University of Minnesota, Academic and Distributed Computing Services (ADCS)

SSH and (vs.) VPN

[ Overview | Definitions | Why VPN/SSH? | The Dirty Details | More Resources ]
[ SSH for Windows | SSH for Macintosh ]

Overview

The University set up VPN (Virtual Private Network) in order to make connecting to the University network easier. VPN allows access to restricted resources at the University, which are available only through a connection to the University of Minnesota network. Examples of these resources are the abstracts, journals, periodicals, indexes and other research-related services that have been contracted by the University for the sole use of its student, faculty and staff community. VPN is used for accessing services on campus that require the user to be on-campus, such as PeopleSoft and some library resources. It is used to log in to the University network from off-campus, while making it appear that you are on campus. It is a bit like the modem pool for high-speed connections at home.

Information on how to download the necessary software, set up a VPN connection, and get support is located at http://vpn.umn.edu

SSH (Secure Shell) is used to connect directly to University servers and access files. It can be used in conjunction with the VPN, and is strongly encouraged as it does not send transmitted data in clear text format.

Definitions:

SSH: Secure Shell is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace telnet, ftp (fetch), rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network.

SSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, SSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods.

VPN: Virtual Private Network is a private network that is configured within (or to travel across) a public network in order to protect data or for other reasons. In this case, the University of Minnesota built a VPN to allow high-speed internet access users (DSL and cable modem users) access to University resources from their homes.

Encryption: a method of encoding data for security purposes by using complex mathematical factoring techniques. See Cryptography.

Cryptography: The conversion of data into a secret code for transmission over a public network. The original text, or "plaintext," is converted into a coded equivalent called "ciphertext" via an encryption algorithm. The ciphertext is decoded (decrypted) at the receiving end and turned back into plaintext.

"Sniffing": reading data sent across the network from somewhere along the line. It's analogous to eavesdropping on a phone call with a wiretap. Sniffing is trivially easy for those who know anything about how networks work. Therefore, anyone who wants to can get your passwords, read your e-mail, or check out your data. And this can be done anywhere along the path from your computer to the departmental computers.


Why?

Why VPN?

Many University users are now getting high-speed internet access in their homes, through DSL or cable modems. But with these high-speed connections, you have to go through a different ISP (Internet Service Provider, like Visi.com or RoadRunner). So when you try to log in to the University, the University sees you as just another machine on the internet in general. The University of Minnesota protects its resources from the internet, and that includes you if you're coming in from an ISP. So the VPN was created to allow University people access from home.

That's all it was meant to do. Those who are familiar with VPNs might wonder why we can't use the University's VPN to connect to departmental computers. That was a design decision on the part of those who are in charge of the VPN. Basically, it comes down to the fact that designing a VPN to match all the needs of all of the departments on campus would have been a nightmare, and probably impossible.

The VPN does, however, encrypt the data being sent from your home computer, and decrypts it when it gets to campus. So it protects you from sniffing out on the internet. It does NOT protect you from sniffers on campus.

Why SSH?

Access is granted to many servers either on a machine-by-machine basis (based on the IP address, that 160.94.xxx.xxx number) or by a group of machines based on their domain names (like umn.edu). That can't be done for most people at home, for various reasons. Also, even here on campus, data that is sent across the network is completely insecure and visible. "Sniffing," or reading that data straight off of the network from another computer, is fairly easy for those who know anything about how networks work. Therefore, it is not difficult for sniffers to read your passwords, read your e-mail, or check out your data. And this can be done anywhere along the path from your computer to the departmental computers. To defeat that, and to confirm that you actually are who you say you are when you try to log in, we use encryption (see Definitions).


The Dirty Details

VPN: University of Minnesota built a VPN to allow high-speed internet access users (DSL and cablemodem users) access to University resources from off-campus. The VPN will encrypt data sent from home until it gets to the VPN server on campus, but after that, the data is unencrypted as it passes over the local University network.

VPN

This is a fine solution for accessing general University resources from specific machines off-campus, such as a home computer. However, it does not work over the modem pool and it doesn't work very well while traveling to other places. Securing an academic environment, especially one as large as the University of Minnesota, is still a daunting task.

This is where SSH comes in:

  • It's more flexible, easier to set up, more portable, works across the modem pool, and also protects data traveling across the U.'s network.

One small detail: if you're using SSH from across the network (say, from another university) and NOT coming in across the modem pool or the VPN, you will be denied access to the Library and other resources, because they don't see you as being on the University's campus, which both the modem pool and the VPN mimic.
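The address-based and domain-based access rule described under "Why SSH?" and in the detail just above can be written down in a few lines. The following is an added example, not code from the ADCS page or from any University service: the 160.94.0.0/16 block is an assumption modelled on the "160.94.xxx.xxx" numbers the page mentions, the sample connection attempts are constructed, and the hostname check includes the caveat a practitioner would want about trusting reverse DNS.

```python
import ipaddress

# Added example, not code from the ADCS page. The page says access to many
# servers is granted by IP address (the 160.94.xxx.xxx numbers) or by domain
# name (umn.edu). The address block below is an assumption made for this
# illustration; real campus ranges are whatever the service actually allows.
CAMPUS_NETWORKS = [ipaddress.ip_network("160.94.0.0/16")]
CAMPUS_DOMAINS = ("umn.edu",)


def is_campus_address(ip_str):
    """True if the address falls inside one of the allowed campus blocks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in CAMPUS_NETWORKS)


def is_campus_hostname(hostname):
    """True if the name is a campus domain or a subdomain of one. Matching on
    '.' + domain prevents a lookalike such as 'notumn.edu' from passing as 'umn.edu'."""
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in CAMPUS_DOMAINS)


def access_decision(ip_str, reverse_name=None):
    """Return (allowed, reason) the way an address-based service would.
    A home DSL or cable-modem address satisfies neither rule, which is exactly
    why the page says such users need the VPN or modem pool: those make the
    connection appear to come from a campus address."""
    if is_campus_address(ip_str):
        return True, "address is inside a campus block"
    if reverse_name and is_campus_hostname(reverse_name):
        # Caveat: a reverse-DNS name is only trustworthy if it is forward-
        # confirmed (the name resolves back to this same address); whoever
        # controls a reverse zone can put any name in it.
        return True, "reverse DNS name is under a campus domain"
    return False, "looks like the Internet at large; connect via VPN or modem pool"


# Constructed sample connection attempts (documentation address ranges), not real log data.
SAMPLE_ATTEMPTS = [
    ("160.94.12.34", None),                    # lab machine on campus
    ("203.0.113.7", "dsl-7.example-isp.net"),  # home DSL via a commercial ISP
    ("198.51.100.9", "host.cs.umn.edu"),       # campus name on an off-block address
    ("198.51.100.10", "notumn.edu"),           # lookalike domain
]


def review_attempts(attempts=SAMPLE_ATTEMPTS):
    """Apply the rule to each attempt; returns a list of (ip, allowed, reason)."""
    return [(ip, *access_decision(ip, name)) for ip, name in attempts]


if __name__ == "__main__":
    for ip, allowed, reason in review_attempts():
        print(f"{ip:15} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Running it shows the home DSL address being refused while the campus address is admitted, which is the situation the VPN was built to work around.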

Port Forwarding or Tunneling:

All of the data traveling into and out of your computer travels by one wire, either your modem cord (phone cord) or your network cord. However, in order to allow applications that need to access that data to ignore what they don't need, data travels through virtual "ports," which are assigned numbers. Therefore, your FTP/FETCH window can send and receive data just along specific ports, and is therefore much more efficient. This can be visualized like this:

Certain ports are assigned and recognized all across the internet. Port 23 is telnet, 80 is the basic Web (Netscape, Explorer) port, etc. Under normal circumstances, the data traveling across all of these ports is unencrypted, which is why it's in red.

The VPN software encrypts everything, going out all of the ports. But remember, all of the VPN data is unencrypted as soon as it hits the VPN server, and your data is essentially dumped on the University's network unencrypted.

What SSH allows us to do is to send data that normally goes out its own port, say, 21, to be redirected and encrypted, and sent out an encrypted port. This is known as "tunneling." It's important to remember that the "ports" are not real in any physical sense, so the fact that data is all getting shoved down one port will not cause a bottleneck. The encryption itself takes some time, but the "tunneling" does not slow down the data.

A separate tunnel has to be created for each application/port. How to do that is described in the individual pages:

SSH for Windows
SSH for Macintosh
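The tunneling idea above (an application keeps talking to "its own" port, but the bytes are redirected through the SSH connection) is easier to grasp with a running model. The following is an added example, not code from the ADCS page or the SSH software: it builds the client-side half of an SSH local port forward (the real command is ssh -L localport:host:port user@sshhost) on loopback, with a small echo service standing in for the remote plaintext service. The forwarder itself does no encryption; the hop between the local listener and the upstream service is the part that, with real SSH, travels inside the encrypted session.

```python
import socket
import threading

# Added example, not code from the ADCS page. It models what an SSH local
# port forward (ssh -L <localport>:<host>:<port> user@sshhost) does on the
# client side: an application connects to a port on its own machine and the
# bytes are carried to the real service elsewhere. The carrying hop here is a
# plain loopback connection; with real SSH that hop is the encrypted session.


def _pump(src, dst):
    """Copy bytes from src to dst until src reports end-of-stream, then tell
    dst that no more data is coming. Sockets are not closed here because the
    reverse direction may still be in use on the same pair."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(port=0):
    """Bind a TCP listener on loopback; port 0 lets the OS pick a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    return sock


def start_echo_service():
    """Stand-in for the remote plaintext service (think port 21 or 23): it
    echoes whatever it receives. Returns the port it listens on."""
    srv = _listen()

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_local_forward(dest_port, local_port=0):
    """The client-side half of 'ssh -L': accept on a local port and relay each
    connection to 127.0.0.1:dest_port. Returns the local port actually bound."""
    listener = _listen(local_port)

    def loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            upstream = socket.create_connection(("127.0.0.1", dest_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]


def send_through_tunnel(local_port, payload):
    """What the application does: talk to localhost:local_port exactly as if it
    were the real service, and collect the reply until the stream ends."""
    with socket.create_connection(("127.0.0.1", local_port)) as app:
        app.sendall(payload)
        app.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = app.recv(4096)
            if not chunk:
                return reply
            reply += chunk


if __name__ == "__main__":
    service_port = start_echo_service()
    tunnel_port = start_local_forward(service_port)
    # Constructed sample: the first line an FTP client would send on port 21.
    print(send_through_tunnel(tunnel_port, b"USER anonymous\r\n"))
```

Each accepted connection gets its own pair of relay threads, which is why one tunnel serves any number of application connections to that one destination port; as the page says, a separate forward is still needed for each different application/port.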


More Resources:

SSH:

Cryptography/Encryption:

  • Defined at TechEncyclopedia.
  • If you really want to get into this, check out the book Applied Cryptography by Bruce Schneier. This is "the bible" of cryptography.