
Can Someone Explain VPN vs. SSH?
Forum Regular
Join Date: Nov 2002
May 12, 2003, 11:18 PM
 
I am a little confused as to what VPN does as well as SSH. I know SSH is the secure version of telnet and telnet is what I used to use to access the computers at school. So what is the difference between SSH and VPN? Does VPN use SSH? Do I even need VPN if I can manipulate SSH? I just don't want to have redundant programs on my machine.
     
Mac Elite
Join Date: May 1999
Location: San Jose, CA
May 13, 2003, 01:30 AM
 
Originally posted by aquaclear:
I am a little confused as to what VPN does as well as SSH. I know SSH is the secure version of telnet and telnet is what I used to use to access the computers at school. So what is the difference between SSH and VPN? Does VPN use SSH? Do I even need VPN if I can manipulate SSH? I just don't want to have redundant programs on my machine.
At its simplest level the full name of SSH gives you a clue... Secure Shell. It's designed as a secure (encrypted) way to log into a remote system.

VPN, on the other hand, typically connects networks rather than individual hosts. Using a VPN you can establish one connection that will securely tunnel traffic to an entire network (say, one connection to a server at your office, giving you entire access to all office network resources).

SSH has been extended over the years to support additional services such as scp (secure copy) and sftp (secure ftp) which basically encrypt the cp or ftp connection in an ssh session. It's also possible to use port forwarding via ssh to create specific secure tunnels for specific services, but you need to specify these individually for each port.

So, on a 10,000 ft view, ssh secures shell logins and specific ports on a one-to-one basis. VPNs secure entire networks.

On a more technical view, VPN works at a lower level on the TCP/IP stack - VPN works at the network level and can secure all network traffic. SSH works at the port level and can secure individual connections.

For many users, though, SSH provides a good enough level of security and can be used as a "poor-man's VPN".
Gods don't kill people - people with Gods kill people.
     
Dedicated MacNNer
Join Date: Oct 2001
Location: Philly
May 13, 2003, 05:33 PM
 
Originally posted by aquaclear:
I am a little confused as to what VPN does as well as SSH. I know SSH is the secure version of telnet and telnet is what I used to use to access the computers at school. So what is the difference between SSH and VPN? Does VPN use SSH? Do I even need VPN if I can manipulate SSH? I just don't want to have redundant programs on my machine.
SSH has nothing to do with telnet. It was designed to be a replacement for RSH (remote shell), although both function similarly to telnet from a user point of view.</pedantic>

VPNs are virtual private networks - the idea is to build an encrypted tunnel between two network segments, and send all traffic between those two segments through the tunnel. VPNs are useful for filesharing from home with folks at the office. Most VPNs use some form of IPSec, but there are many VPN implementations and not all of them play nicely together and there is not a single, unified standard VPN. SSH is a single standardized protocol.

Even if you're using a VPN to connect, you should still use SSH for remote terminal connections - if there is a compromised machine connected to the VPN, then SSH will provide you with additional layers of protection. It's like using a seatbelt and airbags.

mathias
     
Mac Enthusiast
Join Date: Jan 2002
Location: Trondhjem, Norway
May 13, 2003, 06:03 PM
 
I sometimes connect to my university with Cisco VPN, after connecting to my ISP the regular way. This gives me an IP address that is recognized as belonging to the university, which I need to connect to some supercomputing servers.

So I'm physically at home, connected to the internet through a 3rd-party ISP, but VPN makes me part of the closed university network.

OTOH, I still need to use ssh and scp to log in and transfer files to the servers.

Clarifying?
     
Forum Regular
Join Date: Nov 2002
May 18, 2003, 04:40 PM
 
So to get it straight, I would use vpn to connect to the networks at let's say work and then use ssh to connect to my computer. Could I not just try and connect directly to my computer vs. using vpn? Or am I just not getting it?
     
Mac Elite
Join Date: May 1999
Location: San Jose, CA
May 19, 2003, 08:21 PM
 
Originally posted by aquaclear:
So to get it straight, I would use vpn to connect to the networks at let's say work and then use ssh to connect to my computer. Could I not just try and connect directly to my computer vs. using vpn? Or am I just not getting it?
You're not quite getting it.

VPN works at a different network 'layer' than SSH.

SSH runs at what's called the application layer. This means that it works on a specific port (typically 22) using defined protocols for communication and is an end-to-end solution (i.e. your machine connected to port 22 on another machine). In general, think of it as a single-task connection - open a shell on the remote machine.

VPN, on the other hand, works at the transport layer. This means it handles ALL communication between two points on the network. It doesn't care about what kind of traffic you're handling (http, ftp, ping, nfs, dns, and yes, even ssh) - ALL communication between the two points is encrypted across the connection. VPN has no concept of what any of the higher-level protocols actually do. It just knows that it encrypts this packet, sends it on its way and decrypts it at the other end.

So even if you had a VPN tunnel established between two points, so what? You still need to use ssh to open a shell on the remote machine, or use a web browser to access a web site, or use an ftp client to up/download files. The difference is that the VPN adds a layer of security to otherwise non (or, at least, less) secure protocols.

So think of a VPN as a general-purpose, multi-tasking encryption system that will handle any protocol.
Gods don't kill people - people with Gods kill people.
     
Posting Junkie
Join Date: Mar 2001
Location: Salamanca, España
May 20, 2003, 11:14 AM
 
Why are there many versions of VPN? I know OS X supports some but not all versions, like the Cisco VPN.
I could take Sean Connery in a fight... I could definitely take him.
     
Mac Elite
Join Date: Sep 2000
Location: Edmond, OK USA
May 20, 2003, 11:28 AM
 
Originally posted by voodoo:
Why are there many versions of VPN? I know OS X supports some but not all versions, like the Cisco VPN.
I think primarily because Microsoft and other vendors wanted to be the first out the door with an enterprise VPN and in that situation you end up with many competing "standards." Remember DHTML, PPP, 56K modems, Component technologies, DVDs, CD-R, etc?
     
Grizzled Veteran
Join Date: Oct 2000
Location: Vancouver
May 21, 2003, 12:47 PM
 
VPN will make it so your computer is just like it is on the network at the remote location.

So if you have your Mac at home, you can connect to the office via VPN and you will see all the printers, you can browse all the other computers on the network (all the computers in the office). You would be able to see other Mac users' shared iTunes music... You could use Rendezvous in iChat... You would be able to connect to all servers or network devices in your office just as if you were really there.

SSH will let you make a secure connection from one computer to another. I use this all the time to edit config files on my web-server. It will not (by itself) let you browse the remote network or print to the printers in the office location.
Alex Duffield
http://www.incontrolsolutions.com
     
Registered User
Join Date: Sep 2002
Location: New York City
May 21, 2003, 01:29 PM
 
If you would like a very detailed explanation of SSH or VPN, refer to Comer's book "TCP/IP" (ISBN 0-13-216987-8). It covers all TCP/IP protocols in tremendous detail. I took it in graduate school and learned a bunch.
     
Dedicated MacNNer
Join Date: Jul 2000
Location: Texas
May 27, 2003, 02:28 PM
 
Originally posted by aquaclear:
So to get it straight, I would use vpn to connect to the networks at let's say work and then use ssh to connect to my computer. Could I not just try and connect directly to my computer vs. using vpn? Or am I just not getting it?

SSH will encrypt only your terminal session from your computer to the computer you're SSH'd into. All other internet activity will remain the same.

A VPN connection will, by default, encrypt ALL communication between your computer and the network you VPN'd into. It will encrypt the servers you connect to, it will encrypt the internal webpages you view, it'll let you connect to servers with IP addresses of 10.x.x.x and 192.168.x.x.

How?

When you VPN to a network, your computer is assigned an IP address from the network you're VPN'd into. This is how (or why) you can do theoretically everything you can from a computer at the physical location you're VPN'd into.

There are two major protocols, IPSec and L2TP. Mac OS X supports IPSec for now

For more info, visit www.vpn.org and you'll find tons of info there
---
One XP Box, One Suse Box, One Blue & White,
One ibook, One iMac 17 FP, one 30 gig iPod and a mini
happy .mac customer, os9 free since 3/24/01
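
The contrast drawn in this thread between SSH port forwarding (one tunnel per service, each specified individually) and a VPN (everything bound for the remote network) can be modelled in a few lines. This is an added example, not code from any poster; the routes, forwarded ports, addresses and the `user@gateway.example` host are constructed assumptions.

```python
import ipaddress

# Constructed sample setup (assumed values, not from the thread).
# Networks routed through the VPN tunnel once it is connected.
VPN_ROUTES = ["10.0.0.0/8", "192.168.1.0/24"]
# SSH local forwards: local port -> (host, port) as seen from the SSH server.
SSH_FORWARDS = {8080: ("10.1.2.3", 80), 5900: ("10.1.2.9", 5900)}


def ssh_forward_args(forwards):
    """Build the ssh arguments: one "-L port:host:hostport" per service."""
    args = []
    for lport, (host, rport) in sorted(forwards.items()):
        args += ["-L", f"{lport}:{host}:{rport}"]
    return args


def vpn_covers(dst_ip, routes=VPN_ROUTES):
    """A VPN decides by destination network only; the port is irrelevant."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) for net in routes)


def ssh_covers(dst_ip, dst_port, forwards=SSH_FORWARDS):
    """SSH forwarding covers a flow only if that exact host:port was forwarded.

    Returns the local port the client must connect to, or None.
    """
    for lport, target in forwards.items():
        if target == (dst_ip, dst_port):
            return lport
    return None


def compare(flows):
    """For each (ip, port) flow, report which mechanism would carry it."""
    return [(ip, port, vpn_covers(ip), ssh_covers(ip, port)) for ip, port in flows]


if __name__ == "__main__":
    # Constructed flows: web, VNC, a printer port nobody forwarded,
    # and a public address outside the VPN routes.
    flows = [("10.1.2.3", 80), ("10.1.2.9", 5900), ("10.1.2.3", 631), ("203.0.113.7", 80)]
    print("ssh", *ssh_forward_args(SSH_FORWARDS), "user@gateway.example")
    for ip, port, vpn, lport in compare(flows):
        via_ssh = f"localhost:{lport}" if lport else "not forwarded"
        print(f"{ip}:{port:<5} vpn={'yes' if vpn else 'no':<3} ssh={via_ssh}")
```

The printer port on 10.1.2.3 is reachable over the VPN without extra setup but is invisible to the SSH session until another `-L` entry is added for it.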
     
   