Security Portal: Kurt's Closet: Linux and network encryption
Sep 08, 1999, 05:02
(Other stories by Kurt Seifried)
"And now for the last in my three-part mini-series on Linux encryption: network encryption. We've covered the basics and filesystem encryption; however, these systems are absolutely no good if you log into your server via telnet and then provide the password to mount your encrypted home directory. There are also several file encryption systems that do not lend themselves well to networking, and many file sharing methods that provide no encryption at all. Encrypting the data that moves across your network is a simple and effective answer (OK, it's probably not simple, but you get the idea)."
"There are several levels at which you can encrypt data in a network setting; so far we have only dealt with methods at the application and presentation layers. That is to say, the encryption is provided by software and is not really integrated with the network (TCFS being a notable exception). Encryption can be done at almost any layer of the OSI stack, with various benefits and drawbacks to each method."
"For this article we are concerned with network-based encryption, which typically happens at the session and/or transport layer (shown in green). You typically don't encrypt the network (IP) layer, as the routers etc. along the path must be able to view some data in the packet (like the destination). Encryption can also be done at the application layer (PGP) or the presentation layer (X.509 integration with the Netscape mailer), which were discussed in my previous article, or at the data link layer (modems with pre-shared secrets and hardware encryption chips); these are shown in blue."
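The point of the last two paragraphs, that encryption at different layers hides different slices of a packet while the IP header a router needs to forward it stays readable, is easiest to see by parsing a packet and asking what an on-path observer still gets. The following is an added example, not code from the article: it builds a minimal IPv4/TCP packet carrying a telnet-style login, parses it back, and then masks the fields that encryption at a given layer would hide. The addresses, ports and the password in it are constructed for illustration, and the "network" row (IPsec ESP, which also hides the TCP header, leaving only the IP header) is an assumption that goes beyond what the article discusses.

```python
"""Which parts of a packet an on-path router or sniffer can still read,
depending on the layer at which encryption is applied.

Added example, not code from the original article. The packet, addresses,
ports and password below are constructed for illustration only."""
import socket
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP (PSH|ACK) packet. It is never put on the wire,
    so the TCP checksum is left at zero; the IP checksum is filled in."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                          5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Split a packet into the three slices the layers of encryption act on."""
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not a TCP packet")
    (sport, dport, seq, _ack, offs, flags, _win, _tcsum,
     _urg) = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    doff = (offs >> 4) * 4
    return {
        # What every router on the path needs: where to send it, and a TTL.
        "ip": {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
               "ttl": ttl, "checksum_ok": ip_checksum(pkt[:ihl]) == 0},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "flags": flags},
        "payload": pkt[ihl + doff:total_len],
    }


# Layer at which encryption is applied -> the slices an on-path observer loses.
# The IP header stays readable in every case, which is the article's reason
# for not encrypting the network layer itself.
LAYER_HIDES = {
    "none": set(),                     # telnet, rsh, NFS: everything in the clear
    "transport": {"payload"},          # SSH / SSL: the TCP stream contents are opaque
    "network": {"payload", "tcp"},     # IPsec ESP (assumption, beyond the article)
}


def observer_view(pkt: bytes, layer: str) -> dict:
    """The parsed packet as seen from the path, with encrypted slices blanked."""
    fields = parse_ipv4_tcp(pkt)
    return {name: (None if name in LAYER_HIDES[layer] else value)
            for name, value in fields.items()}


def extract_password(view: dict):
    """What a sniffer learns from a telnet login: the password, or nothing."""
    payload = view.get("payload")
    if not payload:
        return None
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"password: "):
            return line[len(b"password: "):].decode()
    return None


# Constructed sample: a telnet login to port 23. Not a real host or credential.
TELNET_LOGIN = b"login: kurt\r\npassword: s3cret\r\n"
PKT = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 23, TELNET_LOGIN)

if __name__ == "__main__":
    for layer in ("none", "transport", "network"):
        view = observer_view(PKT, layer)
        print("%-9s dst=%s tcp=%s password=%r" % (
            layer, view["ip"]["dst"], view["tcp"], extract_password(view)))
```

With no encryption the sniffer reads the password straight out of the payload; with session/transport encryption (SSH, SSL) it still sees the addresses and the destination port, so it knows you logged in somewhere but not what you typed; with network-layer encryption it is left with the IP header only, which is exactly the minimum a router needs to forward the packet.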