Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others. This can be an expensive proposition, especially for small or medium sized businesses (SMBs) that want to expand without paying the high costs associated with enterprise-level, dedicated digital circuits.
Engineers have developed a cost-effective solution to this problem in the form of Virtual Private Networks (VPNs). Following the same functional principles as dedicated circuits, Virtual Private Networks allow for secured digital communication between two parties (or networks), creating a Wide Area Network (WAN) from existing LANs. Where it differs from frame relay or ATM is in its transport medium. VPNs transmit over IP or datagram (UDP) layers, making it a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open standard, open source encryption to further mask data in transit.
Some organizations employ hardware VPN solutions to augment security, while others use the software or protocol-based implementations. There are several vendors with hardware VPN solutions such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based VPN solution for Linux called FreeS/Wan that utilizes a standardized IPSec implementation. These VPN solutions act as specialized routers that sit between the IP connection from one office to another. When a packet is transmitted from a client, it sends it through the router or gateway, which then adds header information for routing and authentication called the Authentication Header (AH) and trailer information for CRC file integrity and security called the Encapsulation Security Payload (ESP).
With such a heightened level of security, a cracker must not only intercept a packet, but decrypt the packet as well (which, in the case of most VPNs, usually employ a triple Data Encryption Standard (3DES) 192-bit cypher). Intruders who employ a man-in-the-middle attack between server and client must also have access to the keys exchanged for authenticating sessions. VPNs are secure and effective means to connect multiple remote nodes to act as a unified Intranet.
Red Hat Linux users and administrators have various options in terms of implementing a software solution to secure their WAN. There are, however, two methods of implementing VPN and VPN-equivalent connections that currently ship with Red Hat Linux. One equivalent solution involves using OpenSSH as a tunnel between two remote nodes. This solution is a sound alternative to telnet, rsh, and other remote host communication protocols, but does not completely address the usability needs of all corporate telecommuters. Another solution that is more adherent to the de facto definition of a VPN is Crypto IP Encapsulation (CIPE), a method of connecting remote LANs to function as a unified network.