1

- Implementation and Application

2

- David F. Gardiner, Vice President of Architecture and Technology, Unisys Corporation
- Professor Doyle D. Knight, Mechanical and Aerospace Engineering
- Dr. Alexei Kotelnikov, Engineering Computing Services

3

- Motivation
- Objective
- VPN Technology
- Implementation
- Application
- Conclusion
- Future Work
- Q & A

7

- The main problem:
  - Fragmentation of resources
  - Inefficient information management
  - Security problems
  - No direct access to private networks from outside
- Possible solutions:
  - Purchase leased lines
  - Set up a VPN (Virtual Private Network)
- Our choice:
  - Build Linux VPN machines!

8

- Research VPN technology
- Acquire a VPN software package for Linux
- Install the VPN software
- Configure the VPN
- Test host-to-host connection
- Test host-to-network connection
- Test network-to-network connection
- Analysis

9

- IPsec: the predominant standard and technology for creating VPNs
- Designed to protect Internet (IP) traffic
- Protects with:
  - Authentication (AH: Authentication Header)
  - Key Exchange (IKE: Internet Key Exchange)
  - Encryption (ESP: Encapsulating Security Payload)
- In other words:
  - Making sure the party you are talking to really is who they claim to be
  - Making sure both sides hold the key that unlocks the message
  - Making sure you send your message in a way that only the recipient understands

10

- Tunnel: a logical connection through which two devices appear to be directly connected
- A tunnel works on the principle of packet encapsulation
- Packet encapsulation: the process of placing a packet within another packet

11

- You want to send a letter to your friend and make sure he’s the only one who reads it
- You have signed up for “magical” postal services

12

- The Hardware: custom-made AMD PC
  - AMD XP 1700+ processor
  - 512 MB RAM
  - 40 GB HDD
  - Two Network Interface Cards (NICs)
- The Software: Linux FreeSWAN
  - Open-source package that provides IPsec capabilities
  - Composed of two primary pieces: KLIPS and Pluto
    - KLIPS (KerneL IPsec Support): the low-level IPsec code that runs in the kernel
    - Pluto: the IKE daemon that manages key exchange

13

- Obtain the latest Linux kernel source code
- Obtain the latest FreeSWAN source code
- Compile and build a new kernel with the FreeSWAN source code
- Install the new kernel
- Boot into the new kernel
- Check whether the IPsec functionality has been added to the new kernel

14

- Generate a new key pair on each gateway
- Modify ipsec.secrets
- Modify ipsec.conf
- Configure the system to start FreeSWAN at boot time
- Initiate the connection between the gateways
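To make these configuration steps concrete, here is an added example (not from the presentation or the FreeSWAN project) that renders the ipsec.conf for the net-to-net tunnel between the two gateways and checks that no required parameter was left empty; the addresses, subnets and key strings are constructed placeholders, and the commands named in the comments are the FreeSWAN `ipsec` subcommands for key generation and connection start-up.

```shell
#!/bin/sh
# Added example, not from the presentation: render a FreeSWAN ipsec.conf for
# a net-to-net tunnel between two gateways and check it is complete.
# All addresses, subnets and key strings below are constructed placeholders.

LEFT_GW="192.0.2.10"        # public address of gateway A (constructed)
LEFT_NET="10.1.0.0/24"      # private subnet behind gateway A (constructed)
RIGHT_GW="198.51.100.20"    # public address of gateway B (constructed)
RIGHT_NET="10.2.0.0/24"     # private subnet behind gateway B (constructed)

# Print the ipsec.conf for connection "net-net". Both sides authenticate with
# RSA signatures (authby=rsasig). $1 and $2 are the public keys that
# `ipsec showhostkey --left` / `--right` prints on the respective gateway
# after `ipsec newhostkey --output /etc/ipsec.secrets` created its key pair.
render_ipsec_conf() {
  cat <<EOF
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn net-net
    left=$LEFT_GW
    leftsubnet=$LEFT_NET
    leftnexthop=%defaultroute
    leftrsasigkey=$1
    right=$RIGHT_GW
    rightsubnet=$RIGHT_NET
    rightnexthop=%defaultroute
    rightrsasigkey=$2
    authby=rsasig
    auto=add
EOF
}

# Read a config on stdin; fail if a parameter the net-net tunnel needs is
# missing or empty (typically a public key that was never pasted in).
check_conf() {
  conf="$(cat)"
  for key in left leftsubnet leftrsasigkey right rightsubnet rightrsasigkey authby; do
    printf '%s\n' "$conf" | grep -q "^[[:space:]]*$key=." || { echo "missing $key" >&2; return 1; }
  done
}

# Stand-alone demo with placeholder keys. On a gateway, redirect the output
# to /etc/ipsec.conf, then run `ipsec auto --add net-net` and `ipsec auto --up net-net`.
render_ipsec_conf "0sLEFT_KEY_PLACEHOLDER" "0sRIGHT_KEY_PLACEHOLDER" | check_conf && echo "net-net config complete"
```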

15

- Two access points to the Internet
- All machines in the private subnet use the firewall machine as their default gateway
- The firewall machine forwards all VPN-related traffic to the VPN gateway
- This is implemented by configuring the routing table on the firewall machine

16

- Scenario 1:
  - Two remotely located database machines need to synchronize data securely
- Scenario 2:
  - Two email servers synchronize their data

17

- Scenario 1:
  - A businessman on a trip wants to download documents containing sensitive information from the company server to his laptop
- Scenario 2:
  - A professor working from home wants to run computational software on his desktop, and that software needs to talk to the license server at Rutgers

18

- Scenario 1:
  - Employees from two different regional offices want to synchronize sensitive data and work on the same project remotely
- Scenario 2:
  - A system administrator at Rutgers needs to add more computers to the computational cluster but has no more space in the room
- Scenario 3:
  - A financial consulting company needs to relay critical, market-sensitive information to a private sector of a company and needs a secure way to do so

19

- Unisys lab: 16 cluster machines
- ECS Machine Room: 20 cluster machines
- Goal: remotely join the 16 Unisys cluster machines to the existing computational cluster through the VPN
- Expected outcome:
  - The machines in the Unisys lab should be added transparently to the queuing system and participate in compiling submitted jobs over the VPN tunnel

22

- The need for VPN
  - Information consolidation
  - Security concerns
  - Access to private networks
- Technology of VPN
- VPN Implementation
- VPN Applications

23

- Academic institutions:
  - Professors will be able to securely conduct research-related work from home
  - Previously unrelated groups of machines can be merged seamlessly (joint clusters from Physics, Chemistry, and Engineering)
- Industry:
  - Effectively manage and regulate confidential information over the wire remotely
  - Consolidate various entities of the company by sharing resources and management over the VPN
  - Build a secure enterprise network with clients, partners, suppliers, etc.

24

- Documentation:
  - A complete guide to Linux VPN installation and configuration
- Installation package (on CD-ROM):
  - Pre-compiled kernels for different architectures
  - Custom-made RPM package for FreeSWAN
  - Automatic installation script
  - Original source code
  - Documentation files

27

- Advantages of Linux VPN (FreeSWAN)
  - Cost savings
  - Expandability (hardware and kernel configuration; prototype)
  - Load-sharing capabilities (more than one VPN machine in parallel)
  - More support from the open-source community
- Disadvantages of Linux VPN
  - Difficult to build and configure
  - Difficult to maintain
  - With a single machine, may be slower than hardware-accelerated encryption

28

- Performance degrades due to encryption and encapsulation of the original IP packets
- The loss depends on the ciphers used for encryption and decryption
- Average performance loss of a VPN connection compared to a connection without VPN:
  - ~15-20% loss in CPU performance
  - ~10-15% loss in network performance