[NTLUG:Discuss] Encrypted network traffic on a local network
Dennis Rice
dennis at dearroz.com
Thu Jul 5 14:13:04 CDT 2007
----------------------
On 5 July Leroy Tennison said:
Have been testing ipsec-tools and realized that it is for either
host-to-host encryption or an encrypted tunnel between two networks.
Is there a way to have data transmissions between all hosts on a given
network encrypted? To do this with IPSec it appears that you would have
to set up host-to-host SAs for every combination of source and
destination host.
----------------------
Leroy,
Although I have not yet gotten to the stage of playing around with the
problem as you have, there are a few requirements that need to be
set up.
First, to use IPSec, a VPN is set up between two agents. The next
question is who the agents are. Naturally, the agents can be the end
hosts, but this will require a separate encryption key for every link -
5 hosts means 10 different keys to allow everyone to talk to everyone
else in an encrypted mode. This provides total encryption of the
message, even on the local network. Difficult to manage but doable on a
small network.
The next step is to set up a gateway / router to perform the encryption
between LANs. This is important in that transmitting a file from a user
host to the VPN gateway will still be in clear-text, but the file
between VPN gateways will be encrypted. In this situation, the VPN is
established between the two Gateways, hence only one public key set must
be managed (much easier). Note that this is the system gateway; all
user hosts have to be pointed to this system as the default gateway. If
a VPN link is not available to the remote location, then the gateway
will just forward the message unencrypted. If this gateway is still
inside of the network and has another gateway to go through, then it
will forward accordingly (set up a static route from the VPN gateway to
the Internet router).
If a user host continues to point to the Internet router, there will be
no way for the data to be encrypted; the user host's default gateway must
be the VPN gateway.
Unfortunately, I have not yet gotten to the stage of setting up a VPN on
Linux, but I am looking forward to it. Would always look forward to
your assistance for documenting and putting into my book.
Dennis
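The two designs discussed in this thread, written out as setkey(8) policy
files in ipsec-tools syntax. This is an added example, not code from either
poster: the addresses are constructed sample values, and the functions
only generate the configuration text (you would feed the output to
`setkey -f` and let racoon negotiate the SAs). Note that the `require`
level makes the kernel drop traffic for which no SA exists rather than
sending it in clear text; use the `use` level if fall-through to clear
text is wanted.

```shell
#!/bin/sh
# Added example (not from the original post): generate setkey(8) policy
# files for host-to-host transport mode and gateway-to-gateway tunnel mode.
# All addresses in the usage lines below are constructed sample values.

# Transport mode, host-to-host: each host needs an out/in policy pair
# toward every other host on the list. racoon then sets up one SA pair
# per peer, so N hosts means N*(N-1)/2 keyed links across the network.
# Usage: gen_transport_policy <this-host> <host1> <host2> ...
gen_transport_policy() {
    self="$1"; shift
    printf 'flush;\nspdflush;\n'
    for peer in "$@"; do
        [ "$peer" = "$self" ] && continue
        printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$self" "$peer"
        printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$peer" "$self"
    done
}

# Tunnel mode, gateway-to-gateway: one out/in policy pair on each gateway
# covers the whole remote subnet. Host-to-gateway traffic stays clear text;
# only the gateway-to-gateway leg is encrypted.
# Usage: gen_tunnel_policy <local-net> <local-gw> <remote-net> <remote-gw>
gen_tunnel_policy() {
    local_net="$1"; local_gw="$2"; remote_net="$3"; remote_gw="$4"
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_net" "$remote_net" "$local_gw" "$remote_gw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_gw" "$local_gw"
}

# Number of distinct host pairs, i.e. keyed links, for N hosts: N*(N-1)/2
pair_count() {
    echo $(( $1 * ($1 - 1) / 2 ))
}

# Sample run (constructed addresses): a 5-host LAN and a gateway pair.
# gen_transport_policy 10.0.0.1 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5
# gen_tunnel_policy 192.168.1.0/24 203.0.113.1 192.168.2.0/24 203.0.113.2
# pair_count 5
```

For the transport-mode design every host gets its own file (run
`gen_transport_policy` with that host's address first), while for the
tunnel design only the two gateways need a file, which is the management
difference Dennis describes.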