119
If the tunnel client can connect to and authorize the tunnel server, but cannot reach other machines on the internal network, there could be two problems: either IP forwarding is not
enabled on the tunnel server, or the tunnel is in an infinite loop. Such a loop can occur between the virtual IP address and physical IP address of the tunnel server. The loop indicates
a misconfiguration in the Routing tab of the tunnel server configuration.
To diagnose which problem exists, have the user ping the tunnel server's pseudo-adapter address. To do this, the user must open a DOS window and type:
ping virtual_IP
where virtual_IP is the pseudo-adapter address. If this ping is successful, ping the tunnel server's real IP address. If this second ping fails, the tunnel is in an infinite loop. If the first ping fails and the second is successful, IP forwarding is not properly enabled on the tunnel server. If both pings fail, the client machine cannot reach the server at all. This could be a firewall or router issue on the server side of the connection and should be investigated further.
If all these tests pass, and IP forwarding is properly enabled on the server, the user should attempt to traceroute to a machine on the local network. The command in Windows 95 is:
tracert other_machine
or, from a Unix command line:
traceroute other_machine
where other_machine is the domain name of the internal machine to which we want to trace traffic. If this succeeds, it shows that the client machine is sending packets through the server's tunnel pseudo-adapter to the internal machine on the server's network. If it fails, routing is misconfigured on the tunnel server. Recheck the routes on the Routing tab in the Tunnel Configuration menu. Next, do the same procedure from a machine internal to the tunnel server's network: trace back to the client's unique domain name. If this checks out and there is still a problem, it resides in some other application or service. If this test fails, routing for the internal network is improperly configured. Refer to the examples in Chapter 6 for internal network configuration scenarios. To support these tests, you may also check the tunnel server's Read/Write counters in the Tunnel Manager application. These counters tell you how many bytes were read from and written to the tunnel by a particular tunnel client.
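The two-ping diagnosis above is easy to get wrong when a user is relaying results over the phone, so here is the same decision procedure as a small script. This is an added example, not part of the book or the AltaVista Tunnel product; it assumes a Linux-style ping(1) that accepts -c (packet count) and -W (reply timeout in seconds), and the addresses in the usage line are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the book): runs the pseudo-adapter ping and the real-address
# ping in the order the troubleshooting text gives, then names the likely fault.
# Assumes a Linux-style ping(1) with -c (count) and -W (timeout in seconds).

# ping_host ADDRESS: one probe, two-second timeout; the exit status is the verdict.
ping_host() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# classify_tunnel_state VIRTUAL_STATUS REAL_STATUS
# Each argument is the exit status of the corresponding ping (0 = reply received).
# The mapping is exactly the one the troubleshooting text lays out.
classify_tunnel_state() {
    virtual_status=$1
    real_status=$2
    if [ "$virtual_status" -eq 0 ] && [ "$real_status" -eq 0 ]; then
        echo "tunnel-up"            # both answer: go on to the tracert/traceroute tests
    elif [ "$virtual_status" -eq 0 ]; then
        echo "routing-loop"         # virtual answers, real does not: loop between the
                                    # virtual and physical address (recheck the Routing tab)
    elif [ "$real_status" -eq 0 ]; then
        echo "no-ip-forwarding"     # real answers, virtual does not: enable IP forwarding
    else
        echo "server-unreachable"   # neither answers: firewall or router on the server side
    fi
}

# explain STATE: turn the short state name into the advice the text gives.
explain() {
    case "$1" in
        tunnel-up)          echo "Both addresses reachable; proceed to tracert/traceroute into the internal network." ;;
        routing-loop)       echo "Tunnel is looping between its virtual and physical address; recheck the Routing tab." ;;
        no-ip-forwarding)   echo "IP forwarding is not enabled on the tunnel server." ;;
        server-unreachable) echo "Client cannot reach the server at all; check firewalls and routers on the server side." ;;
        *)                  echo "Unknown state: $1" ;;
    esac
}

# diagnose_tunnel VIRTUAL_IP REAL_IP: run both probes and print state plus explanation.
diagnose_tunnel() {
    if ping_host "$1"; then v=0; else v=1; fi
    if ping_host "$2"; then r=0; else r=1; fi
    state=$(classify_tunnel_state "$v" "$r")
    echo "$state: $(explain "$state")"
}

# Usage: sh tunnel-check.sh 10.0.0.1 192.0.2.10   (constructed example addresses:
# first the pseudo-adapter address, then the server's real address)
if [ $# -eq 2 ]; then
    diagnose_tunnel "$1" "$2"
fi
```

Both pings are always run, even when the first fails, because the text's four outcomes need both results; the traceroute steps that follow in the text are left to the operator, since traceroute's exit status alone does not say whether the target was reached.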
It may take some time to educate both system administrators and end users to this new twist in the Internet troubleshooting process, but with the points presented here and simple networking
common sense, you should have your AltaVista Tunnel up in no time.
Chapter 8. Creating a VPN with the Unix Secure Shell
Unix has long been the development platform for the Internet. Everything from the TCP/IP suite to HTTP was developed on Unix first. Much of the development for private LAN-to-LAN connections, including IPSec and IPv6, is taking place on Unix platforms.
In addition, the Linux operating system has become an important Internet server and development platform. Linux, a Unix-like OS, is freely available over the Internet, or can be
purchased on CD for a modest price from a number of sources. Linus Torvalds created Linux as a non-commercial alternative to the other flavors of Unix available on Intel-based
platforms. Linux became popular thanks to ISPs, web presence providers, and universities choosing it to deliver Internet services. Although originally shunned by large businesses
because of a perceived lack of support, it has since garnered applications support from companies such as Corel and Netscape. In 1998, it was estimated that as many as seven
million people worldwide use the OS. Linux's proliferation has meant that more and more networks are running a Unix OS variant, often as a web server, router, or proxy server.
The Secure Shell (SSH) is a replacement for insecure methods of accessing a remote Unix host. It's meant to replace the common Unix tools rsh, rcp, and rlogin, and can also replace telnet in many cases. Its open-ended versatility means that it can also accomplish things like forwarding secure X11 connections and copying files remotely using a companion tool called scp. In addition, it can be used to tunnel a PPP connection to create a secure virtual private network. If you're willing to spend the time and effort, you'll find that this type of connection can be just as secure and efficient as many of the more expensive solutions out there.
SSH has been around since 1995 and is widely used in many Unix environments all over the world. Like Linux, it came out of Finland. Computer scientist Tatu Ylönen originally created
it, and his SSH Home Page (http://www.ssh.com/products/ssh/) is a great place to find SSH information and links to the freeware SSH distributions. SSH development has since been taken up by SSH Communications Security, Ltd. (http://www.ipsec.com/), who also create IPSec toolkits so that developers can include IPSec in their TCP/IP products.
SSH contains quite a bit of functionality and many security improvements over the r utilities. It allows for secure authentication, including RSA host keys, RSA user keys, and passwords.
RSA authentication helps protect against IP and DNS spoofing and man-in-the-middle attacks. SSH can encrypt transferred data with a choice of ciphers, including 3DES, Blowfish,
and IDEA. This means that you can choose a method based on the sensitivity of your data, the speed of your systems, and patent restrictions in your country. Authentication and encryption
are covered in more detail later in this chapter.
SSH can also be used to forward X11 connections for secure X Window System sessions. It does this by creating a fake X server on the machine from which the SSH client is run. It then
proxies the connection and forwards it to a real X server running the SSH daemon over a secure connection. SSH also has the capability to redirect arbitrary TCP/IP ports (though only root can redirect privileged ports). It can redirect a port on the local side to a port on the remote side, or a port on the remote side to a port on the local side. When such a connection is in place, any data sent through the redirected ports is sent through the secure connection.
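To make the two forwarding directions and the privileged-port rule concrete, here is a small helper that assembles the ssh command line for either direction. This is an added example and not code from the book or from the SSH distribution; it uses the ssh client's -L and -R option syntax (port:host:hostport), and the host names and port numbers in the usage lines are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the book): build an ssh port-forwarding command line and
# apply the rule that only root may bind a listening port below 1024.
# Uses the ssh client's -L/-R syntax: -L listen:host:hostport, -R listen:host:hostport.

# check_bind_port PORT UID: succeed if PORT may be bound by a process running as UID.
# Ports below 1024 are privileged and require uid 0.
check_bind_port() {
    port=$1
    uid=$2
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        return 1                       # not a valid TCP port at all
    fi
    if [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
        return 1                       # privileged port, unprivileged user
    fi
    return 0
}

# ssh_forward_cmd DIRECTION LISTEN_PORT TARGET_HOST TARGET_PORT SSH_HOST
#   local  -> -L: LISTEN_PORT opens on this machine; connections go out through the
#                 secure channel to TARGET_HOST:TARGET_PORT as seen from the server
#   remote -> -R: LISTEN_PORT opens on the server; connections come back through the
#                 secure channel to TARGET_HOST:TARGET_PORT as seen from this machine
ssh_forward_cmd() {
    direction=$1; listen_port=$2; target_host=$3; target_port=$4; ssh_host=$5
    case "$direction" in
        local)  flag=-L ;;
        remote) flag=-R ;;
        *) echo "unknown direction: $direction (use local or remote)" >&2; return 2 ;;
    esac
    # For -L the bind happens here, so the local uid decides whether it is allowed.
    if [ "$direction" = local ] && ! check_bind_port "$listen_port" "$(id -u)"; then
        echo "cannot bind port $listen_port locally: run as root or choose a port >= 1024" >&2
        return 1
    fi
    # For -R the bind happens on the server, so the same rule applies to the account
    # you log in as there; that cannot be verified from this side, only warned about.
    if [ "$direction" = remote ] && [ "$listen_port" -lt 1024 ]; then
        echo "note: remote port $listen_port is privileged; the login account on $ssh_host must be root" >&2
    fi
    echo "ssh $flag ${listen_port}:${target_host}:${target_port} ${ssh_host}"
}

# Usage (constructed names):
#   ssh_forward_cmd local  8110 mailhost  110 user@gateway   -> ssh -L 8110:mailhost:110 user@gateway
#   ssh_forward_cmd remote 2222 localhost 22  user@gateway   -> ssh -R 2222:localhost:22 user@gateway
```

Once the printed command is running, a client that connects to port 8110 on the local machine is carried through the secure channel and delivered by the server to mailhost port 110; the -R form works the same way in the opposite direction.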
A freeware version of SSH is available as source code that can be compiled for almost any Unix and Unix-like platform, including Linux, FreeBSD, Solaris, AIX, and HP-UX.
Commercial versions for those Unix platforms, as well as Windows 3.x/95/NT and Macintosh, are available from DataFellows. You can also purchase a ready-made SSH-based VPN product from them.
In this chapter, we're going to be using the Unix freeware version of SSH for our examples. In addition, we're going to be using Linux as our Unix flavor of choice because it's also freely available and common, though the examples can be extrapolated to other variants, and we'll mention any platform-specific issues we might be aware of. We'll look at the capabilities of SSH, how to build and set it up, and its components. We're going to focus on tunneling a PPP connection using SSH to create a secure network, and give you some troubleshooting tips and resources. Finally, we'll do a brief performance evaluation of this solution.
8.1 The SSH Software
SSH is both software and a secure communications protocol. It has practically become the de facto security standard for Unix remote access. As of this writing, the IETF SECSH working
group was advancing the second generation of the protocol, called SSH 2, and protocol drafts are available. More information can be found at the IETF's web site, SSH Communications Security's web site, or http://www.ssh.fi/drafts/.
Here are the basics of how SSH works: The SSH server daemon, called sshd, runs on its own well-known TCP/IP port, 22. The server listens for connections from an SSH client, for
instance, the program called ssh. Authentication is accomplished using the RSA key exchange for the client and server in conjunction with .rhosts, or using RSA key exchange for
individual SSH users. The keys for hosts and users are typically 1,024 bits in length. The SSH server program also has its own RSA key, which is used in conjunction with the host key for
session key exchange. By default, this key is regenerated every hour and is never saved in a file. This transient key makes it more difficult for someone to decipher packets captured
previously or in the future if they were somehow able to learn the server's current key and host key. The server key is normally 768 bits.
If the user specified a command to run when he invoked the SSH client, that command is run remotely on the server. If no command is specified, a pseudo-terminal is allocated on the
remote server and an interactive login session is begun. A pseudo-terminal or TTY is just the standard virtual character device Unix systems allocate a user when they log in remotely.
Pseudo-terminals under Linux are often denoted as either ttyp or pty, followed by a unique designator. Normally, a pseudo-terminal isn't allocated when ssh is used simply to run a program remotely, unless a certain parameter is specified, which we'll discuss later.
8.1.1 Encryption Capabilities
Encryption algorithms supported as of SSH 1.2.25 are Blowfish, IDEA, 3DES, DES, and arcfour (a free RC4 equivalent). These ciphers are normally all enabled on the SSH client. On the sshd server, some are enabled by default and others can be enabled only at compile time with flags added to the configure script (see Section 8.2 for more on the configure script). Technical descriptions of these ciphers can be found in Chapter 2. Your choices are: