commit 8f6a8c7ffb1257ceea6897a937833a1da484b706
Author: Nikos Mavrogiannopoulos nmav@redhat.com
Date:   Mon Jun 16 15:00:35 2014 +0200
VPN: Mention other VPN types and move all IPSec info to IPSec section.
Signed-off-by: Eric H Christensen sparks@redhat.com
en-US/VPN.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 files changed, 48 insertions(+), 9 deletions(-) --- diff --git a/en-US/VPN.xml b/en-US/VPN.xml index 42e9c99..f4a2242 100644 --- a/en-US/VPN.xml +++ b/en-US/VPN.xml 
@@ -11,21 +11,47 @@ To address this need, <firstterm>Virtual Private Networks</firstterm> (<abbrev>VPN</abbrev>s) were developed. Following the same functional principles as dedicated circuits, <abbrev>VPN</abbrev>s allow for secured digital communication between two parties (or networks), creating a <firstterm>Wide Area Network</firstterm> (<acronym>WAN</acronym>) from existing <firstterm>Local Area Networks</firstterm> (<acronym>LAN</acronym>s). Where it differs from frame relay or ATM is in its transport medium. <abbrev>VPN</abbrev>s transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software <abbrev>VPN</abbrev> implementations incorporate open standard encryption methods to further mask data in transit. </para> <para> - Some organizations employ hardware <abbrev>VPN</abbrev> solutions to augment security, while others use software or protocol-based implementations. Several vendors provide hardware <abbrev>VPN</abbrev> solutions, such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based <abbrev>VPN</abbrev> solution for Linux called FreeS/Wan that utilizes a standardized <firstterm>Internet Protocol Security</firstterm> (<abbrev>IPsec</abbrev>) implementation. These <abbrev>VPN</abbrev> solutions, irrespective of whether they are hardware or software based, act as specialized routers that exist between the IP connection from one office to another. + Some organizations employ hardware <abbrev>VPN</abbrev> solutions to augment security, while others use software or protocol-based implementations. Several vendors provide hardware <abbrev>VPN</abbrev> solutions, such as Cisco, Nortel, IBM, and Checkpoint. There are many free software-based <abbrev>VPN</abbrev> solutions for Linux, such as OpenVPN, OpenConnect, FreeS/Wan and others. + They differ on the secure communication protocol used for channel establishment and + features. 
</para> - <section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work"> - <title>How Does a VPN Work?</title> + <section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-Which_VPN_types"> + <title>Which types of VPN exist?</title> <para> - When a packet is transmitted from a client, it sends it through the <abbrev>VPN</abbrev> router or gateway, which adds an <firstterm>Authentication Header</firstterm> (<abbrev>AH</abbrev>) for routing and authentication. The data is then encrypted and, finally, enclosed with an <firstterm>Encapsulating Security Payload</firstterm> (<abbrev>ESP</abbrev>). This latter constitutes the decryption and handling instructions. + There are different types of VPN protocols, depending on the + underlying secure communication protocols used. In the following + paragraphs we try to enumerate the available solutions. </para> <para> - The receiving <abbrev>VPN</abbrev> router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network <abbrev>VPN</abbrev> connection is transparent to a local node. - </para> - <para> - With such a heightened level of security, an attacker must not only intercept a packet, but decrypt the packet as well. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys for authenticating sessions. Because they employ several layers of authentication and encryption, <abbrev>VPN</abbrev>s are a secure and effective means of connecting multiple remote nodes to act as a unified intranet. + <itemizedlist> + <listitem> + <para> + <acronym>IPSec</acronym> VPNs that utilize the standardized <firstterm>Internet Protocol Security</firstterm>. 
Typically the implementation lies in the kernel-space. + </para> + <para> + FreeS/Wan is of this VPN type. + </para> + </listitem> + <listitem> + <para> + <acronym>SSL/TLS</acronym> VPNs that utilize the standardized <firstterm>Transport Layer Security</firstterm> protocol or the <firstterm>Datagram Transport Layer Security Protocol</firstterm> (DTLS). Typically the implementation lies on user-space. + </para> + <para> + OpenConnect is of this VPN type. + </para> + </listitem> + <listitem> + <para> + Custom VPN protocols. + </para> + <para> + OpenVPN is such a protocol that has its key exchange based on SSL. + </para> + </listitem> + </itemizedlist> </para> </section> - + <section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD"> <title>VPNs and &PRODUCT;</title> <para> 
@@ -41,6 +67,19 @@ <para> The <abbrev>IPsec</abbrev> implementation in &PRODUCT; uses <firstterm>Internet Key Exchange</firstterm> (<firstterm>IKE</firstterm>), a protocol implemented by the Internet Engineering Task Force (<acronym>IETF</acronym>), used for mutual authentication and secure associations between connecting systems. </para> + + <section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_an_IPSec_VPN_Work"> + <title>How Does an IPSec VPN Work?</title> + <para> + When a packet is transmitted from a client, it sends it through the <abbrev>VPN</abbrev> router or gateway, which adds an <firstterm>Authentication Header</firstterm> (<abbrev>AH</abbrev>) for routing and authentication. The data is then encrypted and, finally, enclosed with an <firstterm>Encapsulating Security Payload</firstterm> (<abbrev>ESP</abbrev>). This latter constitutes the decryption and handling instructions. + </para> + <para> + The receiving <abbrev>VPN</abbrev> router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network <abbrev>VPN</abbrev> connection is transparent to a local node. + </para> + <para> + With such a heightened level of security, an attacker must not only intercept a packet, but decrypt the packet as well. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys for authenticating sessions. Because they employ several layers of authentication and encryption, <abbrev>VPN</abbrev>s are a secure and effective means of connecting multiple remote nodes to act as a unified intranet. 
+ </para> + </section> <section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection"> <title>Creating an <abbrev>IPsec</abbrev> Connection</title>
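Review bot: in the first hunk (@@ -11,21 +11,47 @@) the new list writes "IPSec" (`<acronym>IPSec</acronym>`, id `Which_VPN_types` text) while the unchanged paragraph immediately below and the rest of this file use `<abbrev>IPsec</abbrev>`; please use the "IPsec" spelling in the list item so the two names do not look like different things. Two wording fixes in the same hunk: "They differ on the secure communication protocol used for channel establishment and features" reads better as "They differ in the protocol used to establish the secure channel and in the features they offer", and "the implementation lies on user-space" should be "in user space" (matching "in the kernel-space" above it, which should likewise drop the hyphen). The custom-protocol item says OpenVPN "has its key exchange based on SSL" while the preceding item names the same protocol TLS; say "TLS" in both places. Finally, FreeS/Wan is kept as the only IPsec example in both the paragraph and the list; if &PRODUCT; no longer ships it, name the implementation it does ship, since the unchanged IKE paragraph in the second hunk refers to "The IPsec implementation in &PRODUCT;" without naming one.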
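Review bot: in the second hunk (@@ -41,6 +67,19 @@) the paragraph moved into "How Does an IPSec VPN Work?" describes AH and ESP incorrectly, and relocating it under IPsec is the right moment to fix it: AH and ESP are two separate IPsec protocols, not two stages applied to one packet. AH provides integrity and origin authentication (it has nothing to do with routing), ESP provides encryption plus optional integrity, and ESP carries the encrypted payload itself rather than "decryption and handling instructions"; most deployments use ESP alone. Suggested replacement for the first two sentences: "the VPN gateway encapsulates the packet in an Encapsulating Security Payload (ESP), which encrypts and authenticates it; the Authentication Header (AH) is an alternative that authenticates but does not encrypt." The new section title and id also say "IPSec" while the sibling id `Creating_an_IPsec_Connection` and the `<abbrev>IPsec</abbrev>` in the paragraph just above use "IPsec"; align them. Lastly, the moved final paragraph says a man-in-the-middle "must also have access to at least one of the private keys"; that is only true when IKE authenticates with certificates or raw keys, so qualify it or say "authentication credentials" since IKE also supports pre-shared keys.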