Lately I've been dealing with managing security for multiple networks. Things have gotten completely complex as I add more computers, more data, connect to more remote networks, and allow other people to connect to my local network. Security is not something that comes naturally in such a setup. Each time I add another remote connection or take on more liability for intellectual property, I first think about how I will segment the data and network within my existing security plan.
Segmentation provides security by allowing me to build walls between everything on my network so that I can conceptually understand where everything resides. I need to always be aware of where my private personal data is... as well as my employer's private data, so that I can ensure I won't be the weak link that results in unknown damage.
I have my home network which contains all my personal information, the remote office network that contains work related private data (I also have local office data because network speeds are too slow for large data), and from time to time there are reasons that I would like to be able to allow my friends and family to connect to my network.
It is important that my own network be very secure and that all the networks that I connect to are also very secure. Otherwise, I don't know what is going on in my network... and I might as well publish the data I hold for anyone to read.
There are many solutions when it comes to virtual private networking (VPN). There are hardware-based solutions (beware: many products that claim to be hardware are actually simple hardware running a software VPN) that allow you to set and forget, typically with a web interface for administration. There are also straight software solutions that allow you to connect your OS to a VPN tunnel.
There are many VPN protocols to choose from, like simple SSH tunnelling, PPTP, IPsec, SSL/TLS, and other proprietary protocols.
Making sense of what to use for your own VPN can be a hard decision. For a long time I stayed away from VPN and used simple dynamic firewalls that would block everyone from my internal network but allow in those people who knew the special "open sesame" passwords. This worked well for simple authentication, but I still needed to ensure that all the protocols I used were encrypted using SSH or SSL. This solution does provide a nice way of hiding services, but it doesn't allow remote users to actually enter the network, participate in network broadcasts, and really feel like they are connected to the network.
I'm starting to think that the best solution is a Linux-based VPN endpoint. While this does require more work up front, it also provides the greatest flexibility. Using Linux as a VPN endpoint not only allows me to connect to enterprise VPN endpoints like SonicWall, it also allows me to act as a VPN gateway for my local network.
The only drawback I see with this approach is that any solution I create must be supported by me... and I have to be always mindful of network vulnerabilities that might arise in the software I use. Then again, support and maintenance are a problem whether you roll your own device or buy one off the shelf.
Some VPN solutions I'm looking at now are:
OpenVPN - SSL VPN for nearly every OS out there. Since it uses SSL and not PPTP, it requires the installation of a client on the OS of your choice. For example, OpenVPN GUI for Windows allows you to connect to an OpenVPN server from your Windows machine. There are many good HOWTOs and readmes on setting this solution up, and it seems pretty straightforward.
CIPE - a project that tunnels IP packets in encrypted UDP packets. The whole idea of the project is to be as simple as possible. There are implementations for both Linux and Windows. I've heard some good things about this solution because it is easy to set up.
[NOTICE: This project looks like it is slow or dead. The development team has left, making me think other alternatives would be better]
Poptop - The PPTP Server for Linux - A PPTP server solution for Linux.
I've also been looking at hardware solutions for VPN endpoints. There are many cheap endpoints out there today made by Linksys, Netgear, D-Link, etc. However, these endpoints can't work as gateways and usually run on cheap hardware that is slow compared to an enterprise-grade hardware alternative or even a full-blown PC running Linux.
Specifically, I've been looking for ways to connect cheap endpoints to the SonicWall enterprise products.
Here is a link talking about hooking up a Linksys BEFSX41 to a SonicWall VPN.
SonicWALL VPN with FreeS/WAN using IKE
Using a Linux L2TP/IPsec VPN server
Security Now! - Podcast talks about VPN and other network security issues.
HTTP Tunneling (SSH over HTTPS)
HTTP tunnel - Wikipedia, the free encyclopedia
HTTPTunnel - Tunnel Connections Through Restrictive Proxies
DAG: Tunneling SSH over HTTP(S)
JHttpTunnel -- Implementation of GNU httptunnel's protocol in Java
Punching holes into firewalls
socat - a Multipurpose relay, Securing traffic between two socat instances using SSL
SSH Over Proxy
corkscrew is a tool for tunneling SSH through HTTP proxies.
FoxyProxy - firefox proxy plugin that lets you resolve DNS through SOCKS proxy.
stunnel - multiplatform SSL tunneling proxy - Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
Stunnel.org - examples of stunnel usage
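As an added example (not from the original post or the stunnel project), a minimal pair of stunnel configurations that wrap a plaintext IMAP daemon the way the stunnel entry above describes: the mail host accepts TLS on 993 and forwards the decrypted stream to the local daemon on 143, and the client machine offers a local plaintext 143 that is actually carried over TLS. The hostname, certificate paths and the `stunnel4` service account are assumed placeholders.

```ini
; --- server side: stunnel.conf on the mail host (assumed layout) ---
; Drop privileges once the listening socket is bound.
setuid = stunnel4
setgid = stunnel4
pid    = /var/run/stunnel4/stunnel.pid

[imaps]
; Accept TLS on the public IMAPS port and hand the decrypted stream to
; the plaintext IMAP daemon, which is bound to localhost only so it is
; never reachable without going through stunnel.
accept  = 993
connect = 127.0.0.1:143
cert    = /etc/stunnel/mail.example.org.pem   ; assumed path
key     = /etc/stunnel/mail.example.org.key   ; assumed path

; --- client side: stunnel.conf on the laptop (assumed layout) ---
; Mail clients speak plaintext IMAP to 127.0.0.1:143; stunnel carries
; it over TLS to the server, so the daemon needs no SSL support itself.
[imap-client]
client  = yes
accept  = 127.0.0.1:143
connect = mail.example.org:993
; Without the next three lines stunnel accepts any certificate, so a
; man-in-the-middle could present its own and read the mailbox traffic.
CAfile      = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost   = mail.example.org
```

The two files are shown in one block only for reading; each goes on its own host.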
FoxyProxy - firefox proxy plugin, supports DNS through SOCKS.
socat - Multipurpose relay; think "netcat++" (extended design, new implementation).
Polipo — a caching web proxy
mitmproxy - home - an SSL-capable man-in-the-middle proxy
cortesi - mitmproxy: A 30-second client playback example
cortesi - Introducing mitmproxy: an interactive man-in-the-middle proxy
Tor
Tor: anonymity online
Tor Browser Bundle - portable USB flash drive client for Tor, including Firefox and Pidgin.
Freenet
The Freenet Project - /index
Hamachi unmanaged
LogMeIn - Virtual Networking with LogMeIn Hamachi² - 100% free for non-commercial use with up to 16 clients.
freelan - an open-source, multi-platform, peer-to-peer VPN software
cjdns
Instead of letting other computers connect to you through a shared IP address which anyone can use, cjdns only lets computers talk to one another after they have verified each other cryptographically. That means there is no way anyone can be intercepting your traffic.
Cjdns - Wikipedia, the free encyclopedia
cjdelisle/cjdns · GitHub - Cjdns implements an encrypted IPv6 network using public-key cryptography for address allocation and a distributed hash table for routing. This provides near-zero-configuration networking, and prevents many of the security and scalability issues that plague existing networks.
Hyperboria - a global decentralized network of "nodes" running cjdns software. The goal of Hyperboria is to provide an alternative to the internet with the principles of security, scalability and decentralization at the core.
Getting started - meshwiki
Install on Ubuntu - meshwiki
Performing UDP tunneling through an SSH connection