For Your Eyes Only: Virtual Private Networks
Recent articles in TidBITS and discussions in TidBITS Talk have mentioned virtual private network (VPN) technologies. VPNs are usually brought up as a tool for securing communications across insecure networks. Glenn Fleishman used a VPN to hide all his network traffic while connected to public wireless hotspots during the South by Southwest Interactive conference, and I mentioned VPN technology in TidBITS Talk as a way to enable Apple’s Remote Desktop to control computers behind a firewall. But what exactly is a VPN? This article is intended to explain some of the concepts and terminology behind VPN.
A VPN is a way of securely connecting computers across insecure networks such as the Internet. Although this might sound straightforward, building a secure network involves several subtleties beyond simple encryption. Security requires authentication – each communicator must prove its identity to the other end. Even the encryption component can be difficult – how do you exchange encryption keys on a network that’s insecure?
Why VPN? Why would you want a virtual private network? Most people use them to connect with corporate networks while traveling or working at home, but they have other uses as well. The primary reason I installed a VPN was so I could travel with my laptop, but still access home resources like my iTunes library and email server, resources that are normally protected from other computers on the Internet by a firewall. I also used it at home initially to protect wireless connections that were "secured" by the easily breakable WEP. When I upgraded to an AirPort Express and a Mac mini using the far-more-secure WPA security instead of WEP, I decided to keep using my VPN as a paranoid defense against the possibility that someone figures out how to break WPA. A VPN can also provide a secure connection for programs such as Apple’s Remote Desktop 2, which has weak security on its own.
Do you perform tech support for your extended family, or for home users at a business? Ever run into problems trying to help them remotely because they are behind a firewall? Upgrading to a firewall that provides a VPN can solve this situation by bypassing all the firewall rules, letting you connect and troubleshoot problems remotely.
Firewalls for Security — Broadband users are often wisely advised to install a DSL or cable router with a built-in firewall to protect their home networks, and most use Network Address Translation (NAT) to share the single public IP address that their Internet service provider allocates among several computers. The firewalls in these low-cost routers are usually enabled by default. Or, if you only have one computer, you can activate the firewall built into Mac OS X with the click of a button in the Sharing preference pane.
Firewalls restrict access from the Internet to the local network. If my father has a firewall protecting his home network and I want to provide tech support for him, I can’t just fire up Apple Remote Desktop or a VNC (virtual network computing) program and connect to his computer. There are two reasons for this problem: first, to which IP address do I connect? The public IP address is just the address for the router, not for his computer. Even if he can tell me the IP address that appears in his Network preference pane, that IP is a private address assigned by his NAT firewall and not directly accessible from the Internet.
The second reason is that most firewalls employ a "speak only when spoken to" philosophy. Examples of this idea in action include the Web and the iTunes Music Store: I can view pages from a Web server, but not until my browser makes the initial connection to the server; similarly, the iTunes Music Store can display within iTunes, but only after my computer has sent it a request to send me the info. To extend the analogy, the request for a remote control connection would have to come from the remote computer first to get through the firewall, and since the remote computer won’t necessary have a person in front of it, it’s hard to generate that initial request. (See Chris Pepper’s article, "What’s a Firewall, and Why Should You Care?" in TidBITS-468, for more detailed information on firewalls.)
Open the Ports — One frequently recommended solution to getting through a firewall is to open the port (or ports) an application uses to communicate. Network applications talk using ports. Stealing an analogy from Chris’s firewall article, ports are like apartment numbers in regular mail addresses. If you send a letter to a friend in an apartment building, the building address is not enough: an apartment number is needed to get the letter to the right apartment. Similarly, a computer’s IP address is not enough to get network data to the correct application. The port number is used to direct the data to the correct program such as the Web or mail server. Most popular Internet services have a default "well known" port number.
NAT-based firewalls can redirect incoming traffic to a specific computer on the internal network based on the port number. If you need to use the same application to connect to multiple computers on the internal network there are two options available: configure the firewall to listen on additional non-standard ports and redirect those ports to the standard port on the destination computer (not all firewalls support this capability), or connect to one of the internal computers, then use that computer to access the other computers on the network.
With simple firewalls, opening a port opens it to everyone on the Internet. More complex firewalls can limit access to a port based on things such as source IP address and time of day.
Mac OS X has a full-featured firewall built-in, but Apple’s preference pane limits your options to the simplest configurations – opening a port opens it to everyone on the Internet. Third party tools such as Brian Hill’s BrickHouse can provide GUI access to a much broader range of functionality, or you can use even more full-featured tools like DoorStop X from Open Door Networks or IPNetSentry from Sustainable Softworks.
Even with the more advanced configuration options that BrickHouse or your cable or DSL router offers, building these exceptions can be time consuming and error prone (IPNetSentry takes a different approach for this reason, looking for suspicious activity and, when triggered, banning the intruder). Some simple facts of Internet use can make maintaining these rules difficult. For example, adjusting access for someone with an ever-changing dynamic IP address can be frustrating, or even impossible if you are trying to make the change from a dynamic address not already configured in the firewall rules.
Another issue that opening firewall ports cannot solve is unencrypted data streams. Anybody on the network path between the source and destination can use simple tools to extract the traffic. If you use VNC software for remote control, others on the Internet can view exactly what you are seeing/typing. VNC does encrypt the initial authentication made to a remote computer, but if you use it to change a password or unlock a remote screen saver, the password is sent unencrypted. Both FTP and telnet also send your password as plain text.
The ideal solution is to make your local computer connect over the Internet, through the remote firewall, bypassing all the rules, to any number of computers or devices behind the firewall. Additionally we want to keep those communications secret from prying eyes, and we want to ensure the connecting computer is really the one it is claiming to be.
Virtual private networks were designed to provide this solution by creating a secure tunnel through which all traffic flows from you – wherever you may be on the Internet – to your network. Several types of VPN are available: a group of open protocols referred to as IPsec; Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP), frequently used with IPsec; SSH tunnels; and SSL VPN.
IPsec — Originally, IPsec was used on corporate enterprise networks as a way to connect remote offices over cheaper Internet connections instead of more expensive dedicated lines. Large dedicated VPN firewalls would be placed in each office and connected together. Fortunately, the costs of implementing these systems has dropped considerably over the years, with many inexpensive home routers including VPN capabilities for only a slightly increased cost.
IPsec uses a two-phase system to establish the VPN. In phase one the identity of each participant is authenticated. Phase two is the actual exchange of encrypted data. Each phase negotiates the various methods to be used for authentication and encryption key exchange. To increase the security of the tunnel the two phases re-negotiate, re-authenticate, and exchange new encryption keys at periodic intervals.
PPTP & L2TP — PPTP is an older and less secure VPN technology developed by Microsoft. PPTP is still quite popular (especially in Europe) because it is built into Windows. L2TP is a combination of Microsoft’s PPTP and Cisco’s L2F (Layer Two Forwarding) technology. L2TP over IPsec encapsulates the L2TP traffic in IPsec packets. The use of IPsec allows the authentication phase of the VPN to be encrypted, something PPTP does not support otherwise. Mac OS X supports both PPTP and L2TP over IPsec, both configured via Apple’s Internet Connect application.
SSH — SSH tunnels are a popular method of encrypting and authenticating communications between computers. An SSH tunnel uses a port forwarding model where ssh on the client side gathers all data packets sent to a particular port and sends them through an encrypted tunnel. The server on the far end (running sshd) decrypts the packets and forwards them to the appropriate destination.
Unfortunately, an SSH tunnel is a computer-to-computer system. If I want to use SSH to multiple computers behind a NAT firewall, I must either open additional ports on the firewall, one for each system, or tunnel to one machine, then connect from that computer to other machines. Both methods can be complex to set up. An additional limitation of SSH tunnels is that they support only TCP connections, and not UDP. As a result, ssh tunneling is insufficient for applications like Apple Remote Desktop.
SSL VPN — SSL VPNs are the current hot items in networking. An SSL VPN uses standard Web protocols for authentication and encryption. This approach enables the VPN to work through restrictive firewalls that block the ports of other VPN protocols. SSL VPN technology offers a range of capabilities. At its simplest, the VPN may be a reverse Web proxy, providing authenticated Internet users access to intranet Web servers behind the remote firewall.
SSL VPNs can also provide Web-based file browsers that enable users to access Windows and NFS file shares on the remote network. No special client is needed for this, as the VPN hardware handles the translation from network shares to Web pages.
More advanced SSL VPN units offer functionality similar to SSH tunnels. The user logs in to a Web application and launches a Java or ActiveX client that configures all port forwarding options. In this configuration, just ports needed for an application are tunneled, so the chance of infection from viruses and Trojans is greatly reduced. This limited access enables many corporations to use an SSL VPN to provide network access to untrusted computers, such as employees’ home computers and vendor systems for supporting internal applications. Additionally, many handhelds with wireless networking and Java support can tunnel in via an SSL VPN too.
High-end SSL VPN products offer a complete TCP/IP stack that encrypts packets across an SSL link, an approach called "IPsec replacement" mode because it provides the security of a full IPsec VPN while still being able to work through restrictive firewalls.
SSL VPNs are popular in enterprise networks, but the current high cost of entry keeps them out of the reach of most home and small business users. Because of their flexibility and low cost, I focus on IPsec VPNs for the remainder of this article.
VPN to What? Once you select a VPN protocol, you need to decide the type of connection you want to make: computer-to-computer, computer-to-network, or network-to-network. The computer-to-computer connection enables access only to the individual remote computer. Computer-to-network enables one computer access to all devices on a remote network. And a network-to-network connection enables entire offices of computers to communicate, without the need to configure each machine. Most people are interested in connecting a laptop or small home office machine to a remote network (computer-to-network), so I focus on this scenario.
First, you need to pick a VPN client. Mac OS X includes an IPsec implementation based on Racoon from the KAME Project. As with many Unix applications, you configure the software via a text-based config file. "Simple" configuration examples are available online.
After examining the available documentation, I decided there must be a better way. Fortunately I was not the only one with this idea. A quick Internet search turned up several graphical configuration tools. VPN Tracker ($90 for a personal license, $200 for a professional license) from Equinux, and IPSecuritas (free) from Lobotomo are two of the most popular.
Additionally, many VPN firewall makers have produced Mac OS X versions of their client software. Check Point and Cisco both offer Mac OS X clients for their VPN products. Be sure to check the supported configurations and versions of the software. Cisco only recently added support for dual-processor Macs and Mac OS X 10.4 Tiger, although there are reports it doesn’t completely work even with 10.4.2. MacInTouch has a lengthy list of reader reports on the Cisco VPN client.
<http://www.cisco.com/en/US/products/sw/secursw/ ps2308/products_user_guide_ book09186a00802e1fa2.html>
<http://www.cisco.com/en/US/products/sw/secursw/ ps2308/products_data_ sheet0900aecd801a9de9.html>
Next, to connect your Mac to an entire network via VPN, your network needs a VPN router. Mac OS X 10.4 Tiger Server has many nice VPN configuration options built-in. Academic versions of Mac OS X Server are typically available starting at $250; retail is $500 or $1,000. If you have not yet upgraded, going from Jaguar to Tiger Server is about $370 more than going to non-Server Tiger (non-academic).
In theory, a Mac running the client version of Mac OS X should be able to act as a VPN router too, but most of the documentation I’ve found is for Mac OS X Server. Instructions for setting up a FreeBSD box as a VPN router are available, and they may translate over to Mac OS X.
I don’t have a spare Mac capable of running Mac OS X lying around, so I began looking for a small dedicated VPN router. Most manufacturers of broadband routers offer VPN versions of their products for $10 to $20 more than the non-VPN versions (see below for links to a number of common devices). When looking for a VPN router, watch out for products labeled "IPsec Pass-Thru" – these are not what you want. IPsec Pass-Thru enables a VPN connection to work through the device, but does not mean the router can act as a VPN endpoint. The specifications for a true VPN router should list the number of VPN tunnels the device supports.
<http://www.linksys.com/servlet/Satellite? childpagename=US%2FLayout& amp;packedargs=c%3DL_Product_ C2%26cid%3D1115416832406& amp;pagename=Linksys%2FCommon%2FVisitorWrapper>
<http://www.linksys.com/servlet/Satellite? childpagename=US%2FLayout& amp;packedargs=c%3DL_Product_ C2%26cid%3D1118334818868& amp;pagename=Linksys%2FCommon%2FVisitorWrapper>
Some routers have third-party firmware upgrades available that add VPN server support. The Linksys WRT54G is the most commonly upgraded router, with the Sveasoft firmware upgrade providing a variety of sophisticated features to what Linksys provides.
Quick Tiger Update — When Tiger shipped, it introduced a VPN bug that slowed down certain VPN connections. After I upgraded to Tiger, a ping to my server through a VPN connection took around a thousand milliseconds. Normal ping times with my VPN are about 4 milliseconds.
This problem has been resolved but requires upgrading to at least Mac OS X 10.4.1 plus upgrading your IPsec front-end. IPSecuritas version 2.1 and VPN Tracker 4.0.1 both work properly Mac OS X 10.4.1 and later. At the time of this writing, Check Point had not updated their IPsec clients to work with any version of Mac OS X 10.4. Cisco’s latest release seems to work fine for me. Again, verify the software’s documentation show your particular configuration is supported before installing.
The Double-edged Sword of VPN — After selling you on the concept of using VPN to bypass firewall rules, I’m going to reveal that this is also one of the biggest dangers in using a VPN. Firewall rules exist to increase security; bypassing that security in any way creates very real risks. Many companies are surprised to find themselves infected with Trojan horses and viruses even though they had firewalls in place. It turns out that many laptop users would go home, connect to their unprotected home Internet connections, get infected, then connect via a VPN (bypassing all the firewall rules) and spread the infection all over the internal network. Of course, such problems are less likely for Mac users, but we still cannot become complacent.
Some VPN clients include a client firewall, similar to the firewall built into Mac OS X, to protect against these types of vulnerabilities. Other clients check a list of rules before a VPN connection is allowed. Some examples of rules include ensuring an up-to-date anti-virus product is running, certain security patches are installed, and the computer’s firewall is running.
Even with these protections, you shouldn’t allow any computer to connect to your network if you don’t explicitly trust its maintenance and security. The reverse is true too; you shouldn’t connect your computer to any networks that you don’t implicitly trust; you may be opening yourself to attackers on their network.
[Kevin van Haaren works for a large corporation primarily supporting Windows computers, with the occasional Mac call thrown in to make the week more interesting. This has prepared him well for the job of herding his two cats.]
PayBITS: If Kevin’s article helped you, he asks that you
consider a donation to the EFF, which works to keep encryption
systems legal for everyone. <http://eff.org/support/>
Read more about PayBITS: <http://www.tidbits.com/paybits/>