LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-12-2006, 02:21 PM   #1
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Rep: Reputation: 15
Which more secure, VPN or SSH server?


I'm new to setting up a VPN server. I'm running Kanotix.

1. Is there any clear advantage with either of the VPN server alternatives: Openswan or Secureswan? Are these the best choices available?

I'll be connecting via MS Windows built in client.

Also,

2. Which is better for remote administration, a VPN or SSH server?

I'd like to use VNC to work on the remote Linux machine...
also I'd be transfering files through the tunnel (12meg each)

Thank you.
 
Old 03-13-2006, 09:14 AM   #2
prn
Member
 
Registered: Apr 2005
Location: Muncie, IN, USA
Posts: 58

Rep: Reputation: 16
In my experience, the correct answer to a "what's better" question is almost invariably "It depends."

In this case, at least some of what it depends on is what you're administering and what kinds of applications you need to use to do that administration. If you're administering a single Linux box and you basically need terminal access, probably with file transfer, then SSH strikes me as a very straightforward way to go about it. If you also expect to want access for X11 applications, SSH is still quite straightforward.

OTOH, if what you're administering is a small (and internally secure) network where the individual boxes are not directly accessible from the outside (where you are), then a VPN may be more convenient. The biggest difference, IMHO, is that SSH gives you end-to-end encryption so you don't have any worries (well, far fewer worries ) about your session being intercepted by an eavesdropper who might be able to pick up sensitive information like passwords. With a VPN, your encryption is effective only as far as the inner end of the VPN and not necessarily across the internal network, so you ought to think pretty skeptically about security within that network.

All this is, of course, somewhat oversimplified, but without a lot more information about exactly what you are trying to accomplish, I doubt that I can do much better in a reasonable amount of time or space. If you want to go into more detail, I'm sure someone (I or someone else) would have a better handle on how to give you a more specific answer.

Best of luck,
Paul
 
Old 03-13-2006, 10:37 AM   #3
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Original Poster
Rep: Reputation: 15
Wink

>>The biggest difference, IMHO, is that SSH gives you end-to-end encryption so you don't have any worries (well, far fewer worries ) about your session being intercepted by an eavesdropper who might be able to pick up sensitive information like passwords. With a VPN, your encryption is effective only as far as the inner end of the VPN and not necessarily across the internal network, so you ought to think pretty skeptically about security within that network.>>

Sorry but I'm not clear... isn't the VPN tunnel encrypted? So, how can one sniff a VPN connection any easier than an SSH connection?

Aren't VPN connections more robust, faster and secure, that's why companies use them to connect remotely?

My intentions are to copy files 'to' a home box from overseas. The files are about 15mg each, and I'd be copying hundreds. I'd like to use something like TightVNC securely to manage the file system on the home machine.
 
Old 03-13-2006, 11:27 AM   #4
lucktsm
Member
 
Registered: May 2004
Location: Atlanta, GA USA
Distribution: Redhat ES4, FC4, FC5, slax, ubuntu, knoppix
Posts: 155

Rep: Reputation: 30
My two cents...


I like to think of it like this. With SSH because it's not built into Windows, one needs to download an SSH client. Provided you're using SSHv2 for your tunnel it has to be safer than a native Windows VPN Connection. (opinion)
 
Old 03-13-2006, 11:28 AM   #5
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware -current, 14.1
Posts: 1,030

Rep: Reputation: 160Reputation: 160
Quote:
Originally Posted by Akonbobot
Sorry but I'm not clear... isn't the VPN tunnel encrypted? So, how can one sniff a VPN connection any easier than an SSH connection?
i'm not trying to 'steal' prn's thunder, but if i interpret his initial response correctly, what he's saying is that outside of either end of the tunnel, ie, across internal networks, there may be a security risk, as the tunnel has done it's job, and now you become reliant on the lan's security - this may, or may not, be an issue.

Quote:
Aren't VPN connections more robust, faster and secure, that's why companies use them to connect remotely?
Perhaps more secure, depending on how it's setup. 'Robustness' may be in the eye of the beholder; the same also applies to speed. Again, these qualities depend on how the vpn and ssh tunnels are configured, but either can be just as fast and robust as the other.

Companies may use vpns because they, arguably, are more 'user friendly', ie, guis, machine-to-machine authentication (as opposed to the 'dreaded' cli), etc.

Personally, I'd go the VPN route, using OpenVPN (openvpn.sf.net), with certificate authority, etc., but since ssh comes right out of the box, you may prefer that.

How that for a not-so-definitive reply?

cheers,
 
Old 03-13-2006, 11:51 AM   #6
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Rep: Reputation: 63
I have seen several reports on the net that say Microsoft's implementation of PPTP is, at least, a poor implementation.

I has able to found one of this reports. I hope it can bring some information to help you make a position on this.

http://www.schneier.com/pptp-faq.html

cheers,
 
Old 03-13-2006, 12:45 PM   #7
prn
Member
 
Registered: Apr 2005
Location: Muncie, IN, USA
Posts: 58

Rep: Reputation: 16
Quote:
Originally Posted by mrclisdue
i'm not trying to 'steal' prn's thunder, but if i interpret his initial response correctly, what he's saying is that outside of either end of the tunnel, ie, across internal networks, there may be a security risk, as the tunnel has done it's job, and now you become reliant on the lan's security - this may, or may not, be an issue.
Exactly! That is just what I was trying to say. Whether I'm right or not is always debatable and you are certainly right that it may or may not be an issue for the specific case.

Quote:
Originally Posted by mrclisdue
Perhaps more secure, depending on how it's setup. 'Robustness' may be in the eye of the beholder; the same also applies to speed. Again, these qualities depend on how the vpn and ssh tunnels are configured, but either can be just as fast and robust as the other.
Exactly right again. It all depends. As for "robustness", VPNs and SSH use comparable encryption algorithms, so "robustness" will depend on implementation (see the Schneier link in marozsas' post) and on configuration.

Quote:
Originally Posted by mrclisdue
Companies may use vpns because they, arguably, are more 'user friendly', ie, guis, machine-to-machine authentication (as opposed to the 'dreaded' cli), etc.
Absolutely! The original question said that it would be used for "remote administration" and how "user friendly" one or the other is depends on what you want to do. SSH gives you a perfectly serviceable terminal and reasonable access to X applications (though you do have to have an X server on your remote box, but you probably need that anyway with a VPN). Depending on what you want to do, a VPN may or may not be more "user friendly". It all depends on you for that.

Quote:
Originally Posted by mrclisdue
Personally, I'd go the VPN route, using OpenVPN (openvpn.sf.net), with certificate authority, etc., but since ssh comes right out of the box, you may prefer that.

How that for a not-so-definitive reply?
Just perfect! If the OP is planning on using a Windows box for the remote end, then something will have to be installed somewhere regardless, so you don't get right-out-of-the-box convenience either way. One or the other may (or may not) turn out to be easier. Personally, I tend to use terminal/cli for most administrative purposes anyway, so I've had plenty of experience with SSH. Someone else may have a strong preference for a convenient GUI that (may) become available trivially upon installation of a VPN (though, again, if the server is running LInux and the remote is running MS Windows, that may or may not be trivial).

Overall, I wouldn't expect it to be too difficult to set up a VPN server on the Linux box and the ssh server probably is there already, so I'd say try them both and see what makes the most sense for you. (Just don't use the MS VPN implementation.)

Good Luck,
Paul

Last edited by prn; 03-13-2006 at 12:47 PM.
 
Old 03-13-2006, 08:18 PM   #8
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114Reputation: 114
Another point. VPN is preconfigured to use multiple protocols. SSH isn't; you have to establish a tunnel for each protocol you wish to use. This involves a lot more initial setup when you are configuring the tunnels to match your particular configuration.

I personally use SSH tunnels for just about everything; at this time I am writing this message on a Win XP wireless laptop as I sit in the family room watching 24. This laptop only supports WEP, which is enabled, but I am SSH tunneling my HTTP connection to a Linux box upstairs in the home office, and connecting to the internet through that box. So, I don't think that anyone listening in will be cracking my HTTP connection any time soon.

The downside is that if I want to check email from here, I have to set up another tunnel. Either that, or I establish an X Windows session on this laptop and SSH into the Linux box to run the email client that I normally use on that system (kmail).

Now, I travel with this laptop and as a matter of security I routinely SSH to my Linux system in order to browse no matter where I am when I connect via some unknown and presumably insecure wireless network.
 
Old 03-13-2006, 11:56 PM   #9
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
SSH or VPN

Ok, software VPN's are hardly easy to set up, especially in a corporate environment. Microsoft's VPN is the worst example of that. VPN's have there place, but for remote management I will take SSH any day. What I do is set up an SSH tunnel and start VNCServer to only allow local logins. vncserver :1 -localhost It gives me encrypted traffic, a secure Gui and once logged in I can use whatever protocol I allow on the box. Easy to set up, easy to use.
 
Old 03-14-2006, 12:54 AM   #10
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Original Poster
Rep: Reputation: 15
A little more VPN vs. SSH...

Hi again.

In my remote Windows XP to home Linux scenario:

1. If I chose VPN which is better: Openswan or Secureswan?

2. Can't I use VNC or NXclient over a VPN connection in the same manner as an SSH?

3. Mentioned here: "it depends"... I'm wanting to transfer 12-15 meg files (many) from my remote XP to the home Linux machine. In this setup, is there any speed or other advantage using a VPN vs. a SSH connection?

Thanks for the help.
 
Old 03-14-2006, 01:03 AM   #11
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
1.) Either should work
2.) You could use VNC, but NXclient needs ssh
3.) Generally I've found Microsoft's VPN connections to be slower than SSH connections, but your mileage may vary. I'd probably just connect using SFTP (ssh)

In my experience the SSH connection is a lot less work to set up than setting up a full blown VPN. There is no problem using a VPN if that is what you really want to do. But for what you describe, I'd personally just use SSH. On most of my boxes setting up SSH takes just a bit more than no work. Setting up a VPN takes a lot more. If you are behind a corporate firewall at work, my guess is that there is a greater chance of having SSH already open.
 
Old 03-14-2006, 02:38 PM   #12
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114Reputation: 114
For the indicated configuration, I too would use SSH. In fact, I do use SSH. I also use TightVNC on Windows and I set it to only accept local connections, then tunnel into is via SSH.

Once you know how, setting up SSH is simple. But, if you want to use a VPN router, setting up a VPN is also simple.

For using SSH on Windows, I would recommend installing Cygwin. This gives a *nix environment on the Windows box, including sshd (which can be installed as a Windows service) and the standard ssh client.

To transfer lots of files, there is sftp, as was suggested, but I personally usually just use scp (secure copy).
 
Old 03-14-2006, 06:09 PM   #13
Flyen
LQ Newbie
 
Registered: Apr 2004
Distribution: Fedora 5 and CentOS 4
Posts: 21

Rep: Reputation: 15
Filezilla supports sftp.. makes it real easy. All it takes is a server running ssh to get to your files.
 
Old 03-14-2006, 08:29 PM   #14
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Original Poster
Rep: Reputation: 15
thanks so much...

You people are great here!
Thanks so much for your feedback.

Seems the general opinion is don't bother with VPN, SSH does the trick

I'm hoping this is the last question...

1. If I buy a 'hardware' VPN router, is it more secure and better vs. SSH if I wish to have more
than one have the ability to connect securely via remote?


Thanks again.
Akonbobot
 
Old 03-14-2006, 08:35 PM   #15
Flyen
LQ Newbie
 
Registered: Apr 2004
Distribution: Fedora 5 and CentOS 4
Posts: 21

Rep: Reputation: 15
Just make sure you keep up on firmware updates just as you would on software updates
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Secure remote desktop with Linux? VNC? SSH? VPN? sauce Linux - Security 3 12-16-2005 01:24 PM
Secure VPN XaViaR Suse/Novell 3 08-30-2005 03:52 PM
VPN: linux VPN server behind Linksys router hamish Linux - Networking 14 08-25-2005 08:42 PM
VPN Question Win98->internet->Router->Linux VPN Server->Win2k Server patrickrea Linux - Networking 1 08-10-2004 02:09 AM
How do i connect Ciscos VPN client to Checkpoint VPN server Klas Linux - Networking 1 11-29-2003 08:00 AM


All times are GMT -5. The time now is 04:10 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration