On 10/19/10 1:33 PM, Ted Roche wrote:
> On Tue, Oct 19, 2010 at 3:48 PM, Paul McNett<[email protected]>  wrote:
>
>> I use VNC over OpenVPN tunnel.
>
> I've always meant to get around to trying out OpenVPN. It's easy
> enough for me to set up PuTTY and VNC and get it working, but it's not
> something to hand to a civilian. A VPN (Virtual Private Network) means
> that your machine effectively is attached to the remote network as if
> it was physically plugged in. There are some real security
> implications: a firewall set up as a perimeter defense doesn't work
> for the remote LAN, and your own machine needs to be protected from
> whatever is roaming around the client's LAN. (I had a client a few
> years ago who experimented with some extremely dangerous technologies;
> occasionally something would get loose on their LAN. I declined their
> invitation to set up a VPN connection ;)

Each office (main in Hollister CA and the remote offices) has a Linux shorewall firewall with 3 interfaces: wan, lan, and vpn. The firewall controls what type of traffic comes and goes on each interface.

For the road-warriors, I explicitly lock down almost everything except what they need to function.

There are also users that want to work from home from their personal computers that I have no control over. So I go to their house, install the OpenVPN client service and set up the keys, and install VNC Viewer, and then I SSH into the firewall to lock down everything except the VNC port.

Sure, there are still security implications (laptop getting stolen and person hacks into the vpn before I can shut down the key, for instance), but practically I am in complete control of everything from my humble home office.

> That can be a problem with clients "dialing-in" (who has a dial, any
> more?) from home: their machine at home is now plugged into the office
> LAN. The home PC is often shared among the family, and the chances
> that it's well maintained and free of malware is a real concern.

Their default gateway (0.0.0.0) won't route through the vpn, unless you wanted to configure it that way, and the perimeter firewall at the office only allows expected port(s) from expected client(s) through.

> The disadvantage is an advantage, too: if you're using the Windows LAN
> Manager protocols, you can search out their file servers and printer
> and access the local resources you need in-house.

It is convenient.

Paul
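An added illustration (editor's example, not Paul's actual configuration) of the setup described in this message: a three-zone shorewall firewall that drops everything arriving from the tunnel except VNC to one desktop, and an OpenVPN server that hands each client a fixed tunnel address (so a firewall rule can name it), pushes a route for the office LAN only rather than a default route, and refuses revoked certificates. Interface names (eth0/eth1), the 192.168.1.0/24 office LAN, the 10.8.0.0/24 tunnel range, the client name "alice" and the desktop address 192.168.1.20 are all assumed values chosen for the example.

```conf
# --- /etc/shorewall/zones ---
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

# --- /etc/shorewall/interfaces ---
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        detect
# Every OpenVPN tunnel device (tun0, tun1, ...) lands in the vpn zone.
vpn     tun+        -

# --- /etc/shorewall/policy ---
# Default: nothing from the Internet or from the tunnel gets in unless a
# rule below explicitly allows it. Order matters; first match wins.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
vpn     all     DROP    info
all     all     REJECT  info

# --- /etc/shorewall/rules ---
#ACTION     SOURCE              DEST                PROTO   DEST PORT(S)
# Remote clients may reach the OpenVPN daemon on the firewall itself.
ACCEPT      net                 $FW                 udp     1194
# Home user "alice" (fixed tunnel address from the ccd file below) may only
# reach the VNC server on her own office desktop. Nothing else from the
# home PC crosses into the LAN, whatever else is running on it.
ACCEPT      vpn:10.8.0.6        loc:192.168.1.20    tcp     5900
# Road warriors get a separate address block and a separate, narrow rule
# (here: SMB to one file server). Assumed addresses.
ACCEPT      vpn:10.8.0.16/28    loc:192.168.1.5     tcp     445

# --- /etc/openvpn/server.conf (relevant lines only) ---
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
topology subnet
# Each client gets the fixed address named in its ccd file; clients
# without a ccd file are refused, so no client can land outside a rule.
client-config-dir /etc/openvpn/ccd
ccd-exclusive
# Push a route for the office LAN only. "redirect-gateway" is deliberately
# NOT pushed, so the home PC's default route stays with its own ISP.
push "route 192.168.1.0 255.255.255.0"
# A revoked certificate (stolen laptop) is rejected at connect time once
# it is listed in the CRL; no firewall change is needed to cut it off.
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key 0
# "client-to-client" is intentionally absent: tunnel clients cannot
# talk to each other, only to what the firewall rules allow.

# --- /etc/openvpn/ccd/alice ---
# Fixed tunnel address for the client whose certificate CN is "alice"
# (address and netmask form, because the server uses "topology subnet").
ifconfig-push 10.8.0.6 255.255.255.0
```

Two things this depends on: the office LAN hosts must have a route back to 10.8.0.0/24 via the firewall (trivially true if the firewall is already their default gateway), and the shorewall source match only means something because OpenVPN pins each certificate to one tunnel address; if addresses were handed out from the pool instead, a per-client rule could not be written.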

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox