“And now for the last in my three-part mini-series on Linux encryption: network encryption. We’ve covered the basics and filesystem encryption; however, these systems are absolutely no good if you log into your server via telnet and then provide the password to mount your encrypted home directory. There are also several file encryption systems that do not lend themselves well to networking, and many file sharing methods that provide no encryption at all. Encrypting the data that moves across your network is a simple and effective answer (OK, it’s probably not simple, but you get the idea).”
“There are several levels at which you can encrypt data in a network setting; so far we have only dealt with methods at the application and presentation layers. That is to say, the encryption is provided by software and not really integrated with the network (TCFS being a notable exception). Encryption can be done at almost any layer of the OSI stack, with various benefits and drawbacks to each method.”
“For this article we are concerned with network-based encryption, which typically happens at the session and/or transport layer (green). You typically don’t encrypt the network (IP) layer, as the routers etc. along the path must be able to view some data in the packet (like the destination). Encryption can also be done at the application layer (PGP) or the presentation layer (X.509 integration with the Netscape mailer), which was discussed in my previous article, or at the datalink layer (modems with pre-shared secrets and hardware encryption chips), which are in (blue).”