Jerry Geis
2008-Aug-26 20:04 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
Is there an easy way or any way to establish a 128 bit encrypted tunnel between a handful of centos 5.2 boxes?

I am not familiar with this at all.

Jerry
Frank Cox
2008-Aug-26 20:09 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
On Tue, 26 Aug 2008 16:04:21 -0400 Jerry Geis <geisj at pagestation.com> wrote:

> Is there an easy way or any way to establish a 128 bit encrypted tunnel
> between a handful of centos 5.2 boxes?

ssh

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
John R Pierce
2008-Aug-26 20:20 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
Jerry Geis wrote:

> Is there an easy way or any way to establish a 128 bit encrypted tunnel
> between a handful of centos 5.2 boxes?
>
> I am not familiar with this at all.

either ssh tunnels, or for more flexibility, you might look into OpenVPN which supports routed or bridged virtual networks over an SSL socket.

with a 'handful', you'll need to determine what topology you want, most VPNs are built in a 'star' fashion where 1 central server acts as the VPN router and all other systems connect to it. you COULD do a fully meshed topology, this would just require creating more tunnels and routes (for instance, with 6 hosts, a star would require 5 tunnels, while fully meshed would be 15 tunnels).
Ross S. W. Walker
2008-Aug-26 20:24 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
Jerry Geis wrote:

> Is there an easy way or any way to establish a 128 bit
> encrypted tunnel between a handful of centos 5.2 boxes?
>
> I am not familiar with this at all.

If it's just shell access, then ssh of course!

If it's HTTP use HTTPS!

If it's SMTP use TLS.

And so on...

If it's for all network traffic whether it supports encrypted communications or not, use IPSec.

-Ross
Florin Andrei
2008-Aug-26 20:27 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
Jerry Geis wrote:

> Is there an easy way or any way to establish a 128 bit encrypted tunnel
> between a handful of centos 5.2 boxes?
>
> I am not familiar with this at all.

If you just need to forward a port or two, ssh is probably fine.

If you need true IP-to-IP connectivity, that's called VPN. There are a few different VPN solutions - probably the easiest complete one is OpenVPN.

Enable the EPEL repository:
http://fedoraproject.org/wiki/EPEL/FAQ#howtouse

Then do "yum install openvpn"

Plenty of documentation here:
http://openvpn.net/

There are also IPSec-based VPN solutions, but they are more complex.

--
Florin Andrei
http://florin.myip.org/
Jeff Kinz
2008-Aug-26 20:30 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
On Tue, Aug 26, 2008 at 04:04:21PM -0400, Jerry Geis wrote:

> Is there an easy way or any way to establish a 128 bit encrypted tunnel
> between a handful of centos 5.2 boxes?

In addition to the rest of the good info others already posted for you, please remember that "128 bit encryption" doesn't mean anything unless you also specify the encryption scheme being used.

A 128 bit encryption scheme may or may not be easily broken depending on which one it is. (Pick a good one!)

Jeff Kinz
Robert Moskowitz
2008-Aug-26 22:52 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
Jerry Geis wrote:

> Is there an easy way or any way to establish a 128 bit encrypted tunnel
> between a handful of centos 5.2 boxes?
>
> I am not familiar with this at all.

The newest 'player' in this is HIP. Code and docs at http://infrahip.hiit.fi/.

But HIP is NOT tunneling in the 'classic' IPnIP sense. It does not do port mapping like SSH. But it does mobility and multihoming that they do not do.
Robert Moskowitz
2008-Aug-26 22:55 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
Jeff Kinz wrote:

> On Tue, Aug 26, 2008 at 04:04:21PM -0400, Jerry Geis wrote:
>
>> Is there an easy way or any way to establish a 128 bit encrypted tunnel
>> between a handful of centos 5.2 boxes?
>
> In addition to the rest of the good info others already posted for you,
> please remember that "128 bit encryption" doesn't mean anything
> unless you also specify the encryption scheme being used.
>
> A 128 bit encryption scheme may or may not be easily broken depending on
> which one it is. (Pick a good one!)

Actually 'we' (crypto community) talk about crypto-suites, as you have to look at all the pieces involved. If everything is not disclosed (like with Skype), then you just don't know where the weakness may be.

SSH, IPsec (watch out for the 'Null' cipher :) ), TLS (some of the suites are too weak to talk about), and HIP are all well-rounded security protocols. I have worked on all of them.
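Added example, not part of the original thread: a short audit that applies the point made in the two messages above by judging each cipher suite as a whole (algorithm, key length, MAC) instead of by its bit count. The sample lines are constructed in the layout printed by `openssl ciphers -v`, and the weak-algorithm and weak-MAC lists are an assumed local policy, not something stated in the thread.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`.
SAMPLE = """\
AES128-SHA    SSLv3 Kx=RSA      Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5       SSLv3 Kx=RSA      Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC-SHA   SSLv3 Kx=RSA      Au=RSA Enc=DES(56)  Mac=SHA1
EXP-RC4-MD5   SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)  Mac=MD5 export
NULL-SHA      SSLv3 Kx=RSA      Au=RSA Enc=None     Mac=SHA1
"""

# Assumed local policy (not from the thread): adjust to your own standard.
WEAK_ALGS = {"RC4", "RC2", "DES"}   # rejected whatever the key length
WEAK_MACS = {"MD5"}
MIN_BITS = 128

ENC_RE = re.compile(r"\bEnc=([^\s(]+)(?:\((\d+)\))?")
MAC_RE = re.compile(r"\bMac=(\S+)")


def parse(line):
    """Split one listing line into (suite, algorithm, key_bits, mac)."""
    enc, mac = ENC_RE.search(line), MAC_RE.search(line)
    if enc is None or mac is None:
        raise ValueError("not a cipher listing line: %r" % line)
    bits = int(enc.group(2)) if enc.group(2) else 0   # Enc=None carries no size
    return line.split()[0], enc.group(1), bits, mac.group(1)


def findings(alg, bits, mac):
    """Judge the whole suite: algorithm, key length and MAC, not just the bits."""
    out = []
    if alg.lower() == "none":
        out.append("no-encryption")          # the 'Null' cipher case
    elif alg.upper() in WEAK_ALGS:
        out.append("weak-algorithm")
    if 0 < bits < MIN_BITS:
        out.append("short-key")
    if mac.upper() in WEAK_MACS:
        out.append("weak-mac")
    return out


def audit(text):
    """Return {suite_name: [findings]} for every non-blank line."""
    return {s: findings(a, b, m)
            for s, a, b, m in map(parse, filter(str.strip, text.splitlines()))}


if __name__ == "__main__":
    for suite, issues in audit(SAMPLE).items():
        print("%-12s %s" % (suite, ", ".join(issues) or "ok"))
```

AES128-SHA and RC4-MD5 both advertise 128 bits, yet only the first passes this policy.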
Robert Moskowitz
2008-Aug-31 13:55 UTC
[CentOS] establish a 128 bit encrypted tunnel between centos 5.2 boxes
Ric Moore wrote:

> On Tue, 2008-08-26 at 18:55 -0400, Robert Moskowitz wrote:
>
>> Jeff Kinz wrote:
>>
>>> On Tue, Aug 26, 2008 at 04:04:21PM -0400, Jerry Geis wrote:
>>>
>>>> Is there an easy way or any way to establish a 128 bit encrypted tunnel
>>>> between a handful of centos 5.2 boxes?
>>>
>>> In addition to the rest of the good info others already posted for you,
>>> please remember that "128 bit encryption" doesn't mean anything
>>> unless you also specify the encryption scheme being used.
>>>
>>> A 128 bit encryption scheme may or may not be easily broken depending on
>>> which one it is. (Pick a good one!)
>>
>> Actually 'we' (crypto community) talk about crypto-suites, as you have
>> to look at all the pieces involved. If everything is not disclosed (like
>> with Skype), then you just don't know where the weakness may be.
>>
>> SSH, IPsec (watch out for the 'Null' cipher :) ), TLS (some of the
>> suites are too weak to talk about), and HIP are all well-rounded
>> security protocols. I have worked on all of them.
>
> Whatever happened to cipe?? Ric

Has it kept up with the known attacks? It predates a lot of work we did in IETF on IPsec, for example.

For example I had to axe the implicit IV mode for DES-CBC due to the hamming distance attack. "But Schneier lists counters as a valid method of generating IVs....". Sheesh, there is such a thing as new attacks (even if they are old to the NSA) as being reasons NOT to cite old texts.