Product SiteDocumentation Site

4.2. Data in Motion

Data in motion is data that is being transmitted over a network. The biggest threats to data in motion are interception and alteration. Your user name and password should never be transmitted over a network without protection as it could be intercepted and used by someone else to impersonate you or gain access to sensitive information. Other private information such as bank account information should also be protected when transmitted across a network. If the network session was encrypted then you would not have to worry as much about the data being compromised while it is being transmitted.
Data in motion is particularly vulnerable to attackers because the attacker does not have to be near the computer in which the data is being stored rather they only have to be somewhere along the path. Encryption tunnels can protect data along the path of communications.

4.2.1. Virtual Private Networks (VPNs)

Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others. This can be an expensive proposition, especially for small to medium sized businesses (SMBs) that want to expand without paying the high costs associated with enterprise-level, dedicated digital circuits.
To address this need, Virtual Private Networks (VPNs) were developed. Following the same functional principles as dedicated circuits, VPNs allow for secured digital communication between two parties (or networks), creating a Wide Area Network (WAN) from existing Local Area Networks (LANs). Where it differs from frame relay or ATM is in its transport medium. VPNs transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open standard encryption methods to further mask data in transit.
Some organizations employ hardware VPN solutions to augment security, while others use software or protocol-based implementations. Several vendors provide hardware VPN solutions, such as Cisco, Nortel, IBM, and Checkpoint. There are many free software-based VPN solutions for Linux, such as OpenVPN, OpenConnect, FreeS/Wan and others. They differ on the secure communication protocol used for channel establishment and features.

4.2.1.1. Which types of VPN exist?

There are different types of VPN protocols, depending on the underlying secure communication protocols used. In the following paragraphs we try to enumerate the available solutions.
  • IPSec VPNs that utilize the standardized Internet Protocol Security. Typically the implementation lies in the kernel-space.
    FreeS/Wan is of this VPN type.
  • SSL/TLS VPNs that utilize the standardized Transport Layer Security protocol or the Datagram Transport Layer Security Protocol (DTLS). Typically the implementation lies on user-space.
    OpenConnect is of this VPN type.
  • Custom VPN protocols.
    OpenVPN is such a protocol that has its key exchange based on SSL.

4.2.1.2. VPNs and Fedora

Fedora provides various options in terms of implementing a software solution to securely communicating across a WAN. One option available within Fedora is Internet Protocol Security (IPsec) which does a good job of addressing the usability needs of many organizations. Another option is OpenVPN which has functionality built into GNOME's Network Manager.

4.2.1.3. OpenConnect

Fedora supports OpenConnect for connecting remote hosts and networks to each other using an SSL/TLS-based secure tunnel on a common carrier network such as the Internet. The protocol is compatible with the CISCO AnyConnect and can be used to connect to CISCO gateways in addition to OpenConnect servers. OpenConnect utilizes two channels, a TCP channel under TLS, and a UDP channel under DTLS to establish the tunnel. The UDP channel takes precedence when can be reliably established, and the TCP channel is used as backup.
OpenConnect can be deployed to connect a host to a network, or a network to network. The mode is determined by the server which provides the appropriate configuration (e.g., routes) to the client.
4.2.1.3.1. Authentication of an OpenConnect Connection
An OpenConnect connection can be established after the credentials are available to the user. The credentials may be a username-password pair, a client certificate or both. In all cases, the server's certificate (or its hash) must be available or known to the user.
4.2.1.3.2. OpenConnect Installation
Deploying OpenConnect client side requires that the NetworkManager-openconnect, and openconnect RPM packages be installed. The server side requires the ocserv RPM package. The available applications are listed below.
  • /usr/sbin/openconnect — It is the client tunnel establishment tool. Refer to the openconnect(8) man page for more information.
  • /usr/sbin/ocserv — it is the openconnect server application. Refer to the ocserv(8) man page for more information.
  • /etc/ocserv/ocserv.confocserv's daemon configuration file used to configure various aspects of the connection, including authentication methods and encryption algorithms used in the connection. Refer to the ocserv(8) man page for a complete listing of available directives.
To configure an OpenConnect client on Fedora, you can use the Network Manager Tool, or manually execute the openconnect application with the appropriate command line parameters.
4.2.1.3.3. OpenConnect Client Configuration
OpenConnect's default operation connects one desktop or workstation (host) to a network. The server openconnect connects to provides the routes that are available from the VPN tunnel.
To configure a host-to-host IPsec connection, use the following steps for each host:
  1. Select the configuration option on the top right menu and select the Network settings.
  2. On the Network tab, click + to start the new connection configuration wizard.
  3. On the Add Network Connection dialog, click VPN.
  4. Then select the Cisco AnyConnect Compatible VPN (openconnect).
  5. Enter the gateway (server address) for the connection, and optionally specify the server's certificate. If no certificate is specified you'll be prompted to trust the one that is obtained by the server on the initial connection.
  6. Save and, return the the initial Network tab, and then click on the newly created VPN connection. You'll be prompted for the username and password.