Chapter 6. Virtual Private Networks
Organizations with several satellite offices often connect them to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others. This can be an expensive proposition, especially for small- or medium-sized businesses (SMBs) that want to expand without paying the high costs associated with enterprise-level, dedicated digital circuits.
Engineers have developed a cost-effective solution to this problem in the form of Virtual Private Networks (VPNs). Following the same functional principles as dedicated circuits, Virtual Private Networks allow secured digital communication between two parties (or networks), creating a Wide Area Network (WAN) from existing LANs. Where a VPN differs from frame relay or ATM is in its transport medium. VPNs transmit over the IP or datagram (UDP) layers, making the VPN a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open-standard, open source encryption to further mask data in transit.
Some organizations employ hardware VPN solutions to augment security, while others use software- or protocol-based implementations. Several vendors offer hardware VPN solutions, such as Cisco, Nortel, IBM, and Checkpoint. There is also a free software-based VPN solution for Linux called FreeS/WAN that utilizes a standardized IPSec implementation. These VPN solutions act as specialized routers that sit on the IP connection between one office and another. When a client transmits a packet, it is sent through the router or gateway, which then adds header information for routing and authentication, called the Authentication Header (AH), and trailer information for CRC integrity and security, called the Encapsulating Security Payload (ESP).
With such a heightened level of security, a cracker must not only intercept a packet but decrypt it as well (most VPNs employ a triple Data Encryption Standard (3DES) 192-bit cipher). Intruders who attempt a man-in-the-middle attack between server and client must also have access to the keys exchanged for authenticating sessions. VPNs are a secure and effective means of connecting multiple remote nodes so that they act as a unified intranet.
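The wrap-and-verify sequence the gateway performs above (a header for authentication, an encrypted and integrity-checked payload), as an added toy example; this is not IPsec's, FreeS/WAN's or CIPE's actual wire format, and the keys, the sample packet bytes and the HMAC-SHA256 counter-mode keystream standing in for 3DES are all constructed here for illustration.

```python
import hashlib, hmac, os, struct

# Constructed demo keys; a real VPN derives per-session keys from a key exchange.
AUTH_KEY = b"demo-authentication-key"
ENC_KEY = b"demo-encryption-key"
HDR_LEN = 4 + 12   # 32-bit sequence number + 96-bit nonce
TAG_LEN = 16       # truncated HMAC-SHA256 tag

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a stand-in for a real cipher such as 3DES."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))

def encapsulate(inner_packet, seq):
    """Sending gateway: header (AH role: sequence number for replay detection,
    nonce) + encrypted inner packet + authentication tag (ESP role)."""
    nonce = os.urandom(12)
    header = struct.pack(">I", seq) + nonce
    ciphertext = _xor(inner_packet, _keystream(ENC_KEY, nonce, len(inner_packet)))
    tag = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag

def decapsulate(datagram):
    """Receiving gateway: verify the tag over header AND payload before
    decrypting. Returns (seq, inner_packet), or None if the datagram is
    truncated or was altered in transit."""
    if len(datagram) < HDR_LEN + TAG_LEN:
        return None
    header, body, tag = datagram[:HDR_LEN], datagram[HDR_LEN:-TAG_LEN], datagram[-TAG_LEN:]
    expected = hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    seq = struct.unpack(">I", header[:4])[0]
    return seq, _xor(body, _keystream(ENC_KEY, header[4:], len(body)))

if __name__ == "__main__":
    # Constructed stand-in for an inner IPv4 packet: 20-byte header + payload.
    pkt = bytes.fromhex("45000019000100004011") + b"\x00" * 10 + b"hello"
    wrapped = encapsulate(pkt, seq=1)
    print(decapsulate(wrapped) == (1, pkt))   # True
    tampered = bytearray(wrapped)
    tampered[HDR_LEN] ^= 0x01                 # flip one payload bit in transit
    print(decapsulate(bytes(tampered)))       # None: rejected before decryption
```

Because the tag is checked before any decryption and covers the header too, an intercepted datagram that is modified in either part is dropped, which is the property the text attributes to AH and ESP.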
6.1. VPNs and Red Hat Linux
Red Hat Linux users and administrators have various options for implementing a software solution to secure their WAN. There are, however, two methods of implementing VPN and VPN-equivalent connections that currently ship with Red Hat Linux. One equivalent solution involves using OpenSSH as a tunnel between two remote nodes. This solution is a sound alternative to telnet, rsh, and other remote host communication protocols, but it does not completely address the usability needs of all corporate telecommuters. Another solution, one that adheres more closely to the de facto definition of a VPN, is Crypto IP Encapsulation (CIPE), a method of connecting remote LANs so that they function as a unified network.
6.2. Crypto IP Encapsulation (CIPE)
CIPE is a VPN implementation developed primarily for Linux. CIPE uses encrypted IP packets that are encapsulated, or "wrapped", in datagram (UDP) packets. Packets are given destination header information and are encrypted using the default CIPE encryption mechanism, then transferred over IP as UDP packets via CIPE's own virtual device (cipcbx) across a carrier network (such as the Internet) to the intended remote node. The following figure shows a typical CIPE setup connecting two Linux-based networks.