Re: Shared drives through a firewall

Thu, 22 Mar 2007 12:40:55 -0800 

Bryan Ponnwitz wrote:

If you're worried about connection security, just use a VPN.  Or better
yet, if the servers are both Win2K or better, use IPSec.  IPSec is
Microsoft's recommended solution for extending domain communications to
another LAN across the Internet.  I've read the KB article on it, but
don't have time to look for it right now.



IPSec/VPN mitigates some of the security issues pertaining to this 
scenario, but it doesn't solve all of the issues, and it raises some of 
its own.



The OP mentioned performance issues - VPNs certainly don't resolve this 
issue, and would almost certainly make it worse, especially on a 
bad/latent connection. Depending upon who the users of this 
infrastructure are and how it's implemented, there are the obvious VPN 
NAT/reliability concerns too.



A badly implemented VPN, or one implemented with equipment not capable 
of packet filtering on VPN traffic (as is common in environments in 
which people consider such nasty things as opening SMB traffic up to the 
internet) would allow clients - albeit authenticated clients - access to 
the entire internal network. Again, depending upon the identity of the 
users of this infrastructure are, this might be highly undesirable.



A VPN or IPSec solution is also going to be harder to support, and 
potentially make you very unpopular with whoever supports third party 
clients when users don't have the rights necessary to configure a VPN, 
install certificates, or setup IPSec (SMB/HTTP/FTP all work as a limited 
user).



They're also very likely to be affected by outbound firewalling on third 
party LANs, too...



In short: I'm not saying that VPNs can't help, you just need to use them 
carefully; they're not a panacea, and they're far from ideal for a range 
of scenarios!


 - James

--
  James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

  "The universe is run by the complex interweaving of three
  elements: Energy, matter, and enlightened self-interest." - G'Kar

 https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--



Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature






















					Reply via email to