Author: Cory Buford
Vyatta offers hardware and open source software for enterprise-level network infrastructure. Vyatta can turn any 32-bit x86 machine with at least one network interface into a network appliance that handles routing, firewall, and VPN tasks. The company released Vyatta Community Edition 4 in April, with improved scalability and feature enhancements. Large enterprises now have a low-cost alternative to proprietary hardware like the Cisco 7200.
Most of the things that you can do with a Cisco box, you can also do with Vyatta software, and, unlike Cisco IOS, you don’t have to worry about a Vyatta software license, which saves you at least $1,000 compared to comparable Cisco equipment.
Vyatta supports several types of network interface hardware, such as the common 10/100/1000 NIC, T1/T3/E1 cards and, in this version, 10 Gigabit Ethernet, bringing Vyatta to the enterprise level. It supports standard network protocols such as RIPv2, OSPFv2, and BGPv4 for routing; PPP, 802.1Q, MLPPP, Frame Relay, HDLC, GRE, and PPPoE for encapsulation; IPsec, L2TP, PPTP, and RADIUS for security; DHCP server/relay and NAT for IP management; VRRP and VPN clustering for high availability; MLPPP and ECMP for load balancing; priority and classful queuing for QoS; and a stateful inspection firewall. Because it uses standard protocols, Vyatta can interact with network devices from Cisco, Juniper, and any other vendor whose products also follow the network standards.
For administration, Vyatta includes an integrated command-line interface that can be accessed through Telnet and SSHv2. In previous versions, you could also manage the box through a Web GUI, and this will be available for version 4 in the third quarter of 2008. To ease network troubleshooting, the tcpdump and Wireshark packet sniffers are also included. To keep a record of log or monitor events, Vyatta offers Syslog and SNMPv2c support, but not the tools themselves. To gather information through syslog, you can easily use free syslog servers like Kiwi and use Nagios or MRTG to gather information via SNMPv2c.
The biggest change in the latest release is a redesigned shell called FusionCLI based on the bash command shell. It looks like the previous version’s XORP shell, but is more powerful and will simplify future development. FusionCLI is different from the Cisco IOS CLI, but will feel familiar to those using the Juniper OS CLI. Other features new to this release are remote access VPN, WAN link load balancing, ECMP, PPPoE, role-based user access, and tunnel interfaces. Improvements in this release include the routing protocols (RIP, OSPF, and BGP), DHCP client reliability, and additional QoS traffic shaping mechanisms. For complete details on its features, refer to the software datasheets.
All of these features are available for free in the community edition, but major bug fixes and updates are available only in six-month intervals. If you want priority updates and support, you can buy a subscription plan.
Configuring advanced features
To start configuring Vyatta Community Edition 4, you must first download it from the developer’s site. You can either download it in ISO format or as a VMware appliance version. I chose the ISO format and burned it to a CD.
You can deploy Vyatta as a live CD, install it on your hard drive, or make a bootable USB. I installed Vyatta on the disk, in a VMware virtual machine with an allocated disk space of 1024MB, 512MB of RAM, and two virtual NICs which are bridged by two physical NICs. The physical hardware is an Intel Core 2 Duo with 2GB of RAM. To install the software, boot the live CD, log in, and run the command install-system. In most cases, you can choose the default Auto option, then restart your computer after the installation.
After logging in following boot-up, enter the command configure to configure the router. If you need any help with the commands, as in Cisco IOS, type ? or press Tab for auto completion. I first test whether Vyatta detects my network interfaces by using the command show interfaces. With the network interfaces detected properly, I configure the basic setup to include the IP address setting of the interfaces, NAT, and a simple static route. Below is a brief list of the basic settings that I used. Those familiar with the Juniper OS CLI will find that Vyatta CLI commands follow almost the same pattern. All changes that you make in Vyatta must be enabled with the command commit. After you configure the settings, use the command save to store the configuration permanently.
vyatta@vyatta# edit interfaces ethernet eth0
vyatta@vyatta# set description outside
vyatta@vyatta# set address 10.10.10.2/24 - IP address of eth0
vyatta@vyatta# edit interfaces ethernet eth1
vyatta@vyatta# set description internal
vyatta@vyatta# set address 192.168.30.1/24 - IP address of eth1
vyatta@vyatta# set protocols static route 0.0.0.0/0 next-hop 10.10.10.1 - static route to access outside
vyatta@vyatta# set service nat rule 1
vyatta@vyatta# edit service nat rule 1
vyatta@vyatta# set type masquerade
vyatta@vyatta# set outbound-interface eth0 - indicates that all outbound traffic will use eth0 address
vyatta@vyatta# set protocols all
vyatta@vyatta# set source network 192.168.30.0/24
vyatta@vyatta# set destination address 0.0.0.0/0
vyatta@vyatta# commit
After setting up the basic configuration, we can proceed to Vyatta’s more advanced configuration. Since we’re concerned with security, we must set some firewall policies. To do that, first enable the firewall with the set firewall command. We can then create a firewall rule set with the name “test,” then add firewall policies or rules to it.
vyatta@vyatta# set firewall name test
vyatta@vyatta# edit firewall name test
vyatta@vyatta# set rule 1
vyatta@vyatta# edit rule 1
vyatta@vyatta# set source address 192.168.30.0/24
vyatta@vyatta# set protocol tcp
vyatta@vyatta# set destination address 0.0.0.0/0
vyatta@vyatta# set destination port ftp
vyatta@vyatta# set action reject
vyatta@vyatta# commit
vyatta@vyatta# edit firewall name test
vyatta@vyatta# set rule 2
vyatta@vyatta# edit rule 2
vyatta@vyatta# set source address 192.168.30.0/24
vyatta@vyatta# set destination address 0.0.0.0/0
vyatta@vyatta# set action accept
The commands above construct a simple firewall policy in which any traffic from source address 192.168.30.0/24, which is our internal network, to any destination (indicated by 0.0.0.0/0) is allowed, but traffic destined for the “ftp” port is rejected. Rules are evaluated in order, so the reject rule (rule 1) must come before the general accept rule (rule 2). The firewall policy is useless until we bind it to the appropriate network interface. In this case, since it is an internal network going to an outside network, the intended direction of the policy is outbound.
vyatta@vyatta# edit interfaces ethernet eth0
vyatta@vyatta# set firewall out name test
vyatta@vyatta# commit
When testing the configuration, I tried accessing FTP sites using port 21 on the Internet — to no avail. This means that the firewall is working properly.
Now we can set up a simple site-to-site IPsec VPN. VPN connections are negotiated in two stages, known as Phase 1 and Phase 2. Phase 1 (IKE) establishes the security parameter agreement between the two gateways. Phase 2 (ESP) uses these parameters to bring up the VPN tunnel. When setting up a VPN connection, all Phase 1 and Phase 2 parameters must be identical to those at the other end of the connection. Even a single dissimilar parameter will cause the VPN connection to fail.
vyatta@vyatta# set vpn ipsec
vyatta@vyatta# edit vpn ipsec
vyatta@vyatta# set ipsec-interfaces
vyatta@vyatta# edit ipsec-interfaces
vyatta@vyatta# set interface eth0
vyatta@vyatta# set ike-group p1
vyatta@vyatta# edit ike-group p1
vyatta@vyatta# set lifetime 7200
vyatta@vyatta# set ike-group p1 proposal 1
vyatta@vyatta# edit ike-group p1 proposal 1
vyatta@vyatta# set encryption 3des
vyatta@vyatta# set hash md5
vyatta@vyatta# set dh-group 2
vyatta@vyatta# set esp-group p2
vyatta@vyatta# edit esp-group p2
vyatta@vyatta# set lifetime 1800
vyatta@vyatta# set esp-group p2 proposal 1
vyatta@vyatta# edit esp-group p2 proposal 1
vyatta@vyatta# set encryption 3des
vyatta@vyatta# set hash md5
vyatta@vyatta# set site-to-site
vyatta@vyatta# edit site-to-site
vyatta@vyatta# set peer 10.10.10.1 - public address of the remote network
vyatta@vyatta# edit peer 10.10.10.1
vyatta@vyatta# set authentication pre-shared-secret myvpn - using pre-shared key as authentication
vyatta@vyatta# set ike-group p1
vyatta@vyatta# set local-ip 10.10.10.2 - public address of Vyatta
vyatta@vyatta# set tunnel 1
vyatta@vyatta# edit tunnel 1
vyatta@vyatta# set local-subnet 192.168.30.0/24 - internal address of Vyatta
vyatta@vyatta# set remote-subnet 192.168.40.0/24 - internal address of the remote network
vyatta@vyatta# set esp-group p2
vyatta@vyatta# commit
Looking at the commands establishing the IPsec VPN, the first thing to do is to configure the Phase 1 and Phase 2 parameters. Phase 1 needs an encryption algorithm (3des) for confidentiality, a hash algorithm (md5) for integrity, and a Diffie-Hellman group (group 2) for secure generation of the shared secret. In Vyatta, encryption may be AES, DES, or 3DES, and the hash algorithm may be either MD5 or SHA-1. For Diffie-Hellman, groups 2 and 5 are commonly used. So in this case, I used the combination 3des-md5 dh-group2 as my Phase 1 parameters, though you could also use aes-md5 dh-group2. For a detailed description of the whole VPN process, read the National Institute of Standards and Technology’s Special Publication 800-77. Other encryption and hash algorithms are available, but as the key length of the algorithm you use increases, so does the processing overhead.
In Phase 2, we use the ESP protocol. Authentication Header (AH) is another Phase 2 protocol, but it is not supported in Vyatta: AH provides only data integrity and authentication, while ESP provides data integrity, authentication, and encryption, and therefore confidentiality of the data. Although references will not directly state that ESP is better, the added encryption capability is a great benefit. For more on the decline of AH, read pages 30-36 of NIST Special Publication 800-77 and “Securing Data in Transit with IPSec” on WindowsSecurity.com.
Returning to Phase 2, we use 3des-md5 here as well. You can choose a different algorithm if you wish, but be sure the same parameters, or settings, are applied on the other end of the VPN. After we’ve set the parameters, we bind them to a network interface, in most cases the public interface. Next, enter the peer address (the public address of the other side) and configure its authentication. I chose pre-shared-key authentication and used the passphrase “myvpn.” Lastly, we indicate the local and remote private networks that will be tunneled through the VPN connection. Enter commit, and we now have a working VPN.
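Two of the points above are easy to get wrong in a long CLI session: a firewall rule set that is defined but never bound to an interface filters nothing, and a single IKE or ESP parameter that differs from the peer's breaks the tunnel. The script below is an added example, not part of the original article or of Vyatta itself. It parses a Vyatta-style configuration transcript with a deliberately simplified model of the CLI (edit descends relative to the current level, exit goes up one level, top returns to the root, set records a path, and commit/save are ignored), then reports unbound rule sets and compares the Phase 1 and Phase 2 parameters of two sides. The transcripts it runs on are constructed for the example: the remote side has a different IKE lifetime and a different ESP hash, and an "unused" rule set is defined but never bound.

```python
"""Sanity checks over Vyatta-style CLI configuration transcripts (added example).

Check 1: every firewall rule set defined under 'firewall name' is bound to
         some interface (an unbound rule set filters nothing).
Check 2: the IKE (Phase 1) and ESP (Phase 2) parameters on the local side
         match those on the VPN peer; a single mismatch breaks the tunnel.

The transcript parser is a constructed simplification of the CLI, not a
reimplementation of Vyatta's configuration backend.
"""
from typing import Dict, List, Optional, Tuple

Path = Tuple[str, ...]


def parse_session(transcript: str) -> List[Path]:
    """Turn a CLI session into a list of absolute 'set' paths."""
    paths: List[Path] = []
    context: List[str] = []
    for raw in transcript.splitlines():
        line = raw.split("#", 1)[-1].strip()   # drop the 'user@host#' prompt
        if not line:
            continue
        verb, *args = line.split()
        if verb == "edit":                      # descend relative to current level
            context = context + args
        elif verb == "exit":                    # up one level
            context = context[:-1]
        elif verb == "top":                     # back to the root
            context = []
        elif verb == "set":
            paths.append(tuple(context + args))
        # commit, save, show, ...: no effect on the modelled configuration
    return paths


def unbound_firewall_rulesets(paths: List[Path]) -> List[str]:
    """Rule sets defined under 'firewall name X' but bound to no interface."""
    defined = {p[2] for p in paths if p[:2] == ("firewall", "name") and len(p) > 2}
    bound = set()
    for p in paths:
        # e.g. ('interfaces','ethernet','eth0','firewall','out','name','test')
        if p and p[0] == "interfaces" and "firewall" in p and "name" in p:
            i = p.index("name")
            if i + 1 < len(p):
                bound.add(p[i + 1])
    return sorted(defined - bound)


def phase_params(paths: List[Path], kind: str, name: str) -> Dict[str, str]:
    """Collect {parameter: value} for one ike-group or esp-group, proposals included."""
    prefix = ("vpn", "ipsec", kind, name)
    params: Dict[str, str] = {}
    for p in paths:
        if p[:4] != prefix or len(p) < 6:
            continue
        tail = p[4:]
        if tail[0] == "proposal" and len(tail) == 4:   # ('proposal','1','hash','md5')
            params[f"proposal {tail[1]} {tail[2]}"] = tail[3]
        elif len(tail) == 2:                            # ('lifetime','7200')
            params[tail[0]] = tail[1]
    return params


def phase_mismatches(local: List[Path], remote: List[Path], kind: str,
                     local_name: str, remote_name: str
                     ) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(parameter, local value, remote value) for every differing parameter."""
    a = phase_params(local, kind, local_name)
    b = phase_params(remote, kind, remote_name)
    return sorted((k, a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k))


# Constructed sample transcripts (same shape as the article's commands).
LOCAL_SESSION = """
vyatta@vyatta# edit firewall name test
vyatta@vyatta# set rule 1 source address 192.168.30.0/24
vyatta@vyatta# set rule 1 protocol tcp
vyatta@vyatta# set rule 1 destination port ftp
vyatta@vyatta# set rule 1 action reject
vyatta@vyatta# set rule 2 source address 192.168.30.0/24
vyatta@vyatta# set rule 2 action accept
vyatta@vyatta# top
vyatta@vyatta# set firewall name unused rule 1 action drop
vyatta@vyatta# set interfaces ethernet eth0 firewall out name test
vyatta@vyatta# edit vpn ipsec
vyatta@vyatta# set ike-group p1 lifetime 7200
vyatta@vyatta# set ike-group p1 proposal 1 encryption 3des
vyatta@vyatta# set ike-group p1 proposal 1 hash md5
vyatta@vyatta# set ike-group p1 proposal 1 dh-group 2
vyatta@vyatta# set esp-group p2 lifetime 1800
vyatta@vyatta# set esp-group p2 proposal 1 encryption 3des
vyatta@vyatta# set esp-group p2 proposal 1 hash md5
vyatta@vyatta# commit
"""

REMOTE_SESSION = """
remote@remote# edit vpn ipsec
remote@remote# set ike-group p1 lifetime 3600
remote@remote# set ike-group p1 proposal 1 encryption 3des
remote@remote# set ike-group p1 proposal 1 hash md5
remote@remote# set ike-group p1 proposal 1 dh-group 2
remote@remote# set esp-group p2 lifetime 1800
remote@remote# set esp-group p2 proposal 1 encryption 3des
remote@remote# set esp-group p2 proposal 1 hash sha1
remote@remote# commit
"""

if __name__ == "__main__":
    local, remote = parse_session(LOCAL_SESSION), parse_session(REMOTE_SESSION)
    print("unbound rule sets:", unbound_firewall_rulesets(local))
    print("IKE mismatches:", phase_mismatches(local, remote, "ike-group", "p1", "p1"))
    print("ESP mismatches:", phase_mismatches(local, remote, "esp-group", "p2", "p2"))
```

Run against the constructed transcripts, the script reports the "unused" rule set, the differing IKE lifetime (7200 versus 3600) and the differing ESP hash (md5 versus sha1); run against the same transcript on both sides it reports nothing, which is the state you want before committing on a real pair of gateways.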
The configurations discussed in this article are fairly simple. If you want a more comprehensive configuration, Vyatta’s documentation site offers a complete command reference for registered users.
Wrapping it up
Vyatta Community Edition 4 is a good low-cost alternative to proprietary network hardware. If you want to use Vyatta for compute-intensive tasks like VPNs or multiple routing and firewall policies, follow Vyatta’s hardware guidelines. As a minimum, a machine with a 1GHz processor, 512MB of RAM, and 1GB of disk space is recommended, which means a machine that today costs $100 or less can run Vyatta’s basic features.
Vyatta shows promise in the enterprise arena. Although I’m a Cisco fan when it comes to big enterprise networks, using Vyatta on small and medium-sized networks and familiarizing yourself with it is a good idea for now and may give you a big advantage in the future.