bubuko (Canada) asked:

VPN VS SSH.... what's the difference?

Is SSH like VPN tunneling? What's the difference? Which one is more secure?
DMTechGrooup (United States):

SSH is like using a secured version of Telnet. VPN is an encrypted tunnel; it's like being local but from a different location, so all traffic is encrypted over the internet.
bubuko (ASKER):

>>anyone who connects to port 8080 on your machine actually connects to the remote webserver
Do you mean the machine becomes a proxy server at 192.168.1.x? And when I open a port, can the port be any number? Here your example is 8080; can I just put anything?

>>the main difference is that the packet that leaves the remote vpn endpoint will still have as its source IP the original sender machine, not the endpoint

So the VPN client still has the local IP as source, and SSH will have the SSH server's local IP as source?

With either SSH or VPN, is the path between client and server the same? Tunneling as with VPN? Because it seems both are encrypted over the internet to me...

Which one is more secure, when comparing SSH with PPTP?

>> Do you mean the machine becomes a proxy server at 192.168.1.x ? and when I open port, the port can be any numbers? here your example is 8080, I can just put anything?

yes.

>> So vpn client still has the local ip as source and SSH will have the SSH server's local IP as source?

yes.

>> Either SSH or VPN, the path between client to server are the same? tunneling as VPN? because it seems both are encrypted over internet to me...

pretty much - with ssh, you have a single encrypted TCP connection to port 22 (usually) which carries all the traffic. this is a lot like how HTTPS works - "inside" it is still the base protocol (telnet or http) but with an added operation at each end to encrypt and decrypt the traffic.

with vpn (and this is a simplification, but not much of one) each packet is encrypted individually and sent as UDP - even if it was originally a TCP packet.
bubuko (ASKER):

>> So vpn client still has the local ip as source and SSH will have the SSH server's local IP as source? yes.

It sounds like SSH is just like regular incoming traffic through NAT...

I am not sure if you know DD-WRT. I set up my VPN and SSH there. But I am not sure if the SSH setting is secure enough there, because I didn't use any certificate or any public/private key... I don't know if the encryption method is the same as VPN or not. Please refer to the screenshot.

The other thing I wonder is whether ssh can do this...
Let's say I am outside in a cafe. I have a wireless connection to an AP, but no internet, because they want people to pay to use it. So now I have been assigned a private IP. Do you think that through PuTTY, and by entering proxy settings in the browser, I am able to connect to my home SSH server and access the internet?

[attachment: ssh.JPG]
not really. a NAT rewrites packets, whereas ssh tunnels are explicitly used as a relay point - think of it more like using a proxy server than traversing a NAT.

the server side of DD-WRT will have a key, as it generates one. you can iirc require a client-side certificate too, but it isn't required - a username and password will do. and yes, putty is able to be used as such a proxy (you just set the "dynamic" tunnel type, then tell your browser to use that as a socks proxy), although obviously you shouldn't use it to steal service you would otherwise not be entitled to.
bubuko (ASKER):

Really?! It can do it that way?! But I will not abuse it; I am just doing it for educational purposes. But how do I know which port they have open? I have to guess?

I read from this article http://www.goelweb.com/software/secure_web_browsing/index.html

Let's say I am at a free wifi spot; I don't think it's practical to use SSH. If I am doing online banking, and I ssh home and then go out to the internet, I think it's the same as doing it without ssh from the free wifi spot. Either way I still have to go through the internet, which is not secure.

Or in what situation do you think it's more secure to ssh home and then go to the internet, rather than directly to the internet from the hotspot?
bubuko (ASKER):

one more thing, I noticed there is a proxy setting in PuTTY where I can enter a username and password... but in DD-WRT where can I set this up?

On the first point - no way of knowing, other than that ssh runs on 22 so many services will block that. In fact, I thought most services would block all the common ports (ssh, smtp, pop3, imap, voip - skype/sip, that sort of thing) until you authenticated, but not having tried I couldn't say for sure :)

On the second point, you misunderstand the purpose of the setting. That setting is for *putty* to use a proxy to reach the ssh server, not for the ssh server to act as a proxy. the proxy setting for THAT is to use a dynamic (-D) tunnel.
bubuko (ASKER):

>> That setting is for *putty* to use a proxy to reach the ssh server, not for the ssh server to act as a proxy. the proxy setting for THAT is to use a dynamic (-D) tunnel.

It sounds complicated... the SSH server is already a proxy server... why use another proxy server to reach my proxy server?

I think you missed one of my questions above...
"Let's say I am at a free wifi spot; I don't think it's practical to use SSH. If I am doing online banking, and I ssh home and then go out to the internet, I think it's the same as doing it without ssh from the free wifi spot. Either way I still have to go through the internet, which is not secure.
It's like the diagram below.

Or in what situation do you think it's more secure to ssh home and then go to the internet, rather than directly to the internet from the hotspot?"

[attachment: proxydiagram1.JPG]
it's not a case of "it makes sense to do that" so much as "some places only allow internet access via a proxy server, so putty supports that if needed". If you aren't using a proxy server to reach the internet from where you are, leave that setting alone.

on the second point, to go to a banking site *which uses https or some other secure protocol* via ssh is pointless.

to go to a site *that uses http or any other insecure protocol* via ssh could mean that instead of your traffic being trivially sniffable by anyone with a wifi card and a copy of airpcap, someone needs to hack a router between your home server and the target site, a much harder task.

you may also have access to filtered resources (ie, sites that you can access via your home server that a random hotspot can't use, such as an smtp smarthost at your isp, or email spooled locally on your pc at home which is reachable via imap (or indeed, you can leave VNC running on a home pc and get an entire virtual desktop)).

another factor is that ssh tunnels can be compressed - so you can save bandwidth if that is restricted, and get "more" traffic per mb from the fatter pipe of your home service.

finally, you may not wish random web proxy logs at the hotspot to log where you are going or what you are doing.

so there *are* good reasons to do this, other than simply to protect a https connection that is already secure.
bubuko (ASKER):

Thanks DaveHowe. I am learning a lot from you.

>> to go to a site *that uses http or any other insecure protocol* via ssh could mean that instead of your traffic being trivially sniff able by anyone with a wifi card and a copy of airpcap...

>>you may not wish random web proxy logs at the hotspot to log where you are going or what you are doing.

This point I have been wondering about for a long time: why do some people want to do that? I can understand if they want to steal your credit card info or username/password, but nowadays it's impossible, it's all https secure protocol. All they can grab is which sites I have visited, right? What can they do with that? What do they want?

well, there are lots of cases where https security is applied only to the login - so (for example) you log into webmail, and it hands you back a session cookie plus a http webpage. when you click the link for an email, it sends you the text of that email *in plain text* and you send it the session cookie - which can be used to access other emails unless you log out from mail when you are done (rather than just closing the window, like most people do).

by default, normal email (pop3, imap, smtp) isn't encrypted either, so if you use (say) outlook to get your email, the attacker gets your logon password, plus any email you send/receive.

even if you aren't logging into anything at all, you might want to keep your browsing history private - say, if you were looking at STD sites....
bubuko (ASKER):

>> there are lots of cases where https security applied only to the login

>>by default, normal email (pop3, imap, smtp) isn't encrypted either, so if you use (say) outlook to get your email, the attacker gets you logon password

Do you mean normal mail doesn't have security applied to the login?
If it does, a hacker can only retrieve content, right? Not the password..

I just noticed Gmail only uses https for the login; after I log in it's http, like you say.
bubuko (ASKER):

by the way.. what does STD stand for?
Normal mail doesn't have security applied to the login - for example, pop3 and imap do not by default encrypt *anything*, not even the password. pop3/imap often support TLS (encryption after-the-fact) and have an encrypted form (pop3s/imaps - I am sure you "get" what those are by analogy from http/https) but they are rarely used. See if your provider offers either or both, and if so, turn it on - most mail clients support it (even outlook express) but the default is not to bother.

it's easily seen for yourself. get the application "trivialproxy" from http://www.xrayapp.com/trivialproxy/ and point it at your pop3 server. then tell your email client to get pop3 from "localhost" - you should see the entire thing scroll past on the screen, including the user and pass commands - in plaintext.

email is a holdover from a more trusting age, hence the fact spam is now like 85% of all email . . .

gmail has a flag to *stay* in https mode - settings, general page, browser mode - but it isn't the default.

and STD is "sexually transmitted disease" - the sort of page you don't want your mom catching you reading :)
bubuko (ASKER):

I see.. I just tried out the app, but I'm not sure how to use it. I will check out their website. Do you know any good capture software besides airpcap? That one is only used for wireless and is too expensive. I want to test the SSH security in my LAN too, to see whether I can capture the data.

I read this article http://www.schumi.ch/partner/SSHvsVPN.htm . I think it's well written, but at one point I don't understand. If a manager wants to send secure data over SSH to his desktop, does he need to run an SSH server on his desktop? If there are 2 managers, run 2 different ssh servers? Or just simply one SSH server that all the secure data goes to? And whenever they want to retrieve or send, they connect to that server?
Unfortunately, almost all *wifi* capture software is either

1) commercial

-or-

2) runs on linux

if you want to give #2 a try, I believe the "backtrack 3" bootable dvd contains most of the major wifi capture/hacking tools without requiring you to learn or install linux.

the app I recommended is a special sort of proxy server - consider it like a ssh non-dynamic tunnel, with the exceptions that:

1) it just relays, it doesn't connect to another machine first and

2) it logs everything it does to a file, the screen or both

it is a *very* useful diagnostic tool for a number of reasons, and an important part of my diagnostic toolkit.  I have successfully resolved problems even vendors have been unable to resolve by using that and a bit of understanding of how the underlying protocols work (for most of what you use it for, that requires that you read and understand the official document for that protocol, usually an RFC. for example, the current rfc for Pop3 is http://www.faqs.org/rfcs/rfc1939.html )

that said, often you can pick up the gist of how a given protocol works just by reading a working capture.

the free windows tools "wireshark" and "microsoft network monitor 3.2" are essential parts of any packet analysis toolkit - and can read captures taken using the backtrack disc mentioned earlier. For your *own* traffic only, the latter can capture wifi traffic - it isn't able to put the wifi card into "promiscuous" (sniffing) mode. I suspect we are wandering fairly far afield from what the question is supposed to be here though :)
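The plaintext POP3 login described a few posts up, and the "relay that logs everything" described in this post, as one added example that is not from the thread or from the trivialproxy tool: a constructed in-process POP3 server (speaking only the RFC 1939 USER/PASS/STAT/QUIT basics, no TLS), a logging TCP relay in the same spirit as trivialproxy, and a client pointed at "localhost" the way the thread suggests configuring a mail client. The host/port values and the user "bob" / password "hunter2" are made up; the point is that the relay's log, which is what a passive sniffer on the wire would also see, contains the credentials verbatim.

```python
import socket
import threading


def fake_pop3_server(port_holder, ready):
    """Constructed stand-in for a provider's POP3 server (not a real one).
    It answers the RFC 1939 basics (USER/PASS/STAT/QUIT) with no TLS,
    exactly as a plain port-110 server would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    srv.listen(1)
    port_holder.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as lines:
        conn.sendall(b"+OK POP3 ready\r\n")
        for line in lines:
            verb = line.strip().split(b" ", 1)[0].upper()
            if verb in (b"USER", b"PASS"):
                conn.sendall(b"+OK\r\n")
            elif verb == b"STAT":
                conn.sendall(b"+OK 0 0\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"+OK bye\r\n")
                break
            else:
                conn.sendall(b"-ERR unknown command\r\n")
    srv.close()


def logging_relay(target_port, port_holder, ready, log):
    """trivialproxy-style relay: accept one client on localhost, connect
    onward to the real server, copy bytes both ways, and record every chunk
    in `log`. The log is what anyone watching the wire would also capture."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    port_holder.append(lst.getsockname()[1])
    ready.set()
    client, _ = lst.accept()
    upstream = socket.create_connection(("127.0.0.1", target_port))

    def pump(src, dst, direction):
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            log.append((direction, chunk))
            dst.sendall(chunk)
        try:
            dst.shutdown(socket.SHUT_WR)  # pass the EOF along to the other side
        except OSError:
            pass

    pumps = [threading.Thread(target=pump, args=(client, upstream, "C->S")),
             threading.Thread(target=pump, args=(upstream, client, "S->C"))]
    for p in pumps:
        p.start()
    for p in pumps:
        p.join()
    client.close()
    upstream.close()
    lst.close()


def pop3_login_via(relay_port, user, password):
    """Mail-client behaviour with the account pointed at 'localhost' (the relay)."""
    with socket.create_connection(("127.0.0.1", relay_port)) as s, s.makefile("rb") as lines:
        replies = [lines.readline()]                  # server banner
        for cmd in (f"USER {user}", f"PASS {password}", "STAT", "QUIT"):
            s.sendall(cmd.encode() + b"\r\n")
            replies.append(lines.readline())
    return replies


def capture_pop3_session(user="bob", password="hunter2"):
    """Run server, relay and client together; return (client replies, relay log)."""
    srv_port, relay_port, log = [], [], []
    srv_ready, relay_ready = threading.Event(), threading.Event()
    srv_t = threading.Thread(target=fake_pop3_server, args=(srv_port, srv_ready))
    srv_t.start()
    srv_ready.wait()
    relay_t = threading.Thread(target=logging_relay,
                               args=(srv_port[0], relay_port, relay_ready, log))
    relay_t.start()
    relay_ready.wait()
    replies = pop3_login_via(relay_port[0], user, password)
    srv_t.join()
    relay_t.join()
    return replies, log


def leaked_credentials(log):
    """Pull USER/PASS arguments out of the captured client->server bytes,
    which is all a capture reader needs to do with unencrypted POP3."""
    stream = b"".join(chunk for direction, chunk in log if direction == "C->S")
    found = {}
    for line in stream.split(b"\r\n"):
        parts = line.split(b" ", 1)
        if parts[0] in (b"USER", b"PASS") and len(parts) == 2:
            found[parts[0].decode()] = parts[1].decode()
    return found


if __name__ == "__main__":
    replies, log = capture_pop3_session()
    for direction, chunk in log:
        print(direction, chunk)
    print("leaked:", leaked_credentials(log))
```

Pointing the same client at a pop3s (TLS) endpoint would leave the relay with only ciphertext to log, which is the whole argument for turning TLS on at the provider when it is offered.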
bubuko (ASKER):

So do you mean wireshark is able to capture LAN data?

By the way, you missed one of my questions above, if you don't mind...
>> So do you mean wireshark is able to capture LAN data?

Yes; on windows (with winpcap) this doesn't include wifi data, as winpcap doesn't support wifi - you need airpcap for that. On linux, pcap can capture both types of data, hence no issues

>> By the way, you missed one of my question above if you don't mind...

not seeing one I missed.
bubuko (ASKER):

WinPcap is the same as wireshark?

Here is the question:
I read this article http://www.schumi.ch/partner/SSHvsVPN.htm . I think it's well written, but at one point I don't understand. If a manager wants to send secure data over SSH to his desktop, does he need to run an SSH server on his desktop? If there are 2 managers, run 2 different ssh servers? Or just simply one SSH server that all the secure data goes to? And whenever they want to retrieve or send, they connect to that server?
no. pcap (and winpcap, the windows port) is the Packet CAPture library - p-cap. the windows port doesn't support wifi, and a version that does (airpcap) is commercial software.

wireshark started out life as Ethereal - a unix based package, using the pcap library. the windows version uses the windows port, hence the dependency.

ssh is point-to-point crypto - but then, so is vpn.

if a manager wants to send secure data to his workstation, the choices are:

a) run sshd on that workstation and connect to it directly or indirectly.

b) run sshd on some accessible server on the same network, and connect to that, and live with the fact that the link from accessible server to workstation is insecure. this is usually what vpn would give you (given it is usually an edge device service, not a service you run per-target)

c) connect in advance to the accessible server *from the workstation* to establish tunnel #1; leave this running. connect again to the accessible server from the client machine and establish tunnel #2 connected to tunnel #1; the traffic passes through #2 to the sshd, then back down #1 to the manager's workstation. this is more work, and only worthwhile if you can't trust your own network.

there are other variations on c) (such as using vnc or rdp to control the workstation over a ssh tunnel) but they amount to the same idea - using the sshd as a hopping point, not an end node.
bubuko (ASKER):

I think the easiest method is to set up an SSH server on each manager's desktop PC (if there aren't many) and open a corresponding port on the firewall to each ssh server. So managers can send their data to their own PC safely, either from external or internal. Does this make sense?
that will work fine if each manager can be trusted to manage their own user/pass to a level consistent with internet security - otherwise, you are probably better off having a "remote access" machine you can control yourself.

RDP isn't *that* bad a protocol for a lan - it isn't at all easy to crack, and runs on a single TCP port (3389)

so for a typical manager you could set up as follows:

ssh server: <internet address of ssh server>
ssh user:  <manager's usual login>
ssh pass: <password just for remote access>
ssh tunnel: -L 3389:<manager's lan IP>:3389

manager then connects using microsoft terminal services client as "localhost" and can both remote-control their LAN pc (running software installed there directly, no need for it to be installed to "home" pcs) and "see" the shared drives from the home pc, and so copy files back and forth if needed, simply by dragging and dropping in explorer.

while exposing RDP directly to the internet can be problematic (there are plenty of script kiddies who will try and brute-force any rdp ports they find open) reaching it via ssh is very secure.
bubuko (ASKER):

I see. I think you are talking about something like this in the diagram. VNC can also be implemented in this fashion.
But how about if I want to access a folder? I tried with FileZilla, but it seems I can only access those files on the SSH server. Is there any way I can achieve something like VNC/RDP does? For example, remote user Bob can only access his own PC's folder...

- Sorry to ask you another stupid question... I know with ssh it's point to point, secure all the way from the remote user PC to the end desktop. With VPN, it should also be secure from my laptop to my VPN server. But with either VPN or SSH, if the remote PC is not well protected by a firewall, for example if someone on the LAN hacks into my laptop, then I think at this point either ssh or vpn is not helpful, right?

[attachment: multiple-vnc.png]
RDP contains some drive sharing ability - but really, if you want to move files, you can tunnel anything that has file transfer as part of its protocol - ultravnc for example

http://www.uvnc.com

note you need not use a compressed form of vnc - as the ssh tunnel itself includes compression.

and you are right, ssh and vpn are both examples of encrypted *link* technologies - they don't provide end point security as such.

however, a vpn can be "full tunnel" in which case, all traffic (other than the vpn traffic itself) is sent down the vpn tunnel. in that case, it is not possible for the endpoint machine to be accessed other than over the vpn, as it is impossible to set up a tcp link to it or send udp packets from it, other than to/over the tunnel.

in that case, there is noticeably more security with a full tunnel vpn *when the vpn is in place*. there is nothing to stop your machine being hacked while the vpn is not running. Really though, you should secure the endpoint, and not rely on a routing trick to keep it secure for you (as an attacker could compromise the endpoint, wait for the vpn to come up, then run code to attempt to "escape" the vpn by either bypassing the client and sending/receiving traffic directly (using a raw packet transfer driver like sn0w1ng or pcap) or looking for an outbound web proxy on the remote network to connect out via).
bubuko (ASKER):

>>a vpn can be "full tunnel" in which case, all traffic (other than the vpn traffic itself) is sent down the vpn tunnel.

Do you mean to use the default gateway on the remote network?

[attachment: Win2k-defGW.png]
No, split tunnel and full tunnel have specific meanings in the vpn world - sometimes the vpn is presented as another network card, in which case a default route (0.0.0.0/0) is set to that card. in others, the vpn integrates into the tcp stack as a LSP and "grabs" traffic from the stack, which means it doesn't show up in your networking control panel. the native microsoft solution (pptp or ipsec) appears to be a dialup connector, as do most ADSL or other modems, despite not actually dialing anything.

split tunnel means that only specific traffic is sent to the vpn - for a network card, this means adding non-default routes to the routing table ("netstat -nr" or "route print" will show you those) and for an LSP, that means inspecting tcp traffic as it passes, and removing from the stack only those packets destined for the remote network (replacing them with vpn packets) while letting other traffic pass.
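The full-tunnel versus split-tunnel distinction above, for the "VPN as another network card" case, as an added example that is not from the thread: a longest-prefix-match lookup over constructed routing tables of the shape "route print" / "netstat -nr" would show. The interface names wlan0/tun0, the hotspot subnet 192.168.1.0/24, the remote office network 10.0.0.0/8 and the VPN server address 203.0.113.10 are all assumptions chosen for the illustration. The third table shows the one full-tunnel mistake a practitioner should check for: without a host route to the VPN server itself, the encrypted VPN packets would be routed back into the VPN adapter.

```python
import ipaddress

# Constructed routing tables: (destination network, outgoing interface).
# wlan0 is the hotspot's wireless card, tun0 is the VPN's virtual adapter,
# 203.0.113.10 (documentation range) stands in for the VPN server.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),          # default route moved onto the VPN adapter
    ("192.168.1.0/24", "wlan0"),    # the hotspot's own subnet stays directly connected
    ("203.0.113.10/32", "wlan0"),   # host route: the encrypted packets to the VPN
                                    # server still leave via the real card
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),         # default route stays with the hotspot
    ("192.168.1.0/24", "wlan0"),
    ("10.0.0.0/8", "tun0"),         # only the remote office network uses the VPN
]
# Mistaken full-tunnel table: no host route to the VPN server.
BROKEN_FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),
    ("192.168.1.0/24", "wlan0"),
]


def pick_interface(table, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    This is why a /8 split-tunnel route beats the /0 default, and why the
    /32 host route to the VPN server beats the VPN's own default route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net_str, iface in table:
        net = ipaddress.ip_network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def route_all(table, destinations):
    """Map each destination to the interface the table would send it out of."""
    return {dst: pick_interface(table, dst) for dst in destinations}


def is_full_tunnel(table, tun_iface="tun0"):
    """Full tunnel means the default route (prefix length 0) points at the VPN adapter."""
    return any(ipaddress.ip_network(n).prefixlen == 0 and i == tun_iface
               for n, i in table)


def tunnel_loops(table, vpn_server, tun_iface="tun0"):
    """True if the VPN's own encrypted packets would be routed into the VPN
    adapter, i.e. the tunnel would try to carry itself (nothing gets out)."""
    return pick_interface(table, vpn_server) == tun_iface


if __name__ == "__main__":
    probes = ["8.8.8.8", "10.1.2.3", "192.168.1.50", "203.0.113.10"]
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, "tunnel:", route_all(table, probes))
    print("broken full-tunnel table loops:",
          tunnel_loops(BROKEN_FULL_TUNNEL, "203.0.113.10"))
```

Running the probes shows the practical difference the post describes: with the full-tunnel table every internet destination (8.8.8.8 here) leaves via tun0, so browsing only works if the remote site forwards it; with the split-tunnel table only 10.x.x.x traffic uses the VPN and everything else goes straight out of the hotspot.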
bubuko (ASKER):

DaveHowe, your level is too high. I will have to study more to understand. And my concern now is: if I leave the box (DG) unchecked, do you think the VPN is still safe? Or is it more secure if I have the box checked?

It's more secure with the box checked, but *all* traffic will be sent down the vpn - so you will be unable to (for example) web browse unless the remote site you are connected to is willing to let you do that.
bubuko (ASKER):

Thank you, and sorry for keeping you here so long. But why is it more secure if I have the box checked? If not, is it because if I got hacked from the other end (DG to local router), the hacker is able to get into my PC and then find a way through the VPN tunnel?

And if I have the box checked, traffic only comes back and forth from the remote DG through the VPN tunnel, so it's more secure?
yes. you can't be "hacked" while your default route is via the remote site, as responses to packets from the hacker will be sent down the vpn, where they will not be permitted out from the network (even if this is allowed, the rules for NAT insist that packets are "new" traffic, not responses).

However, if your machine is hacked first, the running code can easily reconnect to its master on the internet via the remote network, if that network allows you outbound to the internet (either directly or via a proxy)