Local Network and Internet Gateway Configuration Checks

If the tunnel client can connect to and authenticate with the tunnel server but cannot reach other machines on the internal network, there are two likely causes: either IP forwarding is not enabled on the tunnel server, or the tunnel is in an infinite loop. Such a loop can occur between the virtual IP address and the physical IP address of the tunnel server, and it indicates a misconfiguration in the Routing tab of the tunnel server configuration.

To tell the two apart, have the user ping the tunnel server's pseudo-adapter address. To do this, the user opens a DOS window and types:

ping virtual_IP

where virtual_IP is the pseudo-adapter address. If this ping succeeds, ping the tunnel server's real IP address. If this second ping fails, the tunnel is in an infinite loop. If the first ping fails and the second succeeds, IP forwarding is not properly enabled on the tunnel server. If both pings fail, the client machine cannot reach the server at all; this could be a firewall or router issue on the server side of the connection and should be investigated further.

If both pings pass and IP forwarding is properly enabled on the server, the user should traceroute to a machine on the local network. The command in Windows 95 is:

tracert other_machine

or, from a Unix command line:

traceroute other_machine

where other_machine is the domain name of the internal machine to which you want to trace traffic. If this succeeds, it shows that the client machine is sending packets through the server's tunnel pseudo-adapter to the internal machine on the server's network. If it fails, routing is misconfigured on the tunnel server; recheck the routes on the Routing tab in the Tunnel Configuration menu.

Next, repeat the procedure from the machine internal to the tunnel server's network: trace back to the client's unique domain name. If this checks out and there is still a problem, it resides in some other application or service. If this test fails, routing for the internal network is improperly configured; refer to the examples in Chapter 6 for internal network configuration scenarios.

To support these tests, you can also check the tunnel server's Read/Write counters in the Tunnel Manager application. These counters tell you how many bytes were read from and written to the tunnel by a particular tunnel client. It may take some time to educate both system administrators and end users in this new twist on the Internet troubleshooting process, but with the points presented here and simple networking common sense, you should have your AltaVista Tunnel up in no time.
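The ping sequence above, written for this edition as a Bourne shell script so that the same checks can be run from a Unix tunnel client (it is an added example, not part of the AltaVista Tunnel product). The addresses 10.0.0.1, 192.0.2.10 and intranet.example.com are hypothetical placeholders for the server's pseudo-adapter address, its physical address, and a machine on the internal network; the ping flags assume Linux.

```shell
#!/bin/sh
# Tunnel-client reachability triage (added example, not AltaVista Tunnel code).
# Arguments, all hypothetical: VIRTUAL_IP is the tunnel server's pseudo-adapter
# address, REAL_IP its physical address, INTERNAL_HOST a machine on the server's LAN.

# reachable HOST: succeed if one ICMP echo is answered within 2 seconds (Linux ping flags).
reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# diagnose VIRTUAL_OK REAL_OK: each argument is y or n, the result of pinging the
# pseudo-adapter address and the real address. Prints the conclusion the text draws.
diagnose() {
    case "$1$2" in
        yy) echo "tunnel up and IP forwarding enabled; check routing next" ;;
        yn) echo "tunnel in an infinite loop; fix the Routing tab on the tunnel server" ;;
        ny) echo "IP forwarding not enabled on the tunnel server" ;;
        nn) echo "server unreachable; check the firewall or router on the server side" ;;
        *)  echo "usage: diagnose y|n y|n" >&2; return 2 ;;
    esac
}

# run_checks VIRTUAL_IP REAL_IP INTERNAL_HOST: run both pings, print the diagnosis, and
# if both pass, test whether a machine on the server's LAN is reachable through the tunnel.
run_checks() {
    v=n; r=n
    reachable "$1" && v=y
    reachable "$2" && r=y
    diagnose "$v" "$r"
    [ "$v$r" = yy ] || return 1
    if reachable "$3"; then
        echo "internal host $3 reached through the tunnel; inspect the path with: traceroute $3"
    else
        echo "internal host $3 not reached; recheck the routes on the tunnel server's Routing tab"
        return 1
    fi
}

# Run the full sequence only when invoked as: ./tunnelcheck.sh --run VIRTUAL_IP REAL_IP INTERNAL_HOST
# e.g. ./tunnelcheck.sh --run 10.0.0.1 192.0.2.10 intranet.example.com
if [ "${1:-}" = --run ]; then
    run_checks "$2" "$3" "$4"
fi
```

The decision logic lives in diagnose so it can be exercised without a tunnel; run_checks only adds the two pings and the follow-up check against the internal host, and leaves the traceroute for the operator to read, since traceroute's exit status does not reliably say whether the destination answered.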

Chapter 8. Creating a VPN with the Unix Secure Shell

Unix has long been the development platform for the Internet. Everything from the TCP/IP suite to HTTP was developed on Unix first. Much of the development for private LAN-to-LAN connections, including IPSec and IPv6, is taking place on Unix platforms. In addition, the Linux operating system has become an important Internet server and development platform. Linux, a Unix-like OS, is freely available over the Internet, or can be purchased on CD for a modest price from a number of sources. Linus Torvalds created Linux as a non-commercial alternative to the other flavors of Unix available on Intel-based platforms. Linux became popular thanks to ISPs, web presence providers, and universities choosing it to deliver Internet services. Although originally shunned by large businesses because of a perceived lack of support, it has since garnered applications support from companies such as Corel and Netscape. In 1998, it was estimated that as many as seven million people worldwide use the OS. Linux's proliferation has meant that more and more networks are running a Unix OS variant, often as a web server, router, or proxy server.

The Secure Shell (SSH) is a replacement for insecure methods of accessing a remote Unix host. It's meant to replace the common Unix tools rsh, rcp, and rlogin, and can also replace telnet in many cases. Its open-ended versatility means that it can also accomplish things like forwarding X11 connections securely and copying files remotely using a companion tool called scp. In addition, it can be used to tunnel a PPP connection to create a secure virtual private network. If you're willing to spend the time and effort, you'll find that this type of connection can be just as secure and efficient as many of the more expensive solutions out there. SSH has been around since 1995 and is widely used in many Unix environments all over the world. Like Linux, it came out of Finland.
Computer scientist Tatu Ylönen originally created it, and his SSH Home Page (http://www.ssh.com/products/ssh) is a great place to find SSH information and links to the freeware SSH distributions. SSH development has since been taken up by SSH Communications Security, Ltd. (http://www.ipsec.com), who also create IPSec toolkits so that developers can include IPSec in their TCP/IP products. SSH contains quite a bit of functionality and many security improvements over the r-utilities. It allows for secure authentication, including RSA host keys, RSA user keys, and passwords. RSA authentication helps protect against IP and DNS spoofing and man-in-the-middle attacks. SSH can encrypt transferred data with a choice of ciphers, including 3DES, Blowfish, and IDEA. This means that you can choose a method based on the sensitivity of your data, the speed of your systems, and patent restrictions in your country. Authentication and encryption are covered in more detail later in this chapter.

SSH can also be used to forward X11 connections for secure X Window System sessions. It does this by having the SSH daemon create a proxy X display on the remote machine; X clients started in the remote session connect to that proxy, and SSH carries their traffic over the secure connection to the real X server on the machine from which the SSH client is run. SSH also has the capability to redirect arbitrary TCP/IP ports (though only root can redirect privileged ports, those below 1024). It can redirect a port on the local side to a port on the remote side, or redirect a port on the remote side to a port on the local side. When such a connection is in place, any data sent through the redirected ports is carried through the secure connection.

A freeware version of SSH is available as source code that can be compiled for almost any Unix and Unix-like platform, including Linux, FreeBSD, Solaris, AIX, and HP-UX. Commercial versions for those Unix platforms, as well as Windows 3.x/95/NT and Macintosh, are available from Data Fellows.
You can also purchase a ready-made SSH-based VPN product from them. In this chapter, we're going to be using the Unix freeware version of SSH for our examples. In addition, we're going to be using Linux as our Unix flavor of choice because it's also freely available and common, though the examples can be extrapolated to other variants, and we'll mention any platform-specific issues we might be aware of. We'll look at the capabilities of SSH, how to build and set it up, and its components. We're going to focus on tunneling a PPP connection using SSH to create a secure network, and give you some troubleshooting tips and resources. Finally, we'll do a brief performance evaluation of this solution.
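The two directions of port redirection described above, as an added shell example for this edition (not code from the book or from the SSH distribution). The functions compose the ssh invocations and enforce the rule that a privileged local listening port needs root; gateway.example.com and intranet.example.com are hypothetical host names, and the trailing sleep keeps the session open for an hour without an interactive login.

```shell
#!/bin/sh
# Compose ssh(1) -L and -R port-forwarding commands (added example, hypothetical hosts).
# Flag syntax is the same in the 1.2.x freeware SSH and in later SSH implementations:
#   -L lport:rhost:rport   listen locally, deliver on the server side
#   -R rport:lhost:lport   listen on the server, deliver on the client side

# port_allowed PORT UID: ports below 1024 may only be bound by root (uid 0).
port_allowed() {
    [ "$1" -ge 1024 ] || [ "$2" -eq 0 ]
}

# local_forward LPORT RHOST RPORT SSHHOST [UID]
# The ssh client listens on LPORT on this machine; each connection travels inside the
# SSH session and is opened by sshd on SSHHOST to RHOST:RPORT, so RHOST is resolved on
# the server side and may be an internal name. UID defaults to the caller's id.
local_forward() {
    uid=${5:-$(id -u)}
    if ! port_allowed "$1" "$uid"; then
        echo "local port $1 is privileged; rerun as root" >&2
        return 1
    fi
    echo "ssh -L $1:$2:$3 $4 sleep 3600"
}

# remote_forward RPORT LHOST LPORT SSHHOST
# sshd on SSHHOST listens on RPORT; connections come back through the session and are
# opened by the ssh client to LHOST:LPORT. A privileged RPORT needs root on the server,
# which cannot be checked from here, so only a warning is printed.
remote_forward() {
    [ "$1" -ge 1024 ] || echo "remote port $1 is privileged; the server-side login must be root" >&2
    echo "ssh -R $1:$2:$3 $4 sleep 3600"
}

# Example: reach an internal web server through the gateway, then test with telnet:
#   eval "$(local_forward 8080 intranet.example.com 80 gateway.example.com) &"
#   telnet localhost 8080
```

Adding -f to the composed command backgrounds ssh after authentication, which is how a forward is normally left running; it is omitted above so the printed command can be inspected before it is run.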

8.1 The SSH Software

SSH is both software and a secure communications protocol. It has practically become the de facto security standard for Unix remote access. As of this writing, the IETF SECSH working group was advancing the second generation of the protocol, called SSH 2, and protocol drafts are available. More information can be found at the IETF's web site, at SSH Communications Security's web site, or at http://www.ssh.fi/drafts.

Here are the basics of how SSH works. The SSH server daemon, called sshd, runs on its own well-known TCP/IP port, 22. The server listens for connections from an SSH client, for instance the program called ssh. Authentication is accomplished either with RSA host keys used in conjunction with .rhosts (the client host proves its identity to the server), or with RSA keys belonging to individual SSH users; password authentication is also available. The keys for hosts and users are typically 1,024 bits in length.

The SSH server program also has its own RSA key, the server key, which is used together with the host key for session key exchange. By default, this key is regenerated every hour and is never saved to a file. Because the server key is transient, an attacker who somehow learned the server's current server key and host key could decrypt only sessions set up during that key's lifetime, not packets captured earlier or later. The server key is normally 768 bits.

If the user specified a command to run when invoking the SSH client, that command is run remotely on the server. If no command is specified, a pseudo-terminal is allocated on the remote server and an interactive login session is begun. A pseudo-terminal (or TTY) is just the standard virtual character device that Unix systems allocate to a user who logs in remotely. Pseudo-terminals under Linux are often denoted as either ttyp or pty, followed by a unique designator. Normally, a pseudo-terminal isn't allocated when ssh is used simply to run a program remotely unless a certain parameter is specified, which we'll discuss later.

8.1.1 Encryption Capabilities

Encryption algorithms supported as of SSH 1.2.25 are Blowfish, IDEA, 3DES, DES, and arcfour (a free RC4 equivalent). These ciphers are normally all enabled in the SSH client. On the sshd server, some are enabled by default and others can be enabled only at compile time with flags added to the configure script (see Section 8.2 for more on the configure script). Technical descriptions of these ciphers can be found in Chapter 2. Your choices are: