Secure connections

Introduction

APOP works by sending some sessions-specific information to the client (pop server PID and time of day), and have the POP client generate a hashed value based on this unique information and his login password. This hashed value is sent to the server, which also generates the hashed value and compares it with what the client sent: If the two match, it means that the client knows the logon password, and is granted access. That way, the password itself is not sent in clear text over the Internet, unlike POP3. Unfortunaly, very few mail clients support APOP (Eudora and Outlook Express; Outlook is supposed to support it, but I'm not positive it actually works. Both Outlook Express and Outlook call APOP "Logon using Secure Password/Authentication".) For linux users, another solution is to run fetchmail, which can retrieve mail using APOP, RPOP, KPOP, IMAP-K4, IMAP-GSS, and IMAP-CRAMMD5 in addition to the non-encrypted pop and imap flavors.

On the other hand, if you want to secure the entire session instead of just the logon step, you will have to use SSL. Two possibilities are available: Use a third-party tool like SSH or sTunnel to create an SSL tunnel, and then have both the mail server and client send data over this encrypted channel instead of directly over the Net; The second possibility is to use servers and clients that support SSL natively, ie. with no need to run an additional utility to build a tunnel before mail data is to travel over the wire.
SSL-capable mail servers are qpopper 4, and IMAP-Courier. SSL-capable clients are Outlook Express, Outlook, and Netscape.

Once we have a working SSL tunnel, non-secure applications can be set up to send their data through this secure channel instead of sending data in the clear over the Net.

To secure SMTP, whether it's between the two MTAs or to allow only authenticated servers/clients to user you mailer as relay, configure your MTA to use TSL (Securing Sendmail with TLS.)

Open ports on Windows hosts

More infos: ResNet Security Plan

Firewalls

• Tiny Personal Firewall
• ZoneLab's ZoneAlarm
• Cisco PIX
• SmoothWall
• IPCop
• SonicWall
• WatchGuard
• GNAT
• Microsoft ISA
• CheckPoint Firewall-1

VPN

What is it and how does it work?

• tunneling (PPTP, L2F, L2TP - mix of Microsoft's PPTP and Cisco's L2F -, IPSec, TunnelV, and CIPE)
• user authentication (RADIUS/TACACS/LDAP/NDS/PAP/CHAP, X.509 certified public key)
• packet integrity (RC4)
• packet encryption (MPPE/RAS/DES/3-DES.) Generally, VPNs operate at layers 2 and 3 of the OSI model. PPTP, L2F, and L2TP are largely aimed at dial-up VPNs, while IPSec's main focus has been LAN–to–LAN solutions

Commercial IPSec clients include:

1. BorderWare IPSec VPN Client
2. NAI PGPNet
3. Checkpoint VPN-1 SecuRemote
4. Checkpoint Raptor MobileNT http://www.checkpoint.com/techsupport/freedownloads.html
5. F-Secure VPN+ http://www.datafellows.com/products/vpnplus Checkpoint SecureRemote VPN-1 4.1
6. NTS TunnelBuilder
7. Mobile NT http://www.axent.com IRE SafeNet SoftPK
8. Xedia's AccessPoint http://www.ire.com http://www.xedia.com

PPTP

PPTP was developed into the form of an Internet-Draft by a group called the PPTP Forum, and free clients are readily available for the different flavors of Windows. On the Linux side, you'll have to install PPPd and PopTop (the open-source PPTP server.) Note that for testing purposes, it's OK to have the server and the client physically on the same LAN, and just pick up some unused IP addresses to be used for the tunnel. Two channels are required: The control connection (over TCP), and the data channel.

IPSec

IPSec tunnels do not support failover (if the IPSec VPN goes south, all current connections are lost.) Data confidentiality is achieved through the IPSec Encapsulating Security Payload (ESP). Data integrity is provided by the IPSec Authentication Header (AH) which digitally signs the outbound packet (data and headers). This signature is why IPSec and NAT are mutually incompatible, as changing any information in the header changes the packet's signature (Native IPsec requires that there be no change to the headers.)
A solution this is to use so-called ESP in tunnel mode, where the original packet (including headers) is encapsuled in a new IP packet, whose source address is the outbound address of the sending VPN host, and its destination address is the inbound address of the receiving VPN host. ESP with authentication encrypts and signs the contents of the original packet. The headers of the new packet are not signed, which makes NAT possible. Another issue that IPSec and NAT present, is that some X.509 certificates can be generated based on the host's external IP address.

Finally, negotiation of connection parameters is achieved through IKE (Internet Key Exchange.) Authentication inform can be picked up from a Secure DNS server ("Secure DNS - A version of the DNS or Domain Name Service enhanced with authentication services"). The Linux Router Project includes support for IPSec/FreeSWAN (http://lrp.steinkuehler.net/Packages/ipsec1.5.htm) Check the introduction available from FreeSWAN's site for infos on compatibility with other IPSec-capable devices.

CIPE - Crypto IP Encapsulation

TunnelV

Vtun

http://vtun.sourceforge.net/

Things to check when choosing a VPN

• Bandwidth and CPU-usage: VPNs use more bandwidth and number-crunching than standard connections, so make sure the VPN host is fast enough, and that whatever VPN solution you choose doesn't create a bottleneck (ie. installing an add-on on your router to support VPN might entail higher-latency)
• Type of VPN to choose: hardware-based (router or stand-alone box), firewall-based, or server-based. VPN uses TCP port 1723 (PPTP) or UDP port 1701 (L2TP); encapsulation of PPP frames for tunneling uses GRE, and lets you encrypt only data flow that really need it. Usually, VPNs are set up in parallel with the firewall (ie. it also sits between two networks), or in the private network.
• which network protocols need to be supported: IPSec only handles IP data flow, so you'll need to look at Cisco's GRE (Generic Routing Encapsulation) or L2F/L2TP/PPTP to support other protocols
• do you need to support NAT or firewall proxying? IPSec implementations typically don't do this
• user authentication: To authenticate users, the main solutions consist in the traditional choices offered by PPP (PAP, CHAP, MS-CHAP), and, increasingly, use of X.509 certificates
• storage of user credentials: either proprietary (the VPN manufacturer's own database system, Microsoft's SAM/Active Directory or Novell's NDS), RADIUS/TACACS, or LDAP
• data encryption: L2F/L2TP do not provide native support for encryption, which PPTP and IPSec do. Most vendors offer support for RSA, DES, and 3-DES. To solve the issue of distributing encryption keys, the choices include PPP-ECP (Point-to-Point Protocol's Encryption Control Protocol), Microsoft's PPE (Point-to-Point Encryption), and ISAKMP/IKE (Internet Security Association Key Management Protocol/Internet Key Exchange.)

Installing PPTP

Setting up the Linux PPTP server

Installing PPPd

1. rpm -Uvh ppp.rpm
2. vi /etc/ppp/options

   debug
   name myremotesrv
   noauth //No PPP authentication please
   require-chap
   #proxyarp //Otherwise, error message in log
   

3. vi /etc/ppp/chap-secrets

   ACME\jdoe * mypasswd *

   Important: Note that the NT domain must be included in the user's login (domain = ACME, here)

Installing PopTop

1. rpm -Uvh pptpd.rpm
2. vi /etc/pptpd.conf

   debug
   localip 192.168.0.78-79
   remoteip 192.168.0.78-79

   Note: As shown, you can use ranges of IPs instead of specific IPs to hand out to clients.

Setting up the Windows NT4 PPTP client

1. Double-click on My Computer | Dial-up Networking
2. Create a new entry: In the Basic tab, Phone number = the IP address of the remote PopTop server; In the Server tab, uncheck Enable Software Compression, click on the TCP/IP Settings and uncheck Use IP Header Compression; In the Security tab, select Accept only encrypted authentication
3. Connect
4. Open a DOS box, type ROUTE PRINT, and make sure that all connections to your LAN actually go through the VPN tunnel instead of directly on the LAN

Setting up the Windows 98 PPTP client

Setting up the Windows 2000 PPTP client

Installing FreeS/WAN

Installing the Linux FreeS/WAN server

1. Make sure that connectivity works OK between the two hosts that will act as IPSec gateways
2. FreeSWAN requires GMP (GNU multi-precision arithmetic; must have binary + headers) and Libdes (encryption) libraries, so make sure those are installed (eg. rpm -qa | grep gmp ; ldconfig -v | grep des)
3. Untar the FreeSWAN tarball in /usr/src
4. cd /usr/src/freeswan
5. make menugo
6. cd /usr/src/linux
7. make bzImage, and install the new kernel as you usually do
8. make modules ; make modules_install
9. Reboot
10. Check that IPSec is loaded : dmesg | grep klips

Installing the Windows 2000 IPSec client

Installing the Windows 98 IPSec client

Installing the Linux Router Project

Installing LinVPN 1.2

Installing TunnelV

1. Install SSLeay (OpenSSL OK?)
2. Install glibc2 (libc6)
3. Compile a new kernel with Ethertap and Netlink
4. Enable IP forwarding : echo 1 >/proc/sys/net/ipv4/ip_forward
5. Load one ethertap kernel module for each tunnel you want open at a time
6. Untar TunnelV, followed by make ; make install. If SSLeay is located in a non-standard location, edit Makefile. To uninstall, run make uninstall
7. A password is necessary the first time the remote end's RSA public key is authenticated: Edit the [Tunnel Vision] section and add Magic Password = mypassword. Needless to say, the password must be the same on both ends. After the first connection, remove the Magic Password line to forbid remote hosts from using passwords.
8. On the receiving end, launch TunnelV on a given port, eg. tunnelv 1234
9. On the sending end, try to connect through tunnelv that-other-guy's-address 1234
10. Check that a tunnel is available: You should see something like "Starting to exchange packets". Another thing to look at is whether the tap0 ethertap device is up by running ifconfig
11. Check if a route is available to reach the other site through the tunnel. If no route is available, add one through route add -net my-subnet-number netmask 255.255.255.0 tap0

Q&A/Troubleshooting

TunnelV: routes wrong

I can't stop pptpd (killall/kill/kill -9 : nothing works)

Cannot complete PPP negotiation because of "Cannot determine ethernet address for proxy ARP"

After successfull CHAP authentication, I get "Registering your computer in the network", followed by a disconnection

What are Security Associations?

Why can't we just use SSH tunneling?

What is link encryption via MPPE?

What is GRE used for?

What are LAC and LNS?

Resources

• Secure file transfers with scp
  • http://www.jfitz.com/tips/ssh_for_windows.html
  • http://winscp.vse.cz/eng/
  • http://www.networksimplicity.com/openssh/
  • http://www.reverse.net/freeware-ssh-clients.html
  • http://www.ece.nwu.edu/~mack23/ssh-clients.html
  • http://www.utu.net/ohjeet/ssh_for_windows.html
• PPTP: An Overview by Mik Newton http://www.cis.unisa.edu.au/~cisdak/teaching/CNS_student.data/Research%20Project%20Submissions/pptp/pptp/page1.html
• Lotta links at http://www.cis.ohio-state.edu/~jain/refs/refs_vpn.htm
• Going Beyond The Buzz To Understand VPN Technology http://www.csot.com/GlobeSrv/vpn/vpnarticle.htm
• PopTop
• FreeSWAN
• KAME http://www.kame.net/
• TunnelV http://www.worldvisions.ca/tunnelv/
• CIPE http://sites.inka.de/bigred/devel/cipe.html
• Infos on IPSec http://www.hsc.fr/ressources/veille/ipsec/index.html.en
• http://www.hsc.fr/ressources/ipsec/ipsec2000/index.html.fr
• Linux Router Project (LRP) http://lrp.steinkuehler.net/
• Ipsec practical configurations for Linux Freeswan 1.x. by Jean-Francois Nadeau http://jixen.tripod.com/
• http://www.quintillion.com/fdis/moat/ipsec+routing/
• http://www.securityfocus.com/focus/linux/articles/linux-ipsec.html
• http://www.securityfocus.com/focus/linux/articles/ipsecgateway.html?&_ref=294879751

Temp stuff

Path: club-internet!grolier!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!news.mel.connect.com.au!not-for-mail
From: "moth" 
Newsgroups: comp.os.linux.networking,comp.os.linux.security
Subject: Re: Easiest 2 point VPN to create
Date: Tue, 29 May 2001 12:08:34 +1000
Organization: Customer of Connect.com.au Pty. Ltd.
Lines: 101
Message-ID: <9ev0d2$k5q$1@perki.connect.com.au>
References: <4FCQ6.165996$BB5.2806376@typhoon.columbus.rr.com>
NNTP-Posting-Host: gatekeeper.ultradata.com.au
Mime-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Trace: perki.connect.com.au 991102178 20666 203.8.71.129 (29 May 2001 02:09:38 GMT)
X-Complaints-To: abuse@connect.com.au
NNTP-Posting-Date: 29 May 2001 02:09:38 GMT
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Xref: club-internet comp.os.linux.networking:290667 comp.os.linux.security:32140

Many ways to do this, one you can do it with dedicated VPN hardware
(like a cisco router that supports VPN etc) or another way you can do it
strictly via software (im sure there are other ways)

Lets say you cant be bothered forking over the big bucks for the
hardware solution, so we are left with a software solution.  and lets
say you cant be bothered forking over more big bucks for third party
software, which means we are left with an Open source solution.  and the
one i like is OpenSSH

Ingredients you will need.  (if you dont have the exact ingredients
similar ones will suffice)

A Firewall that allows packet masquerading - in my example i am using
RedHat 6.2 with ipchains running the packet filtering
A copy of OpenSSH installed and up and running on the approriate
machines.

now here is a scenario of a software VPN i created ages ago.

create the rules in your firewall to enable the ports for your VPN that
you wish to use...for example

        /sbin/ipchains -A input -j REJECT -p TCP -s $ANY -d $LAN
20022 -l
        /sbin/ipchains -A input -j REJECT -p TCP -s $ANY -d $LAN 22 -l
        /sbin/ipchains -A input -j ACCEPT -p TCP -s $SSH1 -d
$SSH_SERVER1 20022
        /usr/sbin/ipmasqadm portfw -a -P tcp -L $ETH2_ADDR 20022 -R
$SSH_SERVER1 22

The $LAN = 172.16.0.0/16 say,  $ANY=0.0.0.0/0 $SSH1= host you want to
allow into your network
$SSH_SERVER1=the server in your LAN that you want the external host to
connect to.  ETH2_ADDR=address of the external ethernet card on the
firewall

now the first line is a default rejection from any host to connect to
the LAN via port 20022.  the second is the same but for the standard
port 22 that OpenSSH uses.  the third line simply allows the particular
host SSH1 through your firewall on port 20022 to the SSH_SERVER1.  The
last line is the most important, and it takes all packets recieved on
the external interface that are destined for port 20022 and forwards
those packets onto the SSH_SERVER1 host to port 22!!!

So what do we have here?  Well basically we have an external host SSH1
that initiates an ssh session to the external address of the firewall
(i.e. your companies gateway).  so they type in "># ssh
123.456.789.abc:20022" at their unix prompt.  now assuming that
everything is configured nicely with thier firewall, the initialisation
packets for the ssh session hit your gateway on your firewall, where the
masquerading rule in line 4, picks them up and says "ok i have packets
from SSH1 hiting that are comming in for port 20022...everything
matches, so i will forward them onto SSH_SERVER1 to port 22"  so it
forwards the packets and the ssh session is established. (because i like
to allow my users to ssh out anywhere they like...so ssh back out is no
problem on my firewall and router).

So why did i choose port 20022 rather than just port 22?  well two
reasons.  one i might have more than one server on the lan that you
would like to set up VPN's via ssh for, so for each server you give it a
different port...say for another server SSH_SERVER2 you would make users
hit your external interface on port 20023 say...or any port you like (as
long as its above 1024).  and also you might have ssh running with its
default port 22 on the firewall for internal lan access / administration
etc!

remember you also have to clear all these ports and rules via the router
thats connecting you to the internet.  so you have to modify the
access-lists assuming your router is perfomring packet security.  So
thats a nice example of a FREE secure VPN...well as secure as it can be
with OpenSSH.

cheers
moth


"C"  wrote in message
news:4FCQ6.165996$BB5.2806376@typhoon.columbus.rr.com...
> Hello:
>
> I have recently started researching some HOW TO docs on creating VPNs.
Most
> of them refer to a "main" site and then smaller multiple "remote"
sites.
> What I need is the ability to have 2 sites send TCP/IP traffic through
an
> encrypted tunnel over the internet. Both sites should be able to see
one
> another and have equal permissions with regard to access of
machines...
> What is the best way to do this?
>
>
> As always, all advice is appreciated!!!
>
> Thanks,
> Chris
>

TunnelV

sTunnel

1. cd /usr/src/qpopper4.0/
2. ./configure --enable-shy --enable-specialauth --enable-standalone --with-gdbm
3. make ; make install ; popper 127.0.0.1:110 -s
4. mv stunnel.tar.gz /usr/src ; cd /usr/src ; tar xzvf stunnel.tar.gz
5. cd stunnel ; ./configure ; make ; make install
6. chmod 600 ./stunnel.pem
7. ./stunnel -f -d pop3s -r pop3
8. Copy stunnel.pem on the client Windows host, edit it to remove the private key, and right-click on this stripped-down version followed by Install Certificate. NOTE: OE still prompting me to accept certificate!
9. Configure your favorite email client to connect to POP3 in SSL mode (ie. port POP3S/995)

make 
....
/usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes \
        -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
Using configuration from stunnel.cnf
Generating a 1024 bit RSA private key
..........++++++
....................................................++++++
writing new private key to 'stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank. 

APOP with qpopper 4

Hi there,


With any luck this will be a no brainer for someone out there..


I have an Alpha running DUnix 4 which works and has been working fine for a number of years with the various versions of Qpopper without a problem. We have been concerned with some security issues and so Qpopper 4 supporting SSL was a great idea for us, nice integration with Eudora 5.1 etc.


The problem is (on the 5.1r client side):
(All works fine when things are set to SSL for POP: none)


Error while checking mail for <>
I said: STLS
And then the POP server said: SSL negotiation failed.


The problem (from the server side):


May 11 15:10:38  -f [24170]: (null) at 

	service pop3s
	{
	        socket_type     = stream        
	        protocol        = tcp
	        wait            = no
	        user            = root
	        server          = /usr/sbin/popper
	        server_args     = qpopper -l 1
	        port            = 995
	}