Chapter 28. Managing Virtual Private Networks

Packets on the Internet flow through a variety of wires and fibers owned and managed by a variety of organizations. The opportunities for someone or something to monitor these packets are large.

The Gauntlet Firewall can be used to create a Virtual Private Network (VPN). VPNs use encryption to allow secure communication between various points within the network.

The following sections explain how you can use your Gauntlet Internet Firewall to exchange encrypted traffic with other Gauntlet Firewalls.


Note: This feature is available only in the United States domestic version of the Gauntlet product.


Understanding VPNs

When using a single firewall, the defense perimeter includes the network of systems that sit behind the firewall, inside the perimeter. Communication with any other systems or networks outside the perimeter is over some untrusted network, such as the Internet. A VPN extends the defense perimeter to include other networks and systems.

For example, Yoyodyne has offices in Maryland and California, each protected by a Gauntlet Internet Firewall. When these offices communicate, they use the Internet. Yoyodyne can create a VPN and extend the defense perimeter from its corporate headquarters in Maryland to include the network of systems behind the defense perimeter in its California office, as shown in Figure 28-1.

A VPN is considered private because all traffic that passes through the firewall to another part of the VPN is encrypted. Any program watching the packets flow by would simply see a stream of encrypted data. Without the key used to encrypt the data, the information isn't useful to snoopers. Because the remote host or network shares a key with the firewall, it can decrypt and process the encrypted packets that it receives. In Figure 28-1, all traffic between the firewall in the Maryland office and the firewall in the California office is encrypted.

A VPN is considered a virtual network because you are extending the network from the systems that are physically within the defense perimeter to include other systems or networks that are not. A VPN may or may not trust the other network.

Figure 28-1. Example VPN


Privacy With Trust (Trusted Link)

A VPN with trust expands the concept of trust (as in trusted networks) to include not only the systems within your defense perimeter but also all of the systems within the remote defense perimeter. For all intents and purposes, all of these systems are part of the same network within the same defense perimeter. Any activities that you allow within your network can be used with systems on the remote network.

For example, Yoyodyne allows users in the Maryland office to use the network time protocol (NTP) within the network to set the clocks on their systems. If Yoyodyne sets up a VPN with the California office using a trusted link, they can now use NTP with systems in the California office.

You can create trusted links for host-to-host, network-to-network, or host-to-network communications. This allows you to trust individual hosts or entire networks.

A VPN also allows any IP services you desire to pass between the two firewalls. The services simply need to be IP-based. You can allow applications that use the user datagram protocol (UDP) or the transmission control protocol (TCP).

In addition to sharing a defense perimeter against the rest of the world, sites that create a VPN must share the security perimeter in other ways. These sites should share the same policies, procedures, and administrative control. If the security policy for the Maryland office does not allow TELNET from remote locations, then the security policy for the California office should match this. If the policies differ, someone can simply come in through the California office and then connect directly to a system in the Maryland office, which is part of the same VPN.

Privacy Without Trust (Private Link)

A VPN without trust does not expand the concept of trust to include the systems within the remote defense perimeter. In this case, the traffic between the two networks is encrypted, providing the privacy. Once it decrypts the traffic, the remote firewall still considers the request as being from an untrusted network. The request is the same as any other that comes from an untrusted network, but with the additional benefit of encryption.

For example, Yoyodyne sets up an untrusted VPN between the Maryland and California offices. Traffic between the two offices is still encrypted. When the firewall for the California office receives and decrypts a TELNET request from a system at the Maryland office, it treats the request as it would any request from an untrusted network. The two offices cannot send UDP packets between their networks or trust NTP from the other site, as they could with a VPN that provides privacy with trust.

You can create private links for host-to-host, network-to-network, or host-to-network communications. The most common use of privacy without trust creates a private link between two networks.

Sites that create a VPN without trust must of course share the encryption key that gives them the privacy. However, they can now use different policies and procedures and have different administrative control.

Encryption Through Multiple Firewalls (Passthrough Link)

A VPN can use encryption through a series of firewalls. In this case, the traffic between the outer firewalls is encrypted, but the firewalls in between simply pass the encrypted data through. They do not decrypt the data nor do they have the encryption key.

For example, Yoyodyne sets up a VPN (with or without trust) between the firewall for the accounting department in Maryland and the firewall for the accounting department in California. On the firewall for the entire Maryland office (which includes the accounting department), Yoyodyne creates a passthrough link. This link simply passes the encrypted traffic from the accounting firewall in Maryland to the accounting firewall in California. The administrators in the California office must create a similar passthrough link on their firewall to pass encrypted traffic to the accounting firewall in the California office.

You can create passthrough links for host-to-host, network-to-network, or host-to-network communications. The most common use of a passthrough link specifies a host-to-host link for two firewalls.

How Virtual Private Networks Work

The firewall handles VPNs by examining all outbound traffic and encrypting any traffic between hosts that are marked as encrypted peers. The exact sequence of events varies depending on whether there is privacy with trust or just privacy.

When the firewall is about to send a packet, it checks to see if the source and destination are listed in a table of encrypted pairs. If the source and destination match an entry in the table, the firewall hands the packet to the swIPe driver for encryption.

Encrypting the Data

The swIPe driver uses the Data Encryption Standard (DES) to encrypt the data using the key provided for this VPN during firewall-to-firewall configuration. The new packet contains encrypted data and a header that indicates this is a special encrypted protocol. The firewall then sends the encrypted packets across the Internet (or other untrusted network) to the firewall for the remote network.

When the remote firewall receives the packet on its outside interface, the IP input layer recognizes this as an encrypted packet because of the special protocol. This information indicates that the firewall should send any packets with this special protocol to the swIPe driver.

If the source and destination addresses in the packet indicate that it is part of a passthrough link, the swIPe driver forwards the packet without modifying it.

Decrypting the Data

The swIPe driver decrypts the data using the same key used to encrypt the data. The swIPe driver passes the now decrypted data back to the IP input layer. This now handles the packet as it would handle any other packet that it receives on the outside interface.

Routing the Packet

If the VPN between the two networks uses privacy with trust, the routing layer forwards the packet to the appropriate host on the inside network. If the VPN between the two networks uses just privacy with no trust, the routing layer hands the packet to the appropriate service or proxy. The proxies treat this packet as they would any other packet from any other untrusted network.
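The decision path described in the preceding sections, as an added simulation that is not Gauntlet's kernel or swIPe driver code: the encrypted-pairs table, the passthrough check on the outer addresses, the key check on decryption, and the trusted-versus-private routing decision. The class names, table layout and Yoyodyne addresses are assumptions, and DES encryption is replaced by a tagged envelope so the example runs anywhere (53 is the IANA protocol number assigned to swIPe; the page itself only says "a special encrypted protocol").

```python
"""Simulation of the encrypted-pairs decision path under "How Virtual Private
Networks Work".  Added illustration, not Gauntlet's kernel or swIPe code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SWIPE_PROTO = 53  # IANA protocol number for swIPe (the page: "a special encrypted protocol")


@dataclass(frozen=True)
class Link:
    kind: str           # "trusted", "private" or "passthrough"
    local: str          # local network or host in CIDR form (a /32 is a single host)
    remote: str         # remote network or host
    gateway: str = ""   # outside interface of the remote firewall (unused by passthrough)
    key_id: int = 0     # Key ID chosen in the Swipe Keys window

    def covers(self, src: str, dst: str) -> bool:
        """True when src lies on the local side and dst on the remote side."""
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = 6                      # 6 = TCP, 17 = UDP
    dport: int = 0
    inner: Optional["Packet"] = None    # encapsulated packet when proto == SWIPE_PROTO
    key_id: int = 0                     # stands in for "payload encrypted under this key"


class Firewall:
    def __init__(self, outside: str, links):
        self.outside = outside          # address of this firewall's outside interface
        self.links = list(links)        # the encrypted-pairs table

    def _find(self, src, dst, kinds):
        for link in self.links:
            if link.kind in kinds and link.covers(src, dst):
                return link
        return None

    def outbound(self, pkt: Packet):
        """Output path: encrypt when (src, dst) is an encrypted pair, else send as is."""
        link = self._find(pkt.src, pkt.dst, ("trusted", "private"))
        if link is None:
            return "plain", pkt
        # The swIPe driver would DES-encrypt pkt here; the outer packet carries the
        # special protocol and is addressed to the remote firewall's outside interface.
        return "encrypt", Packet(self.outside, link.gateway, SWIPE_PROTO,
                                 inner=pkt, key_id=link.key_id)

    def inbound(self, pkt: Packet):
        """Input path on the outside interface."""
        if pkt.proto != SWIPE_PROTO:
            return "plain", pkt                      # ordinary packet, normal handling
        # Passthrough links match on the outer addresses and forward untouched;
        # this firewall never holds the key for that traffic.
        if (self._find(pkt.src, pkt.dst, ("passthrough",))
                or self._find(pkt.dst, pkt.src, ("passthrough",))):
            return "passthrough", pkt
        inner = pkt.inner
        # Seen from this end the pair is (remote -> local), so look it up reversed;
        # the configured key must be the one the packet was encrypted under.
        link = self._find(inner.dst, inner.src, ("trusted", "private"))
        if link is None or link.key_id != pkt.key_id:
            return "drop", pkt
        if link.kind == "trusted":
            return "forward", inner                  # routed to the inside host
        return "proxy", inner                        # handed to the service proxy


def demo():
    """Constructed topology: Maryland and California office firewalls with a
    trusted link, a private link from California to a client network, and a
    passthrough link on the Maryland firewall for the accounting firewalls."""
    maryland = Firewall("192.0.2.10", [
        Link("trusted", "10.0.5.0/24", "10.0.6.0/24", gateway="192.0.2.20", key_id=7),
        Link("passthrough", "192.0.2.11/32", "192.0.2.21/32"),
    ])
    california = Firewall("192.0.2.20", [
        Link("trusted", "10.0.6.0/24", "10.0.5.0/24", gateway="192.0.2.10", key_id=7),
        # For a private link the local side is the firewall's own outside interface.
        Link("private", "192.0.2.20/32", "10.0.7.0/24", gateway="198.51.100.5", key_id=8),
    ])
    out = {}
    # Trusted link: a Maryland host mails the California mail hub.
    action, wire = maryland.outbound(Packet("10.0.5.4", "10.0.6.12", dport=25))
    out["md_out"] = (action, wire.dst, wire.proto)
    action, got = california.inbound(wire)
    out["ca_in"] = (action, got.dst)
    # The same packet under the wrong key is dropped at the far end.
    bad = Packet(wire.src, wire.dst, SWIPE_PROTO, inner=wire.inner, key_id=9)
    out["wrong_key"] = california.inbound(bad)[0]
    # Private link: a client host reaches the California firewall's TELNET proxy.
    from_client = Packet("198.51.100.5", "192.0.2.20", SWIPE_PROTO,
                         inner=Packet("10.0.7.9", "192.0.2.20", dport=23), key_id=8)
    out["client_in"] = california.inbound(from_client)[0]
    # Passthrough: accounting-firewall traffic crosses the Maryland firewall untouched.
    acct = Packet("192.0.2.11", "192.0.2.21", SWIPE_PROTO, key_id=3)
    out["passthrough"] = maryland.inbound(acct)[0]
    # Traffic to a destination not in the table leaves in the clear.
    out["clear"] = maryland.outbound(Packet("10.0.5.4", "203.0.113.80", dport=80))[0]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` walks one packet through each path: the trusted packet is encrypted at Maryland, decrypted and forwarded at California; the same packet under a different Key ID is dropped; the private-link packet ends at the proxy; the accounting traffic is passed through without touching a key.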

Accessing Encryption Key Configuration

The first step to creating a VPN is to create a key.

To access VPN configuration:

  1. From within the Gauntlet Firewall Manager, select VPNs.

  2. Click the Swipe Keys tab.

    The Swipe Keys window displays.

Working With Encryption Keys

Before creating your VPN, you must create encryption keys that the firewall can use to encrypt and decrypt traffic.

Planning Encryption Keys

Before you start adding encryption keys, determine whether you wish to use the same key for every VPN. You must use the same key at each end of a VPN. However, if you have one VPN to your California office and one VPN to your client in New York, you may not wish to use the same key for both networks.

Creating Encryption Keys

To create an encryption key:

  1. In the Swipe Keys window, click Add.

    The Add Swipe Key window displays.

    Figure 28-2. Add Swipe Key Window


  2. Provide information about your encryption keys.

    KeyID

    ID number for this key. When you create the trusted or private link, you specify the key you wish to use by Key ID.

    If you wish to use this key to create a link with a Gauntlet Firewall running Version 4.0 or greater, enter a number between 0 and 999.

    If you wish to use this key to create a link with a Gauntlet Firewall running a version preceding Version 4.0, enter 0.

    Key String

    Alphanumeric string. The swIPe driver uses an MD5 hashing algorithm to create a pseudo-random number. The swIPe driver uses this value as the DES key.

    Ensure that the key string is not simply a word found in a dictionary. For best security, use a long string that includes multiple non-alphabetic characters. For example, Yoyodyne uses the phrase

    Try&and*guess(this)one.

    Verification

    Enter the same value you entered for the Key String.

    Authentication Encryption Algorithm

    Specifies the authentication algorithm that the swIPe driver uses to verify the contents and source of incoming encrypted packets. Select MD5_128. The larger the hash size, the less likely it is that someone can spoof the verification.


  3. Click OK.
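The checks a careful administrator applies before filling in the Add Swipe Key window, as an added example that is not the swIPe driver's or the Firewall Manager's code: the Key ID rule for pre-4.0 and 4.0-or-later peers, the key-string advice (not a dictionary word, long, several non-alphabetic characters, verification matching), and the MD5 derivation the page describes. The page says only that the driver MD5-hashes the key string and uses the result as the DES key, so taking the first 8 digest bytes and setting DES odd parity on them is an assumption, as is the small word list.

```python
"""Key-string checks and DES key derivation for the Add Swipe Key window.
Added illustration; the derivation details are assumptions (see lead-in)."""
import hashlib
import re

# Constructed stand-in for a system word list; a real check would read the
# system's dictionary file.
DICTIONARY = {"password", "secret", "yoyodyne", "california", "maryland"}


def check_key_id(key_id: int, peer_version: str) -> bool:
    """Key ID rule from the page: 0..999 when the peer runs Version 4.0 or
    later, exactly 0 when it runs an earlier version."""
    major = int(peer_version.split(".")[0])
    if major >= 4:
        return 0 <= key_id <= 999
    return key_id == 0


def check_key_string(key: str, verification: str,
                     min_len: int = 12, min_symbols: int = 2) -> list:
    """Return the problems found with a key string (empty list = acceptable).
    The thresholds are assumptions; the page only says "long" and
    "multiple non-alphabetic characters"."""
    problems = []
    if key != verification:
        problems.append("key string and verification do not match")
    if key.lower() in DICTIONARY:
        problems.append("key string is a dictionary word")
    if len(key) < min_len:
        problems.append(f"key string shorter than {min_len} characters")
    if len(re.findall(r"[^A-Za-z]", key)) < min_symbols:
        problems.append(f"fewer than {min_symbols} non-alphabetic characters")
    return problems


def des_key_from_string(key: str) -> bytes:
    """MD5-hash the key string and take the first 8 digest bytes as the 64-bit
    DES key, forcing odd parity on each byte.  DES uses only the 56 high bits;
    the parity bits carry no secret, so the key's strength comes from the
    string fed to MD5 and is capped at 56 bits regardless of the string."""
    raw = hashlib.md5(key.encode()).digest()[:8]
    out = bytearray()
    for b in raw:
        ones = bin(b >> 1).count("1")          # popcount of the 7 key bits
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def has_odd_parity(des_key: bytes) -> bool:
    """True when every byte of the key has an odd number of set bits."""
    return all(bin(b).count("1") % 2 == 1 for b in des_key)


if __name__ == "__main__":
    phrase = "Try&and*guess(this)one"
    print("Key ID 7 for a 4.0 peer:", check_key_id(7, "4.0"))
    print("problems with 'secret':", check_key_string("secret", "secret"))
    print("problems with the phrase:", check_key_string(phrase, phrase))
    print("derived DES key:", des_key_from_string(phrase).hex())
```

`check_key_string` rejects a bare dictionary word on three counts at once, while a phrase like the page's example passes; `des_key_from_string` is deterministic, so both ends derive the same key from the same string, which is why the page insists the string be shared exactly.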

Modifying Encryption Keys

To modify an encryption key:

  1. Select the key you wish to modify.

  2. Click Modify.

  3. Change the settings for this encryption key.

  4. Click OK.

  5. Inform the administrator at the other end of the VPN of your changes.

Deleting Encryption Keys


Note: You cannot delete an encryption key that is currently defined as part of a VPN.

To delete an encryption key:

  1. Click the encryption key you wish to delete.

  2. Click Delete.

Accessing the VPN Configuration

To access VPN configuration:

  1. From within the Gauntlet Firewall Manager, select VPNs.

  2. Click the VPNs tab.

    The VPNs window displays.

    Figure 28-3. VPNs Window


Working With the VPN Configuration

This section discusses how to work with VPNs, from the planning stage to the actual implementation and deletion.

Planning VPNs

When planning the VPNs for your network:

  1. Make sure your firewall is working as you would like before you create a VPN.

  2. Determine whether you wish to use trusted links or private links.

  3. Determine whether you need to create any passthrough links on firewalls that lie between your encrypted links.

  4. Coordinate your efforts with the administrator of the remote network. Discuss your security policies and procedures. Prepare to synchronize the firewalls as you configure them.

Creating a Trusted or Private VPN

To create a trusted or private VPN:

  1. On the VPNs window, click Add.

    The Add VPN Link Configuration window displays.

    Figure 28-4. Add VPN Link Configuration Window


  2. Provide information about your VPN.

    Link Type

    Select the type of link you are creating.

    Local Network Name

    Name for your local network or host. This name is for your information only, to help you track the various addresses and subnet masks.

    Local Network Address and Mask

    IP address for the local network or host. Specify the IP address and subnet mask for the host or network.

    If you are creating a trusted link between the networks inside two firewalls, enter the IP address and mask for your network.

    If you are creating a private link between two networks that are behind firewalls, enter the IP address of the outside interface of the firewall.

    Local Interface

    Name of the interface to which the local network is connected.

    Remote Network Name

    Name for the remote network or host. This name is for your information only, to help you track the various addresses and subnet masks.

    Remote Network Address and Mask

    IP address for the remote network or host. Specify the IP address and subnet mask for the host or network.

    Remote Gateway Address

    IP address for the outside interface of the remote firewall. After it encrypts the outgoing packets, the firewall sends them to this address.

    KeyID

    Select the Key ID for the encryption key you wish to use for this link.


  3. Click OK.
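The coordination the page asks for in "Planning VPNs" and in this procedure, expressed as an added consistency check that is not Firewall Manager code: given the link as configured on each firewall, it confirms that link types and Key IDs agree, that each end's Remote Gateway Address is the other end's outside interface, that for a trusted link the local and remote networks mirror each other and both sites enforce the same policy (the page's warning about a laxer remote policy), and that for a private link the local address is the firewall's own outside interface. The dictionary field names, the policy representation and the Yoyodyne addresses are assumptions.

```python
"""Two-ended consistency check for a trusted or private VPN link.  Added
illustration, not Gauntlet code; field names are assumptions."""
import ipaddress
from copy import deepcopy


def _net(spec: str) -> ipaddress.IPv4Network:
    """Accepts 'address/mask' with a dotted mask or a prefix length."""
    return ipaddress.ip_network(spec, strict=False)


def check_link_pair(ours: dict, theirs: dict) -> list:
    """Compare one link as configured on both firewalls; returns the mismatches
    found, or an empty list when the two ends agree."""
    problems = []
    if ours["link_type"] != theirs["link_type"]:
        problems.append("link types differ")
    if ours["key_id"] != theirs["key_id"]:
        problems.append("Key IDs differ; the same key must be used at each end")
    if ours["remote_gateway"] != theirs["outside_interface"]:
        problems.append("our Remote Gateway Address is not the peer's outside interface")
    if theirs["remote_gateway"] != ours["outside_interface"]:
        problems.append("peer's Remote Gateway Address is not our outside interface")
    if ours["link_type"] == "trusted":
        # Trusted link: each end's local network is the other end's remote network,
        # and both sites must enforce the same policy, otherwise a connection allowed
        # at the laxer site can reach hosts at the stricter one over the link.
        if _net(ours["local_net"]) != _net(theirs["remote_net"]):
            problems.append("our local network is not the peer's remote network")
        if _net(theirs["local_net"]) != _net(ours["remote_net"]):
            problems.append("peer's local network is not our remote network")
        if ours["policy"] != theirs["policy"]:
            diff = ", ".join(sorted(ours["policy"] ^ theirs["policy"]))
            problems.append("security policies differ: " + diff)
    else:
        # Private link: the local side is the firewall's own outside interface.
        for end, who in ((ours, "our"), (theirs, "peer's")):
            if _net(end["local_net"]) != _net(end["outside_interface"] + "/32"):
                problems.append(f"{who} local address is not the firewall's outside interface")
    return problems


# Constructed Yoyodyne configuration, one dict per firewall.  "policy" is the
# set of services each site allows from remote locations (an assumption).
MARYLAND = {
    "link_type": "trusted", "key_id": 7,
    "outside_interface": "192.0.2.10",
    "local_net": "10.0.5.0/255.255.255.0", "remote_net": "10.0.6.0/255.255.255.0",
    "remote_gateway": "192.0.2.20",
    "policy": frozenset({"smtp", "http"}),
}
CALIFORNIA = {
    "link_type": "trusted", "key_id": 7,
    "outside_interface": "192.0.2.20",
    "local_net": "10.0.6.0/255.255.255.0", "remote_net": "10.0.5.0/255.255.255.0",
    "remote_gateway": "192.0.2.10",
    "policy": frozenset({"smtp", "http"}),
}


def demo():
    """Returns (problems for the agreed config, problems after California drifts,
    problems for a private link whose local side is the inside network)."""
    good = check_link_pair(MARYLAND, CALIFORNIA)
    drifted = deepcopy(CALIFORNIA)
    drifted["key_id"] = 8                                    # re-keyed without telling Maryland
    drifted["policy"] = CALIFORNIA["policy"] | {"telnet"}    # and opened TELNET from remote sites
    priv_md = dict(MARYLAND, link_type="private")            # local_net left as the inside network
    priv_ca = dict(CALIFORNIA, link_type="private", local_net="192.0.2.20/32")
    return good, check_link_pair(MARYLAND, drifted), check_link_pair(priv_md, priv_ca)


if __name__ == "__main__":
    for label, problems in zip(("agreed", "drifted", "private"), demo()):
        print(f"{label}: {problems or 'ok'}")
```

Run it on both administrators' settings before clicking Save, Apply, and Reboot; the drifted case shows the two findings the page's planning advice is meant to prevent, a Key ID that no longer matches and a remote policy that now admits TELNET.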

Creating a Passthrough Link

To create a passthrough link:

  1. In the VPNs window, click Add.

    The Add VPN Link Configuration window displays.

  2. Provide information about your passthrough link.

    Local Network Address and Mask

    IP address for the local network or host that is using the encrypted link. Specify the IP address and subnet mask for the host or network.

    This is often the IP address of the outside address of the firewall that is using the encrypted link.

    Local Network Name

    Name for the local network or host that is at your end of the encrypted link. This name is for your information only, to help you track the various addresses and subnet masks.

    Remote Network Address and Mask

    IP address for the remote network or host that is using the encrypted link. Specify the IP address and subnet mask for the host or network.

    This is often the IP address of the outside address of the firewall that is using the encrypted link.

    Remote Network Name

    Name for the remote network or host that is at the other end of the encrypted link. This name is for your information only, to help you track the various addresses and subnet masks.


  3. Click OK.

Modifying VPNs

To modify a VPN:

  1. On the VPNs window, select the VPN you wish to modify.

  2. Click Modify.

    The Modify VPN Link Configuration window displays.

  3. Change the settings for this VPN.

  4. Click OK.

  5. Inform the administrator at the other end of the VPN of your changes.

Deleting VPNs

To delete a VPN:

  1. Select the VPN you wish to delete.

  2. Click Delete.

Starting Your VPN

To bring up your VPN:

  1. Coordinate your settings with the administrator of the remote VPN.

  2. When exiting the Gauntlet Firewall Manager, click Save, Apply, and Reboot to make your configuration take effect.

    When your firewall reboots, your VPN is enabled.

Testing Your VPN

After you have brought up your VPN, you may wish to confirm your configuration.

To verify your configuration:

  1. Log in to the firewall and become root.

  2. Use the trace option of the encryption policy configuration utility (/usr/local/etc/ipe) to display kernel diagnostic messages to the console:

    # cd /usr/local/etc
    # ipe -t on
    

  3. Watch the console for errors. Verify that there is diagnostic information for each of your links.

    The string Swipe_input means the firewall encrypted a packet, while Swipe_output means the firewall decrypted a packet.

  4. Turn off the trace function when you are done to avoid the overhead of the diagnostic feature.

    # ipe -t off
    

To verify the configuration of a trusted link:

  1. Log in to a host other than the firewall within the local network.

  2. Use ping to reach a host within the remote network.

    For example, the Yoyodyne administrator in Maryland pings the mail hub on the California office network:

    % ping mail.ca.yoyodyne.com
    

    Specify the remote host by IP address to make sure that it is not a DNS problem:

    % ping 10.0.6.12
    

To verify the configuration of a private link:

  1. Log in to a host other than the firewall within the local network.

  2. Connect to a host within the remote network.

    For example, the Yoyodyne administrator uses TELNET to connect to the mail hub on the California network:

    % telnet 10.0.6.12
    

    The remote firewall should pass this request to its TELNET proxy, as it would any request from an untrusted network. By default, the proxy should display the TELNET proxy prompt.

Stopping Your VPN

You can disable your VPN by removing the configuration for the VPN. The next time you reboot your firewall, the firewall does not start the VPN. If you need to disable the VPN and leave your firewall running, use the encryption policy configuration utility (/usr/local/etc/ipe) to disable the VPN:

# ipe -c