[kwlug-disc] OpenVPN (Was: Re: firewall question)
unsolicited at swiz.ca
Tue Feb 17 23:49:00 EST 2009
L.D. Paniak wrote, On 02/17/2009 7:19 PM:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> unsolicited wrote:
>> e.g. Suppose you set up VPN for a laptop user. And the laptop gets
>> stolen. The issues around the technology become much bigger than the
>> technology itself.
> In OpenVPN, if someone steals a laptop, you just revoke the
> corresponding key (for key-based access) and restart the daemon
> (http://openvpn.net/index.php/documentation/howto.html#quick )
You presume the laptop user lets the admin know in microseconds. Not
likely. Hmm, perhaps I left it in the hotel room. Oh look, it's not
there. Maybe at the conference center? Lost and found?
> Since each user has their own key, you can selectively 'turn off' access
> without disrupting the whole system. Just make sure your user lets you
> know the laptop is missing in a timely manner!
> OpenVPN is easy to install: It is packaged for any reasonable distro and
> there is a customizable Windows system for producing installers that any
> MS user would be comfortable with.
> I'm sure you will find plenty of automation goodness to talk about when
> you give your OpenVPN talk :)
Never used it. Never used VPN under Linux. Sorry.
And, at the risk of starting a war ... VPN = BAD.
Mind you ... my earlier comments centered around individuals, not site
to site VPNs, which are good.
I say VPN = BAD for a couple of reasons:
(1) You are trusting clients to be good net citizens. Once connected,
they are an extension of your network. Typically internal networks
aren't as tightly controlled as, say, your internal/external
connections. Anyone who touches the keyboard is a risk. You have no
control over whom that will be. At least for internal computers, they
had to get past reception.
(2) Typically, the remote access required is a far smaller subset than
the entire network. And it's much easier to secure those fewer
connections. e.g. Remote e-mail can be done via ssl ports. Frequently
that's all they really need. Some VNC's don't allow file transfer, and
may be sufficient, assuming a sufficiently small number of clients.
Terminal services offer very close to VPN functionality, and have the
client operating on your own secured session, not on their own
But, whatever the client wants. And is easy to explain ... click this
icon ... voila.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> -----END PGP SIGNATURE-----
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
More information about the kwlug-disc