<HTML><HEAD><TITLE>Before we start</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.63">
<LINK REL="HOME" TITLE="Encrypted Tunnels using SSH and MindTerm HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Introduction" HREF="intro.html">
<LINK REL="NEXT" TITLE="Software Installation" HREF="software-install.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Encrypted Tunnels using SSH and MindTerm HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="intro.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="software-install.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="BEFORE-START">2. Before we start</A></H1>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="MINDTERM-INTRO">2.1. Mindterm and SSH Introduction</A></H2
><P>Businesses, schools, and home users need more secure network services now more than ever. As online business increases, more people access critical company information over insecure networks. Companies use the Internet as a primary means of communicating with travelling employees at home and abroad, sending documents to field offices around the world, and sending unencrypted email; this communication can contain a wealth of information that a malicious person can intercept and sell or give to a rival company. Good security policies for both users and network administrators can help minimize the problems associated with a malicious person intercepting or stealing critical information within their organization. This paper will discuss using Secure Shell (SSH) and MindTerm to secure organizational communication across the Internet.</P
><P>Home users and business travelers are accessing company resources and sending sensitive data over insecure networks. <EM>This opens up a whole new area of security issues for System Administrators (Securing the home office sensible and securely)</EM>, especially since the number of corporate users working from home with high-speed access is expected to <EM>"more than double from 24 million in 2000 to 55 million by 2005" (Broadband Access to Increase in Workplace)</EM>. <EM>The increase in the number of airports and hotels offering internet access, especially high-speed access, is increasing and is expected to grow in the future (Broadband Moving On Up)</EM>. This also leaves a door wide open for a malicious person to hijack or view a person's Internet traffic and gain access to their company. The malicious person may not be interested in the work the employee is doing, but may just want access to a high-speed server from which to launch attacks, store files, or other uses. Business people are at particularly high risk because they don't know who is monitoring their Internet connection in the hotel, airport, or anywhere else in their travels. Users of the new high-speed connections are usually not taught proper security practices, and some companies don't have the staff to help the home user and business traveler set up secure communication. Individual users and, surprisingly, some companies have a mentality of <EM>"I don't have anything people want"</EM>. This is very disturbing considering the amount of sensitive information that travels across the Internet from employees' homes and from travelers. What is more disturbing is the availability of free software to perform these kinds of attacks and its ease of use. Dsniff (<A HREF="http://www.monkey.org/~dugsong/dsniff/" TARGET="_top">http://www.monkey.org/~dugsong/dsniff/</A>) is a freely available program whose utilities allow anyone with a networked computer to hijack a local network, monitor what others are doing, and grab passwords and other sensitive data. In his book Secrets and Lies: Digital Security in a Networked World, Bruce Schneier states that technique propagation is one of the main threats to network security: <EM>"The Internet is...a perfect medium for propagating successful attack tools. Only the first attacker has to be skilled; everyone else can use his software" (Schneier)</EM>.</P
><P>The purpose of this paper is not to explain how to secure computers but how to set up virtual tunnels for secure communication, whether sending documents or sending email. Business travelers should read <A HREF="http://www.sans.org/infosecFAQ/travel/travel_list.htm" TARGET="_top">Jim Purcell, Frank Reid, and Aaron Weissenfluh's</A> articles on travel security. Home users with high-speed access should read Ted Tang's <A HREF="http://www.sans.org/infosecFAQ/start/free.htm" TARGET="_top">article</A> for information on how to secure computers with high-speed access. I'd recommend the many resources available on <A HREF="http://www.sans.org" TARGET="_top">www.sans.org</A>, <A HREF="http://www.securityfocus.com" TARGET="_top">www.securityfocus.com</A>, or <A HREF="http://www.securityportal.com" TARGET="_top">www.securityportal.com</A> for tutorials on how to secure your computers and servers.</P
><P>The way to ensure that sensitive data is transmitted securely and quickly is to use encrypted methods of data delivery. This can be done with encrypted email, secure web-based email services, or encrypted tunnels between two computers. The software must also be easy to set up and reliable, so that inexperienced users can quickly establish secure communication channels. Tatu Ylonen's <A HREF="http://www.ssh.com" TARGET="_top">Secure Shell</A> and <A HREF="http://www.mindbright.se" TARGET="_top">MindBright</A> Technology's MindTerm are a quick, easy-to-use, and reliable solution for securing communication over the Internet.</P
></DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="MINDTERM-SSH">2.2. MindTerm and SSH</A></H2>
<P
>SSH (Secure Shell) is a secure replacement for remote login and file transfer programs like telnet, rsh, and ftp, which transmit data in clear, human-readable text. SSH uses public-key authentication to establish an encrypted and secure connection from the user's machine to the remote machine. Once the secure connection is established, the username, password, and all other information are sent over it. You can read more about how ssh works, the algorithms it uses, and the protocols implemented for it to maintain a high level of security and trust at the ssh website: <A HREF="http://www.ssh.com" TARGET="_top">www.ssh.com</A>. The OpenBSD team has created a free alternative called OpenSSH, available at <A HREF="http://www.openssh.com" TARGET="_top">www.openssh.com</A>. It maintains the high security standards of the OpenBSD team and the IETF specifications for Secure Shell (see the <A HREF="http://www.ietf.org/ids.by.wg/secsh.html" TARGET="_top">Secure Shell IETF drafts</A>), except that it uses free, public domain algorithms. SSH is becoming a standard for remote login administration. It has become so popular that there are many ports of ssh to various platforms, and free clients are available to log in to an ssh server from many platforms as well. See <A HREF="http://linuxmafia.com/pub/linux/security/ssh-clients" TARGET="_top">http://linuxmafia.com/pub/linux/security/ssh-clients</A> for a list of clients; Securityportal.com has an excellent two-part article on ssh, with links to ports for different platforms, available at <A HREF="http://www.securityportal.com/research/ssh-part1.html" TARGET="_top">http://www.securityportal.com/research/ssh-part1.html</A>. There are also programs that use an ssh utility called Secure Copy (scp) in the background and provide the same functionality as a full ftp client, like <A HREF="http://winscp.vse.cz" TARGET="_top">WinSCP</A> and the <A HREF="http://www.isnetworks.com/ssh/" TARGET="_top">Java SSH/SCP Client</A>, which has a modified scp interface for MindTerm. Please read the licenses carefully to determine whether you are legally allowed to download ssh in your country. SSH is free for academic institutions; please read the licenses available at the ssh.com website.</P
><P>MindTerm is an ssh client written entirely in Java by MindBright Technology. One of the key practices in developing security software is proper implementation of the underlying algorithms and protocols it uses. MindBright Technology has implemented the ssh protocol very well in this small application file. It is a self-contained archive that only needs to be unzipped into a directory of your choice, and it is ready to be used. It can be used as a standalone program, as a web page applet, or both. It is available at <A HREF="http://www.mindbright.se/download/" TARGET="_top">http://www.mindbright.se/download/</A>. MindTerm is an excellent and inexpensive client for securing communication between a local and a remote location. The MindTerm program at the download address above is available free for non-commercial and academic use; commercial use is licensed on a case-by-case basis. However, the modified version by <A HREF="http://www.isnetworks.net" TARGET="_top">ISNetwork</A> <EM>"is based on the MindTerm 1.21 codebase, which MindBright released under the GPL [General Public License -- see <A HREF="http://www.gnu.org" TARGET="_top">http://www.gnu.org</A>]. Since our version is released under the GPL you can use it commercially for free" (Eckels)</EM>. ISNetwork's implementation has all the features of MindBright's MindTerm, except that it has a nicer scp interface for more user-friendly file transfers. MindTerm does have one drawback: it doesn't support UDP tunneling. To secure UDP traffic, a program called Zebedee (<A HREF="http://www.winton.org.uk/zebedee/" TARGET="_top">http://www.winton.org.uk/zebedee/</A>) will work nicely. Zebedee's server and client programs are available for Windows and Linux platforms, and it is freely distributed under the GPL too. You can connect to either Windows or Linux machines using Zebedee. MindTerm will not check whether your system is secure; it is up to administrators and users to take care of securing the computer systems. MindTerm is easy to deploy and very effective at maintaining the high level of security implemented in the ssh protocol. This paper will show how easy it is to set up and establish secure communication channels for almost any user and by almost any user. Documents, email, and other data can be easily and securely sent to users a few feet away or around the world.</P
></DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="MINDTERM-WORK">2.3. How MindTerm and SSH work together</A></H2>
<P
>SSH and MindTerm work together using a technique called port forwarding. Port forwarding is forwarding traffic from one host and a given port to another host and port. In other words, the MindTerm application opens a port on the client's machine (the local machine), and any connection to that local port is forwarded to the remote host and its listening port over an encrypted ssh session. Whether or not the connection is accepted depends on the type of request you are sending to the remote host. For example, you wouldn't forward POP requests to a remote host listening on port 21, because port 21 is reserved for ftp requests. Port forwarding is also used to allow connections to a server that is behind a firewall and/or has a private IP address. Essentially this creates a Virtual Private Network (VPN). A VPN is <EM>"a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures"</EM> (<A HREF="http://www.whatis.com" TARGET="_top">www.whatis.com</A>). Port forwarding can only be done with TCP services.</P
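><P>The local port forwarding described above, as an added example that is not code from the HOWTO, MindTerm, or SSH: a listener on the client machine relays every accepted TCP connection to a remote host and port. In MindTerm the second leg of that relay travels inside the encrypted ssh session; here it is plain TCP so the script runs offline, and the point is the forwarding mechanics and the protocol-mismatch caveat. The toy POP3 server, the loopback addresses, and the class and function names are constructed for this example.</P>
<PRE CLASS="PROGRAMLISTING">
```python
import socket
import threading

# Added example (not from the HOWTO, MindTerm, or SSH): the local
# port-forwarding mechanics of section 2.3. A listener on the client
# machine relays each accepted TCP connection to the remote host and port.
# In MindTerm that second leg rides inside the encrypted ssh session; here
# it is plain TCP so the demo runs offline. The toy POP3 server below is a
# constructed stand-in for the real remote service.


def pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """Listen on 127.0.0.1:local_port; relay every connection to target."""

    def __init__(self, local_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", local_port))  # loopback only
        self.listener.listen(5)
        self.local_port = self.listener.getsockname()[1]
        self.connections = 0  # how many client connections were relayed
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:  # listener closed
                return
            self.connections += 1
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:  # remote refused: nothing to forward to
            client.close()
            return
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        pump(upstream, client)  # remote -> client, in this thread
        client.close()
        upstream.close()

    def close(self):
        self.listener.close()


def toy_pop3_server():
    """Constructed stand-in for a remote POP3 server on an ephemeral port.

    Greets with +OK, answers QUIT with +OK and anything else with -ERR,
    then closes. Returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"+OK toy pop3 ready\r\n")
                line = conn.makefile("rb").readline().strip().upper()
                conn.sendall(b"+OK bye\r\n" if line == b"QUIT"
                             else b"-ERR unknown command\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def demo(command=b"QUIT"):
    """Talk to the toy server only through the forwarded local port.
    Returns (greeting, reply, connections relayed)."""
    remote_port, srv = toy_pop3_server()
    fwd = LocalForward(0, "127.0.0.1", remote_port)  # port 0: pick a free one
    try:
        with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=5) as c:
            reader = c.makefile("rb")
            greeting = reader.readline()
            c.sendall(command + b"\r\n")
            reply = reader.readline()
    finally:
        fwd.close()
        srv.close()
    return greeting, reply, fwd.connections


if __name__ == "__main__":
    print(demo())
```
</PRE>
<P>Because the relay copies bytes blindly, the remote service decides whether the request makes sense: POP commands sent to an ftp port pass through the tunnel just as readily and are simply rejected at the far end, which is what the paragraph above means by the connection being accepted or not. The listener is a SOCK_STREAM socket with an accept loop, which is why this style of forwarding covers TCP services only; a UDP datagram has no connection to accept and relay, which is why the HOWTO points to Zebedee for UDP traffic.</P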
></DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="intro.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="software-install.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Introduction</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"> </TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Software Installation</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>