[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Big VPN

On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> You might want to check tinc (http://tinc.nl.linux.org)

I strongly recommend *not* to use tinc. 
<http://www.securityfocus.com/archive/1/249142> illustrates that the
authors didn't have enough expertise to build a secure tool 2 years ago.
The problems were still present last autumn, see
<http://www.mit.edu:8008/bloom-picayune/crypto/14238>. What a track record!

With VPN software, IPSec is the only real option if you want to be certain
it is secure.

> Jaroslaw Tabor wrote:
> >I'm looking for good linux (debian of course) based solution for VPN
> >connecting about 100 LANs. The solution should be stable, easy for
> >implementation and easy for management. I've some expirience with VPNs
> >based on PPTPd, but not so big.

PPTP is also believed not to be quite insecure, see
<http://www.schneier.com/pptp-faq.html> (NB old!). A small number of people
believe it's OK these days due to some improvements made by Microsoft
<http://www.schneier.com/paper-pptpv2.html>, but I still wouldn't recommend
it.

Does each of these 100 LANs need to connect to *any* other LAN, or just to 
"your" LAN? Are the LANs real LANs or do you only want to connect single 
"road warrior" machines to "your" LAN?

> >I've reviewed freeswan and OE feauture. This looks nice, but I'm afraid
> >about security. If I understand this solution right there is no
> >authentication at all. So every one can connect to the LANs if he will
> >spoof IP.

I don't think it is the right thing for you, yes. Its main objective (in my 
eyes) is to protect "general" internet traffic from people who are not 
willing/able to do man-in-the-middle attacks, i.e. from people who just 
sniff on the wire. At least that's what it boils down to as long as no 
"secure DNS" is available...

> >I need something better, because I cannot trust to LAN users. To avoid
> >that, I have idea, to use some kind of secure DNS, which will answer
> >only to authorized peers, but I don't know how to do it.

What's wrong with IPSec with X.509 certificates? You can give out a signed
certificate to all people who should get access to your network, and remove 
individual people from the "allowed" list if necessary. IPSec works with 
all OSes as clients. The only downside (IMHO) is that the server can be 
fairly complex to set up for this kind of scenario.

Secure DNS doesn't exist today, does it?

> >Finally, the questions:
> >Did someone sucessfully build such network ? If yes, how?

Well, since I'm in the mood of handing out URLs today ;-), here are some
useful pages I found about IPSec setups involving both Linux and Windows
clients.

<http://www.freeswan.org/> - you've seen this already I guess :)
<http://www.natecarlson.com/linux/ipsec-x509.php>
<http://www.ipsec-howto.org/> - new kernel 2.6.0 IPSec
<http://ipsec.math.ucla.edu/services/ipsec.html>
<http://lugbe.ch/action/reports/ipsec_htbe.phtml>
<http://vpn.ebootis.de/>

> >Is there any solution to easily manage keys in so big network, if I will
> >choice freeswan (or other) without OE ?

100 VPN connections isn't /that/ much, I think FreeS/WAN or the 2.6.0 IPSec 
should be able to handle it. (Maybe ask the developers to ensure it does.)

> >PS: Sorry, for my poor english, I'm not a native speaker.
> me neither :)
Ditto. :-)

ü,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer     |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯
Reply to: