SSH Tunneling
From Computing and Software Wiki
Revision as of 03:29, 14 April 2008
Tunneling refers to a packet based on one protocol being wrapped, or encapsulated, in a second packet based on another protocol. The encapsulating packet's protocol is whatever protocol is needed for the packet to travel over an intermediary network. An SSH tunnel is an encrypted network tunnel created over an SSH connection. SSH port forwarding carries TCP connections, so this type of tunnel lets you transmit otherwise insecure TCP traffic (plaintext logins, for example) in a secure fashion, and lets you carry protocols that the intermediary network would not otherwise pass. When a tunneling protocol encrypts the traffic it carries, as SSH does, transporting insecure protocols over the Internet in this way provides, in essence, VPN functionality. In real-life terms, tunneling is comparable to "encapsulating" a present (the original packet) in a box (the capsule) for delivery through the postal system.
Components of a tunnel
The Tunnel - The series of networks that the packet must travel to go from the starting network to the destination network.
Tunnel Interfaces - These are the points where the starting and destination networks come into contact with the tunnel; in an SSH tunnel they are the SSH client and the SSH server.
Passenger Protocol - This is the original data being transferred, which may be either insecure or incompatible with the carrier protocol.
Encapsulating Protocol - This is the protocol that is wrapped around the original passenger protocol. It must be understood by both tunnel interfaces and commonly comes in the form of GRE, IPSec, L2F, PPTP or L2TP; for an SSH tunnel the encapsulating protocol is SSH itself.
Carrier Protocol - This is the protocol used by the network that the encapsulated package is travelling over.
The Tunneling Process
In this example, we create a secure connection using SSH and local port forwarding (the -L option in OpenSSH).
1) First you launch the SSH client on the command line, specifying the local port to forward and the destination host and port it should be forwarded to.
2) The SSH client logs in to the remote SSH server using whatever authentication method is available, such as a password or a public key.
3) The SSH client binds the local port you specified. By default it binds only on the loopback interface, 127.0.0.1, so only processes on your own machine can use the tunnel; binding on other interfaces (the -g option or the GatewayPorts setting) exposes the forwarded port, and with it your authenticated session, to other hosts on the network.
4) When a process on the client machine connects to 127.0.0.1 on the port you specified, the SSH client program accepts the connection.
5) The SSH client asks the server, over the encrypted channel, to open a TCP connection to the destination, such as the mail server in the example below.
6) The client takes any bytes sent to the local port and sends them to the server inside the encrypted SSH session; the server decrypts them and sends them in the clear to the destination (the mail server). The server takes any bytes received from the mail server and sends them back inside the SSH session to the client, which decrypts them and delivers them in the clear to the process that connected to the bound port (the port you initially specified). Note that only the leg between the client and the SSH server is encrypted: the leg from the SSH server to the destination is ordinary TCP, so it is protected only if the destination is the SSH server itself (for example localhost:110) or sits on a network segment you trust.
7) When the connection is closed by either endpoint, the corresponding channel inside the SSH session is torn down as well.
Application
A typical use is to securely retrieve e-mail from work while at home, using a POP client. If you connected to the mail server directly, you would send your login and password in the clear (POP3 without TLS transmits them as plaintext) and risk having them stolen and subsequently used to gain access to confidential information.
To avoid this, instead of connecting directly, establish an SSH connection to a host on the network the mail server is part of. The SSH client software sets up a port forward so that traffic sent to a local POP port on your home computer is carried over the encrypted tunnel and delivered to the mail server's POP port. You then point your e-mail client at the local port; it behaves as if it were talking to the remote server, only now the session between your home computer and the work machine is encrypted. Anyone trying to listen in on that path will hear something resembling noise.
To set this up, all you need is an SSH client capable of tunneling. OpenSSH is a free, open-source version of the SSH connectivity tools and is standard on Linux, the BSDs and Mac OS X. Under Windows, you can use a commercial client such as SecureCRT, the free PuTTY (which also supports port forwarding), or Cygwin, a Linux-like environment for Windows that contains an SSH package.
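Both the step-by-step forwarding process above and this POP-over-SSH application come down to a single OpenSSH command. The following shell snippet is an added example, not part of the original page: it builds that command for the POP case and applies the two checks a practitioner wants before relying on the tunnel, namely that the listener is loopback-only and whether the server-to-destination hop travels in the clear. The host names mail.example.org and gw.example.org and the user alice are placeholders, not real systems.

```shell
#!/bin/sh
# Added example: build and sanity-check an OpenSSH local port forward
# (ssh -L) for the POP-over-SSH scenario. Host and user names are placeholders.

# Decide whether a -L destination is reached in the clear once traffic leaves
# the SSH server. Only a destination that is the SSH server itself
# (localhost / 127.x / ::1) stays on-box; anything else is a second,
# unencrypted TCP hop from the server to the destination.
# Returns 0 (true) when there is a cleartext hop, 1 otherwise.
forward_has_cleartext_hop() {
    case "$1" in
        localhost|127.*|::1) return 1 ;;   # same box as sshd: no network hop
        *)                   return 0 ;;   # separate host: cleartext hop
    esac
}

# Print the ssh command for: BIND:LPORT on this machine -> SSH -> TARGET -> DEST:DPORT.
# Refuses a non-loopback bind address unless EXPOSE_FORWARD=yes, because a
# listener on 0.0.0.0 lets any host that can reach you use the tunnel under
# your credentials (the same exposure -g / GatewayPorts creates).
build_local_forward() {
    bind=$1; lport=$2; dest=$3; dport=$4; target=$5
    case "$bind" in
        127.*|localhost|::1) ;;
        *) [ "${EXPOSE_FORWARD:-no}" = yes ] || {
               echo "refusing non-loopback bind address $bind" >&2
               return 1
           } ;;
    esac
    # -N: no remote shell, forwarding only.
    # -o ExitOnForwardFailure=yes: fail loudly instead of silently leaving you
    # with a session whose local port was never bound.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:%s:%s:%s %s\n' \
        "$bind" "$lport" "$dest" "$dport" "$target"
}

# Worked example: forward local port 1100 to the POP3 port (110) on the mail
# server, via the SSH gateway. Then point the mail client at 127.0.0.1:1100.
build_local_forward 127.0.0.1 1100 mail.example.org 110 alice@gw.example.org

# Before trusting the tunnel, confirm the listener is loopback-only, e.g.
#   ss -ltn 'sport = :1100'        (Linux)
#   netstat -an | grep 1100        (elsewhere)
if forward_has_cleartext_hop mail.example.org; then
    echo "note: gw.example.org -> mail.example.org:110 is an unencrypted hop" >&2
fi
```

If the mail server is the SSH server itself, use localhost as the destination (ssh -L 127.0.0.1:1100:localhost:110 alice@mail.example.org) so that no cleartext hop exists at all.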
See Also
The Future of the Internet: IPv6
--Partsea 22:31, 13 April 2008 (EDT)


