Re: Need VPN Firewall security advice
From: Anthony Ewell (aewell_at_gbis.com)
Date: 08/21/04
- Previous message: P Gentry: "Re: Need VPN Firewall security advice"
- In reply to: P Gentry: "Re: Need VPN Firewall security advice"
- Next in thread: P Gentry: "Re: Need VPN Firewall security advice"
- Reply: P Gentry: "Re: Need VPN Firewall security advice"
Date: Sat, 21 Aug 2004 14:05:18 -0700
P Gentry wrote:
>> I am about to put a port forward in my IPTABLES
>>firewall to allow a remote Windows laptop to
>>run a VNC on a desktop inside my firewall.
>>
>> The port forward checks the remote end's IP address,
>>protocol type, and port before doing the forward.
>>The VPN required a password in addition to the key.
>>The user is very good about keeping the password
>>separate from the laptop, in case it gets stolen.
>>(The password is really, really nasty!) To break
>>in, a thief would need both the password and the IP
>>address of the distant end.
>>
>> Question: at this point in my description, do
>>you all feel comfortable with what I am planning?
>
>
> Probably not -- the VNC connect password is encrypted (barely) but all
> subsequent traffic passes unencrypted. Will compression be enough to
> discourage the bad guys? Your call. At least check into using SSH or
> SSL (stunnel) to provide end-to-end encryption of all traffic. SSL
> with certificates provides reasonable authentication security as well
> ;-)
Hi P.,

I should have made it more clear that TightVNC has to
traverse OpenVPN to make connection with the other end.
I am presuming that OpenVPN will provide enough (encrypted)
security. Does this change your evaluation?

As far as the floating IPs, I have complete control
over the firewall. I am a private contractor, not an
employee. My customer gives me the final say on everything
to do with the network. They are dear people -- the ones
you want to take very, very good care of. Consequently, I
am very, very protective of them. I even have them off
of IE and OE (Firebird and Thunderbird are awesome).
They have only caught one virus in the seven years I have
worked for them! :-)

As I stated before, floating IPs through the firewall
give me the hives. Since they give all of you the hives as well,
they are out. If the other users want VPN access, I will arrange
with their ISPs for a fixed address. (My other remote
users will love any excuse to upgrade to DSL at
their homes. So, it is a win-win situation for me!)

I appreciate all of your wisdom and assistance in
this matter. :-)

--Tony