Tuesday, November 23, 2010

VPN VS SSH.... what's the difference?

DaveHowe: SSH *as* SSH is just a replacement for telnet - it's encrypted, it uses server-side (and optionally, client-side) PKI, but it's basically just telnet.

Where SSH overlaps into VPN's duty space is in its support for tunnelling - effectively, you can open a port on one end of the SSH link, and have the other end automatically connect to a port and IP address visible to that end of the link.

Let's take an example. You are on your LAN, at address (say) 192.168.1.20.

You connect using SSH to a server on another LAN across the internet, whose local (not internet) address is 192.168.2.20.

You have on your network a webserver on 192.168.1.50, and they have one on 192.168.2.50.

You can do the following:

You can open a port (say, 8080) on your machine to connect to the remote webserver. The command would be -L 8080:192.168.2.50:80

Anyone who connects to port 8080 on your machine actually connects to the remote webserver.

Second, you can open a port (say, 8080) on the REMOTE server, and connect to the local webserver. The command would be -R 8080:192.168.1.50:80

THIS tunnel would allow users on the remote LAN to connect to 8080 on the remote server, and they would actually connect to YOUR webserver.

Finally, you can open a dynamic tunnel, say on port 8080; this will act like a web proxy server, of type "SOCKS 4a". The command would be -D 8080

Anyone on your LAN who configures their web browser to use a proxy on port 8080 on your machine will be able to surf the web; however, all the network traffic will appear to come from the remote server. Consider, however, a -D tunnel to be a set of arbitrary tunnels of type -L or -R, created on demand; further, software that is "SOCKS aware" knows which port is being opened at the remote site, so provided it also knows what the IP of the remote server is, it can instruct connections back to use the tunnel that gets to itself. SOCKS is the most powerful mode of the three, but is difficult to configure properly, so it is the least used (apart from anonymizing web browsing :)

Now, VPN is a different technology, and works at the router (packet) level, not the port level. In essence, it inspects every network packet as it goes past to see if it matches a list of traffic it has been told to pass down the VPN; if it does, it wraps that one packet in an encrypted "envelope" and sends that envelope to the VPN endpoint, where it is decrypted and treated as any other outbound packet from that machine. The main difference is that the packet that leaves the remote VPN endpoint will still have as its source IP the original sender machine, not the endpoint (which is the case with SSH), so any replies to that packet will need to have been told how to route back to the VPN endpoint, or they can't be encrypted to be returned to the original machine.

open a tunn

Reference: http://www.experts-exchange.com/Security/Vulnerabilities/Q_24174061.html
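The -D mode described above is SSH acting as a SOCKS4a proxy: the browser hands the proxy a destination hostname and port, and the remote end of the tunnel resolves the name, connects, and relays bytes. The following is an added example, not code from DaveHowe's post or from the Experts Exchange thread, that models that handshake over loopback in Python: an echo server stands in for the remote webserver, and a tiny proxy plays the role of ssh/sshd for -D. The hostname intranet.example, the HOSTS resolver table and the payload are constructed for the demo; a real -D tunnel is implemented inside the ssh client and remote sshd, not by this code.

```python
# Added example (not part of DaveHowe's post): a minimal SOCKS4a handshake,
# the protocol that "ssh -D" speaks to the local browser. All names below
# are constructed for the demo; everything runs on loopback, no network needed.
import socket
import struct
import threading

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # "request granted"
REPLY_REJECTED = 0x5B  # "request rejected or failed"

# Constructed resolver table standing in for DNS at the *remote* end of -D:
# with SOCKS4a the client never resolves the name, it ships it in the request.
HOSTS = {"intranet.example": "127.0.0.1"}


def build_socks4a_request(host, port, userid=b""):
    """CONNECT request. DSTIP 0.0.0.x (x != 0) is the SOCKS4a marker telling
    the proxy to resolve the trailing DOMAIN field itself."""
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return header + userid + b"\x00" + host.encode("idna") + b"\x00"


def parse_socks4a_request(data):
    """Return (host, port, userid); host is a dotted IP for plain SOCKS4 and a
    DNS name when the 4a marker is present."""
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("unsupported SOCKS request")
    userid, _, rest = data[8:].partition(b"\x00")
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        host = rest.partition(b"\x00")[0].decode("idna")
    else:
        host = socket.inet_ntoa(ip)
    return host, port, userid


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def _relay(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_socks_client(client, resolve):
    """The remote-end role sshd plays for -D: resolve, connect, reply, relay."""
    host, port, _ = parse_socks4a_request(client.recv(1024))  # one segment on loopback
    try:
        upstream = socket.create_connection((resolve(host), port), timeout=5)
    except OSError:
        client.sendall(struct.pack("!BBH4s", 0, REPLY_REJECTED, port, b"\x00" * 4))
        client.close()
        return
    client.sendall(struct.pack("!BBH4s", 0, REPLY_GRANTED, port,
                               socket.inet_aton(upstream.getpeername()[0])))
    back = threading.Thread(target=_relay, args=(upstream, client), daemon=True)
    back.start()
    _relay(client, upstream)
    back.join()
    upstream.close()
    client.close()


def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def demo(payload=b"hello through -D"):
    """Echo server (the 'remote webserver') plus SOCKS4a proxy, all on loopback."""
    resolved = []

    def resolve(name):
        resolved.append(name)          # records that the *proxy* did the lookup
        return HOSTS.get(name, name)

    echo, proxy = _listen(), _listen()

    def echo_once():
        conn, _ = echo.accept()
        with conn:
            _relay(conn, conn)

    def proxy_once():
        conn, _ = proxy.accept()
        handle_socks_client(conn, resolve)

    threading.Thread(target=echo_once, daemon=True).start()
    threading.Thread(target=proxy_once, daemon=True).start()

    with socket.create_connection(proxy.getsockname(), timeout=5) as c:
        c.sendall(build_socks4a_request("intranet.example", echo.getsockname()[1]))
        _, code, _, _ = struct.unpack("!BBH4s", _recv_exact(c, 8))
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        echoed = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            echoed += chunk
    return {"granted": code == REPLY_GRANTED, "resolved_by_proxy": resolved, "echoed": echoed}
```

The point to take from the demo is in `resolved_by_proxy`: with the 4a form the name lookup happens on the proxy side, which in the real tunnel is the remote SSH server, so neither the connection nor the DNS query leaves your LAN in the clear. A browser that is only configured for plain SOCKS4 resolves the name locally first and sends the IP, which leaks the lookup even though the connection itself still rides the tunnel.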
