port 1723) for PPTP control messages. The
basic operation of PoPToP is to wrap PPP packets up in IP and
send them across the public Internet infrastructure. At the other end of the
connection the PPP packets are stripped from the IP packet and handed to the
PPP daemon. The operation is almost identical to a dial-in session, except
for the fact that the PPP packets are wrapped in IP and sent over an IP
network as opposed to a generic phone line and modem configuration.
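The two channels just described can be recognised on the wire with a short classifier. The following is an added example, not PoPToP or SnapGear code: it decodes constructed IPv4 packets, flags TCP traffic on port 1723 as the PPTP control channel, decodes the RFC 2637 enhanced GRE header (protocol 47, version 1, key present, protocol type 0x880B) on the data channel, and reads the PPP protocol number of the carried frame so an operator can confirm that tunnelled IP arrives as MPPE compressed datagrams (PPP protocol 0x00FD) rather than as plaintext IP (0x0021). The packet builders, call ID, sequence numbers and PPP payload bytes are assumptions made for the example.

```python
"""Classify PPTP control and enhanced-GRE data traffic from constructed IPv4 packets.

Added example for this bulletin; not PoPToP or SnapGear code. Packets are
CONSTRUCTED with dummy PPP payloads; the MPPE bytes are placeholders, not real ciphertext."""
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
PPTP_CONTROL_PORT = 1723
GRE_PROTO_PPP = 0x880B          # protocol type carried in enhanced GRE for PPP
PPP_NAMES = {0x0021: "IP", 0x00FD: "MPPE/compressed datagram", 0xC021: "LCP",
             0xC223: "CHAP", 0x80FD: "CCP", 0x8021: "IPCP"}


def parse_ipv4(pkt: bytes):
    """Return (protocol, payload) honouring IHL and total length."""
    ver_ihl, _, total_len, _, _, _, proto, _, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, pkt[ihl:total_len]


def parse_enhanced_gre(body: bytes):
    """Decode the RFC 2637 enhanced GRE header; return None if this is not PPTP GRE."""
    flags, version_byte, gre_proto, payload_len, call_id = struct.unpack("!BBHHH", body[:8])
    key_present = bool(flags & 0x20)        # K bit: payload length + call ID follow
    seq_present = bool(flags & 0x10)        # S bit: sequence number present
    ack_present = bool(version_byte & 0x80)  # A bit: acknowledgment number present
    version = version_byte & 0x07           # enhanced GRE is version 1
    if version != 1 or not key_present or gre_proto != GRE_PROTO_PPP:
        return None
    off, seq, ack = 8, None, None
    if seq_present:
        seq = struct.unpack("!I", body[off:off + 4])[0]
        off += 4
    if ack_present:
        ack = struct.unpack("!I", body[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": body[off:off + payload_len]}


def ppp_protocol(frame: bytes) -> int:
    """PPP protocol number; tolerates optional FF 03 address/control and 1-byte compressed protocol."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if frame[0] & 0x01:                     # protocol-field compression: single odd byte
        return frame[0]
    return struct.unpack("!H", frame[:2])[0]


def classify(pkt: bytes) -> dict:
    """Label a packet as PPTP control, PPTP data (with PPP protocol), or something else."""
    proto, body = parse_ipv4(pkt)
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        return {"kind": "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "tcp"}
    if proto == IPPROTO_GRE:
        gre = parse_enhanced_gre(body)
        if gre is None:
            return {"kind": "gre-other"}
        if gre["ppp"]:
            p = ppp_protocol(gre["ppp"])
            gre.update(ppp_protocol=p, ppp_name=PPP_NAMES.get(p, hex(p)),
                       cleartext_ip=(p == 0x0021))   # plaintext IP means MPPE is not in use
        return {"kind": "pptp-data", **gre}
    return {"kind": "other"}


# --- CONSTRUCTED packets for demonstration -------------------------------------------
def build_ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload


def build_pptp_gre(call_id: int, seq: int, ppp: bytes, ack=None) -> bytes:
    flags = 0x20 | 0x10                                     # K and S bits
    vbyte = 0x01 | (0x80 if ack is not None else 0)         # version 1, A bit if ack given
    hdr = struct.pack("!BBHHH", flags, vbyte, GRE_PROTO_PPP, len(ppp), call_id) + struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


CONTROL_PKT = build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40000, 1723) + b"\x00" * 16)
MPPE_PKT = build_ipv4(IPPROTO_GRE, build_pptp_gre(1, 1, b"\x00\xfd" + b"\x00\x10placeholder-ct"))
CLEAR_PKT = build_ipv4(IPPROTO_GRE, build_pptp_gre(1, 2, b"\xff\x03\x00\x21" + b"\x45" + b"\x00" * 19, ack=1))

if __name__ == "__main__":
    for p in (CONTROL_PKT, MPPE_PKT, CLEAR_PKT):
        print(classify(p))
```

Running it on the three constructed packets prints the control connection, an MPPE-carrying data frame, and a data frame carrying plaintext IP with `cleartext_ip` set, which is the condition a firewall administrator would want to alert on for a tunnel that is supposed to be encrypted.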
PoPToP has been setup to support MSCHAPv2 authentication and RC4 compatible
40-128 bit encryption. A SnapGear box running PoPToP can effectively replace a
Windows NT PPTP VPN server. However, PoPToP does not support PNS operation.
Originally pioneered by Moreton Bay (now SnapGear) in February '99 for their
eLIA platform (which has since evolved to become the SecureEdge development
platform), PoPToP was released under the GNU GPL in April '99 and has since
found widespread acceptance on standard Linux servers and firewalls in large
production sites and small business and home networks.
A total VPN solution for OEMs and ISPs
The SecureEdge family of development platforms supports both IPSec and PPTP while providing
a Linux firewall shield and additional gateway and server features such as
Layer 3 routing, DHCP client/server, and numerous other standard Linux
services. With a range of connectivity options including ADSL, cable modem,
T1, ISDN, and V.90, the SecureEdge family is the first choice for OEMs wishing to
bypass costly and risky development cycles to produce an end product.
Similarly, ISPs are finding the units to be affordable and able to solve
many edge problems as part of a total branded service offering. SecureEdge units
are comparable to Cisco, Nortel, 3COM and other hardware systems as well
as commercial software firewalling systems running on Linux, Unix, and
Windows NT servers.
More information on VPNs may be obtained from the SnapGear VPN Whitepaper
More information on PoPToP may be obtained from the PoPToP Project Page