Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security

Implementing an SSL-Based Network? 31

Posted by Cliff from the stunneling-to-freedom dept.
A Nominal Coward asks: "I've been doing some research into making my communications more secure, everything from email to news, from IRC to www. Most of the information I've found repeats one suggestion, 'tunnel your connections over SSL.' Yet while everyone claims this is the best thing to do, no one seems to explain how. I haven't been able to find a faq, howto, or demonstration of how to set this up properly; just lots of people saying 'SSL is good.' What am I missing? I've downloaded and installed stunnel, a free (speech & beer) SSL tunneling proxy, but - don't laugh - now what? All I've managed to do is make an SSL connection to an IRC server a friend set up specifically for that purpose. Where do I go from here in order to secure my other connections, like mail, news, and web? Do I have to subscribe with providers who explicitly provide SSL access, if so, which are recommended? I would appreciate advice from others who have managed to get this working."
This discussion has been archived. No new comments can be posted.

Implementing an SSL-Based Network? More

Implementing an SSL-Based Network?

Comments Filter:

  • Why SSL? (Score:1, Informative)

    by Anonymous Coward
    Do the right thing and use IPSec. It encrypts all traffic, not just selected ports, and it will be included in IPv6. SSL might be your only option for communication with external servers and especially POP3 over SSL is very common, but for using services on a friend's system (who I suppose is open to suggestions), IPSec is a better choice.

  • Yes, you need something at both ends (Score:5, Insightful)

    by Papineau ( 527159 ) on Saturday June 22, 2002 @10:09AM (#3748886) Homepage
    Yes, as with every other protocol/combination of protocols (HTTP over TCP overIP), both ends of your many communications will need to speak the same way.

    For mail, some providers offer pops (that is, secure POP3), but you'll have to ask around to know which ones do. Another way to go is Web mail: those packages usually allow https connections. But don't forget that with both these tools, your mail is only secure between you and your ISP: the SMTP protocol your provider's server use to deliver it to other servers is not encrypted. If you really want one end to the other secure mail (as in: nobody will be able to read it unless they are the intended receiver or they're the NSA or CIA), then use PGP, GPG or any other good mail encryption package. Then it'll reach your recipient in a unreadable format. But all your recipients must have a public key, else you won't be able to encrypt it in the first place (so for helpdesks, mailing-lists, etc. it won't work).

    For news, www, etc., do you intend to encrypt what you receive (content)? What you receive (URL)? What you send (even if it ends up on a public nntp server)? For some of those, it won't work because you'd want every connection to be encrypted, period. Normal web servers essentially serving "free" info don't need that, and there's some overhead if you encrypt everything. So it won't be put in practice.

    Usually people use stunnel for, eg, remote X sessions, where you don't want other people to spy what you're doing. A couple apps also use ssh to do the same (cvs). But in each case, both ends of the communication must be properly set up to communicate through an encrypted layer.

    IPsec (as mentionned in another post) is also good, but as soon as your packets leave the other IPsec end (as in, leave the corporate firewall), your communication will again be very plain to read.
  • coming from some one who has done this, this can be a pain in the ass. Especially if you want to do it for multiple services. My suggestion would be, if you can't narrow it down to only 2 or 3 services, that you use a VPN.

  • confusing your apples and oranges (Score:4, Insightful)

    by coyote-san ( 38515 ) on Saturday June 22, 2002 @12:09PM (#3749190)
    Your question, and the answers, have confused apples and oranges. They look similar (round, fruit), but there are some key differences.

    Specifically, you could use a tunnel (stunnel, ssh), or you can use applications that directly support SSL. Setting up the applications takes a bit of research since it hasn't been standardized yet, but it's not too hard once you figure out where the documentation has been hidden. (Sometimes in the source code. *grrr*.) Setting up a tunnel is probably a bit easier, but it requires that the server explicitly provide a tunnel.

    The benefits of a tunnel is that it provides a "one size fits all" solution - if you can do it for one application, you can do it for others. More importantly, you can use it with applications that don't yet support SSL directly.

    The benefits of direct SSL support is that the clients can almost always verify the identity of the server (it is possible to set up a server so it doesn't require an X.509 certificate, but it's much more common for the server to require one). Optionally, the server can require that clients provide a certificate to identify themselves.

    If you control the server, the choice may come down to authentication and identity. If you don't care who connects, or who they connect to, e.g., because you'll be using (username,password) to log in, you should probably go with a tunnel. If you need to establish identity, or want to use a "login-less" mechanism, you should probably go with direct SSL and possibly require client certs.
    • The benefits of direct SSL support is that the clients can almost always verify the identity of the server (it is possible to set up a server so it doesn't require an X.509 certificate, but it's much more common for the server to require one). Optionally, the server can require that clients provide a certificate to identify themselves.

      Visit here [openssl.org] or man openssl for more information on creating and managing certificates.

  • Yeah, here's an idea. (Score:3, Interesting)

    by SuiteSisterMary ( 123932 ) <slebrunNO@SPAMgmail.com> on Saturday June 22, 2002 @01:05PM (#3749332) Journal
    Don't do it. Tunnelling is bad. Period. You want a secure network? Use IPSEC or something similar, and encrypt your traffic.
    • IPSEC around the LAN is half the story, and a very valuable part at that, but what about when your traffic escapes to a public network?

      Thats when you need a tunnel. And yes, you can use IPSEC for this too (smoothwall linux does not come with local IPSEC out of the box, but creating an IPSEC tunnel using FreeSWAN in smoothie is like falling off a log)

      • As I said in a different post, if it needs to be encrypted, it cannot escape to a public network. You need VPNs and the like at that point. Or a WAN. The problem is that there's so many bloody ways to tunnel; some built into the protocol, some built into the server, some built into the firewall, some built into the routers, some added on by third party apps, it's a horrible horrible mess. Ideally, the various 'core' protocols of TCP/IP would include provisions for encryption. And using SSL-like technology for this is fine; TLS for example.
    • Out of curiosity-- why is it that you would not tunnel your connections but you would use IPSec?

      Most networks which use IPSec as a VPN solution use dedicated IPSec/LLTP tunnels, and this technique is actually recommended by the National Security Agency (see their guide to implimenting a secure Windows 2000 network architecture).

      IPSec is implimented (as its name implies) at the IP level, so the machines on both sides of the tunnel need to support it. But beyond, that, it is transparent to the ends of the connection, so the applications need not be configured specially to support it. Again, usually, the way that this works is that a computer sends encrypted information to an IPSec gateway which then unencrypts it and sends it its destination. However, it should be noted that when IP v6 becomes more common, the strategy will probably shift away from tunnelling.
      • Mainly because, as you say, IPSEC is, at least, something of a standard, and is much more transparent. Less ad hoc, perhaps, is the phrase I'm looking for. But I prefer something that will encrypt the traffic in a 'blanket' fashion, and completely unbeknownest to the application itself. Perhaps we're using different terminology here, or perhaps I misunderstood the original post. There's a difference between 'creating an encrypted 'tunnel' across an unsecure network' and 'tunnelling a protocol through another.' SOAP is 'tunneled' through HTTP over port 80, and that sucks ass. Building a VPN 'tunnel' across the Internet, using IPSec, L2PP, or something else, is great, because it doesn't affect the original data, other than to encrypt it. The applications don't need to know what's happening, or why. Things aren't going out to nonstandard sockets/ports/whatever.

  • Small doc on using stunnel to proxy your own http (Score:3, Interesting)

    by ptudor ( 22537 ) on Saturday June 22, 2002 @04:40PM (#3750046) Homepage Journal

    This might help a bit if you're already looking toward stunnel but are unsure of how everything links together.

    http://www.ptudor.net/~ptudor/stun-proxy.html [ptudor.net]

  • Building Linux VPNs book may help (Score:3, Informative)

    by Helevius ( 456392 ) on Saturday June 22, 2002 @06:26PM (#3750476) Homepage
    You will find a useful comparison of Linux-based options in Building Linux VPNs [buildinglinuxvpns.net] by Oleg Kolesnikov and Brian Hatch.

    They include SSH, SSL, IPSec, and other approaches, and don't waste time explaining TCP/IP.

    Helevius

  • ssh -X will forward X11 connections. You can also forward ports over the ssh connection:

    ssh -L 143:server:143 -L 25:server:25 user@server

    Then you can set your mail client to use localhost as the server and everything goes through the tunnel (143 is IMAP, 25 is SMTP). Note you have to run the above example as root, since it forwards remote ports to local privleged ports (<1024). If you don't want to do it as root, forward to local ports &gt 1024. This isn't the perfect solution in most cases, but it offers one option.

  • Re: (Score:2, Interesting)

    by account_deleted ( 4530225 )
    Comment removed based on user account deletion

  • PPP over SSL (Score:3, Interesting)

    by TheLink ( 130905 ) on Monday June 24, 2002 @06:38AM (#3756013) Journal
    You can do PPP over SSL too.

    The popular opinion would be that you might be better off using IPSEC.

    However to my unenlightened eyes IPSEC seems more complicated than SSL and so more likely to have security problems. E.g. like SSH- complex, and thus many security problems.

    That said, if you want encryption from every point to every point then go for IPSEC.

    IPSEC performance should be better than PPP over SSL.

    Unfortunately, whilst SSL just requires a TCP connection, IPSEC needs UDP.

    Cheerio,
    Link.

  • Yes, use a VPN. Maybe not IPSEC (Score:3, Funny)

    by kwerle ( 39371 ) <kurt@CircleW.org> on Monday June 24, 2002 @11:34AM (#3757079) Homepage Journal
    I always found IPSEC to be FAR more trouble than it was worth. I use VTUN [sf.net], with seems to be much easier.

    Also, I hear OpenVPN [sourceforge.net] is good.

  • Stunnel, SSH, etc... (Score:2, Insightful)

    by percey ( 217659 )
    I've done similar research and here's what I've discovered.
    IPSec is usually used for connect LAN's across the internet because it can encrypt all traffic. The one puzzling thing I've found about IPSec is that once its run, it takes over the the IP, that is you can't run regular IP and IPSec at the same time. This part confused me, as it seemed to indicate that I can't run an open HTTP server on port 80 with accessability to the outside world. Now, I'm sure there's a way around this, I just wasn't able to find it before I realized that stunnel would fit my needs.
    Stunnel (found here) [stunnel.org] is able to encrypt (using SSL) and network connection, so lets say you want to use it to secure POP email, you can use the POPS port(which escapes me now) and have STUNNEL sit there and redirect connections to the POP port, then you can turn off outside access to POP through your firewall, and low and behold you have POPS accessable to major e-mail clients without needing the functionality built into the e-mail server. You can do this with anything, and yes the same thing can be accomplished with SSH, but the one thing is that you need to log into SSH first, because it tunnels all traffic through port 22. Now this can be a good thing too, you can close all the ports except for port 22, and require everyone who wants access to your system to log in using a private key. The configuration is a pain because you'll have to configure each users Putty or other client to forward the connections. Its best use, I think is for tunneling windows clients like PCAnywhere throughout your enterprise and passed the firewall. As for News? I've never heard of NNTPS, but I wouldn't be surprised if its the the same. For web, that's simple, just go get yourself a certificate and follow the openssl instructions. You can even sign your own if you don't want to spend on a Verisign one.
    • I am an avid FreeSWAN user, and I can say that IPSec doesn't block regular IP traffic.

      When using IPSec you route target networks, which can be class As all the way down to a single host (x.x.x.x/32).

      All traffic between me and certain other LANs are encrypted via IPSec, but yet I still run a web, mail and imap server that are accessible to the general Internet population.

Slashdot Top Deals

Crazee Edeee, his prices are INSANE!!!

Close