On 11/4/10 7:15 AM, Ross Walker wrote:
>
>> Those of us in the antipodes have a whole different reason for wanting
>> VPN connections to such insecure points as "shared hosting" or VPS
>> systems.
>
> I don't have to encrypt from my government, but I am required to encrypt all communication channels by my government, so this is all done over SSL/TLS or using a protocol's native encryption.
>
> When I say VPN I'm specifically talking about protocols that extend the internal routable network to the client PC.
>
> If the client PC was set up in a split pipe setup it would be like running your corporate LAN with either no firewall or a consumer-level firewall product with questionable administration.

Things really aren't that simple, though. The big risk is not so much that an outside source will be able to route directly through the connection, because most remote endpoints would be behind NAT, have an OS-level firewall, and not be configured for routing anyway. The more likely scenario is that the remote is corrupted by some sort of trojan/virus malware which can make its own outbound connections or collect data to transmit later - and the problem is that this can occur at any time prior to the VPN connection. It also isn't limited to VPNs - the same thing can happen when laptops are connected to the LAN, or if you insert any removable media, execute email attachments, browser plugins, etc., etc. And browser plugins can even subvert what you are doing over SSL. You probably permit outbound HTTPS connections, and there's not much you can do to monitor them.

> You can filter within the VPN which protocols are passed but then at this point wouldn't it be better to do this at the firewall anyways?

How much can you filter once all your connections are using SSL? And of course you are still assuming that the bad guys are on the other side of your firewall, when statistics show otherwise.
-- 
Les Mikesell
lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
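To make the two configurations the thread argues about concrete, here is an added example that is not part of the mailing list exchange and not taken from either poster or from the CentOS project. It assumes a hypothetical OpenVPN concentrator whose clients land on tun0 in 10.8.0.0/24, an internal LAN of 192.168.10.0/24 with a DNS server at 192.168.10.5 and one web application at 192.168.10.20; all of those names and addresses are assumptions. The first function prints the server-side push directives for a "split pipe" client (default route stays on the client's local network) beside a full-tunnel client (default route pulled through the VPN); the second prints the iptables FORWARD rules that limit what either kind of client can reach once it is on the tunnel. Nothing is applied unless you pipe the rule output through sh as root.

```shell
#!/bin/sh
# Added example, not from the thread. All interface names, networks and
# hosts below are hypothetical; adjust them to the real concentrator.
VPN_IF=tun0
VPN_NET=10.8.0.0/24
LAN_NET=192.168.10.0/24          # a /24; the route mask below matches it
DNS_HOST=192.168.10.5
APP_HOST=192.168.10.20

# OpenVPN server.conf fragment.
#   split: only the LAN route is pushed; the client keeps its own default
#          route, so its Internet traffic never crosses the corporate firewall.
#   full : the client's default route is redirected into the tunnel and it
#          is told to use the internal resolver (block-outside-dns is a
#          Windows-only directive and is ignored elsewhere).
openvpn_push_lines() {
    case "$1" in
        split)
            echo "push \"route ${LAN_NET%/*} 255.255.255.0\""
            ;;
        full)
            echo 'push "redirect-gateway def1 bypass-dhcp"'
            echo "push \"dhcp-option DNS ${DNS_HOST}\""
            echo 'push "block-outside-dns"'
            ;;
        *)
            echo "usage: openvpn_push_lines split|full" >&2
            return 1
            ;;
    esac
}

# iptables rules for the concentrator's FORWARD chain. Whatever routes the
# client was pushed, only the listed destination/port pairs pass from the
# tunnel into the LAN; replies come back via the conntrack rule; everything
# else is rate-limited to the log and dropped. This filters by address and
# port only: it cannot see inside the TLS sessions it lets through.
vpn_forward_rules() {
    cat <<EOF
iptables -N VPN_IN 2>/dev/null || iptables -F VPN_IN
iptables -D FORWARD -i ${VPN_IF} -j VPN_IN 2>/dev/null
iptables -I FORWARD 1 -i ${VPN_IF} -j VPN_IN
iptables -D FORWARD -o ${VPN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
iptables -I FORWARD 1 -o ${VPN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_IN -m conntrack --ctstate INVALID -j DROP
iptables -A VPN_IN -s ${VPN_NET} -d ${DNS_HOST} -p udp --dport 53 -j ACCEPT
iptables -A VPN_IN -s ${VPN_NET} -d ${APP_HOST} -p tcp --dport 443 -j ACCEPT
iptables -A VPN_IN -s ${VPN_NET} -d ${LAN_NET} -p icmp --icmp-type echo-request -j ACCEPT
iptables -A VPN_IN -m limit --limit 5/min -j LOG --log-prefix "vpn-drop: "
iptables -A VPN_IN -j DROP
EOF
}

# Stand-alone use: `sh vpn-filter.sh split` or `sh vpn-filter.sh full`
# prints the directives and rules; `vpn_forward_rules | sh` applies them.
if [ -n "${1:-}" ]; then
    openvpn_push_lines "$1" && vpn_forward_rules
fi
```

The push lines decide whether the client's non-corporate traffic is exposed to the corporate firewall at all; the FORWARD rules decide what the client can touch inside. Neither addresses the point made in the reply above: a client compromised before it connects is inside the allowed set either way, and the rules only see that it spoke TLS to the permitted host on port 443, not what it said.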