Re: Need VPN Firewall security advice
From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 08/22/04
- Next message: P Gentry: "Re: iptables mark qos"
- Previous message: Baklin Drumheller: "Giving up"
- In reply to: Anthony Ewell: "Re: Need VPN Firewall security advice"
- Next in thread: Anthony Ewell: "Re: Need VPN Firewall security advice"
- Reply: Anthony Ewell: "Re: Need VPN Firewall security advice"
Date: 22 Aug 2004 09:53:52 -0700
Anthony Ewell <aewell@gbis.com> wrote in message news:<2opro7Fdcjj4U1@uni-berlin.de>...
[snip]
>
> Hi P.,
>
> I should have made it more clear that TightVNC has to
> transverse OpenVPN to make connection with the other end.
> I am presuming that OpenVPN will provide enough (encrypted)
> security. Does this change your evaluation?
IMO, for the average (and even above) scenario, it doesn't get much
better than OpenVPN ;-)
> As far as the floating IP's, I have complete control
> over the firewall. I am a private contractor, not an
> employee. My customer gives me the final say on everything
> to do with the network. They are dear people -- the ones
> you want to take very, very good care of. Consequently, I
> am very, very protective of them. I even have them off
> of IE and OE (Firebird and Thunderbird are awesome).
> They have only caught one virus in the seven years I have
> worked for them! :-)
>
> As I stated before, floating IP's through the firewall
> give me the hives. Since they give all of you the hives as well,
> they are out. If the other users want VPN access, I will arrange
> with their ISP's for a fixed address. (My other remote
> users will love any excuse to upgrade to DSL at
> their homes. So, it is a win-win situation for me!)
>
> I appreciate all of your wisdom and assistance in
> this matter. :-)
>
> --Tony
OK, you're already far down the road to setting up a secure solution
via OpenVPN ;-)
This setup is about as secure as you can reasonably get and will not
_require_ static IPs for the remote clients -- all authentication is
user based, not host based. That's the nice benefit of SSL/TLS
encryption/authentication ;-)
The biggest hassle is the initial setup -- to be expected -- and the
"ongoing" certificate management. For a reasonably small office this
shouldn't be too bad.
The setup on your end should give you some idea what sort of
problems/questions the clients will have when first using the service
-- after a few goes most people have a good enough grasp to make it
work just fine ;-)
One nice thing I noticed about the 2.0.x (still beta) version is
the scalability -- the code layering is much improved. And a benefit
for you and your client is that cert revocation will allow you to
disable a user's cert whenever the need arises.
Try this for a quick/concise overview of the security features then go
on from there:
http://www.inyotech.com/vpn_infrastructure.php
the OpenVPN site has lots of goodies.
Also check the net/Google to find some examples of people using
OpenVPN to tunnel TightVNC -- best to know beforehand before
traveling too far down that road. And keep in mind that OpenVPN will
give the remote client and you more "options" than using TightVNC with
stunnel, say. That may or may not be what you want, but it does
provide for greater flexibility.
hth,
prg
email above disabled
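As an added example, not part of the post above or of any OpenVPN project file, here is a minimal OpenVPN 2.0-style server configuration showing the two properties prg describes: clients are authenticated by certificate rather than by source address (so no static IPs), and a CRL lets you disable one user's cert without touching anyone else. All file names, the tunnel subnet and the user name "tony" are assumptions.

```conf
# server.conf -- OpenVPN 2.0-style server (constructed example)
# Peers are identified by the certificate they present, not by where they
# connect from, so a remote user on a dynamic ISP address is fine: any
# client holding a cert signed by ca.crt and not listed in crl.pem is accepted.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0   # tunnel subnet handed out to clients (assumed)

# CA and server identity; paths are assumptions
ca   ca.crt
cert server.crt
key  server.key
dh   dh1024.pem                 # 1024-bit was typical in 2004; use 2048+ today
tls-auth ta.key 0               # pre-shared HMAC key: packets without it are dropped
                                # before any TLS work is done

# Revocation. The CRL file is opened again at each client handshake, so
# revoking a user takes effect on the next connection, no restart needed:
#   openssl ca -config openssl.cnf -revoke keys/tony.crt
#   openssl ca -config openssl.cnf -gencrl -out keys/crl.pem
crl-verify crl.pem

# Weak setting, shown only for contrast: it accepts any client that knows the
# tls-auth key, which removes per-user identity and makes revocation moot.
# client-cert-not-required

ns-cert-type client             # a server cert cannot be replayed as a client cert
client-config-dir ccd           # one file per certificate CN (e.g. ccd/tony)
ccd-exclusive                   # a valid cert whose CN has no ccd file is refused,
                                # so only explicitly provisioned users get in
keepalive 10 120
user nobody
group nogroup                   # "nobody" on some distributions
persist-key
persist-tun
verb 3
```

The matching client.conf needs only `client`, `remote <server> 1194`, `nobind`, `ca ca.crt`, the user's own `cert tony.crt` and `key tony.key`, `tls-auth ta.key 1` and `ns-cert-type server`; revoking tony.crt on the CA locks out that one user while every other cert keeps working.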