tbenson@... Benson) 28.04.04 11:47
>To go a step further, Virtual PRIVATE Networks are intended to connect
>trusted networks or hosts.
>If you do not trust the network or host you have connecting,
>it shouldn't be connected through a VPN,
What else should I use?
>this gives access to the web administration port of ipcop,
>unless you lock down the range of the internal network.
>In general you don't have VPN connections for untrusted clients,
Imagine a road warrior, several days on a journey,
connecting his notebook to every customer's net,
going to every bad web page using his free, unfiltered internet access...
"Normally" when that guy comes back from his journey, his notebook
goes into quarantine; all trojans, worms and viruses are removed there
before he is allowed to connect to the company's net. (I saw
"live" what happens if a worm-infected notebook is plugged into
a bigger company's network, where nobody had patched their PCs to a
current state, because they are "secure" behind 2 cascaded fw-1 firewall
appliances, strong mail filtering etc....)
But with VPN he is allowed to connect his dirty notebook directly
to the green company LAN?
I think a VPN is a replacement for a "dedicated leased line"?
On a typical, conventional leased line you (mostly) have a router
on each end.
With those routers, or rather their packet filters, you can fine-tune
very easily what the other end of the leased line can access and what not.
>you set up a firewall rule and port forwarding, and let them access the
>individual service and/or services they require. If you had to stack
>IPCops to block additional traffic, I think you chose the wrong
>solution in VPN to provide access to the remote students or users.....
And what other solution can be used?
Sometimes it is not sufficient just to copy the information
to a web server in orange to make it available for the rw.
Sometimes it is required to connect a totally stupid old computer
(which can't be hardened) via telnet(!) or VNC from outside to
manipulate it or to see what the user is really doing.
There is no way to install a personal firewall on the PC on
green. Also, it is not wise to port-forward telnet or VNC to the
real internet, because they are "clear text".
A very restricted way would be ssh tunnels.
It also has the advantage that dynamic IPs are no problem.
But it is very complicated to handle, because there is no DNS
supporting you: all services are mapped to 127.0.0.1 on the road warrior's
PC on several ports. 127.0.0.1:12678, was it the internal marketing
webserver or was it the development documentation webserver?
If the tunnels are made "reverse", no server must be run at the
home site, and the sshd on the notebook may be tcp-wrapped
to the fixed home IP. All configurations are done on the home site;
the notebook only has to carry the public ssh key of the home site.
The home site exactly defines what the rw can access.
Also it is possible to tunnel servers from totally different network parts
to the notebook, which is not possible with the current IPCop VPN (except
when making a dedicated GRE tunnel).
But: for UDP you have to implement an extra tunnel.
And: tunneling TCP through TCP through TCP is not good for performance
in the case of bad connection conditions (packet loss).
There is no free lunch?
<=====>--------------ocholl, Kiel, Germany ------------
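The reverse-tunnel setup the post describes (home site connects out to the notebook, notebook's sshd pinned to the fixed home IP, loopback ports on the notebook mapped to green services), written out as an added example that is not part of the original mail. HOME_IP, ROADWARRIOR and the service table are constructed placeholders; the key restrictions assume OpenSSH 7.8 or newer.

```shell
#!/bin/sh
# Reverse ssh tunnels from the home site to a road warrior's notebook.
# Added example, not from the original post. HOME_IP, ROADWARRIOR and the
# service table are constructed placeholders.

HOME_IP="192.0.2.10"             # fixed address of the home site
ROADWARRIOR="notebook.example"   # wherever the notebook is today

# One line per service: loopback port on the notebook, target on green,
# and a label so "127.0.0.1:12678" is no longer a guessing game.
SERVICES='12678 marketing-www.green.lan:80 marketing-webserver
12679 devdoc.green.lan:80 development-docs
12680 oldbox.green.lan:23 legacy-telnet
12681 oldbox.green.lan:5900 legacy-vnc'

# One -R option per service, all bound to the notebook's loopback so the
# tunnel endpoints are not reachable from whatever LAN it is plugged into.
reverse_forward_args() {
    printf '%s\n' "$SERVICES" | while read -r lport target _label; do
        printf ' -R 127.0.0.1:%s:%s' "$lport" "$target"
    done
}

# The cheat sheet the road warrior keeps next to the browser.
port_map() {
    printf '%s\n' "$SERVICES" | while read -r lport target label; do
        printf '127.0.0.1:%s -> %s (%s)\n' "$lport" "$target" "$label"
    done
}

# authorized_keys line for the notebook's sshd: the home site's key may only
# be used from HOME_IP, gets no shell, and may only open reverse forwards on
# the listed loopback ports (a hosts.allow entry "sshd: HOME_IP" is the
# tcp-wrapper counterpart of from=).
authorized_keys_line() {
    listen=""
    for lport in $(printf '%s\n' "$SERVICES" | awk '{print $1}'); do
        listen="$listen,permitlisten=\"127.0.0.1:$lport\""
    done
    printf 'from="%s",restrict,port-forwarding%s PUBKEY-OF-HOME-SITE-PLACEHOLDER\n' \
        "$HOME_IP" "$listen"
}

# Run at the home site: no remote command, abort if a port cannot be bound,
# keepalives so a dead mobile link is noticed instead of hanging forever.
run_tunnel() {
    ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        $(reverse_forward_args) "rw@$ROADWARRIOR"
}
```

Call `authorized_keys_line` once to produce the notebook's authorized_keys entry, then `run_tunnel` from the home site whenever the road warrior needs access; `port_map` prints the port-to-service table for him.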