authorHolger Dengler <dengler@linutronix.de>2012-10-18 16:42:15 +0200
committerHolger Dengler <dengler@linutronix.de>2012-10-18 16:42:15 +0200
commit65c7ea9b36e9505be25f4f7db5b5aac2cdda008e (patch)
tree4b8a87d280f2c1728b07cf6f8d676b4277238edb /security
parent63b92c9c84dace78b730610a2079899291a633a5 (diff)
Security/vpn: New VPN Fasttrack Presentation
This new VPN Fasttrack covers an overview and the basics of VPN. Some frames can be reused for the main presentation. Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
-rw-r--r--security/TODO10
-rw-r--r--security/vpn/Makefile9
-rw-r--r--security/vpn/frm_product-openl2tp.tex17
-rw-r--r--security/vpn/frm_product-openvpn.tex23
-rw-r--r--security/vpn/frm_product-overview.tex26
-rw-r--r--security/vpn/frm_product-swan.tex20
-rw-r--r--security/vpn/frm_protocol-gre.tex11
-rw-r--r--security/vpn/frm_protocol-ipsec.tex15
-rw-r--r--security/vpn/frm_protocol-overview.tex22
-rw-r--r--security/vpn/frm_protocol-tls.tex14
-rw-r--r--security/vpn/frm_rec-adhoc.tex11
-rw-r--r--security/vpn/frm_rec-dont-use.tex13
-rw-r--r--security/vpn/frm_rec-infratructure.tex11
-rw-r--r--security/vpn/frm_scene-a.tex12
-rw-r--r--security/vpn/frm_scene-b.tex11
-rw-r--r--security/vpn/pres_vpn-fasttrack_en.tex91
16 files changed, 311 insertions, 5 deletions
diff --git a/security/TODO b/security/TODO
index deb59a1..60818db 100644
--- a/security/TODO
+++ b/security/TODO
@@ -9,18 +9,18 @@ Firewall section
- validation
VPN section
-- Fasttrack
+- Fasttrack (done)
- Presentation (full)
- How VPNs work (done)
- - Protokol and Authentication Overview
+ - Protokol and Authentication Overview (done)
- foreach(Protocol)
- Authentication
- - Products
+ - Products (done)
- Pros and Cons
- examples
- Use case dependant solutions
- - Central VPN Server
- - Distributed VPN Server
+ - Central VPN Server (done)
+ - Distributed VPN Server (done)
- Company-wide infrastructure
- dynamic VPNs
- Cross-Company boundaries
diff --git a/security/vpn/Makefile b/security/vpn/Makefile
new file mode 100644
index 0000000..7d530a5
--- /dev/null
+++ b/security/vpn/Makefile
@@ -0,0 +1,9 @@
+all:
+ for pdf in `ls -1 handout_*.tex pres_*.tex` ; do \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ done
+
+clean:
+ rm -f *.aux *.log *.pdf *.log *.snm *.toc *.vrb *.nav *.out
+
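Review bot: The loop header on the second line of the `all` recipe builds the file list from a backtick `ls -1` and then expands `$$pdf` unquoted in both pdflatex invocations, so a file name with whitespace is word-split and the subshell is pure overhead; a shell glob does the same job directly: `for pdf in handout_*.tex pres_*.tex ; do \` with `pdflatex "$$pdf"` on the two command lines. The `clean` rule lists `*.log` twice; one occurrence can go. Neither target produces a file of its own name, so `.PHONY: all clean` at the top of the Makefile would keep a stray `all` or `clean` file from silently masking them.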
diff --git a/security/vpn/frm_product-openl2tp.tex b/security/vpn/frm_product-openl2tp.tex
new file mode 100644
index 0000000..6afc9b9
--- /dev/null
+++ b/security/vpn/frm_product-openl2tp.tex
@@ -0,0 +1,17 @@
+\begin{frame}[fragile]
+\frametitle{openL2TP}
+\begin{itemize}
+\item configurable to use Internet Protocol Security (IPsec)
+\item Pros:
+ \begin{itemize}
+ \item easy configuration
+ \item integration in existing Network infrastructures (e.g. NAT)
+ \item good security level (depends on configuration)
+ \end{itemize}
+\item Cons:
+ \begin{itemize}
+ \item scalability
+ \item not recommended for Infrastructure installations
+ \end{itemize}
+\end{itemize}
+\end{frame}
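Review bot: The first bullet, `configurable to use Internet Protocol Security (IPsec)`, reads as optional, yet the `good security level (depends on configuration)` bullet under Pros only holds when IPsec is actually enabled: L2TP on its own carries the tunnel without encryption. Make that dependency explicit so the two bullets agree, e.g. `\item without IPsec the L2TP tunnel is unencrypted; only L2TP/IPsec reaches the security level below`. The Cons bullet `scalability` is a bare noun; one clause saying in which direction it fails would make the comparison with the SWAN slide usable.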
diff --git a/security/vpn/frm_product-openvpn.tex b/security/vpn/frm_product-openvpn.tex
new file mode 100644
index 0000000..9804aee
--- /dev/null
+++ b/security/vpn/frm_product-openvpn.tex
@@ -0,0 +1,23 @@
+\begin{frame}[fragile]
+\frametitle{openVPN}
+\begin{itemize}
+\item based on Transport Layer Security (TLS/SSL)
+\item support Routing and Bridging
+\item Authentication:
+ \begin{itemize}
+ \item Pre-shared Keys (PSK)
+ \item Username/Password
+ \item Based on certificates
+ \end{itemize}
+\item Pros:
+ \begin{itemize}
+ \item flexible configuration
+ \item easy integration in existing Network infrastructures (e.g. NAT)
+ \item high security level
+ \end{itemize}
+\item Cons:
+ \begin{itemize}
+ \item None
+ \end{itemize}
+\end{itemize}
+\end{frame}
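Review bot: `Cons: None` on the last list is not credible on a comparison slide, and the deck itself supplies at least one: the product overview lists built-in clients only for IPsec (Mac OS X) and PPTP (Windows), so openVPN needs a separately installed client on every platform, and the TLS slide states it encrypts in userspace through the openSSL library rather than in the kernel. Suggest replacing the `None` bullet with `\item requires a separate client on every platform (no OS built-in)` and `\item userspace implementation (openSSL), not kernel-integrated`. Under Authentication, `Pre-shared Keys (PSK)` presumably means openVPN's static-key mode, which as far as I know covers only a single point-to-point peer; if so, it should be marked as such rather than listed as a peer of certificate-based authentication.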
diff --git a/security/vpn/frm_product-overview.tex b/security/vpn/frm_product-overview.tex
new file mode 100644
index 0000000..3f1be31
--- /dev/null
+++ b/security/vpn/frm_product-overview.tex
@@ -0,0 +1,26 @@
+\begin{frame}[fragile]
+\frametitle{VPN Product Overview}
+\begin{itemize}
+\item Internet Protocol Security (IPsec)
+ \begin{itemize}
+ \item openSWAN
+ \item strongSWAN
+ \item openL2TP
+ \item Mac OS X (built-in)
+ \end{itemize}
+\item Transport Layer Security (TLS/SSL)
+ \begin{itemize}
+ \item openVPN
+ \end{itemize}
+\item Point-to-Point Tunneling Protocol (PPTP)
+ \begin{itemize}
+ \item Poptop (pptpd)
+ \item Microsoft Windows XP and later (built-in)
+ \end{itemize}
+\item Commercial Products
+ \begin{itemize}
+ \item various Closed Source Software Solutions (e.g. Cisco)
+ \item various Hardware-based Solutions (e.g. Juniper, Sophos)
+ \end{itemize}
+\end{itemize}
+\end{frame}
diff --git a/security/vpn/frm_product-swan.tex b/security/vpn/frm_product-swan.tex
new file mode 100644
index 0000000..925c147
--- /dev/null
+++ b/security/vpn/frm_product-swan.tex
@@ -0,0 +1,20 @@
+\begin{frame}[fragile]
+\frametitle{free/open/strongSWAN}
+\begin{itemize}
+\item most flexible product: strongSWAN
+\item based on Internet Protocol Security (IPsec)
+\item support for IKEv1/v2, L2TP, and XAuth
+\item Pros:
+ \begin{itemize}
+ \item flexible configuration
+ \item support for nearly all authentication methods described in standard
+ \item very high security level
+ \end{itemize}
+\item Cons:
+ \begin{itemize}
+ \item complex configuration
+ \item setup requires knowledge of underlying Network topology
+ \item problems with IKEv1 in NAT topologies
+ \end{itemize}
+\end{itemize}
+\end{frame}
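Review bot: The Cons bullet `problems with IKEv1 in NAT topologies` should say whether it refers to setups without NAT traversal: IKE NAT-T (RFC 3947 with UDP encapsulation per RFC 3948) exists precisely for that case, and stating the condition tells the audience when the objection applies. The frame title names free/open/strongSWAN but every bullet after the first is written about strongSWAN only; either qualify the title or mark which bullets hold for openSWAN as well. `support for nearly all authentication methods described in standard` should name the standard it means (presumably the IKEv2 RFC), otherwise the claim is unverifiable.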
diff --git a/security/vpn/frm_protocol-gre.tex b/security/vpn/frm_protocol-gre.tex
new file mode 100644
index 0000000..d6c6c7c
--- /dev/null
+++ b/security/vpn/frm_protocol-gre.tex
@@ -0,0 +1,11 @@
+\begin{frame}[fragile]
+\frametitle{Generic Routing Encapsulation (GRE)}
+\begin{itemize}
+\item packet encapsulation in OSI Layer 3
+\item base encapsulation protocol for PPTP
+\item easy configuration
+\item easy integration in existing corporate-wide Network infrastructure and NAT
+\item \emph{Warning}: security rating only sufficient with EAP
+\item Please see: \url{http://www.heise.de/security/artikel/Der-Todesstoss-fuer-PPTP-1701365.html}
+\end{itemize}
+\end{frame}
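Review bot: The `\emph{Warning}` bullet hides the actual risk: GRE itself provides neither encryption nor authentication, and PPTP's protection comes entirely from the PPP layer (MPPE keyed from MS-CHAPv2), which is what the linked heise article (its title translates as "The death blow for PPTP") is about. `only sufficient with EAP` is also too broad, since EAP carrying a password-based MS-CHAPv2 exchange inherits the same weakness; the slide should say a certificate-based EAP method. Suggest `\item \emph{Warning}: GRE adds no confidentiality or integrity; PPTP relies on the PPP layer (MPPE/MS-CHAPv2), which the linked article breaks` followed by `\item security rating only sufficient with a certificate-based EAP method (e.g. EAP-TLS)`.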
diff --git a/security/vpn/frm_protocol-ipsec.tex b/security/vpn/frm_protocol-ipsec.tex
new file mode 100644
index 0000000..7f6a9c3
--- /dev/null
+++ b/security/vpn/frm_protocol-ipsec.tex
@@ -0,0 +1,15 @@
+\begin{frame}[fragile]
+\frametitle{IPsec}
+\begin{itemize}
+\item packet encapsulation in OSI Layer 2
+\item Linux Kernel provides IPsec implementation
+\item exploit Cryptographic Framework in Kernel
+\item supported modes:
+ \begin{itemize}
+ \item Transport: only the payload is encrypted (IP header is left unchanged)
+ \item Tunneling: IP header and payload is encrypted
+ \end{itemize}
+\item very high security rating
+\item basis for large network-infrastructures
+\end{itemize}
+\end{frame}
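Review bot: The first bullet, `packet encapsulation in OSI Layer 2`, is wrong: IPsec (AH/ESP) operates on IP packets at the network layer, so it should read `\item packet encapsulation in OSI Layer 3 (network layer)`, which also makes the GRE slide's "Layer 3" consistent with it. `exploit Cryptographic Framework in Kernel` will be read as an attack in a security deck; `\item uses the kernel's Cryptographic Framework` says what is meant. The `Tunneling` sub-bullet should mention that the encrypted original packet is wrapped in a new IP header, since that is the property that makes it usable between gateways, and `very high security rating` is only true for ESP with a sound cipher configuration, not for AH, which gives integrity only.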
diff --git a/security/vpn/frm_protocol-overview.tex b/security/vpn/frm_protocol-overview.tex
new file mode 100644
index 0000000..1efd5ce
--- /dev/null
+++ b/security/vpn/frm_protocol-overview.tex
@@ -0,0 +1,22 @@
+\begin{frame}[fragile]
+\frametitle{VPN Protocol Overview}
+\begin{itemize}
+\item Internet Protocol Security (IPsec)
+ \begin{itemize}
+ \item Internet Key Exchange (IKEv1, IKEv2)
+ \item Layer 2 Tunneling Protocol (L2TP)
+ \item XAUTH
+ \end{itemize}
+\item Transport Layer Security (TLS/SSL)
+ \begin{itemize}
+ \item TLS/SSL Authentication Methods
+ \end{itemize}
+\item Proprietary Protocols
+ \begin{itemize}
+ \item Generic Routing Encapsulation (GRE)
+ \begin{itemize}
+ \item Point-to-Point Tunneling Protocol (PPTP)
+ \end{itemize}
+ \end{itemize}
+\end{itemize}
+\end{frame}
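Review bot: The heading `Proprietary Protocols` over GRE is incorrect: GRE is an IETF standards-track protocol (RFC 2784), and PPTP itself is published as RFC 2637; what is vendor-specific is the PPP authentication and encryption PPTP relies on. A heading such as `\item Tunnelling without built-in security (GRE)` would describe the grouping and match the warning on the GRE slide. Under IPsec, `XAUTH` is an extension to IKEv1 for user authentication rather than a sibling of IKE and L2TP; nesting it under the IKE bullet would reflect that.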
diff --git a/security/vpn/frm_protocol-tls.tex b/security/vpn/frm_protocol-tls.tex
new file mode 100644
index 0000000..e806d23
--- /dev/null
+++ b/security/vpn/frm_protocol-tls.tex
@@ -0,0 +1,14 @@
+\begin{frame}[fragile]
+\frametitle{Transport Layer Security (TLS/SSL)}
+\begin{itemize}
+\item packet encapsulation in OSI Layer 6
+\item use userspace libraries for encryption (openSSL)
+\item easy integration in existing corporate-wide Network infrastructure and NAT
+\item flexible solution
+\item high security rating
+\item loosely coupled with Operating Systems
+\item single-port configuration possible
+\end{itemize}
+
+\emph{Note: TLS v1.0 is also known as SSL v3.1}
+\end{frame}
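Review bot: `high security rating` is stated without the condition it depends on, and the note at the bottom names TLS v1.0 as the reference version, which has published weaknesses in its CBC handling; the rating should state the assumption, e.g. `\item high security rating (with TLS 1.1/1.2 and a restricted cipher suite)`. The `TLS v1.0 is also known as SSL v3.1` note is only true of the wire version field, so `\emph{Note: TLS v1.0 carries protocol version 3.1 on the wire}` avoids implying the two are interchangeable names. `OSI Layer 6` is one of several mappings in use for TLS; placing it "between transport and application layer" is less likely to draw objections.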
diff --git a/security/vpn/frm_rec-adhoc.tex b/security/vpn/frm_rec-adhoc.tex
new file mode 100644
index 0000000..240ffa9
--- /dev/null
+++ b/security/vpn/frm_rec-adhoc.tex
@@ -0,0 +1,11 @@
+\begin{frame}[fragile]
+\frametitle{ad-hoc VPN Solution}
+openVPN
+
+Reasons:
+\begin{itemize}
+\item Ease-of-Use
+\item Best Effort-Benefit ratio
+\item Security
+\end{itemize}
+\end{frame}
diff --git a/security/vpn/frm_rec-dont-use.tex b/security/vpn/frm_rec-dont-use.tex
new file mode 100644
index 0000000..7e4b986
--- /dev/null
+++ b/security/vpn/frm_rec-dont-use.tex
@@ -0,0 +1,13 @@
+\begin{frame}[fragile]
+\frametitle{Be careful!}
+PPTP (pppd or OS built-in)
+
+Reasons:
+\begin{itemize}
+\item only a few configuration comply with the security requirements
+\end{itemize}
+
+Once again:
+
+\url{http://www.heise.de/security/artikel/Der-Todesstoss-fuer-PPTP-1701365.html}
+\end{frame}
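Review bot: `PPTP (pppd or OS built-in)` on the third line looks like a typo: pppd is the PPP daemon, while the product overview names the PPTP server as `Poptop (pptpd)`, so `PPTP (pptpd/Poptop or OS built-in)` would match it. The single reason, `only a few configuration comply with the security requirements`, needs `configurations` and should say which requirement is meant; the GRE slide already states it (certificate-based EAP), so `\item only configurations with certificate-based EAP meet the security requirements (see the GRE frame)` closes the loop.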
diff --git a/security/vpn/frm_rec-infratructure.tex b/security/vpn/frm_rec-infratructure.tex
new file mode 100644
index 0000000..6730652
--- /dev/null
+++ b/security/vpn/frm_rec-infratructure.tex
@@ -0,0 +1,11 @@
+\begin{frame}[fragile]
+\frametitle{VPN Infrastructure Solution}
+strongSWAN or openSWAN
+
+Reasons:
+\begin{itemize}
+\item Configuration
+\item Scalability
+\item Security
+\end{itemize}
+\end{frame}
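Review bot: `Configuration` listed as a reason for strongSWAN/openSWAN contradicts `complex configuration`, which frm_product-swan lists as a Con; state the sense in which it is a plus here (presumably the flexibility named under Pros) or drop the bullet. The file name `frm_rec-infratructure.tex` is missing an "s" (infrastructure); it is referenced with the same spelling in pres_vpn-fasttrack_en.tex, so both the file and the `\input` line have to be renamed together.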
diff --git a/security/vpn/frm_scene-a.tex b/security/vpn/frm_scene-a.tex
new file mode 100644
index 0000000..485c8ba
--- /dev/null
+++ b/security/vpn/frm_scene-a.tex
@@ -0,0 +1,12 @@
+\begin{frame}[fragile]
+\frametitle{Central VPN Server}
+\begin{enumerate}
+\item Control Unit connects to VPN Server
+\item Service Laptop connects to VPN Server
+\item Establish routing from VPN1 to VPN2 on Server
+\end{enumerate}
+\begin{figure}[h]
+\centering
+\includegraphics[width=7cm]{images/security-vpn-scenario-a.png}
+\end{figure}
+\end{frame}
diff --git a/security/vpn/frm_scene-b.tex b/security/vpn/frm_scene-b.tex
new file mode 100644
index 0000000..c589940
--- /dev/null
+++ b/security/vpn/frm_scene-b.tex
@@ -0,0 +1,11 @@
+\begin{frame}[fragile]
+\frametitle{Distributed VPN Server}
+\begin{enumerate}
+\item Service Laptop connects to Device
+\item Service Laptop establish VPN to Device
+\end{enumerate}
+\begin{figure}[h]
+\centering
+\includegraphics[width=7cm]{images/security-vpn-scenario-b.png}
+\end{figure}
+\end{frame}
diff --git a/security/vpn/pres_vpn-fasttrack_en.tex b/security/vpn/pres_vpn-fasttrack_en.tex
new file mode 100644
index 0000000..0e831e5
--- /dev/null
+++ b/security/vpn/pres_vpn-fasttrack_en.tex
@@ -0,0 +1,91 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\input{configpres}
+
+\subsection{Virtual Private Network}
+
+\title{VPN Fasttrack}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Fundamentals}
+
+\begin{frame}[fragile]
+\frametitle{How VPNs work}
+\begin{itemize}
+\item Use existing network connections between devices
+\item Encapsulate VPN network traffic
+\item Transparent for applications and user
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/security-vpn-base.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Protocols}
+
+\input{security/vpn/frm_protocol-overview}
+\input{security/vpn/frm_protocol-ipsec}
+\input{security/vpn/frm_protocol-tls}
+\input{security/vpn/frm_protocol-gre}
+
+% ----------------------------
+\subsubsection{Products}
+
+\input{security/vpn/frm_product-overview}
+\input{security/vpn/frm_product-swan}
+\input{security/vpn/frm_product-openl2tp}
+\input{security/vpn/frm_product-openvpn}
+
+% ----------------------------
+\subsubsection{Recommendations}
+\input{security/vpn/frm_rec-dont-use}
+\input{security/vpn/frm_rec-infratructure}
+\input{security/vpn/frm_rec-adhoc}
+
+% ----------------------------
+\subsubsection{Use Cases}
+\input{security/vpn/frm_scene-a}
+\input{security/vpn/frm_scene-b}
+
+% ----------------------------
+\subsubsection{Related Links}
+
+\begin{frame}
+Starting point on Wikipedia
+\begin{itemize}
+\item \url{http://en.wikipedia.org/wiki/Virtual_private_network}
+\end{itemize}
+VPN Background articles (in german)
+\begin{itemize}
+\item \url{http://heise.de/-270796}
+\item \url{http://heise.de/-270056}
+\end{itemize}
+Documentation
+\begin{itemize}
+\item \url{http://www.linuxtopia.org/online_books/linux_administrators_security_guide/index.html}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+Products:
+\begin{itemize}
+\item \url{http://www.strongswan.org/}
+\item \url{http://www.openswan.org/}
+\item \url{http://openvpn.net}
+\item \url{http://www.openl2tp.org/}
+\item \url{http://poptop.sourceforge.net/}
+\end{itemize}
+\end{frame}
+
+\subsection{}
+\input{tailpres}
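Review bot: The first line, `\def\lximg{/usr/share/lx/icons/fueller.png}`, hard-codes an absolute path that bypasses the TEXINPUTS search path the Makefile sets up, so the document only builds on a machine that has that file installed; the other graphics use repository-relative `images/...` paths, so `\def\lximg{<repo-relative path to fueller.png>}` (placeholder) would be consistent. `VPN Background articles (in german)` on the Related Links frame should read `(in German)`. The closing `\subsection{}` with an empty title is presumably required by tailpres; a short comment saying so would stop the next editor from removing it.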