Cryptographic IP Encapsulation (CIPE)

Saturday, March 20, 2010

The primary goal of this software is to provide a facility for secure (against eavesdropping,
including traffic analysis, and faked message injection) subnetwork interconnection
across an insecure packet network such as the Internet.

CIPE encrypts the data at the network level. Packets traveling between hosts on the
network are encrypted. The encryption engine is placed near the driver which sends
and receives packets.

This is unlike SSH, which encrypts the data by connection, at the socket level. A
logical connection between programs running on different hosts is encrypted.

CIPE can be used in tunnelling, in order to create a Virtual Private Network. Low-level
encryption has the advantage that it can be made to work transparently between
the two networks connected in the VPN, without any change to application software.
Summarized from the CIPE documentation:
“The IPSEC standards define a set of protocols which can be used (among other
things) to build encrypted VPNs. However, IPSEC is a rather heavyweight and complicated
protocol set with a lot of options, implementations of the full protocol set
are still rarely used and some issues (such as key management) are still not fully resolved.
CIPE uses a simpler approach, in which many things which can be parameterized
(such as the choice of the actual encryption algorithm used) are an install-time
fixed choice. This limits flexibility, but allows for a simple (and therefore efficient,
easy to debug...) implementation.”
Further information can be found at http://www.inka.de/~bigred/devel/cipe.html
As with other forms of cryptography, it is not distributed with the kernel by default
due to export restrictions.

Kerberos
Kerberos is an authentication system developed by the Athena Project at MIT. When
a user logs in, Kerberos authenticates that user (using a password), and provides the
user with a way to prove her identity to other servers and hosts scattered around the
network.
This authentication is then used by programs such as rlogin to allow the user to
log in to other hosts without a password (in place of the .rhosts file). This authentication
method can also be used by the mail system in order to guarantee that mail is
delivered to the correct person, as well as to guarantee that the sender is who he
claims to be.
Kerberos and the other programs that come with it prevent users from "spoofing"
the system into believing they are someone else. Unfortunately, installing Kerberos
is very intrusive, requiring the modification or replacement of numerous standard
programs.
You can find more information about Kerberos by looking at the Kerberos FAQ, and
the code can be found at http://nii.isi.edu/info/kerberos/.
[From: Steiner, Jennifer G., Clifford Neuman, and Jeffrey L. Schiller. "Kerberos: An Authentication
Service for Open Network Systems." USENIX Conference Proceedings,
Dallas, Texas, Winter 1998.]
Kerberos should not be your first step in improving security of your host. It is quite
involved, and not as widely used as, say, SSH.

Shadow Passwords
Shadow passwords are a means of keeping your encrypted password information
secret from normal users. Recent versions of both Red Hat and Debian Linux use
shadow passwords by default, but on other systems, encrypted passwords are stored
in the /etc/passwd file for all to read. Anyone can then run password-guesser programs
on them and attempt to determine what they are. Shadow passwords, by contrast,
are saved in /etc/shadow, which only privileged users can read. In order to use
shadow passwords, you need to make sure all your utilities that need access to password
information are recompiled to support them. PAM (above) also allows you
to just plug in a shadow module; it doesn’t require re-compilation of executables.
You can refer to the Shadow-Password HOWTO for further information if necessary.
It is available at http://metalab.unc.edu/LDP/HOWTO/Shadow-Password-HOWTO.html.
It is rather dated now, and will not be required for distributions supporting PAM.
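As an added example (not part of the HOWTO text above or of any project it names), the following Python audit checks the two properties the shadow-password scheme depends on: that no password field in passwd-format entries still carries hash material, and that the shadow file's mode grants nothing to "other". The passwd lines are constructed sample data, not taken from a real system.

```python
import stat

# Constructed sample in /etc/passwd format; two entries deliberately keep a
# hash in field 2, as an unshadowed system would.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$abcdefgh$0123456789abcdefghijkl:1001:1001:Legacy:/home/legacy:/bin/sh
oldsvc:7fVhGd2kL9pQw:1002:1002:Old service:/var/oldsvc:/bin/false
"""

# Password-field values that carry no hash: shadowed ('x') or locked/disabled.
PLACEHOLDERS = {"x", "*", "!", "!!"}


def unshadowed_accounts(passwd_text: str) -> list[str]:
    """Return login names whose passwd entry still exposes a password field.

    On a shadowed system field 2 is a placeholder; anything else is either
    hash material readable by every local user or an empty (passwordless)
    field, and both are flagged here.
    """
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess at its meaning
        name, pw_field = fields[0], fields[1]
        if pw_field not in PLACEHOLDERS:
            exposed.append(name)
    return exposed


def shadow_mode_ok(mode: int) -> bool:
    """True if the mode grants no read/write/execute bits to 'other'.

    /etc/shadow is normally 0640 (root:shadow) or 0600; any 'other' bit
    undoes the point of moving hashes out of /etc/passwd.
    """
    return (mode & stat.S_IRWXO) == 0


def audit(passwd_text: str, shadow_mode: int) -> dict:
    """Combine both checks into a single report."""
    exposed = unshadowed_accounts(passwd_text)
    mode_ok = shadow_mode_ok(shadow_mode)
    return {"exposed_accounts": exposed, "shadow_mode_ok": mode_ok,
            "ok": not exposed and mode_ok}


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, 0o640))  # flags legacy and oldsvc
    print(audit(SAMPLE_PASSWD, 0o644))  # also flags the world-readable mode
```

On a live system, feed it the contents of /etc/passwd and `os.stat("/etc/shadow").st_mode` in place of the constructed values.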