Virtual Private Networks (VPNs)
VPNs allow for secured digital communication between two parties (or networks), creating a Wide Area Network (WAN) from existing Local Area Networks (LANs). Where it differs from frame relay or ATM is in its transport medium. VPNs transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open standard encryption methods to further mask data in transit.
VPNs transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open standard encryption methods to further mask data in transit.
There are several vendors with hardware VPN solutions such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based VPN solution for Linux called FreeS/Wan that utilizes a standardized IPsec (or Internet Protocol Security) implementation. These VPN solutions, regardless if hardware or software based, act as specialized routers that sit between the IP connection from one office to another.
When a packet is transmitted from a client, it sends it through the router or gateway, which then adds header information for routing and authentication called the Authentication Header (AH). The data is encrypted and is enclosed with decryption and handling instruction called the Encapsulating Security Payload (ESP). The receiving VPN router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets decrypted and ready for processing. The encryption/decryption process in a network-to-network VPN connection is transparent to a local node.
Because they employ several layers of authentication and encryption, VPNs are a secure and effective means to connect multiple remote nodes to act as a unified Intranet.
Tags: Networks (VPNs), Private, virtual
IPsec Host-to-Host Configuration
For a host-to-host connection, you need the following information:
The IP address for both hosts.
A unique name to identify the IPsec connection and distinguish it from other devices or connections (for example, ipsec0).
A fixed encryption key or one automatically generated by racoon.
A pre-shared authentication key that is used to initiate the connection and exchange encryption keys during the session.
For example, suppose Workstation A and Workstation B want to connect to each other through an IPsec tunnel. They want to connect using a pre-shared key with the value of ‘buddies’ and the users agree to let racoon automatically generate and share an authentication key between each host. Both host users decide to name their connections ipsec0.
The following is the ifcfg file for Workstation A for a host-to-host IPsec connection with Workstation B (the unique name to identify the connection in this example is ipsec0, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec0):
DST=X.X.X.X TYPE=IPSEC ONBOOT=yes IKE_METHOD=PSK
Workstation A would replace X.X.X.X with the IP address of Workstation B, while Workstation B replaces X.X.X.X with the IP address of Workstation A.
The connection is set to initiate upon boot-up (ONBOOT=yes) and uses the pre-shared key method of authentication (IKE_METHOD=PSK).
The following is the content of the pre-shared key file (called /etc/sysconfig/network-scripts/keys-ipsec0) that both workstations need to authenticate each other.
The contents of this file should be identical on both workstations and only the root user should be able to read or write this file.
For Security chmod to 600
chmod 600 /etc/sysconfig/network-scripts/keys-ipsec0
Tags: configuration, Host-to-Host, IPsec
IPsec VPN on Red Hat Linux
IPsec is the supported VPN implementation for Red Hat Enterprise Linux that sufficiently addresses the usability needs of organizations with branch offices or remote users.
IPsec can be implemented using a host-to-host (one computer workstation to another) or network-to-network (one LAN/WAN to another). The IPsec implementation in Red Hat Enterprise Linux uses Internet Key Exchange (IKE), which is a protocol implemented by the Internet Engineering Task Force (IETF) to be used for mutual authentication and secure associations between connecting systems.
On Red Hat Enterprise Linux systems, an IPsec connection uses the pre-shared key method of IPsec node authentication. In a pre-shared key IPsec connection, both hosts must use the same key in order to move to the second phase of the IPsec connection.
Implementing IPsec requires that the ipsec-tools RPM package be installed on all IPsec hosts (if using a host-to-host configuration) or routers (if using a network-to-network configuration).
/sbin/setkey
Manipulates the key management and security attributes of IPsec in the kernel.
/sbin/racoon
The IKE key management daemon, used to manage and control security associations and key sharing between IPsec-connected systems.
/etc/racoon/racoon.conf
The racoon daemon configuration file used to configure various aspects of the IPsec connection, including authentication methods and encryption algorithms used in the connection.
Tags: IPsec, linux, Red Hat, VPN
How to check if the port is associated with the official list of known services.
Example:
cat /etc/services | grep 834
This command returns no output. This indicates that while the port is in the reserved range (meaning 0 through 1023) and requires root access to open, it is not associated with a known service.
Next, check for information about the port using netstat or lsof. To check for port 834 using netstat, use the following command:
The lsof command reveals similar information since it is also capable of linking open ports to services:
These tools reveal a great deal about the status of the services running on a machine. These tools are flexible and can provide a wealth of information about network services and configuration. Consulting the man pages for lsof, netstat, nmap, and services is therefore highly recommended.
Tags: check, known, official, Port, Services
Redirect all HTTP traffic through the proxy.
If you would like to redirect all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications you will need to add some rules
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j DNAT –to-destination 10.0.0.1:3128
And
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 3128
Where eth1,eth0 are the LAN, WAN devices and 10.0.0.1 is the IP address of your LAN device.
Tags: HTTP, Proxy, redirect, traffic
