field | value | date |
---|---|---|
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-01-30 12:25:57 +0000 |
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-01-30 12:25:57 +0000 |
commit | 9790537d64272aed35fda336ef18fac1fccd960d | |
tree | 4954aeddf9e8d7c2a3b282b686e9c7d764dc6ec2 /doc/src/web.html | |
parent | dd191aff56ffe1b3fc996a6ca94d829eaff9762b | |
- New upstream release.
Diffstat (limited to 'doc/src/web.html')
-rw-r--r-- | doc/src/web.html | 905 |
1 files changed, 0 insertions, 905 deletions
diff --git a/doc/src/web.html b/doc/src/web.html deleted file mode 100644 index 19df6ffa6..000000000 --- a/doc/src/web.html +++ /dev/null 
@@ -1,905 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> - <meta http-equiv="Content-Type" content="text/html"> - <title>FreeS/WAN web links</title> - <meta name="keywords" - content="Linux, IPsec, VPN, security, FreeSWAN, links, web"> - <!-- - - Written by Sandy Harris for the Linux FreeS/WAN project - Freely distributable under the GNU General Public License - - More information at www.freeswan.org - Feedback to users@lists.freeswan.org - - CVS information: - RCS ID: $Id: web.html,v 1.1 2004/03/15 20:35:24 as Exp $ - Last changed: $Date: 2004/03/15 20:35:24 $ - Revision number: $Revision: 1.1 $ - - CVS revision numbers do not correspond to FreeS/WAN release numbers. - --> -</head> - -<body> -<h1><a name="weblink">Web links</a></h1> - -<h2><a name="freeswan">The Linux FreeS/WAN Project</a></h2> - -<p>The main project web site is <a -href="http://www.freeswan.org/">www.freeswan.org</a>.</p> - -<p>Links to other project-related <a href="intro.html#sites">sites</a> are -provided in our introduction section.</p> - -<h3><a name="patch">Add-ons and patches for FreeS/WAN</a></h3> - -<p>Some user-contributed patches have been integrated into the FreeS/WAN -distribution. For a variety of reasons, those listed below have not.</p> - -<p>Note that not all patches are a good idea.</p> -<ul> - <li>There are a number of "features" of IPsec which we do not implement - because they reduce security. See this <a - href="compat.html#dropped">discussion</a>. We do not recommend using - patches that implement these. One example is aggressive mode.</li> - <li>We do not recommend adding "features" of any sort unless they are - clearly necessary, or at least have clear benefits. For example, - FreeS/WAN would not become more secure if it offerred a choice of 14 - ciphers. If even one was flawed, it would certainly become less secure - for anyone using that cipher. 
Even with 14 wonderful ciphers, it would be - harder to maintain and administer, hence more vulnerable to various human - errors.</li> -</ul> - -<p>This is not to say that patches are necessarily bad, only that using them -requires some deliberation. For example, there might be perfectly good -reasons to add a specific cipher in your application: perhaps GOST to comply -with government standards in Eastern Europe, or AES for performance -benefits.</p> - -<h4>Current patches</h4> - -<p>Patches believed current::</p> -<ul> - <li>patches for <a href="http://www.strongsec.com/freeswan/">X.509 - certificate support</a>, also available from a <a - href="http://www.twi.ch/~sna/strongsec/freeswan/">mirror site</a></li> - <li>patches to add <a href="http://www.irrigacion.gov.ar/juanjo/ipsec">AES - and other ciphers</a>. There is preliminary data indicating AES gives a - substantial <a href="performance.html#perf.more">performance - gain</a>.</li> -</ul> - -<p>There is also one add-on that takes the form of a modified FreeS/WAN -distribution, rather than just patches to the standard distribution:</p> -<ul> - <li><a href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6 - support</a></li> -</ul> - -<p>Before using any of the above,, check the <a href="mail.html">mailing -lists</a> for news of newer versions and to see whether they have been -incorporated into more recent versions of FreeS/WAN.</p> - -<h4>Older patches</h4> -<ul> - <li><a href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware - acceleration</a></li> - <li>a <a href="http://tzukanov.narod.ru/">series</a> of patches that - <ul> - <li>provide GOST, a Russian gov't. 
standard cipher, in MMX - assembler</li> - <li>add GOST to OpenSSL</li> - <li>add GOST to the International kernel patch</li> - <li>let FreeS/WAN use International kernel patch ciphers</li> - </ul> - </li> - <li>Neil Dunbar's patches for <a - href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">certificate - support</a>, using code from <a href="http://www.openssl.org">Open - SSL</a>.</li> - <li>Luc Lanthier's <a - href="ftp://ftp.netwinder.org/users/f/firesoul/">patches</a> for <a - href="glossary.html#PKIX">PKIX</a> support.</li> - <li><a href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</a> - to add <a href="glossary.html#blowfish">Blowfish</a>, <a - href="glossary.html#IDEA">IDEA</a> and <a - href="glossary.html#CAST128">CAST-128</a> to FreeS/WAN</li> - <li>patches for FreeS/WAN 1.3, Pluto support for <a - href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">external - authentication</a>, for example with a smartcard or SKEYID.</li> - <li><a href="http://www.zengl.net/freeswan/download/">patches and - utilities</a> for using FreeS/WAN with PGPnet</li> - <li><a - href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">Blowfish - encryption and Tiger hash</a></li> - <li><a - href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">patches</a> - for aggressive mode support</li> -</ul> - -<p>These patches are for older versions of FreeS/WAN and will likely not work -with the current version. 
Older versions of FreeS/WAN may be available on -some of the <a href="intro.html#sites">distribution sites</a>, but we -recommend using the current release.</p> - -<h4><a name="VPN.masq">VPN masquerade patches</a></h4> - -<p>Finally, there are some patches to other code that may be useful with -FreeS/WAN:</p> -<ul> - <li>a <a - href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">patch</a> - to make IPsec, PPTP and SSH VPNs work through a Linux firewall with <a - href="glossary.html#masq">IP masquerade</a>.</li> - <li><a href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">Linux - VPN Masquerade HOWTO</a></li> -</ul> - -<p>Note that this is not required if the same machine does IPsec and -masquerading, only if you want a to locate your IPsec gateway on a -masqueraded network. See our <a href="firewall.html#NAT">firewalls</a> -document for discussion of why this is problematic.</p> - -<p>At last report, this patch could not co-exist with FreeS/WAN on the same -machine.</p> - -<h3><a name="dist">Distributions including FreeS/WAN</a></h3> - -<p>The introductory section of our document set lists several <a -href="intro.html#distwith">Linux distributions</a> which include -FreeS/WAN.</p> - -<h3><a name="used">Things FreeS/WAN uses or could use</a></h3> -<ul> - <li><a href="http://openpgp.net/random">/dev/random</a> support page, - discussion of and code for the Linux <a - href="glossary.html#random">random number driver</a>. Out-of-date when we - last checked (January 2000), but still useful.</li> - <li>other programs related to random numbers: - <ul> - <li><a href="http://www.mindrot.org/audio-entropyd.html">audio entropy - daemon</a> to gather noise from a sound card and feed it into - /dev/random</li> - <li>an <a href="http://www.lothar.com/tech/crypto/">entropy-gathering - daemon</a></li> - <li>a driver for the random number generator in recent <a - href="http://sourceforge.net/projects/gkernel/">Intel chipsets</a>. 
- This driver is included as standard in 2.4 kernels.</li> - </ul> - </li> - <li>a Linux <a href="http://www.marko.net/l2tp/">L2TP Daemon</a> which - might be useful for communicating with Windows 2000 which builds L2TP - tunnels over its IPsec connections</li> - <li>to use opportunistic encryption, you need a recent version of <a - href="glossary.html#BIND">BIND</a>. You can get one from the <a - href="http://www.isc.org">Internet Software Consortium</a> who maintain - BIND.</li> -</ul> - -<h3><a name="alternatives">Other approaches to VPNs for Linux</a></h3> -<ul> - <li>other Linux <a href="#linuxipsec">IPsec implementations</a></li> - <li><a href="http://www.tik.ee.ethz.ch/~skip/">ENskip</a>, a free - implementation of Sun's <a href="glossary.html#SKIP">SKIP</a> - protocol</li> - <li><a href="http://sunsite.auc.dk/vpnd/">vpnd</a>, a non-IPsec VPN daemon - for Linux which creates tunnels using <a - href="glossary.html#Blowfish">Blowfish</a> encryption</li> - <li><a href="http://www.winton.org.uk/zebedee/">Zebedee</a>, a simple GPLd - tunnel-building program with Linux and Win32 versions. 
The name is from - <strong>Z</strong>lib compression, <strong>B</strong>lowfish encryption - and <strong>D</strong>iffie-Hellman key exchange.</li> - <li>There are at least two PPTP implementations for Linux - <ul> - <li>Moreton Bay's <a - href="http://www.moretonbay.com/vpn/pptp.html">PoPToP</a></li> - <li><a - href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</a></li> - </ul> - </li> - <li><a href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</a> - (crypto IP encapsulation) project, using their own lightweight protocol - to encrypt between routers</li> - <li><a href="http://tinc.nl.linux.org/">tinc</a>, a VPN Daemon</li> -</ul> - -<p>There is a list of <a -href="http://www.securityportal.com/lskb/10000000/kben10000005.html">Linux -VPN</a> software in the <a -href="http://www.securityportal.com/lskb/kben00000001.html">Linux Security -Knowledge Base</a>.</p> - -<h2><a name="ipsec.link">The IPsec Protocols</a></h2> - -<h3><a name="general">General IPsec or VPN information</a></h3> -<ul> - <li>The <a href="http://www.vpnc.org">VPN Consortium</a> is a group for - vendors of IPsec products. 
Among other things, they have a good - collection of <a href="http://www.vpnc.org/white-papers.html">IPsec white - papers</a>.</li> - <li>A VPN mailing list with a <a - href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">home page</a>, a FAQ, - some product comparisons, and many links.</li> - <li><a href="http://www.opus1.com/vpn/index.html">VPN pointer page</a></li> - <li>a <a href="http://www.epm.ornl.gov/~dunigan/vpn.html">collection</a> of - VPN links, and some explanation</li> -</ul> - -<h3><a name="overview">IPsec overview documents or slide sets</a></h3> -<ul> - <li>the FreeS/WAN <a href="ipsec.html">document section</a> on these - protocols</li> -</ul> - -<h3><a name="otherlang">IPsec information in languages other than -English</a></h3> -<ul> - <li><a - href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">German</a></li> - <li><a href="http://www.kame.net/index-j.html">Japanese</a></li> - <li>Feczak Szabolcs' thesis in <a - href="http://feczo.koli.kando.hu/vpn/">Hungarian</a></li> - <li>Davide Cerri's thesis and some presentation slides <a - href="http://www.linux.it/~davide/doc/">Italian</a></li> -</ul> - -<h3><a name="RFCs1">RFCs and other reference documents</a></h3> -<ul> - <li><a href="rfc.html">Our document</a> listing the RFCs relevant to Linux - FreeS/WAN and giving various ways of obtaining both RFCs and Internet - Drafts.</li> - <li><a href="http://www.vpnc.org/vpn-standards.html">VPN Standards</a> page - maintained by <a href="glossary.html#VPNC">VPNC</a>. 
This covers both - RFCs and Drafts, and classifies them in a fairly helpful way.</li> - <li><a href="http://www.rfc-editor.org">RFC archive</a></li> - <li><a href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</a> - related to IPsec</li> - <li>US government <a href="http://www.itl.nist.gov/div897/pubs"> site</a> - with their <a href="glossary.html#FIPS">FIPS</a> standards</li> - <li>Archives of the ipsec@tis.com mailing list where discussion of drafts - takes place. - <ul> - <li><a href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern - Canada</a></li> - <li><a href="http://www.vpnc.org/ietf-ipsec">California</a>.</li> - </ul> - </li> -</ul> - -<h3><a name="analysis">Analysis and critiques of IPsec protocols</a></h3> -<ul> - <li>Counterpane's <a - href="http://www.counterpane.com/ipsec.pdf">evaluation</a> of the - protocols</li> - <li>Simpson's <a - href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">IKE - Considered Dangerous</a> paper. Note that this is a link to an archive of - our mailing list. 
There are several replies in addition to the paper - itself.</li> - <li>Fate Labs <a href="http://www.fatelabs.com/loki-vpn.pdf">Virual Private - Problems: the Broken Dream</a></li> - <li>Catherine Meadows' paper <cite>Analysis of the Internet Key Exchange - Protocol Using the NRL Protocol Analyzer</cite>, in <a - href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">PDF</a> - or <a - href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">Postscript</a>.</li> - <li>Perlman and Kaufmnan - <ul> - <li><a - href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">Key - Exchange in IPsec</a></li> - <li>a newer <a - href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">PDF - paper</a>, <cite>Analysis of the IPsec Key Exchange - Standard</cite>.</li> - </ul> - </li> - <li>Bellovin's <a - href="http://www.research.att.com/~smb/papers/index.html">papers</a> page - including his: - <ul> - <li><cite>Security Problems in the TCP/IP Protocol Suite</cite> - (1989)</li> - <li><cite>Problem Areas for the IP Security Protocols</cite> (1996)</li> - <li><cite>Probable Plaintext Cryptanalysis of the IP Security - Protocols</cite> (1997)</li> - </ul> - </li> - <li>An <a href="http://www.lounge.org/ike_doi_errata.html">errata list</a> - for the IPsec RFCs.</li> -</ul> - -<h3><a name="IP.background">Background information on IP</a></h3> -<ul> - <li>An <a href="http://ipprimer.windsorcs.com/">IP tutorial</a> that seems - to be written mainly for Netware or Microsoft LAN admins entering a new - world</li> - <li><a href="http://www.iana.org">IANA</a>, Internet Assigned Numbers - Authority</li> - <li><a href="http://public.pacbell.net/dedicated/cidr.html">CIDR</a>, - Classless Inter-Domain Routing</li> - <li>Also see our <a href="biblio.html">bibliography</a></li> -</ul> - -<h2><a name="implement">IPsec Implementations</a></h2> - -<h3><a name="linuxprod">Linux products</a></h3> - -<p>Vendors using FreeS/WAN in turnkey 
firewall or VPN products are listed in -our <a href="intro.html#turnkey">introduction</a>.</p> - -<p>Other vendors have Linux IPsec products which, as far as we know, do not -use FreeS/WAN</p> -<ul> - <li><a href="http://www.redcreek.com/products/shareware.html">Redcreek</a> - provide an open source Linux driver for their PCI hardware VPN card. This - card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more specialised - crypto chips, and claimed encryption performance of 45 Mbit/sec. The PC - sees it as an Ethernet board.</li> - <li><a href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</a> - offer a Linux-based VPN with hardware encryption</li> - <li><a href="http://www.watchguard.com/">Watchguard</a> use Linux in their - Firebox product.</li> - <li><a href="http://www.entrust.com">Entrust</a> offer a developers' - toolkit for using their <a href="glossary.html#PKI">PKI</a> for IPsec - authentication</li> - <li>According to a report on our mailing list, <a - href="http://www.axent.com">Axent</a> have a Linux version of their - product.</li> -</ul> - -<h3><a name="router">IPsec in router products</a></h3> - -<p>All the major router vendors support IPsec, at least in some models.</p> -<ul> - <li><a href="http://www.cisco.com/warp/public/707/16.html">Cisco</a> IPsec - information</li> - <li>Ascend, now part of <a href="http://www.lucent.com/">Lucent</a>, have - some IPsec-based products</li> - <li><a href="http://www.nortelnetworks.com/">Bay Networks</a>, now part of - Nortel, use IPsec in their Contivity switch product line</li> - <li><a href="http://www.3com.com/products/enterprise.html">3Com</a> have a - number of VPN products, some using IPsec</li> -</ul> - -<h3><a name="fw.web">IPsec in firewall products</a></h3> - -<p>Many firewall vendors offer IPsec, either as a standard part of their -product, or an optional extra. 
A few we know about are:</p> -<ul> - <li><a href="http://www.borderware.com/">Borderware</a></li> - <li><a href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley - Laurent</a></li> - <li><a href="http://www.watchguard.com">Watchguard</a></li> - <li><a href="http://www.fx.dk/firewall/ipsec.html">Injoy</a> for OS/2</li> -</ul> - -<p>Vendors using FreeS/WAN in turnkey firewall products are listed in our <a -href="intro.html#turnkey">introduction</a>.</p> - -<h3><a name="ipsecos">Operating systems with IPsec support</a></h3> - -<p>All the major open source operating systems support IPsec. See below for -details on <a href="#BSD">BSD-derived</a> Unix variants.</p> - -<p>Among commercial OS vendors, IPsec players include:</p> -<ul> - <li><a - href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">Microsoft</a> - have put IPsec in their Windows 2000 and XP products</li> - <li><a - href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</a> - announce a release of OS390 with IPsec support via a crypto - co-processor</li> - <li><a - href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">Sun</a> - include IPsec in Solaris 8</li> - <li><a - href="http://www.hp.com/security/products/extranet-security.html">Hewlett - Packard</a> offer IPsec for their Unix machines</li> - <li>Certicom have IPsec available for the <a - href="http://www.certicom.com/products/movian/movianvpn_tech.html">Palm</a>.</li> - <li>There were reports before the release that Apple's Mac OS X would have - IPsec support built in, but it did not seem to be there when we last - checked. 
If you find, it please let us know via the <a - href="mail.html">mailing list</a>.</li> -</ul> - -<h3>IPsec on network cards</h3> - -<p>Network cards with built-in IPsec acceleration are available from at least -Intel, 3Com and Redcreek.</p> - -<h3><a name="opensource">Open source IPsec implementations</a></h3> - -<h4><a name="linuxipsec">Other Linux IPsec implementations</a></h4> - -<p>We like to think of FreeS/WAN as <em>the</em> Linux IPsec implementation, -but it is not the only one. Others we know of are:</p> -<ul> - <li><a href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</a>, a - lightweight implementation of IPsec for Linux. Does not require kernel - recompilation.</li> - <li>Petr Novak's <a href="ftp://ftp.eunet.cz/icz/ipnsec/">ipnsec</a>, based - on the OpenBSD IPsec code and using <a - href="glossary.html#photuris">Photuris</a> for key management</li> - <li>A now defunct project at <a - href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">U of - Arizona</a> (export controlled)</li> - <li><a href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</a> (export - controlled)</li> -</ul> - -<h4><a name="BSD">IPsec for BSD Unix</a></h4> -<ul> - <li><a href="http://www.kame.net/project-overview.html">KAME</a>, several - large Japanese companies co-operating on IPv6 and IPsec</li> - <li><a href="http://web.mit.edu/network/isakmp">US Naval Research Lab</a> - implementation of IPv6 and of IPsec for IPv4 (export controlled)</li> - <li><a href="http://www.openbsd.org">OpenBSD</a> includes IPsec as a - standard part of the distribution</li> - <li><a href="http://www.r4k.net/ipsec">IPsec for FreeBSD</a></li> - <li>a <a href="http://www.netbsd.org/Documentation/network/ipsec/">FAQ</a> - on NetBSD's IPsec implementation</li> -</ul> - -<h4><a name="misc">IPsec for other systems</a></h4> -<ul> - <li><a href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of - Technolgy</a> have implemented IPsec for Solaris, Java and Macintosh</li> -</ul> - -<h3><a 
name="interop.web">Interoperability</a></h3> - -<p>The IPsec protocols are designed so that different implementations should -be able to work together. As they say "the devil is in the details". IPsec -has a lot of details, but considerable success has been achieved.</p> - -<h4><a name="result">Interoperability results</a></h4> - -<p>Linux FreeS/WAN has been tested for interoperability with many other IPsec -implementations. Results to date are in our <a -href="interop.html">interoperability</a> section.</p> - -<p>Various other sites have information on interoperability between various -IPsec implementations:</p> -<ul> - <li><a href="http://www.opus1.com/vpn/atl99display.html">interop - results</a> from a bakeoff in Atlanta, September 1999.</li> - <li>a French company, HSC's, <a - href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">interoperability</a> - test data covers FreeS/WAN, Open BSD, KAME, Linux pipsecd, Checkpoint, - Red Creek Ravlin, and Cisco IOS</li> - <li><a href="http://www.icsa.net/">ICSA</a> offer certification programs - for various security-related products. See their list of <a - href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml"> - certified IPsec</a> products. Linux FreeS/WAN is not currently on that - list, but several products with which we interoperate are.</li> - <li>VPNC have a page on why they are not yet doing <a - href="http://www.vpnc.org/interop.html">interoperability</a> testing and - a page on the <a href="http://www.vpnc.org/conformance.html">spec - conformance</a> testing that they are doing</li> - <li>a <a href="http://www.commweb.com/article/COM20000912S0009">review</a> - comparing a dozen commercial IPsec implemetations. 
Unfortunately, the - reviewers did not look at Open Source implementations such as FreeS/WAN - or OpenBSD.</li> - <li><a - href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">results</a> - from interoperability tests at a conference. FreeS/WAN was not tested - there.</li> - <li>test results from the <a - href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">IPSEC - 2000</a> conference</li> -</ul> - -<h4><a name="test1">Interoperability test sites</a></h4> -<ul> - <li><a href="http://www.tahi.org/">TAHI</a>, a Japanese IPv6 testing - project with free IPsec validation software</li> - <li><a href="http://ipsec-wit.antd.nist.gov">National Institute of - Standards and Technology</a></li> - <li><a href="http://isakmp-test.ssh.fi/">SSH Communications - Security</a></li> -</ul> - -<h2><a name="linux.link">Linux links</a></h2> - -<h3><a name="linux.basic">Basic and tutorial Linux information</a></h3> -<ul> - <li>Linux <a - href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">Getting - Started</a> HOWTO document</li> - <li>A getting started guide from the <a - href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">U of - Oregon</a></li> - <li>A large <a href="http://www.herring.org/techie.html">link - collection</a> which includes a lot of introductory and tutorial material - on Unix, Linux, the net, . . 
.</li> -</ul> - -<h3><a name="general">General Linux sites</a></h3> -<ul> - <li><a href="http://www.freshmeat.net">Freshmeat</a> Linux news</li> - <li><a href="http://slashdot.org">Slashdot</a> "News for Nerds"</li> - <li><a href="http://www.linux.org">Linux Online</a></li> - <li><a href="http://www.linuxhq.com">Linux HQ</a></li> - <li><a href="http://www.tux.org">tux.org</a></li> -</ul> - -<h3><a name="docs.ldp">Documentation</a></h3> - -<p>Nearly any Linux documentation you are likely to want can be found at the -<a href="http://metalab.unc.edu/LDP">Linux Documentation Project</a> or -LDP.</p> -<ul> - <li><a href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</a> - guide to Linux information sources</li> - <li>The LDP's HowTo documents are a standard Linux reference. See this <a - href="http://www.linuxdoc.org/docs.html#howto">list</a>. Documents there - most relevant to a FreeS/WAN gateway are: - <ul> - <li><a href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel - HOWTO</a></li> - <li><a - href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">Networking - Overview HOWTO</a></li> - <li><a - href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">Security - HOWTO</a></li> - </ul> - </li> - <li>The LDP do a series of Guides, book-sized publications with more detail - (and often more "why do it this way?") than the HowTos. See this <a - href="http://www.linuxdoc.org/guides.html">list</a>. Documents there most - relevant to a FreeS/WAN gateway are: - <ul> - <li><a href="http://www.tml.hut.fi/~viu/linux/sag/">System - Administrator's Guide</a></li> - <li><a href="http://www.linuxdoc.org/LDP/nag2/index.html">Network - Adminstrator's Guide</a></li> - <li><a href="http://www.seifried.org/lasg/">Linux Administrator's - Security Guide</a></li> - </ul> - </li> -</ul> - -<p>You may not need to go to the LDP to get this material. Most Linux -distributions include the HowTos on their CDs and several include the Guides -as well. 
Also, most of the Guides and some collections of HowTos are -available in book form from various publishers.</p> - -<p>Much of the LDP material is also available in languages other than -English. See this <a href="http://www.linuxdoc.org/links/nenglish.html">LDP -page</a>.</p> - -<h3><a name="advroute.web">Advanced routing</a></h3> - -<p>The Linux IP stack has some new features in 2.4 kernels. Some HowTos have -been written:</p> -<ul> - <li>several HowTos for the <a - href="http://netfilter.samba.org/unreliable-guides/">netfilter</a> - firewall code in newer kernels</li> - <li><a - href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">2.4 - networking</a> HowTo</li> - <li><a - href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">2.4 - routing</a> HowTo</li> -</ul> - -<h3><a name="linsec">Security for Linux</a></h3> - -<p>See also the <a href="#docs.ldp">LDP material</a> above.</p> -<ul> - <li><a - href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">Trinity - OS guide to setting up Linux</a></li> - <li><a href="http://www.deter.com/unix">Unix security</a> page</li> - <li><a href="http://linux01.gwdg.de/~alatham/">PPDD</a> encrypting - filesystem</li> - <li><a href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption - HowTo</a> (outdated when last checked, had an Oct 2000 revision date in - March 2002)</li> -</ul> - -<h3><a name="firewall.linux">Linux firewalls</a></h3> - -<p>Our <a href="firewall.html">FreeS/WAN and firewalls</a> document includes -links to several sets of <a href="firewall.html#examplefw">scripts</a> known -to work with FreeS/WAN.</p> - -<p>Other information sources:</p> -<ul> - <li><a href="http://ipmasq.cjb.net/">IP Masquerade resource page</a></li> - <li><a href="http://netfilter.samba.org/unreliable-guides/">netfilter</a> - firewall code in 2.4 kernels</li> - <li>Our list of general <a href="#firewall.web">firewall references</a> on - the web</li> 
- <li><a href="http://users.dhp.com/~whisper/mason/">Mason</a>, a tool for - automatically configuring Linux firewalls</li> - <li>the web cache software <a href="http://www.squid-cache.org/">squid</a> - and <a href="http://www.squidguard.org/">squidguard</a> which turns Squid - into a filtering web proxy</li> -</ul> - -<h3><a name="linux.misc">Miscellaneous Linux information</a></h3> -<ul> - <li><a href="http://lwn.net/current/dists.php3">Linux distribution - vendors</a></li> - <li><a href="http://www.linux.org/groups/">Linux User Groups</a></li> -</ul> - -<h2><a name="crypto.link">Crypto and security links</a></h2> - -<h3><a name="security">Crypto and security resources</a></h3> - -<h4><a name="std.links">The standard link collections</a></h4> - -<p>Two enormous collections of links, each the standard reference in its -area:</p> -<dl> - <dt>Gene Spafford's <a - href="http://www.cerias.purdue.edu/coast/hotlist/">COAST hotlist</a></dt> - <dd>Computer and network security.</dd> - <dt>Peter Gutmann's <a - href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Encryption and - Security-related Resources</a></dt> - <dd>Cryptography.</dd> -</dl> - -<h4><a name="FAQ">Frequently Asked Question (FAQ) documents</a></h4> -<ul> - <li><a href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography - FAQ</a></li> - <li><a href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</a></li> - <li><a href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix - Programming FAQ</a></li> - <li>FAQs for specific programs are listed in the <a href="#tools">tools</a> - section below.</li> -</ul> - -<h4><a name="cryptover">Tutorials</a></h4> -<ul> - <li>Gary Kessler's <a - href="http://www.garykessler.net/library/crypto.html">Overview of - Cryptography</a></li> - <li>Terry Ritter's <a - href="http://www.ciphersbyritter.com/LEARNING.HTM">introduction</a></li> - <li>Peter Gutman's <a - href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">cryptography</a> - tutorial (500 
slides in PDF format)</li> - <li>Amir Herzberg of IBM's sildes for his course <a - href="http://www.hrl.il.ibm.com/mpay/course.html">Introduction to - Cryptography and Electronic Commerce</a></li> - <li>the <a href="http://www.gnupg.org/gph/en/manual/c173.html">concepts - section</a> of the <a href="glossary.html#GPG">GNU Privacy Guard</a> - documentation</li> - <li>Bruce Schneier's self-study <a - href="http://www.counterpane.com/self-study.html">cryptanalysis</a> - course</li> -</ul> - -<p>See also the <a href="#interesting">interesting papers</a> section -below.</p> - -<h4><a name="standards">Crypto and security standards</a></h4> -<ul> - <li><a href="http://csrc.nist.gov/cc">Common Criteria</a>, new - international computer and network security standards to replace the - "Rainbow" series</li> - <li>AES <a href="http://csrc.nist.gov/encryption/aes/aes_home.htm"> - Advanced Encryption Standard </a> which will replace DES</li> - <li><a href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key - standard</a></li> - <li>our collection of links for the <a href="#ipsec.link">IPsec</a> - standards</li> - <li>history of <a - href="http://www.visi.com/crypto/evalhist/index.html">formal - evaluation</a> of security policies and implementation</li> -</ul> - -<h4><a name="quotes">Crypto quotes</a></h4> - -<p>There are several collections of cryptographic quotes on the net:</p> -<ul> - <li><a href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</a></li> - <li><a href="http://www.samsimpson.com/cquotes.php">Sam Simpson</a></li> - <li><a href="http://www.amk.ca/quotations/cryptography/page-1.html">AM - Kutchling</a></li> -</ul> - -<h3><a name="policy">Cryptography law and policy</a></h3> - -<h4><a name="legal">Surveys of crypto law</a></h4> -<ul> - <li>International survey of <a - href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm"> crypto - law</a>.</li> - <li>International survey of <a - href="http://rechten.kub.nl/simone/ds-lawsu.htm"> digital signature - 
law</a></li> -</ul> - -<h4><a name="oppose">Organisations opposing crypto restrictions</a></h4> -<ul> - <li>The <a href="glossary.html#EFF">EFF</a>'s archives on <a - href="http://www.eff.org/pub/Privacy/">privacy</a> and <a - href="http://www.eff.org/pub/Privacy/ITAR_export/">export - control</a>.</li> - <li><a href="http://www.gilc.org">Global Internet Liberty Campaign</a></li> - <li><a href="http://www.cdt.org/crypto">Center for Democracy and - Technology</a></li> - <li><a href="http://www.privacyinternational.org/">Privacy - International</a>, who give out <a - href="http://www.bigbrotherawards.org/">Big Brother Awards</a> to snoopy - organisations</li> -</ul> - -<h4><a name="other.policy">Other information on crypto policy</a></h4> -<ul> - <li><a href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</a>, the <a - href="glossary.html#IAB">IAB</a> and <a - href="glossary.html#IESG">IESG</a> Statement on Cryptographic Technology - and the Internet.</li> - <li>John Young's collection of <a href="http://cryptome.org/">documents</a> - of interest to the cryptography, open government and privacy movements, - organized chronologically</li> - <li>AT&T researcher Matt Blaze's Encryption, Privacy and Security <a - href="http://www.crypto.com">Resource Page</a></li> - <li>A good <a href="http://cryptome.org/crypto97-ne.htm">overview</a> of - the issues from Australia.</li> -</ul> - -<p>See also our documentation section on the <a href="politics.html">history -and politics</a> of cryptography.</p> - -<h3><a name="crypto.tech">Cryptography technical information</a></h3> - -<h4><a name="cryptolinks">Collections of crypto links</a></h4> -<ul> - <li><a href="http://www.counterpane.com/hotlist.html">Counterpane</a></li> - <li><a href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter - Gutman's links</a></li> - <li><a href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI - links</a></li> - <li><a href="http://crypto.yashy.com/www/">Robert Guerra's links</a></li> 
-</ul> - -<h4><a name="papers">Lists of online cryptography papers</a></h4> -<ul> - <li><a href="http://www.counterpane.com/biblio">Counterpane</a></li> - <li><a - href="http://www.cryptography.com/resources/papers">cryptography.com</a></li> - <li><a href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</a></li> -</ul> - -<h4><a name="interesting">Particularly interesting papers</a></h4> - -<p>These papers emphasize important issues around the use of cryptography, -and the design and management of secure systems.</p> -<ul> - <li><a href="http://www.counterpane.com/keylength.html">Key length - requirements for security</a></li> - <li><a href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why - Cryptosystems Fail</a></li> - <li><a href="http://www.cdt.org/crypto/risks98/">Risks of escrowed - encryption</a></li> - <li><a href="http://www.counterpane.com/pitfalls.html">Security pitfalls in - cryptography</a></li> - <li><a href="http://www.acm.org/classics/sep95">Reflections on Trusting - Trust</a>, Ken Thompson on Trojan horse design</li> - <li><a href="http://www.apache-ssl.org/disclosure.pdf">Security against - Compelled Disclosure</a>, how to maintain privacy in the face of legal or - other coersion</li> -</ul> - -<h3><a name="compsec">Computer and network security</a></h3> - -<h4><a name="seclink">Security links</a></h4> -<ul> - <li><a href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</a></li> - <li>DMOZ open directory project <a - href="http://dmoz.org/Computers/Security/">computer security</a> - links</li> - <li><a href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</a></li> - <li>Mike Fuhr's <a - href="http://www.fuhr.org/~mfuhr/computers/security.html">link - collection</a></li> - <li><a href="http://www.networkintrusion.co.uk/">links</a> with an emphasis - on intrusion detection</li> -</ul> - -<h4><a name="firewall.web">Firewall links</a></h4> -<ul> - <li><a href="http://www.cs.purdue.edu/coast/firewalls">COAST - firewalls</a></li> - 
<li><a href="http://www.zeuros.co.uk">Firewalls Resource page</a></li> -</ul> - -<h4><a name="vpn">VPN links</a></h4> -<ul> - <li><a href="http://www.vpnc.org">VPN Consortium</a></li> - <li>First VPN's <a href="http://www.firstvpn.com/research/rhome.html">white - paper</a> collection</li> -</ul> - -<h4><a name="tools">Security tools</a></h4> -<ul> - <li>PGP -- mail encryption - <ul> - <li><a href="http://www.pgp.com/">PGP Inc.</a> (part of NAI) for - commercial versions</li> - <li><a href="http://web.mit.edu/network/pgp.html">MIT</a> distributes - the NAI product for non-commercial use</li> - <li><a href="http://www.pgpi.org/">international</a> distribution - site</li> - <li><a href="http://gnupg.org">GNU Privacy Guard (GPG)</a></li> - <li><a href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</a></li> - </ul> - A message in our mailing list archive has considerable detail on <a - href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">available - versions</a> of PGP and on IPsec support in them. - <p><strong>Note:</strong> A fairly nasty bug exists in all commercial PGP - versions from 5.5 through 6.5.3. If you have one of those, - <strong>upgrade now</strong>.</p> - </li> - <li>SSH -- secure remote login - <ul> - <li><a href="http://www.ssh.fi">SSH Communications Security</a>, for - the original software. It is free for trial, academic and - non-commercial use.</li> - <li><a href="http://www.openssh.com/">Open SSH</a>, the Open BSD team's - free replacement</li> - <li><a href="http://www.freessh.org/">freessh.org</a>, links to free - implementations for many systems</li> - <li><a href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</a></li> - <li><a - href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</a>, - an SSH client for Windows</li> - </ul> - </li> - <li>Tripwire saves message digests of your system files. Re-calculate the - digests and compare to saved values to detect any file changes. 
There are - several versions available: - <ul> - <li><a href="http://www.tripwiresecurity.com/">commercial - version</a></li> - <li><a href="http://www.tripwire.org/">Open Source</a></li> - </ul> - </li> - <li><a href="http://www.snort.org">Snort</a> and <a - href="http://www.lids.org">LIDS</a> are intrusion detection system for - Linux</li> - <li><a href="http://www.fish.com/~zen/satan/satan.html">SATAN</a> System - Administrators Tool for Analysing Networks</li> - <li><a href="http://www.insecure.org/nmap/">NMAP</a> Network Mapper</li> - <li><a href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse - Venema's page</a> with various tools</li> - <li><a href="http://ita.ee.lbl.gov/index.html">Internet Traffic - Archive</a>, various tools to analyze network traffic, mostly scripts to - organise and format tcpdump(8) output for specific purposes</li> - <li><a name="ssmail">ssmail -- sendmail patched to do</a> <a - href="glossary.html#carpediem">opportunistic encryption</a> - <ul> - <li><a href="http://www.home.aone.net.au/qualcomm/">web page</a> with - links to code and to a Usenix paper describing it, in PDF</li> - </ul> - </li> - <li><a href="http://www.openca.org/">Open CA</a> project to develop a - freely distributed <a href="glossary.html#CA">Certification Authority</a> - for building a open <a href="glossary.html#PKI">Public Key - Infrastructure</a>.</li> -</ul> - -<h3><a name="people">Links to home pages</a></h3> - -<p>David Wagner at Berkeley provides a set of links to <a -href="http://www.cs.berkeley.edu/~daw/people/crypto.html">home pages</a> of -cryptographers, cypherpunks and computer security people.</p> -</body> -</html> |
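Review bot: the commit message ("New upstream release.") gives no reason for deleting doc/src/web.html in full (905 lines), so it is unclear whether the removal comes from upstream or is local to this packaging. Please say which in the commit message. The deleted page defines named anchors ("interesting", "standards", "tools", "ssmail" and others) and links to the sibling pages glossary.html, politics.html, compat.html and intro.html. If any of those pages stay in doc/src, check that none of them still links to web.html or its anchors, so the deletion leaves no dangling references in the shipped documentation.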