Re: Need VPN Firewall security advice

From: Anthony Ewell (aewell_at_gbis.com)
Date: 08/22/04


Date: Sun, 22 Aug 2004 14:29:35 -0700

P Gentry wrote:
> Anthony Ewell <aewell@gbis.com> wrote in message news:<2opro7Fdcjj4U1@uni-berlin.de>...
> [snip]
>
>>Hi P.,
>>
>> I should have made it more clear that TightVNC has to
>>traverse OpenVPN to make connection with the other end.
>>I am presuming that OpenVPN will provide enough (encrypted)
>>security. Does this change your evaluation?
>
>
> IMO, for the average (and even above) scenario, it doesn't get much
> better than OpenVPN ;-)
>
>
>> As far as the floating IP's, I have complete control
>>over the firewall. I am a private contractor, not an
>>employee. My customer give me the final say on everything
>>to do with the network. They are dear people -- the ones
>>you want to take very, very good care of. Consequently, I
>>am very, very protective of them. I even have them off
>>of IE and OE (Firebird and Thunderbird are awesome).
>>They have only caught one virus in the seven years I have
>>worked for them! :-)
>>
>> As I stated before, floating IP's through the firewall
>>give me the hives. Since they give all of you the hives as well,
>>they are out. If the other users want VPN access, I will arrange
>>with their ISP's for a fixed address. (My other remote
>>users will love any excuse to upgrade to DSL at
>>their homes. So, it is a win-win situation for me!)
>>
>> I appreciate all of your wisdom and assistance in
>>this matter. :-)
>>
>>--Tony
>
>
> OK, you're already far down the road to setting up a secure solution
> via OpenVPN ;-)
>
> This setup is about as secure as you can reasonably get and will not
> _require_ static IPs for the remote clients -- all authentication is
> user based, not host based. That's the nice benefit of SSL/TLS
> encryption/authentication ;-)
>
> The biggest hassle is the initial setup -- to be expected -- and the
> "ongoing" certificate management. For a reasonably small office this
> shouldn't be too bad.
>

My major concern is theft of the laptop, the key being on
it and all. To cope with this, I am using the password feature
on OpenVPN. (The user is well trained to keep the password
separated from the laptop. The password is also one of
those "nasty" ones, no guessing will break it.)

The idea behind a fixed IP is that a thief would
have to have that exact IP to break in. This would presume he
managed to somehow get the password, as in looking over my
user's shoulder when he is entering it -- most thefts are
from someone you would recognize.

If I were to have IPTABLES allow all VPN IP traffic in, I would
be defeating this safeguard.

But, I may be going to extremes. What is your opinion?

> The setup on your end should give you some idea what sort of
> problems/questions the clients will have when first using the service
> -- after a few goes most people have a good enough grasp to make it
> work just fine ;-)
>
> One nice thing I noticed about the 2.0.x (still beta) version is
> the scalability -- the code layering is much improved. And a benefit
> for you and your client is that cert revocation will allow you to
> disable a user's cert whenever the need arises.
>
> Try this for a quick/concise overview of the security features then go
> on from there:
> http://www.inyotech.com/vpn_infrastructure.php
> the OpenVPN site has lots of goodies.
>
> Also check the net/Google to find some examples of people using
> OpenVPN to tunnel TightVNC -- best to know beforehand before
> traveling too far down that road. And keep in mind that OpenVPN will
> give the remote client and you more "options" than using TightVNC with
> stunnel, say. That may or may not be what you want, but it does
> provide for greater flexibility.
>
> hth,
> prg
> email above disabled
>

-- 
-------------------------
I Fish.  Therefore, I am.
-------------------------
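The fixed-address safeguard Tony describes can also be applied as a detection check on the server rather than only as an iptables rule, so that a stolen laptop cert used from an unfamiliar address is noticed even where remote addresses cannot be pinned down. This is an added example, not code from either poster; it assumes an OpenVPN 2.0 status file in the version 1 "CLIENT LIST" layout, and the sample status text, common names and allow-list addresses are constructed.

```python
"""Flag OpenVPN client certificates used from an unexpected source address.
Parses the OpenVPN 2.0 status file (version 1 "CLIENT LIST" layout); the
sample status text, common names and addresses below are constructed."""

# Public address(es) each client cert is expected to connect from (assumed).
EXPECTED_SOURCES = {
    "tony-laptop": {"203.0.113.5"},
    "office-desktop": {"198.51.100.20"},
}

# Constructed sample of /etc/openvpn/openvpn-status.log
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sun Aug 22 14:29:35 2004
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
tony-laptop,203.0.113.5:34567,1234,5678,Sun Aug 22 14:00:00 2004
office-desktop,192.0.2.77:41000,100,200,Sun Aug 22 14:10:00 2004
ROUTING TABLE
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return [(common_name, source_ip), ...] from the CLIENT LIST section."""
    clients, in_clients = [], False
    for line in status_text.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_clients = True            # header row of the client table
        elif line.startswith("ROUTING TABLE"):
            break                        # end of the client table
        elif in_clients and line:
            cn, real_addr = line.split(",")[:2]
            clients.append((cn, real_addr.rsplit(":", 1)[0]))  # drop port
    return clients


def find_unexpected_sources(status_text, expected=EXPECTED_SOURCES):
    """Return the (common_name, source_ip) pairs that violate the allow-list;
    a cert with no allow-list entry at all is reported too."""
    return [(cn, ip) for cn, ip in parse_client_list(status_text)
            if ip not in expected.get(cn, set())]


if __name__ == "__main__":
    for cn, ip in find_unexpected_sources(SAMPLE_STATUS):
        print(f"ALERT: cert '{cn}' connected from unexpected address {ip}")
```

Run it from cron against the real status file and page on any output; a hit means the cert (and presumably the laptop) is being used from somewhere it never was before, which is the moment to revoke it.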
