On 08/03/2007, at 10:05 AM, Greg Twyford wrote:
> Peter,
> It's a hardware-based IPSEC VPN I'm talking about. The tunnel is
> set up to allow access from the remote to the practice and no
> tunnel back the other way. VNC or PcAnywhere [if remote printing is
> desired] run inside the tunnel. Separate tunnels are set up for each
> machine to be accessed, usually only one or two, as they are left
> running and are on a UPS.
> I'm not sure if the very high number of open ports you mention is
> needed in this scenario. Admittedly the routers in question handle
> this silently, but I thought only one.
A VPN tunnel connects and routes traffic between two or more networks
as if they were on the same LAN. Usually, you will be using the same
IP range for both sides, negating your software firewall (as it is
set to not block LAN traffic).
So a worm like Nimda that can spread through the MS SMB ports (File
and Print Sharing) would just bounce straight through the VPN and
infect everything.
You probably don't have all 65K ports open on your PC, provided it's
XP SP2 or better, but I argue that exposing anything just for the
purpose of remote access is a problem.
Also, if one of the PCs on either network is acting as a router (ICS,
Wireless Ad-Hoc) you don't even know what you are exposed to.
SSH is an elegant solution to this problem. You only need one port
open on a router, and can set it so there is no access to any of the
system except the tunneled connector port for RDP or similar. You can
easily use a secure token and/or instead of a password. Once set up,
the connection is dead easy for the user to operate, etc.
There's a large private hospital in Brisbane that blocks outgoing
VPN, but not SSH. Even if they did, we could run it on any port we
liked (443 for example) to get around that.
The server was fairly tricky to set up on Windows, but that's changed
- COPSSH is a single install package that does the lot for you.
cheers,
Peter.
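As an added illustration (not part of the original thread), the check below audits an OpenSSH sshd_config for the tunnel-only design Peter describes: keys instead of passwords, and a remote-access account that can reach nothing on the practice network except one machine's RDP port. The user name, host address and file paths are constructed assumptions; the directive names (PasswordAuthentication, AllowTcpForwarding, PermitOpen, ForceCommand, Match User) are standard OpenSSH options.

```python
"""Audit an sshd_config for a tunnel-only remote-access user."""
import re

# Constructed sample: hardened config (assumed user name and RDP target).
HARDENED = """
Port 443
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
Match User remoteuser
    AllowTcpForwarding yes
    PermitOpen 192.168.1.10:3389   # only the practice PC's RDP port
    ForceCommand /bin/false        # no shell, tunnel only (ssh -N)
    PermitTTY no
    X11Forwarding no
"""

# Constructed sample: near-default config that exposes far more than RDP.
WEAK = """
Port 22
PasswordAuthentication yes
AllowTcpForwarding yes
"""

def parse_sshd_config(text):
    """Return (global directives, {user: directives}); keys lowercased.
    Directives after 'Match User X' belong to X until the next Match."""
    global_d, per_user = {}, {}
    current = global_d
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments/blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            m = re.match(r"user\s+(\S+)", value, re.I)
            current = per_user.setdefault(m.group(1), {}) if m else {}
            continue
        current[key] = value
    return global_d, per_user

def audit_tunnel_user(text, user, rdp_target):
    """Return findings; an empty list means only rdp_target is reachable,
    no shell is granted and password logins are off."""
    g, users = parse_sshd_config(text)
    u = users.get(user, {})
    eff = lambda key, default: u.get(key, g.get(key, default)).lower()
    findings = []
    if eff("passwordauthentication", "yes") != "no":
        findings.append("password logins still accepted; use keys/tokens")
    if g.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("forwarding is on globally, not just for the tunnel user")
    if eff("allowtcpforwarding", "yes") != "yes":
        findings.append(f"{user} cannot forward at all; the tunnel will not work")
    elif eff("permitopen", "any") != rdp_target.lower():
        findings.append(f"{user} may forward anywhere, not only {rdp_target}")
    if not u.get("forcecommand"):
        findings.append(f"{user} gets a shell on the server, not just a tunnel")
    return findings
```

The matching client side is `ssh -N -p 443 -L 3389:192.168.1.10:3389 remoteuser@<router>` followed by an RDP connection to localhost:3389 (addresses are the same constructed values as above).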
_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk