User guide
Chapter 3. Encryption
96
should also be protected when transmitted across a network. If the network session is encrypted, you do
not have to worry as much about the data being compromised while it is being transmitted.
Data in motion is particularly vulnerable to attackers because the attacker does not have to be near
the computer on which the data is stored; they only have to be somewhere along the communication path.
Encryption tunnels can protect data along that path.
3.5. Virtual Private Networks
Virtual Private Networks (VPNs) provide encrypted tunnels between computers or networks of
computers across all ports. With a VPN in place, all network traffic from the client is forwarded to the
server through the encrypted tunnel. This means that the client is logically on the same network as the
server it is connected to via the VPN. VPNs are very common and are simple to set up and use.
3.6. Secure Shell
Secure Shell (SSH) is a powerful network protocol used to communicate with another system over
a secure channel. The transmissions over SSH are encrypted and protected from interception.
Cryptographic logon (key-based authentication) can also be used to provide a stronger authentication
method than traditional usernames and passwords.
SSH is very easy to activate. Simply starting the sshd service makes the system begin to accept
connections and allow access when a correct username and password are provided during the
connection process. The standard TCP port for the SSH service is 22; however, this can be changed
by modifying the configuration file /etc/ssh/sshd_config and restarting the service. This file also
contains the other configuration options for SSH.
Secure Shell (SSH) also provides encrypted tunnels between computers, but only using a single port.
Port forwarding can be done over an SSH tunnel [1] and traffic will be encrypted as it passes over that
tunnel, but using port forwarding is not as fluid as a VPN.
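As an added illustration (not part of the guide), the following POSIX shell function reads an sshd_config and reports the settings sshd would actually apply: OpenSSH keeps the first value it meets for most keywords, Port may be given several times, and directives after a Match line apply only conditionally. The sample configuration below is constructed for the demonstration.

```shell
#!/bin/sh
# Print the effective Port, PasswordAuthentication and PubkeyAuthentication
# from an sshd_config read on stdin, applying OpenSSH's parsing rules:
#  - lines whose first non-blank character is '#' are comments
#  - keywords are case-insensitive, written as "Keyword value"
#  - Port may repeat (sshd listens on every one); default is 22
#  - for other keywords the first value wins; later repeats are ignored
#  - everything after the first Match line is conditional, so it is not
#    counted towards the global (unconditional) settings
sshd_effective() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { key = tolower($1) }
        key == "port"  { ports = ports (length(ports) ? " " : "") $2; next }
        key == "match" { exit }                  # END still runs after exit
        !(key in seen) { seen[key] = $2 }        # first value wins
        END {
            print "port=" (length(ports) ? ports : "22")
            print "passwordauthentication=" \
                ("passwordauthentication" in seen ? seen["passwordauthentication"] : "yes")
            print "pubkeyauthentication=" \
                ("pubkeyauthentication" in seen ? seen["pubkeyauthentication"] : "yes")
        }
    '
}

# Convenience wrapper: print one effective value by lowercase keyword name.
sshd_setting() {
    sshd_effective | sed -n "s/^$1=//p"
}

# Constructed sample: the default port is commented out, two ports are
# configured, PasswordAuthentication is set twice and again inside a Match.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
#Port 22
Port 2222
Port 2200
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
'

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_effective
```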
3.7. OpenSSL PadLock Engine
The VIA PadLock Engine is available in some VIA C3 processors (Nehemiah core) and provides extremely
fast hardware encryption and decryption.
To enable it, edit /etc/pki/tls/openssl.cnf and add the following at the beginning of the file:
openssl_conf = openssl_init
Then add the following to the end of the file:
[openssl_init]
engines = openssl_engines
[openssl_engines]
padlock = padlock_engine
[padlock_engine]
[1] http://www.redhatmagazine.com/2007/11/27/advanced-ssh-configuration-and-tunneling-we-dont-need-no-stinking-vpn-software