<br><br><div class="gmail_quote">On Wed, Feb 18, 2009 at 12:03 AM, unsolicited <span dir="ltr"><<a href="mailto:unsolicited@swiz.ca">unsolicited@swiz.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Raul Suarez wrote, On 02/17/2009 6:45 PM:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
--- On Tue, 2/17/09, unsolicited <<a href="mailto:unsolicited@swiz.ca" target="_blank">unsolicited@swiz.ca</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
From: unsolicited <<a href="mailto:unsolicited@swiz.ca" target="_blank">unsolicited@swiz.ca</a>><br>
e.g. Suppose you set up VPN for a laptop user. And the<br>
laptop gets stolen. The issues around the technology become<br>
much bigger than the technology itself.<br>
</blockquote>
<br>
The thief would need to know the password for the remote box<br>
</blockquote>
<br>
Assuming there is one.<br>
<br>
Could be, and probably is, just a certificate.<br>
<br>
And if they yank the hard drive out and over-ride permissions ...<br>
<br>
This is what I meant by my earlier comment about the (VPN) technology being the least of your concerns.<br>
<br>
To work around some vulnerabilities, now you encrypt your laptop hard drive, or teach or enforce password aging and complexity, and staff up to take the additional support calls that will result when they forget either password.<br>
<br>
So many times technology gets thrown in as the magic bullet, neglecting the more significant problem that you're probably more likely to be damaged from within than without.<br>
<br>
It's hard enough to secure an enterprise without remote users. Best practices and all that, always more that can be done, and never enough hours in the day. For an attack that will probably never come, but since it's a 'bet the business' risk, there's no such thing as too much security. Checked your logs today - would you know if you've been hacked? Tested your backup?<br>
<br>
Remote users just multiply the complexity by a more than exponential amount. If the first line of defence is physical security, that just got thrown out the window.<br>
<br>
I'm not suggesting the value isn't worth it, just that it's hard to convince people to not minimize or forget the increased time and effort required on the human end.<br>
<br>
Job security, I suppose.</blockquote><div><br><br>Well there are other interesting uses for OpenVPN.<br><br>I use it for embedded devices. OpenVPN is particularly adept at getting out of firewall's It can piggy back on port 443 for instance. So we put it in our embedded devices and when the device attaches to the network I can then control it.<br>
<br>There's fairly good scripting for doing some firewall rules once the client connects. I think if you were careful you could safely use it.<br><br>Dave <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<br>
_______________________________________________<br>
<a href="http://kwlug-disc_kwlug.org" target="_blank">kwlug-disc_kwlug.org</a> mailing list<br>
<a href="http://kwlug-disc_kwlug.org" target="_blank">kwlug-disc_kwlug.org</a>@<a href="http://kwlug.org" target="_blank">kwlug.org</a><br>
<a href="http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org</a><br>
<br>
</blockquote></div><br>