Communications and Data Encryption
FreeS/WAN IPSEC stack:
- WWW site: www.freeswan.org
- X.509 certificate support: www.strongsec.com/freeswan/
- The leading free open source Linux IPSEC stack; commercial IPSEC stacks for network appliance developers are available from, for example, SSH Communications, SecGo, (F-Secure?)
- Advantages: free, open source, available for all, (cheap), interoperable
- Disadvantages: no management software, only 3DES encryption, limited support for hardware encryption and modern IP technologies
International Crypto API for GNU/Linux:
- WWW site: sourceforge.net/projects/cryptoapi/
- Provides kernel modules for creating encrypted loopback devices to encrypt for example your home partition
- Based on international crypto patch for GNU/Linux
- Advantages: free, open source, available for all, cheap, several encryption algorithms implemented (blowfish, AES etc.)
- Disadvantages: documentation, encrypting the whole disk or swap is not possible
Notes:
FreeS/WAN IPSEC stack:
- kernel patch (KLIPS) and utilities (PLUTO etc.)
- probably the cheapest way to quickly build an IPSEC gateway connecting two networks on a limited budget; tested it and it worked
- with X.509 certificate support works with SSH Sentinel very nicely and has interoperability configurations against several other VPN boxes available in the web
- often these interoperability configurations, however, fall back to pre-shared key authentication, which is not scalable
- AES or Blowfish encryption algorithms would be faster
- problems start when certificate or other large-scale management, scalability (SMP, multiple VPN terminators), throughput, or uncommon routing like 0.0.0.0/0 is needed
- a lot of manual tuning needed
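As an added illustration (not from the original slides) of the pre-shared-key fallback versus certificate authentication mentioned above: a FreeS/WAN ipsec.conf and ipsec.secrets sketch using the X.509 patch keywords. Gateway addresses, subnets, certificate and key file names, DNs and secrets are placeholders.

```ini
# --- Unscalable variant: pre-shared key, what many published
# interoperability recipes fall back to ---
# /etc/ipsec.conf (placeholder addresses and subnets)
conn net-net-psk
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    # IKE authenticated by a shared secret
    authby=secret
    auto=start

# /etc/ipsec.secrets
# one secret per gateway pair: every new peer means another secret
# to generate, distribute and rotate on both ends
192.0.2.1 198.51.100.1 : PSK "placeholder-long-random-secret"

# --- Scalable variant: X.509 certificates (FreeS/WAN + X.509 patch) ---
# /etc/ipsec.conf
conn net-net-x509
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    # our certificate (placeholder name) from /etc/ipsec.d/certs;
    # the public key is taken from the certificate itself
    leftcert=gwACert.pem
    leftrsasigkey=%cert
    # placeholder DN, must match the certificate subject
    leftid="C=FI, O=Example, CN=gwA"
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightrsasigkey=%cert
    rightid="C=FI, O=Example, CN=gwB"
    # IKE authenticated by RSA signature
    authby=rsasig
    auto=start

# /etc/ipsec.secrets
# our private key (placeholder name) from /etc/ipsec.d/private;
# peers are checked against the CA certificate in /etc/ipsec.d/cacerts,
# so adding a gateway means issuing a certificate, not editing every
# existing peer's secrets file
: RSA gwAKey.pem "placeholder-private-key-passphrase"
```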
International Crypto API for GNU/Linux:
- a file (used as the loopback device) and a patched mount (util-linux package) are needed; no kernel patch is needed nowadays
- tested and works very nicely when used to encrypt /home on a laptop; the performance loss is not noticeable (at least to the author)
- several different encryption choices possible (Mars, AES, Blowfish, Twofish)
- unfortunately cannot encrypt swap, root or whole disk, which creates a possible security vulnerability
- often /home is enough, and it's possible to secure the loopback file so that if it's transferred to a different place on the disk or to another disk, it's not possible to decrypt the data anymore