LinuxQuestions.org > Linux - Security > Which more secure, VPN or SSH server?
(https://www.linuxquestions.org/questions/linux-security-4/which-more-secure-vpn-or-ssh-server-424181/)

Akonbobot 03-12-2006 02:21 PM

Which more secure, VPN or SSH server?
 
I'm new to setting up a VPN server. I'm running Kanotix.

1. Is there any clear advantage with either of the VPN server alternatives: Openswan or Secureswan? Are these the best choices available?

I'll be connecting via MS Windows built in client.

Also,

2. Which is better for remote administration, a VPN or SSH server?

I'd like to use VNC to work on the remote Linux machine...
Also, I'd be transferring files through the tunnel (12meg each).

Thank you.

prn 03-13-2006 09:14 AM

In my experience, the correct answer to a "what's better" question is almost invariably "It depends."

In this case, at least some of what it depends on is what you're administering and what kinds of applications you need to use to do that administration. If you're administering a single Linux box and you basically need terminal access, probably with file transfer, then SSH strikes me as a very straightforward way to go about it. If you also expect to want access for X11 applications, SSH is still quite straightforward.

OTOH, if what you're administering is a small (and internally secure) network where the individual boxes are not directly accessible from the outside (where you are), then a VPN may be more convenient. The biggest difference, IMHO, is that SSH gives you end-to-end encryption so you don't have any worries (well, far fewer worries :rolleyes: ) about your session being intercepted by an eavesdropper who might be able to pick up sensitive information like passwords. With a VPN, your encryption is effective only as far as the inner end of the VPN and not necessarily across the internal network, so you ought to think pretty skeptically about security within that network.

All this is, of course, somewhat oversimplified, but without a lot more information about exactly what you are trying to accomplish, I doubt that I can do much better in a reasonable amount of time or space. If you want to go into more detail, I'm sure someone (I or someone else) would have a better handle on how to give you a more specific answer.

Best of luck,
Paul

Akonbobot 03-13-2006 10:37 AM

Quote:

Originally Posted by prn
The biggest difference, IMHO, is that SSH gives you end-to-end encryption so you don't have any worries (well, far fewer worries :rolleyes: ) about your session being intercepted by an eavesdropper who might be able to pick up sensitive information like passwords. With a VPN, your encryption is effective only as far as the inner end of the VPN and not necessarily across the internal network, so you ought to think pretty skeptically about security within that network.

Sorry but I'm not clear... isn't the VPN tunnel encrypted? So, how can one sniff a VPN connection any easier than an SSH connection?

Aren't VPN connections more robust, faster and secure, that's why companies use them to connect remotely?

My intentions are to copy files 'to' a home box from overseas. The files are about 15 meg each, and I'd be copying hundreds. I'd like to use something like TightVNC securely to manage the file system on the home machine.

lucktsm 03-13-2006 11:27 AM

My two cents...

I like to think of it like this. With SSH, because it's not built into Windows, one needs to download an SSH client. Provided you're using SSHv2 for your tunnel, it has to be safer than a native Windows VPN connection. (opinion)

mrclisdue 03-13-2006 11:28 AM

Quote:

Originally Posted by Akonbobot
Sorry but I'm not clear... isn't the VPN tunnel encrypted? So, how can one sniff a VPN connection any easier than an SSH connection?

i'm not trying to 'steal' prn's thunder, but if i interpret his initial response correctly, what he's saying is that outside of either end of the tunnel, ie, across internal networks, there may be a security risk, as the tunnel has done its job, and now you become reliant on the lan's security - this may, or may not, be an issue.

Quote:

Aren't VPN connections more robust, faster and secure, that's why companies use them to connect remotely?
Perhaps more secure, depending on how it's set up. 'Robustness' may be in the eye of the beholder; the same also applies to speed. Again, these qualities depend on how the vpn and ssh tunnels are configured, but either can be just as fast and robust as the other.

Companies may use vpns because they, arguably, are more 'user friendly', ie, guis, machine-to-machine authentication (as opposed to the 'dreaded' cli), etc.

Personally, I'd go the VPN route, using OpenVPN (openvpn.sf.net), with certificate authority, etc., but since ssh comes right out of the box, you may prefer that.

How's that for a not-so-definitive reply?

cheers,

marozsas 03-13-2006 11:51 AM

I have seen several reports on the net that say Microsoft's implementation of PPTP is, at least, a poor implementation.

I was able to find one of these reports. I hope it brings some information to help you form a position on this.

http://www.schneier.com/pptp-faq.html

cheers,

prn 03-13-2006 12:45 PM

Quote:

Originally Posted by mrclisdue
i'm not trying to 'steal' prn's thunder, but if i interpret his initial response correctly, what he's saying is that outside of either end of the tunnel, ie, across internal networks, there may be a security risk, as the tunnel has done its job, and now you become reliant on the lan's security - this may, or may not, be an issue.

Exactly! That is just what I was trying to say. Whether I'm right or not is always debatable :D and you are certainly right that it may or may not be an issue for the specific case.

Quote:

Originally Posted by mrclisdue
Perhaps more secure, depending on how it's set up. 'Robustness' may be in the eye of the beholder; the same also applies to speed. Again, these qualities depend on how the vpn and ssh tunnels are configured, but either can be just as fast and robust as the other.

Exactly right again. It all depends. As for "robustness", VPNs and SSH use comparable encryption algorithms, so "robustness" will depend on implementation (see the Schneier link in marozsas' post) and on configuration.

Quote:

Originally Posted by mrclisdue
Companies may use vpns because they, arguably, are more 'user friendly', ie, guis, machine-to-machine authentication (as opposed to the 'dreaded' cli), etc.

Absolutely! The original question said that it would be used for "remote administration" and how "user friendly" one or the other is depends on what you want to do. SSH gives you a perfectly serviceable terminal and reasonable access to X applications (though you do have to have an X server on your remote box, but you probably need that anyway with a VPN). Depending on what you want to do, a VPN may or may not be more "user friendly". It all depends on you for that.

Quote:

Originally Posted by mrclisdue
Personally, I'd go the VPN route, using OpenVPN (openvpn.sf.net), with certificate authority, etc., but since ssh comes right out of the box, you may prefer that.

How's that for a not-so-definitive reply?

Just perfect! :D If the OP is planning on using a Windows box for the remote end, then something will have to be installed somewhere regardless, so you don't get right-out-of-the-box convenience either way. One or the other may (or may not) turn out to be easier. Personally, I tend to use terminal/cli for most administrative purposes anyway, so I've had plenty of experience with SSH. Someone else may have a strong preference for a convenient GUI that (may) become available trivially upon installation of a VPN (though, again, if the server is running Linux and the remote is running MS Windows, that may or may not be trivial).

Overall, I wouldn't expect it to be too difficult to set up a VPN server on the Linux box and the ssh server probably is there already, so I'd say try them both and see what makes the most sense for you. (Just don't use the MS VPN implementation.)

Good Luck,
Paul

jiml8 03-13-2006 08:18 PM

Another point. VPN is preconfigured to use multiple protocols. SSH isn't; you have to establish a tunnel for each protocol you wish to use. This involves a lot more initial setup when you are configuring the tunnels to match your particular configuration.

I personally use SSH tunnels for just about everything; at this time I am writing this message on a Win XP wireless laptop as I sit in the family room watching 24. This laptop only supports WEP, which is enabled, but I am SSH tunneling my HTTP connection to a Linux box upstairs in the home office, and connecting to the internet through that box. So, I don't think that anyone listening in will be cracking my HTTP connection any time soon.

The downside is that if I want to check email from here, I have to set up another tunnel. Either that, or I establish an X Windows session on this laptop and SSH into the Linux box to run the email client that I normally use on that system (kmail).

Now, I travel with this laptop and as a matter of security I routinely SSH to my Linux system in order to browse no matter where I am when I connect via some unknown and presumably insecure wireless network.

javaroast 03-13-2006 11:56 PM

SSH or VPN
 
Ok, software VPNs are hardly easy to set up, especially in a corporate environment. Microsoft's VPN is the worst example of that. VPNs have their place, but for remote management I will take SSH any day. What I do is set up an SSH tunnel and start VNCServer to only allow local logins (vncserver :1 -localhost). It gives me encrypted traffic, a secure GUI and once logged in I can use whatever protocol I allow on the box. Easy to set up, easy to use.
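
The localhost-only VNC over SSH pattern javaroast describes here (and jiml8 uses below with TightVNC on Windows), written up as an added shell example that is not from the thread: it computes the VNC port for a display, builds the client-side ssh forwarding command (with room for the extra per-protocol forwards jiml8 mentions), and checks constructed `ss -ltn` style output to confirm the VNC server is bound to loopback only. The user@host value is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Server side is started with the
# command from the post:  vncserver :1 -localhost
# so the VNC listener is only reachable through the SSH tunnel.

# VNC display :N listens on TCP port 5900+N.
vnc_port() {
    echo $((5900 + $1))
}

# Client-side command: forward a local port to the server's loopback-only
# VNC listener. Extra "-L local:host:port" forwards may be appended, one
# per additional protocol (e.g. mail or HTTP), as jiml8 notes.
ssh_tunnel_cmd() {
    user_host=$1; display=$2; shift 2
    port=$(vnc_port "$display")
    cmd="ssh -N -L ${port}:localhost:${port}"
    for fwd in "$@"; do
        cmd="$cmd -L $fwd"
    done
    echo "$cmd $user_host"
}

# Read 'ss -ltn' style output on stdin and print VNC listeners
# (ports 5900-5999) that are NOT bound to loopback. An empty result
# means every VNC display is only reachable through the tunnel.
exposed_vnc_listeners() {
    awk 'NR > 1 && $4 ~ /:59[0-9][0-9]$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):/ { print $4 }'
}

# Constructed sample: display :1 correctly bound to loopback, display :2
# started without -localhost and therefore exposed on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5901     0.0.0.0:*
LISTEN 0      128    0.0.0.0:5902       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners
}

# On a real server replace the sample with:  ss -ltn | exposed_vnc_listeners
check_sample
```

With the tunnel up, the VNC viewer on the Windows side connects to localhost:5901 rather than to the home box directly.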

Akonbobot 03-14-2006 12:54 AM

A little more VPN vs. SSH...
 
Hi again.

In my remote Windows XP to home Linux scenario:

1. If I chose VPN which is better: Openswan or Secureswan?

2. Can't I use VNC or NXclient over a VPN connection in the same manner as an SSH?

3. Mentioned here: "it depends"... I'm wanting to transfer 12-15 meg files (many) from my remote XP to the home Linux machine. In this setup, is there any speed or other advantage using a VPN vs. a SSH connection?

Thanks for the help.

javaroast 03-14-2006 01:03 AM

1.) Either should work
2.) You could use VNC, but NXclient needs ssh
3.) Generally I've found Microsoft's VPN connections to be slower than SSH connections, but your mileage may vary. I'd probably just connect using SFTP (ssh)

In my experience the SSH connection is a lot less work to set up than setting up a full blown VPN. There is no problem using a VPN if that is what you really want to do. But for what you describe, I'd personally just use SSH. On most of my boxes setting up SSH takes just a bit more than no work. Setting up a VPN takes a lot more. If you are behind a corporate firewall at work, my guess is that there is a greater chance of having SSH already open.

jiml8 03-14-2006 02:38 PM

For the indicated configuration, I too would use SSH. In fact, I do use SSH. I also use TightVNC on Windows and I set it to only accept local connections, then tunnel into it via SSH.

Once you know how, setting up SSH is simple. But, if you want to use a VPN router, setting up a VPN is also simple.

For using SSH on Windows, I would recommend installing Cygwin. This gives a *nix environment on the Windows box, including sshd (which can be installed as a Windows service) and the standard ssh client.

To transfer lots of files, there is sftp, as was suggested, but I personally usually just use scp (secure copy).

Flyen 03-14-2006 06:09 PM

FileZilla supports SFTP. Makes it real easy. All it takes is a server running ssh to get to your files.

Akonbobot 03-14-2006 08:29 PM

thanks so much...
 
You people are great here!
Thanks so much for your feedback.

Seems the general opinion is don't bother with VPN, SSH does the trick :)

I'm hoping this is the last question...

1. If I buy a 'hardware' VPN router, is it more secure and better vs. SSH if I wish to have more than one have the ability to connect securely via remote?

Thanks again.
Akonbobot

Flyen 03-14-2006 08:35 PM

Just make sure you keep up on firmware updates just as you would on software updates
