Cisco Set to Dominate Linux Market? (InternetNews)

Cisco Set to Dominate Linux Market? (InternetNews)

Posted Apr 13, 2008 16:55 UTC (Sun) by drag (subscriber, #31333)
In reply to: Cisco Set to Dominate Linux Market? (InternetNews) by simlo
Parent article: Cisco Set to Dominate Linux Market? (InternetNews)

Are you saying that they are trying to use a kernel module to bypass the root user?

That's insane...

Because otherwise I don't understand the problem, because what I think you're talking about is
easily done.

Say you're on a network 192.168.1.0 with a gateway 192.168.1.1 and you want to connect to a VPN
on a mystical internet address 10.1.1.2, with the VPN network being 172.16.23.0 and the gateway
on 172.16.23.1. So...

(this is with openvpn with its client-to-client and topology subnet)
> openvpn --config client.conf
> read -p 'press enter when connected'

> ip route del default dev eth0
> ip route del 192.168.1.0/24 dev eth0
> ip route add 192.168.1.1/32 dev eth0
> ip route add 10.1.1.2 via 192.168.0.254 dev eth0
> ip route add default via 172.16.23.1 dev tun0


Then set up a simple iptables firewall to block all traffic coming in and out of eth0, except
for the VPN traffic.

Then, voilà, no information going in or out of the local ethernet network.


Cisco Set to Dominate Linux Market? (InternetNews)

Posted Apr 13, 2008 16:57 UTC (Sun) by drag (subscriber, #31333)

oops,
 ip route add 10.1.1.2 via 192.168.0.254 dev eth0
should be
 ip route add 10.1.1.2 via 192.168.1.1 dev eth0
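The route changes above, with the gateway correction from this follow-up, plus the "block eth0 except VPN traffic" iptables rule set the earlier post leaves as an exercise. This is an added example, not code from either comment; the interface names, addresses and the assumed OpenVPN port (1194/udp, not stated in the thread) are set as overridable defaults.

```shell
#!/bin/sh
# Added example, not from the original post: print (default) or apply the LAN
# lockdown drag describes. Values are assumptions taken from the post's numbers;
# VPN_PORT=1194/udp is OpenVPN's default and is not stated in the thread.
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_GW=${LAN_GW:-192.168.1.1}
VPN_SERVER=${VPN_SERVER:-10.1.1.2}
VPN_PORT=${VPN_PORT:-1194}
TUN_IF=${TUN_IF:-tun0}
TUN_GW=${TUN_GW:-172.16.23.1}

# Routing: keep only a /32 to the LAN gateway, pin the VPN server behind it
# (the corrected form from the follow-up), and default everything else via tun0.
lockdown_routes() {
    echo "ip route del default dev $LAN_IF"
    echo "ip route del $LAN_NET dev $LAN_IF"
    echo "ip route add $LAN_GW/32 dev $LAN_IF"
    echo "ip route add $VPN_SERVER/32 via $LAN_GW dev $LAN_IF"
    echo "ip route add default via $TUN_GW dev $TUN_IF"
}

# Firewall: default DROP on every chain; on the LAN side only the encrypted
# tunnel packets to/from the VPN server pass. Inbound on tun0 is limited to
# reply traffic so the host is not a reachable listener on the private network.
lockdown_firewall() {
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -P $chain DROP"
        echo "iptables -F $chain"
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -o $LAN_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p udp -s $VPN_SERVER --sport $VPN_PORT" \
         "-m state --state ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -o $TUN_IF -j ACCEPT"
    echo "iptables -A INPUT -i $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# "show" prints the commands for review; "apply" runs them as root after the
# tunnel is up (sh -e stops at the first failing command).
case "${1:-show}" in
    show)  lockdown_routes; lockdown_firewall ;;
    apply) { lockdown_routes; lockdown_firewall; } | sh -e ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Note that iptables does not see ARP, so the host still answers ARP for its own address on the LAN; the rules above stop IP traffic, which is what the post is concerned with.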

Cisco Set to Dominate Linux Market? (InternetNews)

Posted Apr 13, 2008 22:04 UTC (Sun) by dan_linder (guest, #88)

You're right, it is insane but they wanted to make sure they could advertise that their VPN
module would nearly completely isolate the workstation from the local LAN traffic.

In my case, many of my customers have policies that require that the workstation VPN software limit
the client OS from talking with the local network for anything other than VPN traffic (makes
it a real pain to print locally).

Since I'm an outside contractor with VPN permissions and use Linux as my primary workstation
OS, if Cisco relied on running iproute commands to limit the connectivity, then I (as root)
could undo that and break the security policy.

Sure, there are ways around it, but I'm too lazy to implement some of them, especially when
bypassing them could end up in job termination.

Dan

Cisco Set to Dominate Linux Market? (InternetNews)

Posted Apr 14, 2008 2:03 UTC (Mon) by drag (subscriber, #31333)

That's just... er 'WOW'. 

This though, I know now, is the normal sort of BS that you have to go through to meet bizarre
requirements that certifications place on you. So I understand. I understand very very very
well. And sadly I am understanding this more week by week.

I wonder how long before regular people realize that these layers of bureaucracy and insane
certification requirements make things _WORSE_ instead of better? That these things have the
net effect of making things _more_ expensive and _less_ secure as well as dramatically
reducing accountability (I followed the rules, your honor. How was I supposed to know...)?

(I mean, seriously, depending on Cisco for security is about the same level of insanity as
depending on Microsoft to produce a truly open document format)

Cisco Set to Dominate Linux Market? (InternetNews)

Posted Apr 14, 2008 18:06 UTC (Mon) by madscientist (subscriber, #16861)

Nortel's VPN solution is the same way: they have a kernel module as well.  That version does
allow the server to allow the client to use split tunneling, where only the VPN-bound traffic
goes through the VPN but all "public" traffic uses the native network interface.  This allows
for a much faster and more reliable user experience, at the sacrifice of some security (since
now that host becomes an unsecured gateway onto the private network).

Nortel's solution also does something else which I'm not sure Cisco does, to mitigate this:
while the VPN is running they disable all incoming connections to privileged ports (ports
<1024).  That means that, while the VPN is running, no incoming connection to your printer
service, ssh, HTTP, SMTP, etc. etc. is allowed.  If you use your home system as a server for a
local network, this completely shuts down all services unless you've done the work to move
them to unprivileged ports.

However, it provides slightly better security since it disallows most of the connections that
could be compromised to enter the private network through that system.  Obviously you could
start your SSH server on a different port but the attacker would have to know that port... and
presumably someone knowledgeable enough to move the service would also be better at securing
the system against attack (yes, I know... but the alternative, to disallow split tunneling, is
even less palatable).

Now here's the real trick, that requires a kernel module: if you change your routing tables in
ANY WAY or try to re-enable those ports, then the VPN is automatically, immediately shut down.

I understand where drag's frustration comes from, but I don't see any proof that these
facilities REDUCE security. They definitely reduce productivity of an individual, insofar as
they have to work within this restricted environment. As always, these things are a
compromise: it will certainly reduce a LOT of people's productivity if a nasty virus or worm
gets loose on the private network. I certainly don't like kernel modules: when I used
Nortel's solution it was always a huge pain since they didn't support Debian (my distro at the
time) and support for new kernels was very slow to come.

If you don't want anything like that, you can get Juniper's VPN solution.  Theirs is
user-space only and does support split tunneling but doesn't provide the guarantees that Cisco
and Nortel's solutions do.

The big bummer with Juniper's solution is their install/startup scripting is truly horrible.
It works, just barely, on Red Hat Enterprise Linux systems, but refuses to work on most other
systems for no reason except that the person who wrote it didn't know what they were doing.
Very frustrating.  However, since it's a script and the solution is userspace it is possible to
work around it: I've written a simple alternative script that works pretty well.

Cisco Set to Dominate Linux Market? (InternetNews)

Posted Apr 17, 2008 21:16 UTC (Thu) by nicku (subscriber, #777)

Nortel's VPN solution is the same way: they have a kernel module as well.

Do you know if vpnc can work with Nortel VPNs? If so, are there particular differences in setup? I need to connect to a Nortel VPN, but am not keen to buy their $95 proprietary software with kernel module and use that.

Cisco Set to Dominate Linux Market? (InternetNews)

Posted Apr 18, 2008 0:56 UTC (Fri) by madscientist (subscriber, #16861)

Sorry, I don't know. And at my new job (well, not that new: I've been there over 18 months
now) we don't use Nortel VPN anymore.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds