[kwlug-disc] firewall question
Dave Cramer
davec at visibleassets.com
Wed Feb 18 06:42:15 EST 2009
On Wed, Feb 18, 2009 at 12:03 AM, unsolicited <unsolicited at swiz.ca> wrote:
> Raul Suarez wrote, On 02/17/2009 6:45 PM:
>
>> --- On Tue, 2/17/09, unsolicited <unsolicited at swiz.ca> wrote:
>>
>> From: unsolicited <unsolicited at swiz.ca>
>>> e.g. Suppose you set up VPN for a laptop user. And the
>>> laptop gets stolen. The issues around the technology become
>>> much bigger than the technology itself.
>>>
>>
>> The thief would need to know the password for the remote box
>>
>
> Assuming there is one.
>
> Could be, and probably is, just a certificate.
>
> And if they yank the hard drive out and over-ride permissions ...
>
> This is what I meant by my earlier comment about the (VPN) technology being
> the least of your concerns.
>
> To work around some vulnerabilities, now you encrypt your laptop hard
> drive, or teach or enforce password aging and complexity, and staff up to
> take the additional support calls that will result when they forget either
> password.
>
> So many times technology gets thrown in as the magic bullet, neglecting the
> more significant problem that you're probably more likely to be damaged from
> within than without.
>
> It's hard enough to secure an enterprise without remote users. Best
> practices and all that, always more that can be done, and never enough hours
> in the day. For an attack that will probably never come, but since it's a
> 'bet the business' risk, there's no such thing as too much security. Checked
> your logs today - would you know if you've been hacked? Tested your backup?
>
> Remote users just multiply the complexity by a more than exponential
> amount. If the first line of defence is physical security, that just got
> thrown out the window.
>
> I'm not suggesting the value isn't worth it, just that it's hard to
> convince people to not minimize or forget the increased time and effort
> required on the human end.
>
> Job security, I suppose.
Well there are other interesting uses for OpenVPN.
I use it for embedded devices. OpenVPN is particularly adept at getting out
of firewalls. It can piggyback on port 443, for instance. So we put it in
our embedded devices and when the device attaches to the network I can then
control it.
There's fairly good scripting for doing some firewall rules once the client
connects. I think if you were careful you could safely use it.
Dave
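The "scripting for firewall rules once the client connects" that Dave mentions is OpenVPN's client-connect / client-disconnect hook. Below is an added example of such a hook (not code from the thread or from the OpenVPN project) that gives each connected embedded device a per-client allow rule towards one management host and drops everything else; the management address, the `device-*` CN convention and the file paths are assumptions, and the config lines in the header comment show how a server would wire it up.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect / client-disconnect hook that pins
# forwarding rules to the tunnel address a client was just assigned.
# Assumed server config (port 443 as described in the post):
#   port 443
#   proto tcp-server
#   script-security 2
#   client-connect    /etc/openvpn/hook.sh
#   client-disconnect /etc/openvpn/hook.sh
#   crl-verify /etc/openvpn/crl.pem   # lets you revoke a stolen device's cert
# OpenVPN exports script_type, common_name and ifconfig_pool_remote_ip to the hook.

MGMT_HOST=10.8.100.5   # constructed sample address of the management server

# Accept only a plain dotted quad before it is interpolated into a command line.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the iptables commands for one client as text, so the policy can be
# reviewed and tested without root. $1 = cert CN, $2 = tunnel IP, $3 = -A or -D.
build_rules() {
  cn=$1; tun_ip=$2; action=$3
  valid_ipv4 "$tun_ip" || return 1
  case "$cn" in
    device-*)   # embedded devices: SSH to the management host only
      printf 'iptables %s FORWARD -i tun0 -s %s -d %s -p tcp --dport 22 -j ACCEPT\n' \
        "$action" "$tun_ip" "$MGMT_HOST"
      ;;
  esac
  # Everything else from this client is dropped (default deny per client).
  printf 'iptables %s FORWARD -i tun0 -s %s -j DROP\n' "$action" "$tun_ip"
}

# Entry point used by OpenVPN: add rules on connect, remove them on disconnect.
apply_rules() {
  case "$script_type" in
    client-connect)    action=-A ;;
    client-disconnect) action=-D ;;
    *) echo "unexpected script_type: $script_type" >&2; return 1 ;;
  esac
  build_rules "$common_name" "$ifconfig_pool_remote_ip" "$action" | while read -r cmd; do
    $cmd || exit 1   # words are fixed text plus a validated IP, so splitting is safe
  done
}

# Run only when invoked by OpenVPN (script_type is set), not when sourced for review.
if [ -n "${script_type:-}" ]; then apply_rules; fi
```

Because the rules are generated per tunnel address, a device whose certificate has been revoked via crl-verify never reaches the hook at all, and one that is still valid can only talk to the management host.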