David Brown wrote on 10/24/2011 02:34 PM:

Using a VPN is certainly a possibility - our "road warriors" who use a
laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
home machine regularly to access everything in the network here. Where
VPNs are the right solution, they are what we use.

But I see two disadvantages of VPNs. They give too much access.
Obviously firewall rules can be added to limit access in some ways, but
it is somewhere between difficult and impossible to get the right
balance between security and functionality here. How do I set up
firewalls that lets the user access company files on a server from their
home machine without also opening these files to whatever malware
they've installed? I can proscribe rules and regulations for computers
on the company network, I can monitor them for suspicious behaviour, and
do regular checks. But I can't do that for people's home computers. I
can do so on a limited basis for a few users, especially for those with
company laptops that they use from home or outside, but it is not
scalable in general.

I cant agree that VPN's give too much access. The way the VPN in pfsense is configured, it gives exactly the amount of access that you allow. Having a VPN connection that allows only to connect to port 5900 on a certain PC is a piece of cake. If you want to offer samba to your users, you shouldnt really port forward the ports to WAN. Even if you limit the source IP it feels somehow wrong to do it :) But its more of a general question if you want to give them access to samba or not, the tool you want to use (port forward or VPN) doesnt matter.

The other disadvantage of a VPN is that the we use a lot of specialised
software - people can't easily install it on their home machines. They
may also need different sorts of access to different machines - trying
to get routine and firewalling rules that allow this over a VPN without
being too permissive is hard.

I didnt clearly describe the solution I proposed, they would still use VNC to work on their work PC. They would just tunnel it through the VPN and have only access to port 5900 on their PC.

With VNC, both these issues are solved, since they are effectively
working on their company desktops.

Obviously running VNC over a VPN would improve the security, since
everything is encrypted, and it would be possible to set that up. In
particular, it would be easier to set OpenVPN rules to say only port
5900 is allowed, than to try to give all the required firewall rules to
let users get local access from home machines to the company systems.

Exactly! :-) And it would be alot easier to configure/expand/maintain/monitor in the future

But encrypting VNC over a VPN is not really necessary - it is probably
easier to use UltraVNC (or any other VNC with encryption built-in). It
is also not much of a security issue since most employees have the same
ISP as the company - there is very little possibility of eavesdropping
or other attacks.

I also use VNC alot but personally I wouldnt do it in the "open" via a port forward. There might be some fancy software that offers "encryption" but personally I prefer to tunnel it through a VPN for security reasons. I trust OpenVPN with certificates far more than UltraVNC with "encryption".

Having OpenVPN installed on the home PC really isnt a problem, even for Windows users. You can have ready-to-deploy zip files with the config and the certificates ready for each user. They wouldnt have to remember any passwords and via the firewall rules you could make sure they only have access to the VNC port.

List mailing list

Reply via email to