From Computerworld

Free software fights Net snoopers

April 30, 1999
Web posted at: 11:03 a.m. EDT (1503 GMT)

by Ann Harrison

(IDG) -- Free Linux-based software released this month could make it easier for companies to inexpensively guard against online eavesdroppers.


The software, called FreeS/WAN, uses strong encryption to create secure data tunnels between any two points on the Internet.

It is one of the latest tools to use the proposed Internet Protocol Security (IPSec) protocols, an eagerly awaited interoperable global standard for securing IP connections.

FreeS/WAN, which runs on an ordinary PC, automatically encrypts data packets as they traverse the Internet. It allows network administrators to build secure gateways in a virtual private network (VPN) without having to modify their operating systems or application software. A PC running FreeS/WAN can set up a secure tunnel in less than a second, its developers said.

The software encrypts 6 megabits of packets per second, easily handling the entire available bandwidth at most Internet sites. FreeS/WAN, which is open source code, is available for downloading at http://www.xs4all.nl/~freeswan/.

The software was designed to protect against "quiet" eavesdropping techniques such as packet sniffing and attacks based on IP spoofing, which attempt to impersonate a computer involved in a communication.

The S/WAN, or Secure Wide Area Network, initiative was originally launched by RSA Data Security Inc. for implementing IPSec to ensure interoperability among firewall and TCP/IP products. Because FreeS/WAN runs on an ordinary PC, it could offer a free alternative to costly VPN gateway boxes and proprietary VPN software.

Michael Zboray, vice president and research director for network security at Gartner Group Inc., said that although IPSec is an effective security protocol, corporate information technology managers may want to wait until a vendor incorporates FreeS/WAN into a commercial release. "I love Linux and IPSec, but there is enough trouble integrating this into a kernel and recompiling the kernel that this is just not a no-brainer," Zboray said. He added that commercial VPN products may be better suited for neophyte users who may compromise security by making mistakes configuring the software.

John Denker, division manager for information services research at AT&T Labs Research in Florham Park, N.J., has been using FreeS/WAN to secure Internet communications over cable modems. He said he's had no problems installing or configuring FreeS/WAN and noted that it is already well integrated into the Linux 2.0.36 kernel.

According to developers, FreeS/WAN 1.0 has been tested to install in the Red Hat 5.2 Linux release with a 2.0.36 kernel. "If you have a clue about administering a Linux box, the incremental clue that you need to do IPSec is not very large," Denker said.

He said that although it took a few days to test FreeS/WAN, the investment paid off in a secure tunneling system that is more stable and scalable than those produced by commercial IPSec products.

"I don't want a point-and-click interface. I want a database, I want open file formats, I want scripts that will go through and bang these puppies out in somewhere between the dozens and the thousands," he said.

Henry Spencer, technical lead for FreeS/WAN development, said that although eavesdroppers may be able to tell which VPN gateways are talking to each other, the identities of the machines behind them will remain hidden. "The long-term objective of this project is to get a significant chunk of the Internet encrypted, and obviously things like wiretapping are going to be much more difficult once that happens," Spencer said.

FreeS/WAN was built and released in Toronto, allowing users to avoid U.S. export restrictions on IPSec products that use strong encryption.

It includes an automated key exchange method, Internet Key Exchange (IKE), which authenticates each party in an IPSec transaction, negotiates security policy and handles the exchange of ephemeral session keys. FreeS/WAN uses Diffie-Hellman key agreement with 1,024-bit keys. Each packet of data is also secured with 168-bit Triple Data Encryption Standard (DES) encryption.
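The key exchange described above, worked through as an added example that is not FreeS/WAN's own code: two sides agree on a fresh Diffie-Hellman secret, derive session keys from it and both nonces with an HMAC pseudo-random function in the style of IKE's SKEYID derivation, and then integrity-protect packets with the derived key. The group parameters (a 127-bit Mersenne prime with generator 3), the derivation labels and the packet format are assumptions for illustration; the real 1,024-bit IKE group is far larger, and the Triple DES encryption layer is left out because it is not in the Python standard library.

```python
"""Ephemeral Diffie-Hellman key agreement and IKE-style session-key derivation (illustrative)."""
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2^127 - 1 with generator 3.
# IKE's real 1024-bit MODP group is far larger; do not reuse these parameters.
P = (1 << 127) - 1
G = 3
SECRET_LEN = 16  # bytes needed to hold a value below P
TAG_LEN = 20     # HMAC-SHA1 output length


def dh_keypair():
    """Fresh ephemeral exponent and public value; a new pair per exchange gives forward secrecy."""
    priv = secrets.randbelow(P - 2) + 1  # exponent in [1, P-2]
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret g^(xy) mod p, rejecting degenerate public values (0, 1, p-1, out of range)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate peer public value")
    return pow(peer_pub, priv, P)


def rejects_degenerate(peer_pub):
    """True if dh_shared refuses the given public value (used to check the guard above)."""
    try:
        dh_shared(5, peer_pub)
    except ValueError:
        return True
    return False


def prf(key, data):
    """Keyed pseudo-random function; IKE uses HMAC with the negotiated hash (here HMAC-SHA1)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_session_keys(shared, nonce_i, nonce_r):
    """Bind session keys to the DH secret and both nonces (SKEYID-style, after RFC 2409)."""
    g_xy = shared.to_bytes(SECRET_LEN, "big")
    skeyid = prf(nonce_i + nonce_r, g_xy)
    k_enc = prf(skeyid, g_xy + b"\x00")   # assumed labels; the real chain has more inputs
    k_auth = prf(skeyid, g_xy + b"\x01")  # k_enc would feed the (omitted) 3DES layer
    return k_enc, k_auth


def protect_packet(k_auth, seq, payload):
    """Integrity-protect a packet with an HMAC tag over sequence number and payload."""
    body = seq.to_bytes(4, "big") + payload
    return body + prf(k_auth, body)


def verify_packet(k_auth, packet):
    """Return (seq, payload) if the tag verifies, else None (tampered or truncated)."""
    if len(packet) < 4 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(k_auth, body)):
        return None
    return int.from_bytes(body[:4], "big"), body[4:]


def run_exchange():
    """Simulate initiator (I) and responder (R); return both key sets and the wire transcript.

    The transcript holds only what a passive eavesdropper sees: public values and nonces,
    never the private exponents or the derived keys.
    """
    priv_i, pub_i = dh_keypair()
    priv_r, pub_r = dh_keypair()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = {"pub_i": pub_i, "pub_r": pub_r, "nonce_i": nonce_i, "nonce_r": nonce_r}
    keys_i = derive_session_keys(dh_shared(priv_i, pub_r), nonce_i, nonce_r)
    keys_r = derive_session_keys(dh_shared(priv_r, pub_i), nonce_i, nonce_r)
    return keys_i, keys_r, transcript


if __name__ == "__main__":
    keys_i, keys_r, transcript = run_exchange()
    print("both sides agree:", keys_i == keys_r)
    pkt = protect_packet(keys_i[1], 1, b"constructed payload")
    print("verified:", verify_packet(keys_r[1], pkt))
```

Running the exchange twice yields different keys because both exponents and nonces are fresh each time, which is the property the article's "ephemeral session keys" refers to: compromise of one session's keys does not expose earlier or later tunnels.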

The Internet Engineering Task Force (IETF), which manages the proposed IPSec standard, is expected to discuss implementation of the specification at the next meeting of its IP Security Working Group in Oslo, Norway. The International Computer Security Association (ICSA) in Reston, Va., has been running IPSec interoperability tests for an industry extranet, the Automotive Industry Action Group's Automotive Network Exchange Project. In preliminary tests, the developers said FreeS/WAN is interoperable with Triple DES IPSec products from OpenBSD, PGP, Cisco, Raptor, Xedia and Secure Shell.

However, Zboray said vendors have yet to develop interoperability for all features of their products, which may require multiple levels of compliance. He added that both vendors and the IETF also lack firm strategies for multiprotocol IPSec that support network protocols such as IPX for remote access. "It's still a homogeneous vendor game for somewhere between six months and another year," Zboray said.

Newark, Calif.-based Red Creek Communications Inc., which develops VPN hardware and software, last week announced support for Red Hat Linux 6.0 for its Ravlin IPSec Card for 2.0x and 2.2x kernels. The driver is included in the latest Linux kernel tree and will be available on the Red Hat Linux 6.0 Application CD and at its Web site.

Red Creek's IPSec VPN card lets Linux customers use IPSec-based security to build secure VPN gateways. Agnes Imregh, the company's senior vice president of marketing, said although IPSec-based VPN hardware from various vendors has few interoperability problems, proprietary software clients aren't interoperable. She noted that management, configuration and monitoring of VPN boxes aren't covered by standards. "ICSA testing does not speak to that," Imregh said.
