David Brown wrote on 10/24/2011 02:34 PM:

> Using a VPN is certainly a possibility - our "road warriors" who use a
> laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
> home machine regularly to access everything in the network here. Where
> VPNs are the right solution, they are what we use.

> But I see two disadvantages of VPNs. They give too much access.
> Obviously firewall rules can be added to limit access in some ways, but
> it is somewhere between difficult and impossible to get the right
> balance between security and functionality here. How do I set up
> firewalls that let the user access company files on a server from their
> home machine without also opening these files to whatever malware
> they've installed? I can proscribe rules and regulations for computers
> on the company network, I can monitor them for suspicious behaviour, and
> do regular checks. But I can't do that for people's home computers. I
> can do so on a limited basis for a few users, especially for those with
> company laptops that they use from home or outside, but it is not
> scalable in general.

I can't agree that VPNs give too much access. The way the VPN in pfSense is configured, it gives exactly the amount of access that you allow. Having a VPN connection that allows only connecting to port 5900 on a certain PC is a piece of cake. If you want to offer Samba to your users, you shouldn't really port forward the ports to WAN. Even if you limit the source IP it feels somehow wrong to do it :) But it's more of a general question of whether you want to give them access to Samba or not; the tool you want to use (port forward or VPN) doesn't matter.



> The other disadvantage of a VPN is that we use a lot of specialised
> software - people can't easily install it on their home machines. They
> may also need different sorts of access to different machines - trying
> to get routing and firewalling rules that allow this over a VPN without
> being too permissive is hard.

I didn't clearly describe the solution I proposed: they would still use VNC to work on their work PC. They would just tunnel it through the VPN and have access only to port 5900 on their PC.


> With VNC, both these issues are solved, since they are effectively
> working on their company desktops.


> Obviously running VNC over a VPN would improve the security, since
> everything is encrypted, and it would be possible to set that up. In
> particular, it would be easier to set OpenVPN rules to say only port
> 5900 is allowed, than to try to give all the required firewall rules to
> let users get local access from home machines to the company systems.

Exactly! :-) And it would be a lot easier to configure/expand/maintain/monitor in the future.

> But encrypting VNC over a VPN is not really necessary - it is probably
> easier to use UltraVNC (or any other VNC with encryption built-in). It
> is also not much of a security issue since most employees have the same
> ISP as the company - there is very little possibility of eavesdropping
> or other attacks.

I also use VNC a lot, but personally I wouldn't do it in the "open" via a port forward. There might be some fancy software that offers "encryption", but personally I prefer to tunnel it through a VPN for security reasons. I trust OpenVPN with certificates far more than UltraVNC with "encryption".

Having OpenVPN installed on the home PC really isn't a problem, even for Windows users. You can have ready-to-deploy zip files with the config and the certificates ready for each user. They wouldn't have to remember any passwords, and via the firewall rules you could make sure they only have access to the VNC port.


Vassilis
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
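The per-user bundle and "only port 5900 on their own PC" rule discussed in the reply above, as an added shell example that is not from the thread, from pfSense or from OpenVPN: it inlines the CA, the user certificate and the user key into a single .ovpn (the file you would zip up for the user), pins that certificate's CN to a fixed VPN address with a client-config-dir entry (what pfSense exposes as "Client Specific Overrides"), and emits the one pf rule that address needs. The hostname, the addresses, the `ovpns1` interface name and `topology subnet` on the server are assumptions; the PEM blocks the `demo` function writes are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example (not pfSense/OpenVPN code): build a per-user OpenVPN client
# bundle plus the server-side CCD entry and pf rule that confine that user
# to TCP/5900 on one workstation. Assumes `topology subnet` on the server
# (ifconfig-push then takes "address netmask") and that the pfSense OpenVPN
# server instance is interface ovpns1. Names and addresses are placeholders.
set -eu

# Client profile with CA, certificate and key inlined, so the user gets one
# file and no password to remember (the key itself is the credential).
# $1 user, $2 server host, $3 ca.crt, $4 user.crt, $5 user.key, $6 output
make_client_profile() {
  user="$1"; server="$2"; ca="$3"; cert="$4"; key="$5"; out="$6"
  {
    printf '# OpenVPN client profile for %s\n' "$user"
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server"
    printf 'nobind\npersist-key\npersist-tun\nremote-cert-tls server\nverb 3\n'
    printf '<ca>\n';   cat "$ca";   printf '</ca>\n'
    printf '<cert>\n'; cat "$cert"; printf '</cert>\n'
    printf '<key>\n';  cat "$key";  printf '</key>\n'
  } > "$out"
}

# Server-side client-config-dir entry: the file is named after the
# certificate CN, so this user always gets the same VPN address and a
# firewall rule can be written against it.
# $1 certificate CN, $2 VPN address, $3 ccd directory
make_ccd_entry() {
  cn="$1"; vpn_ip="$2"; ccd_dir="$3"
  mkdir -p "$ccd_dir"
  printf 'ifconfig-push %s 255.255.255.0\n' "$vpn_ip" > "$ccd_dir/$cn"
}

# pf rule: this VPN address may reach VNC on its own workstation and
# nothing else (everything not matched stays blocked by default deny).
# $1 VPN address, $2 workstation address; rule is printed to stdout
make_pf_rule() {
  vpn_ip="$1"; ws_ip="$2"
  printf 'pass in quick on ovpns1 proto tcp from %s to %s port 5900\n' \
    "$vpn_ip" "$ws_ip"
}

# Constructed demo inputs: placeholder PEM blocks, NOT real keys or certs.
# Builds the bundle for user "alice" and prints the working directory.
demo() {
  work="${TMPDIR:-/tmp}/vpn-bundle-demo.$$"
  mkdir -p "$work"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' \
    '-----END CERTIFICATE-----' > "$work/ca.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-ALICE-CERT' \
    '-----END CERTIFICATE-----' > "$work/alice.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-ALICE-KEY' \
    '-----END PRIVATE KEY-----' > "$work/alice.key"
  make_client_profile alice vpn.example.com "$work/ca.crt" \
    "$work/alice.crt" "$work/alice.key" "$work/alice.ovpn"
  make_ccd_entry alice 10.8.0.10 "$work/ccd"
  make_pf_rule 10.8.0.10 192.168.1.50 > "$work/pf-alice.rule"
  printf '%s\n' "$work"
}

# Run as: sh bundle.sh demo
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Because the private key is inlined without a passphrase, possession of the zip is the credential: distribute it out of band, and if a home PC is lost or compromised, revoke that user's certificate on the server rather than relying on the firewall rule alone.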
