Which is more secure, VPN or SSH server?
I'm new to setting up a VPN server. I'm running Kanotix.
1. Is there any clear advantage with either of the VPN server alternatives: Openswan or Secureswan? Are these the best choices available? I'll be connecting via the MS Windows built-in client.
2. Also, which is better for remote administration, a VPN or SSH server? I'd like to use VNC to work on the remote Linux machine... also I'd be transferring files through the tunnel (12meg each).
Thank you.
In my experience, the correct answer to a "what's better" question is almost invariably "It depends."
In this case, at least some of what it depends on is what you're administering and what kinds of applications you need to use to do that administration. If you're administering a single Linux box and you basically need terminal access, probably with file transfer, then SSH strikes me as a very straightforward way to go about it. If you also expect to want access for X11 applications, SSH is still quite straightforward. OTOH, if what you're administering is a small (and internally secure) network where the individual boxes are not directly accessible from the outside (where you are), then a VPN may be more convenient.
The biggest difference, IMHO, is that SSH gives you end-to-end encryption so you don't have any worries (well, far fewer worries :rolleyes: ) about your session being intercepted by an eavesdropper who might be able to pick up sensitive information like passwords. With a VPN, your encryption is effective only as far as the inner end of the VPN and not necessarily across the internal network, so you ought to think pretty skeptically about security within that network.
All this is, of course, somewhat oversimplified, but without a lot more information about exactly what you are trying to accomplish, I doubt that I can do much better in a reasonable amount of time or space. If you want to go into more detail, I'm sure someone (I or someone else) would have a better handle on how to give you a more specific answer.
Best of luck,
Paul
>>The biggest difference, IMHO, is that SSH gives you end-to-end encryption so you don't have any worries (well, far fewer worries :rolleyes: ) about your session being intercepted by an eavesdropper who might be able to pick up sensitive information like passwords. With a VPN, your encryption is effective only as far as the inner end of the VPN and not necessarily across the internal network, so you ought to think pretty skeptically about security within that network.>>
Sorry but I'm not clear... isn't the VPN tunnel encrypted? So, how can one sniff a VPN connection any easier than an SSH connection? Aren't VPN connections more robust, faster and secure, that's why companies use them to connect remotely?
My intentions are to copy files 'to' a home box from overseas. The files are about 15mg each, and I'd be copying hundreds. I'd like to use something like TightVNC securely to manage the file system on the home machine.
My two cents...
I like to think of it like this. With SSH, because it's not built into Windows, one needs to download an SSH client. Provided you're using SSHv2 for your tunnel it has to be safer than a native Windows VPN connection. (opinion)
Companies may use VPNs because they, arguably, are more 'user friendly', i.e., GUIs, machine-to-machine authentication (as opposed to the 'dreaded' CLI), etc. Personally, I'd go the VPN route, using OpenVPN (openvpn.sf.net), with certificate authority, etc., but since ssh comes right out of the box, you may prefer that. How's that for a not-so-definitive reply?
cheers,
I have seen several reports on the net that say Microsoft's implementation of PPTP is, at least, a poor implementation.
I was able to find one of these reports. I hope it can bring some information to help you make a position on this. http://www.schneier.com/pptp-faq.html
cheers,
Overall, I wouldn't expect it to be too difficult to set up a VPN server on the Linux box and the ssh server probably is there already, so I'd say try them both and see what makes the most sense for you. (Just don't use the MS VPN implementation.)
Good Luck,
Paul
Another point. VPN is preconfigured to use multiple protocols. SSH isn't; you have to establish a tunnel for each protocol you wish to use. This involves a lot more initial setup when you are configuring the tunnels to match your particular configuration.
I personally use SSH tunnels for just about everything; at this time I am writing this message on a Win XP wireless laptop as I sit in the family room watching 24. This laptop only supports WEP, which is enabled, but I am SSH tunneling my HTTP connection to a Linux box upstairs in the home office, and connecting to the internet through that box. So, I don't think that anyone listening in will be cracking my HTTP connection any time soon.
The downside is that if I want to check email from here, I have to set up another tunnel. Either that, or I establish an X Windows session on this laptop and SSH into the Linux box to run the email client that I normally use on that system (kmail). Now, I travel with this laptop and as a matter of security I routinely SSH to my Linux system in order to browse no matter where I am when I connect via some unknown and presumably insecure wireless network.
SSH or VPN
Ok, software VPNs are hardly easy to set up, especially in a corporate environment. Microsoft's VPN is the worst example of that. VPNs have their place, but for remote management I will take SSH any day. What I do is set up an SSH tunnel and start VNCServer to only allow local logins.
    vncserver :1 -localhost
It gives me encrypted traffic, a secure GUI and once logged in I can use whatever protocol I allow on the box. Easy to set up, easy to use.
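An added example, not part of any post in this thread: a check that the `vncserver :1 -localhost` setup described above really leaves VNC reachable only through the SSH tunnel. The user and host `user@home-box` are placeholders, and the `ss -ltn` sample output is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that VNC is reachable only through the SSH tunnel.
# Server side (from the post): vncserver :1 -localhost   (display :1 = TCP 5901)
# Client side: ssh -L 5901:localhost:5901 user@home-box  (placeholder user/host)
#              then point the VNC viewer at localhost:5901

# Read `ss -ltn` output on stdin; print every listener on a VNC display
# port (5900-5999) that is bound to something other than loopback.
vnc_exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            local_ep = $4                       # e.g. 127.0.0.1:5901 or [::]:5903
            n = split(local_ep, parts, ":")
            port = parts[n] + 0                 # text after the last colon
            addr = substr(local_ep, 1, length(local_ep) - length(parts[n]) - 1)
            if (port < 5900 || port > 5999) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print local_ep
        }
    '
}

# Constructed sample of `ss -ltn` output: display :1 is loopback-only,
# displays :2 and :3 were started without -localhost.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*
LISTEN  0       5       0.0.0.0:5902        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       [::1]:5901          [::]:*
LISTEN  0       5       [::]:5903           [::]:*
EOF
}

# On a real server, run:  ss -ltn | vnc_exposed_listeners
exposed=$(sample_ss_output | vnc_exposed_listeners)
if [ -n "$exposed" ]; then
    printf 'VNC reachable without the tunnel on:\n%s\n' "$exposed"
else
    echo 'All VNC listeners are loopback-only.'
fi
```

Any line this prints is a VNC display that can be reached directly from the network, bypassing SSH authentication and encryption.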
A little more VPN vs. SSH...
Hi again.
In my remote Windows XP to home Linux scenario:
1. If I choose VPN, which is better: Openswan or Secureswan?
2. Can't I use VNC or NXclient over a VPN connection in the same manner as an SSH?
3. Mentioned here: "it depends"... I'm wanting to transfer 12-15 meg files (many) from my remote XP to the home Linux machine. In this setup, is there any speed or other advantage using a VPN vs. an SSH connection?
Thanks for the help.
1.) Either should work
2.) You could use VNC, but NXclient needs ssh
3.) Generally I've found Microsoft's VPN connections to be slower than SSH connections, but your mileage may vary. I'd probably just connect using SFTP (ssh)
In my experience the SSH connection is a lot less work to set up than setting up a full blown VPN. There is no problem using a VPN if that is what you really want to do. But for what you describe, I'd personally just use SSH. On most of my boxes setting up SSH takes just a bit more than no work. Setting up a VPN takes a lot more. If you are behind a corporate firewall at work, my guess is that there is a greater chance of having SSH already open.
For the indicated configuration, I too would use SSH. In fact, I do use SSH. I also use TightVNC on Windows and I set it to only accept local connections, then tunnel into it via SSH.
Once you know how, setting up SSH is simple. But, if you want to use a VPN router, setting up a VPN is also simple. For using SSH on Windows, I would recommend installing Cygwin. This gives a *nix environment on the Windows box, including sshd (which can be installed as a Windows service) and the standard ssh client. To transfer lots of files, there is sftp, as was suggested, but I personally usually just use scp (secure copy).
Filezilla supports sftp.. makes it real easy. All it takes is a server running ssh to get to your files.
thanks so much...
You people are great here!
Thanks so much for your feedback. Seems the general opinion is don't bother with VPN, SSH does the trick :) I'm hoping this is the last question...
1. If I buy a 'hardware' VPN router, is it more secure and better vs. SSH if I wish to have more than one have the ability to connect securely via remote?
Thanks again.
Akonbobot
Just make sure you keep up on firmware updates just as you would on software updates