[kwlug-disc] OpenVPN (Was: Re: firewall question)

Bob Jonkman bjonkman at sobac.com
Wed Feb 18 23:24:54 EST 2009


So would it be better to run a VM as an endpoint to the VPN?  Every 
time the connection is established the VM is restarted from the same 
image, locked down by the Corporate IT overlords.  If the VPN can only 
connect to the VM virtual address, then is the corporate network safe 
from insecure remote hosts?

--Bob.



On 17 Feb 2009 at 23:49 unsolicited <kwlug-disc at kwlug.org> wrote
about "Re: [kwlug-disc] OpenVPN (Was: Re: [...]"

[...]

>I say VPN = BAD for a couple of reasons:
>(1) You are trusting clients to be good net citizens. Once connected, 
>they are an extension of your network. Typically internal networks 
>aren't as tightly controlled as, say, your internal/external 
>connections. Anyone who touches the keyboard is a risk. You have no 
>control over whom that will be. At least for internal computers, they 
>had to get past reception.

>(2) Typically, the remote access required is a far smaller subset than 
>the entire network. And it's much easier to secure those fewer 
>connections. e.g. Remote e-mail can be done via ssl ports. Frequently 
>that's all they really need. Some VNC's don't allow file transfer, and 
>may be sufficient, assuming a sufficiently small number of clients. 
>Terminal services offer very close to VPN functionality, and have the 
>client operating on your own secured session, not on their own 
>unsecured computer.
>
>But, whatever the client wants. And is easy to explain ... click this 
>icon ... voila.

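One way to enforce "the VPN can only connect to the VM address" on the OpenVPN server side, as an added example that is not from the thread or from either poster. It assumes a tunnel interface tun0, a VPN address pool of 10.8.0.0/24 and a locked-down VM at 10.0.0.50; pushed routes only advise the client, so the kernel filter is what actually limits what a remote host can reach.

```shell
#!/bin/sh
# Added example: confine OpenVPN clients to one corporate-side VM.
# Assumed names (not from the thread): tun0, 10.8.0.0/24, VM at 10.0.0.50.
# The FORWARD chain is assumed to have a default policy of DROP.
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"      # OpenVPN client pool, a /24
VM_ADDR="${VM_ADDR:-10.0.0.50}"        # the only host clients may reach

# OpenVPN server directives that match the filter below: hand out a host
# route to the VM only, no default route, and no 'client-to-client', so
# remote hosts cannot see each other through the tunnel either.
openvpn_server_fragment() {
  cat <<EOF
server ${VPN_NET%/*} 255.255.255.0
push "route $VM_ADDR 255.255.255.255"
EOF
}

# iptables commands, one per line, so they can be reviewed before use.
# Anything from the tunnel that is not bound for the VM is logged and dropped.
vpn_forward_rules() {
  cat <<EOF
iptables -N VPN_FWD
iptables -A FORWARD -i $VPN_IF -j VPN_FWD
iptables -A FORWARD -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_FWD -s $VPN_NET -d $VM_ADDR -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A VPN_FWD -j LOG --log-prefix "vpn-blocked: "
iptables -A VPN_FWD -j DROP
EOF
}

# Self-check: count ACCEPT rules in VPN_FWD whose destination is not the VM.
# A correct ruleset prints 0.
leaks_in_rules() {
  vpn_forward_rules | awk -v vm="$VM_ADDR" \
    '/-A VPN_FWD/ && /-j ACCEPT/ && index($0, "-d " vm) == 0 { n++ }
     END { print n + 0 }'
}

case "${1:-}" in
  show)  openvpn_server_fragment; vpn_forward_rules ;;
  apply) vpn_forward_rules | sh ;;   # run as root on the VPN server
esac
```

Run with `show` to review the generated config and rules, and `apply` (as root) to load the filter; the VM image restarting on every connection does nothing to stop a client from routing elsewhere, which is why the filter lives on the server.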