[kwlug-disc] OpenVPN (Was: Re: firewall question)

unsolicited unsolicited at swiz.ca
Tue Feb 17 23:49:00 EST 2009 

L.D. Paniak wrote, On 02/17/2009 7:19 PM:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> unsolicited wrote:
> 
>> e.g. Suppose you set up VPN for a laptop user. And the laptop gets
>> stolen. The issues around the technology become much bigger than the
>> technology itself.
> 
> In OpenVPN, if someone steals a laptop, you just revoke the
> corresponding key (for key-based access) and restart the daemon
> (http://openvpn.net/index.php/documentation/howto.html#quick )

You presume the laptop user lets the admin know in microseconds. Not 
likely. Hmm, perhaps I left it in the hotel room. Oh look, it's not 
there. Maybe at the conference center? Lost and found?

> Since each user has their own key, you can selectively 'turn off' access
> without disrupting the whole system. Just make sure your user lets you
> know the laptop is missing in a timely manner!
> 
> OpenVPN is easy to install: It is packaged for any reasonable distro and
> there is a customizable Windows system for producing installers that any
> MS user would be comfortable with.
> 
> I'm sure you will find plenty of automation goodness to talk about when
> you give your OpenVPN talk :)

(-:

Never used it. Never used VPN under Linux. Sorry.

And, at the risk of starting a war ... VPN = BAD.

Mind you ... my earlier comments centered around individuals, not site 
to site VPNs, which are good.

I say VPN = BAD for a couple of reasons:
(1) You are trusting clients to be good net citizens. Once connected, 
they are an extension of your network. Typically internal networks 
aren't as tightly controlled as, say, your internal/external 
connections. Anyone who touches the keyboard is a risk. You have no 
control over whom that will be. At least for internal computers, they 
had to get past reception.
(2) Typically, the remote access required is a far smaller subset than 
the entire network. And it's much easier to secure those fewer 
connections. e.g. Remote e-mail can be done via ssl ports. Frequently 
that's all they really need. Some VNC's don't allow file transfer, and 
may be sufficient, assuming a sufficiently small number of clients. 
Terminal services offer very close to VPN functionality, and have the 
client operating on your own secured session, not on their own 
unsecured computer.

But, whatever the client wants. And is easy to explain ... click this 
icon ... voila.

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> 
> iD8DBQFJm1QV8h2PnOHbiQcRAg9qAJ0UKjvmpk6De2iC+R1GOURscuO+HgCaA/wj
> k8PKLnJhrhlD1IipczVbbQI=
> =qsHM
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>

More information about the kwlug-disc mailing list