A look into VPNs and setting one up

This month, I was thinking perhaps I would take you through an interesting little application called PoPToP - which offers a free and secure VPN solution for almost any sized business. But before we get into the application itself, perhaps it's a good idea to talk a bit about VPNs and the technology behind them.
VPN

A virtual private network is a private network capable of communicating over the public Internet infrastructure with a predefined level of security. VPNs can exist between two or more private networks, often referred to as a server-server VPN, or between individual client machines and private networks, which is referred to as a client-server VPN. Why use a VPN in the first place? Well, they overcome the need to have dedicated leased lines, which are expensive, or even RAS dial-in call and setup costs.
As I mentioned above, VPNs may exist between multiple private networks. For example, suppose your company has a marketing office in Australia and a research and development office in Malaysia. Both locations have private networks that are connected to the Internet (via ISDN, ADSL etc.). Traditionally, if these two offices wished to share files on their networks, they would either have to e-mail the files to each other, dial in to each other or have some other form of dedicated link between them. VPNs offer a cost-effective solution for joining these two networks seamlessly without compromising system security.
Different types of VPNs

The two most popular VPN technologies available today are PPTP and IPsec. There has been quite a lot of debate and analysis done between the two competing technologies - however I personally feel that both technologies have an important role to play in the VPN solution. But neither PPTP nor IPsec is without flaws. The operation of PPTP as a VPN is performed by encapsulating the Point-to-Point Protocol (PPP) in IP and tunneling it through an IP network. All communication, authentication and encryption is handled almost exclusively by PPP, which supports PAP, CHAP, MSCHAP and MSCHAPv2 authentication. PPP encryption is performed through compression modules, and available patches under Linux allow PPP to support 40-128 bit encryption. Some people make the mistake of assuming that since PPTP uses PPP you need a modem. This is not the case. In fact, the connection mechanism is transparent to PPTP.
IPsec

IPsec is a new series of authentication and encryption security protocols that can be employed for sending data securely over IP networks. IPsec offers encryption, authentication, integrity and replay protection to network traffic. IPsec also specifies a key management protocol for establishing encryption keys. IPsec, like PPTP, is an open standard developed by the IETF (Internet Engineering Task Force).
IPsec vs PPTP

PPTP is transparent to the authentication and encryption mechanism. Microsoft's version of PPTP was recently upgraded to include MSCHAPv2 and MPPE enhanced (more secure) security protocols. Patches are available for the Linux PPP daemon that allow PPTP solutions such as PoPToP to take advantage of Microsoft's enhanced VPN security.
IPsec, on the other hand, is a relatively new technology and future improvements are sure to enhance its security further and increase its attractiveness to businesses. Additionally, with its default presence in Windows 2000, IPsec will offer small to medium sized businesses a more secure and affordable solution.
With the thousands of Windows machines out there already supporting PPTP VPN, the cost-effective solution is obvious. Windows 98 has VPN client software as an install option. Windows NT 4.0 comes with PPTP (server and client) by default. Patches for DUN exist for upgrading Windows 95 machines to include a PPTP client. Which technology you choose to deploy is really a matter of personal choice - I would go with PPTP - but then again... that's me.
PoPToP

PoPToP is the PPTP VPN server for Linux. There are ports for Solaris, OpenBSD, FreeBSD and many others. It allows Linux servers to function seamlessly in PPTP VPN environments, enabling administrators to leverage the considerable benefits of both Microsoft and Linux. The current release version of PoPToP supports Windows 95, 98, NT and Windows 2000 PPTP clients as well as Linux PPTP clients (obviously).
PoPToP is a PPTP access concentrator (PAC) that employs an enhanced GRE (generic routing encapsulation - IP protocol 47) mechanism for carrying PPP packets, and a control channel (TCP port 1723) for PPTP control messages. The basic operation of PoPToP can be set up to work with a patched PPP daemon to support MSCHAPv2 authentication and RC4-compatible 40-128 bit encryption. A Linux server running PoPToP can effectively replace a Windows NT PPTP VPN server. However, PoPToP does not support PNS (PPTP network server) operation, so it does not replace a Windows NT server when PNS is required.
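To make the two channels concrete, here is an added example (written for this article, not code from the PoPToP project) that decodes the control message header a client sends on TCP port 1723 and the enhanced GRE header that carries each PPP frame over IP protocol 47, using the field layout from RFC 2637. Someone watching a PoPToP host can use the same layout to confirm that a flow really is PPTP and to log the hostname and vendor string a peer announces in its Start-Control-Connection-Request. Both sample packets are constructed inline; the hostname "win98-client", the call ID 7 and the sequence numbers are made up.

```python
"""Decode the two PPTP channels PoPToP terminates (field layout from RFC 2637).

Added example for this article; not code from the PoPToP project.
"""
import struct

PPTP_CONTROL_PORT = 1723        # TCP control channel
GRE_IP_PROTOCOL = 47            # enhanced GRE carries the PPP frames
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
GRE_PROTO_PPP = 0x880B

CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


def parse_pptp_control(data):
    """Decode the 12-byte control header; for an SCCRQ also decode the peer's
    hostname and vendor string, which is what a monitor would log."""
    if len(data) < 12:
        raise ValueError("short PPTP control header")
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % cookie)
    if msg_type != 1:
        raise ValueError("not a control message (PPTP message type %d)" % msg_type)
    if length != len(data):
        raise ValueError("length field %d != %d bytes received" % (length, len(data)))
    msg = {"length": length, "control_type": ctrl_type,
           "name": CONTROL_MESSAGE_NAMES.get(ctrl_type, "unknown")}
    if ctrl_type == 1:
        # SCCRQ body: version(2) reserved(2) framing(4) bearer(4)
        # max_channels(2) firmware(2) hostname(64) vendor(64) => 156 bytes in total
        if length != 156:
            raise ValueError("SCCRQ must be 156 bytes, got %d" % length)
        version, _r1, framing, bearer, max_ch, fw = struct.unpack("!HHIIHH", data[12:28])
        msg.update(protocol_version=version, framing_caps=framing, bearer_caps=bearer,
                   max_channels=max_ch, firmware_revision=fw,
                   hostname=data[28:92].split(b"\x00", 1)[0].decode("ascii", "replace"),
                   vendor=data[92:156].split(b"\x00", 1)[0].decode("ascii", "replace"))
    return msg


def parse_pptp_gre(data):
    """Decode the enhanced GRE header: K must be set (the key field carries
    payload length and call ID), version must be 1, protocol type must be PPP."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    flags1, flags2, proto, payload_len, call_id = struct.unpack("!BBHHH", data[:8])
    key_present = bool(flags1 & 0x20)   # K bit
    seq_present = bool(flags1 & 0x10)   # S bit
    ack_present = bool(flags2 & 0x80)   # A bit
    version = flags2 & 0x07
    if proto != GRE_PROTO_PPP or version != 1 or not key_present:
        raise ValueError("not a PPTP enhanced GRE packet")
    offset, seq, ack = 8, None, None
    if seq_present:
        (seq,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    if ack_present:
        (ack,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    payload = data[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated PPP payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp_payload": payload}


def build_sccrq(hostname, vendor):
    """Constructed sample: an SCCRQ as a client sends it at the start of a session."""
    body = struct.pack("!HHIIHH", 0x0100, 0, 0x3, 0x3, 1, 0)   # async+sync, analog+digital
    body += hostname.ljust(64, b"\x00")[:64] + vendor.ljust(64, b"\x00")[:64]
    header = struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC_COOKIE, 1, 0)
    return header + body


# Constructed samples (made-up hostname, call ID and sequence numbers).
SAMPLE_SCCRQ = build_sccrq(b"win98-client", b"Microsoft")
# flags 0x30 (K,S) / 0x81 (A, ver 1), proto 0x880B, length 4, call 7, seq 1, ack 0,
# followed by the first 4 bytes of a PPP frame (HDLC address/control + LCP protocol).
SAMPLE_GRE = bytes.fromhex("3081880b 0004 0007 00000001 00000000 ff03c021")

if __name__ == "__main__":
    print(parse_pptp_control(SAMPLE_SCCRQ))
    print(parse_pptp_gre(SAMPLE_GRE))
```

The decoder is deliberately strict: a packet on port 1723 without the magic cookie, or a GRE packet without the K bit, version 1 and protocol type 0x880B, is rejected rather than guessed at, which is the behaviour you want when the output feeds a firewall log or an intrusion detection rule.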
Another advantage of PoPToP (and PPTP in general) is that it is transparent to the encryption and authentication mechanism. Porting an alternate encryption algorithm (for example Blowfish) to a PPP compressor module would not be a difficult task. The only issue with developing your own authentication mechanism is the simple fact that you will break generic Windows client support. However, the Linux PPTP client is available under the GNU GPL and will work seamlessly with any PPP changes.
Finally, PoPToP is simple. It has a tiny memory footprint and has undergone performance tweaks. This makes PoPToP very attractive to embedded platforms and edge networks. When teamed up with the Linux PPTP client, it should prove to be a relatively cheap solution for companies with their own predefined security protocols.
Setting up PoPToP

Getting PoPToP to run on a standard PPP daemon is a relatively painless task. By standard PPP daemon, I'm talking about one that doesn't need MSCHAPv2 or RC4-compatible encryption. Here's a quick and rough install guide.
* Grab the latest copy from http://www.mortonbay.com/vpn/download_pptp.html
* Log in as root to install and run PoPToP
* If you downloaded the PoPToP tar file and stored it in /usr/local/src, type the following commands:

    cd /usr/local/src/
    tar -xvzf pptpd-1.0.0.tgz
    cd pptpd-1.0.0
    ./configure
    make
    make install

* If you downloaded the PoPToP RPM file then just do this instead:

    rpm --install pptpd-1.0.0.1.i386.rpm

  or use gnorpm if you prefer to install stuff from the GUI.
The PoPToP binaries are placed in /usr/local/sbin. Check to make sure pptpd and pptpctrl are there before you continue on.
Set up the PoPToP configuration files. The configuration files are pretty easy to set up and configure, and the files are commented well enough so you probably won't get lost. You'll need to set up CHAP authentication as well.
Once you're done with the configuration and stuff, just launch PoPToP by typing pptpd. If you want pptpd to launch at start-up, pull the start-up file into /etc/rc.d/init.d.
Any standard Windows client with PPTP VPN installed should now be able to connect to your PoPToP-enabled VPN Linux server. On Windows 98 you can install it via Control Panel -> Add/Remove Programs -> Windows Setup -> Communications -> Virtual Private Networking.
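The guide above leaves the configuration files to their own comments. As an added example (not code from PoPToP or pppd), here is a small pre-flight check over the three files the setup touches: pptpd.conf (localip and remoteip), the pppd options file its option line points at, and /etc/ppp/chap-secrets. The key names localip, remoteip, option, name, auth, require-chap and the chap-secrets column order (client, server, secret, IP addresses) are the real pptpd and pppd ones; the file contents, user names and secrets are constructed for the example. It flags the mistakes that most often stop a first client connection: a localip that lies inside the remoteip pool, a chap-secrets line keyed to a server name that is not the name pppd was given, an empty secret, and an options file that does not insist on CHAP.

```python
"""Pre-flight check of a PoPToP configuration before running pptpd.

Added example for this article, not code from PoPToP or pppd. The key
names are the real pptpd.conf / pppd options / chap-secrets ones; the
sample file contents below are constructed.
"""
import ipaddress
import shlex

SAMPLE_PPTPD_CONF = """\
# /etc/pptpd.conf (constructed sample)
option /etc/ppp/options.pptpd
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245
debug
"""

SAMPLE_PPTPD_OPTIONS = """\
# /etc/ppp/options.pptpd (constructed sample)
name pptpd
auth
require-chap
proxyarp
"""

SAMPLE_CHAP_SECRETS = """\
# /etc/ppp/chap-secrets (constructed sample): client  server  secret  IP addresses
alice   pptpd   "alice-example-secret"   *
bob     *       "bob-example-secret"     192.168.0.245
carol   ntserv  ""                       *
"""


def parse_keyvalue(text):
    """Parse 'key [value]' lines; pptpd.conf and the pppd options file share this shape."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def expand_remoteip(spec):
    """Expand pptpd's remoteip syntax: a.b.c.d or a.b.c.d-e (last-octet range), comma separated."""
    addrs = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" in item:
            first, last = item.split("-", 1)
            prefix = first.rsplit(".", 1)[0]
            start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(prefix + "." + last)
            addrs.extend(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
        else:
            addrs.append(ipaddress.IPv4Address(item))
    return addrs


def parse_chap_secrets(text):
    """Parse chap-secrets rows (quoted secrets allowed; a '#' inside a secret is not handled)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError("malformed chap-secrets line: %r" % line)
        entries.append({"client": fields[0], "server": fields[1], "secret": fields[2],
                        "ip": fields[3] if len(fields) > 3 else "*"})
    return entries


def check_config(pptpd_conf, options, chap_secrets):
    """Return the problems that most often stop a first client connection."""
    problems = []
    conf, opts = parse_keyvalue(pptpd_conf), parse_keyvalue(options)
    for key in ("localip", "remoteip"):
        if key not in conf:
            problems.append("pptpd.conf: missing %s" % key)
    if "localip" in conf and "remoteip" in conf:
        local, pool = ipaddress.IPv4Address(conf["localip"]), expand_remoteip(conf["remoteip"])
        if not pool:
            problems.append("pptpd.conf: remoteip pool is empty")
        if local in pool:
            problems.append("pptpd.conf: localip %s lies inside the remoteip pool" % local)
        if len(pool) != len(set(pool)):
            problems.append("pptpd.conf: remoteip pool contains duplicate addresses")
    if not any(k in opts for k in ("require-chap", "require-mschap", "require-mschap-v2")):
        problems.append("options: no require-chap / require-mschap* line, peer could use PAP instead")
    server_name = opts.get("name")
    for e in parse_chap_secrets(chap_secrets):
        if not e["secret"]:
            problems.append("chap-secrets: empty secret for %s" % e["client"])
        if server_name and e["server"] not in ("*", server_name):
            problems.append("chap-secrets: %s is keyed to server %r but pppd's name is %r"
                            % (e["client"], e["server"], server_name))
    return problems


if __name__ == "__main__":
    for p in check_config(SAMPLE_PPTPD_CONF, SAMPLE_PPTPD_OPTIONS, SAMPLE_CHAP_SECRETS):
        print(p)
```

Run against the constructed samples it reports two problems, both on the carol line: the empty secret and the server field ntserv, which pppd would never match because its name option says pptpd. Point the three sample strings at the real files (read with open()) to check a live installation before starting pptpd.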
Conclusion

As you can see, remote access for employees need not be an expensive process. VPNs can easily replace dedicated lines or remote access servers without compromising security. PPTP is one VPN technology that is ready to go right now. Although criticized in the past for its security flaws, recent enhancements to the authentication and encryption protocols have made PPTP an attractive solution to businesses. With PoPToP's ability to take advantage of MSCHAPv2 and RC4 encryption, there's no reason why any company looking into providing an easier file sharing mechanism shouldn't give PoPToP a little spin. I'm sure you'd be surprised by the results you obtain.
A look into VPNs and setting one up - L33tdawg