[securityguide] VPN: Mention other VPN types and move all IPSec info to IPSec section.

Eric Christensen sparks at fedoraproject.org
Mon Jun 16 19:29:22 UTC 2014


commit 8f6a8c7ffb1257ceea6897a937833a1da484b706
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date:   Mon Jun 16 15:00:35 2014 +0200

    VPN: Mention other VPN types and move all IPSec info to IPSec section.
    
    Signed-off-by: Eric H Christensen <sparks at redhat.com>

 en-US/VPN.xml |   57 ++++++++++++++++++++++++++++++++++++++++++++++++---------
 1 files changed, 48 insertions(+), 9 deletions(-)
---
diff --git a/en-US/VPN.xml b/en-US/VPN.xml
index 42e9c99..f4a2242 100644
--- a/en-US/VPN.xml
+++ b/en-US/VPN.xml
@@ -11,21 +11,47 @@
 		To address this need, <firstterm>Virtual Private Networks</firstterm> (<abbrev>VPN</abbrev>s) were developed. Following the same functional principles as dedicated circuits, <abbrev>VPN</abbrev>s allow for secured digital communication between two parties (or networks), creating a <firstterm>Wide Area Network</firstterm> (<acronym>WAN</acronym>) from existing <firstterm>Local Area Networks</firstterm> (<acronym>LAN</acronym>s). Where it differs from frame relay or ATM is in its transport medium. <abbrev>VPN</abbrev>s transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software <abbrev>VPN</abbrev> implementations incorporate open standard encryption methods to further mask data in transit.
 	</para>
 	<para>
-		Some organizations employ hardware <abbrev>VPN</abbrev> solutions to augment security, while others use software or protocol-based implementations. Several vendors provide hardware <abbrev>VPN</abbrev> solutions, such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based <abbrev>VPN</abbrev> solution for Linux called FreeS/Wan that utilizes a standardized <firstterm>Internet Protocol Security</firstterm> (<abbrev>IPsec</abbrev>) implementation. These <abbrev>VPN</abbrev> solutions, irrespective of whether they are hardware or software based, act as specialized routers that exist between the IP connection from one office to another.
+		Some organizations employ hardware <abbrev>VPN</abbrev> solutions to augment security, while others use software or protocol-based implementations. Several vendors provide hardware <abbrev>VPN</abbrev> solutions, such as Cisco, Nortel, IBM, and Checkpoint. There are many free software-based <abbrev>VPN</abbrev> solutions for Linux, such as OpenVPN, OpenConnect, FreeS/Wan and others. 
+		They differ on the secure communication protocol used for channel establishment and
+		features.
 	</para>
-	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">
-		<title>How Does a VPN Work?</title>
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-Which_VPN_types">
+		<title>Which types of VPN exist?</title>
 		<para>
-			When a packet is transmitted from a client, it sends it through the <abbrev>VPN</abbrev> router or gateway, which adds an <firstterm>Authentication Header</firstterm> (<abbrev>AH</abbrev>) for routing and authentication. The data is then encrypted and, finally, enclosed with an <firstterm>Encapsulating Security Payload</firstterm> (<abbrev>ESP</abbrev>). This latter constitutes the decryption and handling instructions.
+			There are different types of VPN protocols, depending on the
+			underlying secure communication protocols used. In the following
+			paragraphs we try to enumerate the available solutions.
 		</para>
 		<para>
-			The receiving <abbrev>VPN</abbrev> router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network <abbrev>VPN</abbrev> connection is transparent to a local node.
-		</para>
-		<para>
-			With such a heightened level of security, an attacker must not only intercept a packet, but decrypt the packet as well. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys for authenticating sessions. Because they employ several layers of authentication and encryption, <abbrev>VPN</abbrev>s are a secure and effective means of connecting multiple remote nodes to act as a unified intranet.
+		<itemizedlist>
+			<listitem>
+				<para>
+					<acronym>IPSec</acronym> VPNs that utilize the standardized <firstterm>Internet Protocol Security</firstterm>. Typically the implementation lies in the kernel-space.
+				</para>
+				<para>
+					FreeS/Wan is of this VPN type.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					<acronym>SSL/TLS</acronym> VPNs that utilize the standardized <firstterm>Transport Layer Security</firstterm> protocol or the <firstterm>Datagram Transport Layer Security Protocol</firstterm> (DTLS). Typically the implementation lies on user-space.
+				</para>
+				<para>
+					OpenConnect is of this VPN type.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Custom VPN protocols.
+				</para>
+				<para>
+					OpenVPN is such a protocol that has its key exchange based on SSL.
+				</para>
+			</listitem>
+		</itemizedlist>
 		</para>
 	</section>
-	
+
 	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">
 		<title>VPNs and &PRODUCT;</title>
 		<para>
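Review bot: the new `Which types of VPN exist?` list spells the protocol `<acronym>IPSec</acronym>` while the unchanged paragraph above this hunk and the section ids elsewhere in the file use `<abbrev>IPsec</abbrev>`; use the lowercase `IPsec` form and the `<abbrev>` element throughout so index entries and cross-references stay consistent, and make the second item's acronym `TLS` (the protocol the sentence actually names) rather than `SSL/TLS`. Smaller points in the same hunk: the `<para>` that now wraps only the `<itemizedlist>` should be dropped rather than left as an otherwise empty paragraph around a list; "Typically the implementation lies in the kernel-space" and "lies on user-space" read better as "the implementation typically lives in kernel space" / "in user space"; "In the following paragraphs we try to enumerate the available solutions" can simply become "The main types are:"; and the replacement line ending "FreeS/Wan and others. " carries trailing whitespace. Since the IPsec item names only FreeS/Wan while the guide's own IPsec section below describes the &PRODUCT; implementation, consider naming that implementation in the list instead.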
@@ -41,6 +67,19 @@
 		<para>
 			The <abbrev>IPsec</abbrev> implementation in &PRODUCT; uses <firstterm>Internet Key Exchange</firstterm> (<firstterm>IKE</firstterm>), a protocol implemented by the Internet Engineering Task Force (<acronym>IETF</acronym>), used for mutual authentication and secure associations between connecting systems.
 		</para>
+
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_an_IPSec_VPN_Work">
+		<title>How Does an IPSec VPN Work?</title>
+		<para>
+			When a packet is transmitted from a client, it sends it through the <abbrev>VPN</abbrev> router or gateway, which adds an <firstterm>Authentication Header</firstterm> (<abbrev>AH</abbrev>) for routing and authentication. The data is then encrypted and, finally, enclosed with an <firstterm>Encapsulating Security Payload</firstterm> (<abbrev>ESP</abbrev>). This latter constitutes the decryption and handling instructions.
+		</para>
+		<para>
+			The receiving <abbrev>VPN</abbrev> router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network <abbrev>VPN</abbrev> connection is transparent to a local node.
+		</para>
+		<para>
+			With such a heightened level of security, an attacker must not only intercept a packet, but decrypt the packet as well. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys for authenticating sessions. Because they employ several layers of authentication and encryption, <abbrev>VPN</abbrev>s are a secure and effective means of connecting multiple remote nodes to act as a unified intranet.
+		</para>
+	</section>
 	
 	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">
 		<title>Creating an <abbrev>IPsec</abbrev> Connection</title>
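Review bot: the moved `How Does an IPSec VPN Work?` section is inserted directly after the IKE paragraph of `VPNs and &PRODUCT;` with no `</section>` before it, so it becomes a subsection of that section at the same depth as the `Creating an IPsec Connection` section that follows; if that nesting is intended, indent the new block one level deeper than its parent (it currently shares the parent's single tab), otherwise close the parent section first. The title should read `How Does an IPsec VPN Work?` to match the `<abbrev>IPsec</abbrev>` spelling used in the neighbouring titles. Because this text is now presented specifically as the IPsec mechanism, its description deserves a correctness pass as it moves: AH and ESP are alternative IPsec protocols, not two headers applied in sequence to one packet; ESP, not AH, carries the encrypted payload and can also provide integrity protection, and a typical tunnel uses ESP alone; and "This latter constitutes the decryption and handling instructions" is inaccurate and could say instead that the ESP header carries the Security Parameters Index that identifies the security association the receiver uses to decrypt and verify the packet.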

