[CentOS] Pptp vpn server

Thu Nov 4 13:13:46 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 11/4/10 7:15 AM, Ross Walker wrote:
>
>> Those of us in the antipodes have a whole different reason for wanting
>> VPN connections to such insecure points as "shared hosting" or VPS
>> systems.
>
> I don't have to encrypt from my government, but I am required to encrypt all communication channels by my government, so this is all done over SSL/TLS or using a protocol's native encryption.
>
> When I say VPN I'm specifically talking about protocols that extend the internal routable network to the client PC.
>
> If the client PC was set up in a split pipe setup it would be like running your corporate LAN with either no firewall or a consumer level firewall product with questionable administration.

Things really aren't that simple, though. The big risk is not so much that an 
outside source will be able to route directly through the connection because 
most remote endpoints would be behind NAT, have an OS level firewall, and not be 
configured for routing anyway.  The more likely scenario is that the remote is 
corrupted by some sort of trojan/virus malware which can make its own outbound 
connectons or collect data to transmit later - and the problem is that this can 
occur at any time prior to the vpn connection.  It also isn't limited to vpns - 
the same thing can happen when laptops are connected to the LAN or if you insert 
any removable media, execute email attachments, browser plugins, etc., etc.  And 
browser plugins can even subvert what you are doing over ssl.  You probably 
permit outbound https connections and there's not much you can do to monitor them.

> You can filter within the VPN which protocols are passed but then at this point wouldn't it be better to do this at the firewall anyways?

How much can you filter once all your connections are using ssl?  And of course 
you are still assuming that the bad guys are on the other side of your firewall 
when statistics show otherwise.

-- 
   Les Mikesell
    lesmikesell at gmail.com