On Sat, 05 Oct 2013 09:27:45 +0200 Jean-Marc Choulet <[email protected]> wrote:
> For now, we use OpenAFS in a VPN tunnel for WAN access. Is it secure
> (or not) to use OpenVPN over WAN without our VPN?

If you use a VPN, it will almost certainly be more secure (and faster, compared to native openafs encryption with 'fs setcrypt').

Whether or not using openafs without a vpn is "secure" depends on your requirements. Native openafs communication can be encrypted with a single-DES session key, so if an attacker can break that DES key, they can impersonate the user for the duration of that session, and only that session. It is known that brute-forcing DES keys is feasible these days, but it does take time and resources (and I believe for this specific attack you'd need to intercept parts of a legit session). For the purposes of this paragraph, a "session" means an AFS token; you get one whenever you 'aklog'.

So, if that sounds like a problem for you, then you probably want to keep your VPN. Any modern VPN system would be using something stronger than DES, and so would be more secure. If you need to encrypt the contents/payload of any openafs communication, the VPN would also be faster, since more modern crypto algorithms are almost all faster than the algorithm that openafs currently uses (known as "fcrypt"; similar to DES), in addition to being stronger.

-- 
Andrew Deason
[email protected]
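The reply above turns on one client-side setting: whether native OpenAFS encryption ('fs setcrypt') is on at all for hosts that reach AFS over the WAN without a VPN. The following audit script is an added example and is not code from the mailing-list thread or from the OpenAFS project; it assumes that `fs getcrypt` prints "Security level is currently crypt." when encryption is on and "Security level is currently clear." when it is off, and the sample lines at the bottom are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or OpenAFS itself): report
# whether the OpenAFS client has native encryption enabled, for machines
# that talk to AFS over a WAN without a VPN.
# Assumption: `fs getcrypt` prints "Security level is currently crypt."
# when on and "Security level is currently clear." when off.

# Classify one line of `fs getcrypt` output: prints "on", "off" or "unknown".
afs_crypt_state() {
    case "$1" in
        *"currently crypt"*) echo on ;;
        *"currently clear"*) echo off ;;
        *)                   echo unknown ;;
    esac
}

# Run the real command if the OpenAFS client tools are installed.
# Exit status: 0 = encryption on, 1 = traffic in the clear, 2 = cannot tell.
audit_afs_crypt() {
    if ! command -v fs >/dev/null 2>&1; then
        echo "fs not found: OpenAFS client tools are not installed" >&2
        return 2
    fi
    state=$(afs_crypt_state "$(fs getcrypt 2>&1)")
    case "$state" in
        on)
            echo "OpenAFS native encryption (fcrypt, DES-strength) is ON"
            return 0 ;;
        off)
            echo "WARNING: AFS traffic is sent in the clear; run 'fs setcrypt on' or keep the VPN" >&2
            return 1 ;;
        *)
            echo "Unrecognised 'fs getcrypt' output: $state" >&2
            return 2 ;;
    esac
}

# Constructed sample lines so the classifier can be exercised offline.
afs_crypt_state "Security level is currently crypt."
afs_crypt_state "Security level is currently clear."
```

Call `audit_afs_crypt` from a configuration-management check or a login script; a non-zero status flags a client that relies on the VPN for any confidentiality at all. Note that "on" only means fcrypt is in use, which, as the reply explains, still leaves the single-DES session key exposed to brute force.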
