In our scenario, a small office network is protected by Linux firewall and we’ll implement the secure OpenVPN to access the internal office network (File Server, Database Server and Desktop PCs) securely from anywhere in the Internet.

OpenVPN Server Installation
Download the OpenVPN and LZO packages, these are packaged RPMs for Fedora/Redhat, which also works for CentOS and Whiteboxlinux.

Install the packages:

Enable packet forwarding between 2 interfaces in OpenVPN Server:

#echo 1 > /proc/sys/net/ipv4/ip_forward

Master Certificate Authority (CA) Certificate and Key:
A set of scripts bundled with OpenVPN make the PKI management easier. We’ll use these scripts to generate a master CA certificate/key, a server certificate/key and 2 keys/certificates for separate clients.

Change your directory to easy-rsa subdirectory in your OpenVPN installation:

# cd /usr/share/doc/openvpn-2.0.7/easy-rsa

Edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. My vars parameters are as following, you need to setup your own:

export KEY_COUNTRY=HK
export KEY_PROVINCE=KLN
export KEY_CITY=Hong Kong
export KEY_ORG=”OpenVPN-TEST”
export KEY_EMAIL=”niranjan.kunwar@gmail.com”

Initialize the PKI:

Generate Certificate and Key for the Server:

Generate Certificates and Keys for 2 clients:

#sh build-key client-win
#sh build-key client-osx

Generate Diffie Hellman parameters

Copy the keys and certificate to /etc/openvpn

#cp dh1024.pem server.crt server.key ca.crt /etc/openvpn/

Server Configuration file
A sample configuration file server.conf can be found in /usr/share/doc/openvpn-2.0.7/sample-config-files, copy it to /etc/openvpn and customize it according to your needs. There are many possible customizations that you can do to the configuration file. In our case the VPN Server will be listening to UDP port 1194, which is the official OpenVPN port number. We’ll offer the virtual address 192.168.0.0/24 to the vpn clients and push the route 192.168.1.0, which is our Office LAN subnet. Following is the contents of our configuration file server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push “route 192.168.1.0 255.255.255.0″
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Start the OpenVpn Server:

# service openvpn start

Windows Client Installation and Configuration
Download the OpenVPN GUI for Windows and install it.

Copy the ca.crt, client-win.crt and client-win.key files from OpenVPN Server to the windows pc at C:\Program Files\OpenVPN\config. A Sample client configuration file client.ovpn can be found in C:\Program Files\OpenVPN\sample-config directory, also copy it to C:\Program Files\OpenVPN\config and customize it according to your needs. Following is the contents of our client configuration file client.ovpn:

client
dev tun
proto udp
remote vpn.nirlog.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client-win.crt
key client-win.key
ns-cert-type server
comp-lzo
verb 3

Connect:

Ping test:

Successful ping to 192.168.0.1 shows that you can reach the server via vpn tunnel. You should be able to ping the Desktops and Servers (192.168.1.x) in the office network too.

OS X Client Installation and Configuration:
Download Tunnelblick and install it by unzipping and dragging the Tunnelblick.app to Applications folder.

Copy the ca.crt, client-osx.crt and client-osx.key files from OpenVPN Server to the Mac at /Users/<yourname>/Library/openvpn. The client configuration file openvpn.conf can be found in /Users/<yourname>/Library/openvpn directory, customize it according to your needs. Following is the contents of our client configuration file openvpn.conf:

client
dev tun
proto udp
remote vpn.nirlog.com 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client-osx.crt
key client-osx.key
ns-cert-type server
comp-lzo
verb 3

Connect:

Ping test:

Successful ping to 192.168.0.1 shows that you can reach the server via vpn tunnel. You should be able to ping the Desktops and Servers (192.168.1.xxx) in the office network too.

I’ve used IPSec, PPTP and SSL VPNs for quite some time and found them to have their own strengths and weaknesses. IPSec is secure but too complicated, with too many options for implementation and configuration. PPTP is easy to use and configure but it had some security issues in the past, which deters serious security minded organizations to implement it. Commercial SSL VPNs are easy to use but they’re very expensive and still haven’t solved all the remote connection problems.

I was introduced to SoftEther (popular Japanese personal VPN) by one of my boss few years ago, it’s secure and free but the documents are available only in Japanese. While I was searching for english documents of SoftEther, I came across an Wikipedia entry, which said “It is similar to OpenVPN, though it is closed source software”. I’d heard about OpenVPN but had never given it a serious look. This time I decided to look at it. I was pleasantly surprised by it’s ease of installation, use and robust security. Here are few points to note about OpenVPN:

• It’s a free and opensource.
• It’s secure; uses the SSL/TSL protocol.
• It’s easy to install and use. Graphical User Interfaces are available for those who fear the command lines.
• Has flexible authentication scheme based on certificates, smart cards, or traditional username/password credentials.
• Can be implemented as a bridge or a router (OSI layer 2 or layer 3).
• Excellent cross-platform support, it can be installed in Linux, Unix, Windows and Mac OS X.
• Good documentation, FAQs, HowTos and articles.

If you’re looking for a secure, cheap, flexible and easy to use vpn solution, then you should give OpenVPN a try.

Opening speech was given by the Senior Inspector WONG Hung-Fu of Technology Crime Division, Crime Prevention Unit, Commercial Crime Bureau, Hong Kong Police Force. Unfortunately he choose to speak in Cantonese (which I don’t understand) but from his slides and later explained to me by other participant he was showing figures of increasing cyber crimes in Hong Kong specially Phishing, Spyware and P2P related crimes.

Sonicwall

They talked about the new generation of UTM (Unified Threat Management) Firewalls they’re offering. The UTM Firewalls includes following security solutions in one box:

• Real-time Gateway Anti-Virus Scanning
• VPN/Firewall
• Intrusion Prevention Service
• Gateway Anti-Virus, Anti-Spyware
• Wireless Security

The new sonicwalls also include DPI (Deep Packet Inspection). From my experience sonicwalls are very cheap compared to other products in the market but are worth their cost.

They also talked about their SSL-VPN about which I’d written earlier. They mainly focused on technology side of SSL-VPN instead of their product and admitted their target is SME and cannot compete with Netscreen or Aventail on features. But price-wise they made it clear that they’re the only ones affordable by small companies.

Barracuda

The guy from Barracuda explained how Spams and Viruses are becoming a daily headache to everyone. He also introduced several of their products. Barracuda Spam Firewall, which is a powerful enterprise-class anti-spam and anti-virus solution for email servers. They’ve sold 30,000 devices and are actively supporting them. The main features of Barracuda Spam Firewall are:

• Anti-spam
• Anti-virus
• Anti-spoofing
• Anti-phishing
• Anti-spyware (Attachments)
• Denial of Service

Other products from Barracuda are: Spyware firewall and IM Firewall

Encentuate

Existing security access solutions e.g. passwords, tokens, digital certificates etc.. as they grow stronger, they make it more inconvenient for end users and enterprises to manage them. So Encentuate was founded to address the need of enterprises to simplify, strengthen and track access across their digital assets and physical infrastructure. They provide Single sign-on and sign-off automation, authentication management and user-centric access auditing and reporting.

TippingPoint

They claimed that TippingPoint is the most powerful Intrusion Prevention System (IPS) in the world and it’s performance is unparalleled. TippingPoint security team is providing the vulnerability analysis for SANS Newsletter every week. One more interesting thing in TippingPoint solution is the Digital Vaccine Service that delivers new filters on a weekly or even daily basis for protection against the latest vulnerabilities, exploits, viruses and rogue applications. This means the TippingPoint with Digital Vaccine can protect from many unpatched but known vulnerabilities.

Riverbed

They make your WAN perform like a LAN. The steelhead appliances provide wide-area data service (WDS). Basically, by deploying this product in different branch offices you can access the resources in other branches much more efficiently. They achieve this by acceleration of all TCP applications, packet caching and compression. They demonstrated us a file transfer with and without the steelhead. In a 1Mbps line it took 53 sec to transfer a 10MB file and it took 2.5 sec with steelhead. Quite impressive.

radware

Radware provides a wide range of products for managed service solutions, application access solutions, application security solutions and application front end solutions. Today they mainly presented the APSolute Application Front-End (AFE) Solutions with AppDirector and AppXcel. The combination of these two products enable application availability and continuity, accelerated application performance, guaranteed service levels, application security, IT server infrastructure scalability and consolidation, all in one integrated solution.

Allot

They had the most interesting products and demo. NetEnforcer and NetXplorer can thoroughly inspect, monitor and control traffic and bandwidth usage on broadband networks, with very detailed reporting and analysis. This is a traffic management solutions for carriers and service providers with total visibility and robust control of both traffic and subscribers:

Traffic Control:

• Control P2P applications
• Achieve intelligent network visibility
• Guarantee unsurpassed Quality of Experience
• Mitigate Security threats

Subscriber Control:

• Deploy new application-based services
• Track behavior and trends
• Deliver innovative billing models
• Enable self-provisioning capabilities

Installation

A fully functional 30 days evaluation version (iso image) can be downloaded from the Download Site (requires registration). You can burn the CD and installation takes less than 20 minutes. Following is the recommended hardware by Astaro:

• minimum Pentium II or compatible CPU
  256 MB RAM
  8 GB SCSI/IDE HD
  bootable CDROM SCSI/IDE
  3 PCI-NICs (Internet, Local Net, Demilitarized Zone) (for testing, 1 is enough)

Support, Documents, Downloads and other useful stuffs are available in MyAstaro portal. You can login with the registered email address and the password that was sent to you by Astaro. A searchable knowledgebase with useful infromation is also available (doesn’t require login).

Features Review

Firewall: Excellent, similar to other high end firewalls like Netscreen or Cisco PIX with both stateful packet inspection and application-level deep packet filtering. Supports multiple interface and HA, setting up DMZ is very easy. Other good firewall features are; transparent mode, traffic shaping, QoS and detailed reporting.

VPN: PPPT is easy to setup and didn’t encounter any problem. IPSec; both Road Warrier and Site to Site vpn work smoothly and do have rich and confusing choice of Encryption algorithms, Authentication methods and IPSec protoclols.

Intrusion Protection: Based on popular open source software Snort. It is a signature based system which detects most of the popular attacks. The bad point about this and actually any Intrusion Protection System is that they produce a lot of false positives.

Proxies: SMTP, HTTP, DNS, POP3, IDENT. Actively tested the SMTP and HTTP proxies only. I think both of them are quite good. SMTP proxy is capable of doing attachment filtering but one limitation I found is that, we cannot customize the concurrent smtp connection. It should be set to either 20 or unlimited.

Email/HTTP Anti-Virus: Anti-virus works together with proxy server. It is using Kaspersky anti-virus engine which is quite popular with Linux/Unix platform. Infected Emails can be quarantine or deleted and can be released from the server if necessary.

Anti-Spam: It is using SpamAssassin anti-spam engine. The score can be adjusted and it allows to set 2 levels of threshold. For example we can quarantine when the score is 5 and delete when the score reaches 10 or 15. Supports whitelist and blacklist. One good feature is the daily SPAM Digest it sends to the users. So, if the users find some legitimate emails quarantined we can immediately release them.

HTTP Content Filtering: Uses signature to categorize the web sites and can block them based on category, users custom domain or keywords. Also supports blacklist and whitelist.

Logging/Reporting: Logging is very detail and well categorized. Has a very good feature called Live Log, which can be browsed from the web for troubleshooting.

Updates: Anti-Virus Pattern, Intrusion Protection, Content Filtering, and the OS updates are done automatically according to the schedule.

Backup: Backup and recovery is very easy in case of failures. Setup takes around 20mins and restore 5 mins. It also supports HA.

Overall I think this is an excellent product that has got most of the security features. The ease of management, relatively low cost and impressive features makes it an excellent choice for an integrated security product.

If you don’t want to install the software and love out-of-the box solution, then they’ve Astaro Security Gateway Appliances.

Different sort of remote access are being used today. It’s a necessity and convenience upon which businesses are relying. VPN (Virtual Private Network) is a mature technology and many big networks are connected to each other by it. The main technologies being used for VPN today are IPSec (IP Security), PPTP (Point to Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and SSL (Secure Socket Layer). If we categorize them in terms of their use then the VPNs can be of 2 types.

1. Site to site VPN (one network is connected to another network)

2. Mobile VPN (A mobile PC/Notebook/PDA is connected to a network)

For site to site VPN IPSec is the most popular one. In real life it’s usually a secure connection between Head office and branch offices. It’s managed by technical team so, there’s no direct involvement of non-technical users, it’s transparent and seamless for them. It’s proven to be quite effective that way.

As for the mobile VPN, there is a direct and active involvement of the end user, no matter whether they’re technical or non-technical person. So, this one becomes a challenge in terms of security, productivity and manageability. The main problem with mobile IPSec VPN is that it requires the installation of a client software and configuration which makes it quite difficult for the end users and creates a lot of overhead for technical support.

The SSL VPN on the other hand don’t require any dedicated client installation. Basically web browser is the client. If the user knows how to browse a web site then it’s enough. This makes SSL VPN the killer application in mobile secure remote connection. Currently the SSL VPNs are quite expensive compared to IPSec and PPTP but I think they’ll be able to compete price-wise soon.

Most of the Networking vendors are already in the SSL VPN market. Current market leader is Aventail. I’ve had an opportunity to test Aventail and Sonicwall SSL VPN. Aventail has solved most of the problem that SSL VPN needs to solve and other ssl vpns are still quite far behind the leader. E.g. if you have a web application running in your local network heavily relying on java scripts then you might face some problems with sonicwall ssl vpn (I’ve heard that other ssl vpns have similar problems) but Aventail seems to work smoothly. Also Aventail has better security policy control and easier management system.

If you want the best ssl vpn solutions then you should definitely choose Aventail but if you need a cost effective solution then Sonicwall should do the job.

Available SSL VPN solutions: