["Followup-To:" header set to comp.os.linux.security.]
On 2010-01-25, Greg Russell <(E-Mail Removed)> wrote:
> We have an iptables firewalling router setup here that is working well,
> as we've stress-tested it from external sites using all the attack tools
> we can find.
>
> We have several users that are "on the road" and require connectivity
> from various sites such as motels, coffeehouses, airports and dialup to
> various ISPs. We'd like to have a secure tunneling connection for these
> users, and we'd like to ask what might be a viable solution that works
> for all these various connection points?
>
> By viable I mean that even username and password wouldn't be sniffable
> during connection initiation.
All three, SSH (v2), IPsec (Openswan is a good choice indeed; ipsec-tools
is pretty crappy in configuration) and OpenVPN are viable according to
your definition.
SSH would be the least problematic: it's just a single TCP port to be
enabled (and the port could be stolen from HTTPS, which is pretty
commonly passed through firewalls), and would work ideally for me, a Linux
admin. But would it be as simple for your users?
IPsec in the Openswan implementation is simple to configure once you manage
to understand IPsec itself (and that can be difficult). You need to
consider the other side of the connection, though, and if it's Windows, you
may need to do some more setup. But as it is a VPN, your users will see
resources as if they were connected directly to your network. One
more thing: IPsec requires some non-standard setup for NATs. If you
don't know IPsec yet, don't use it now and save yourself a headache.
OpenVPN is a bit more troublesome to prepare a configuration file for than
Openswan (not too much, though, if you know IP networks well), but it
needs just a single port (UDP or TCP, you choose) and still gives you
a VPN.
If your users are experienced un*x users, I'd stay with SSH. If they're
just clerks and/or management, I'd go for OpenVPN.
--
Secunia non olet.
Stanislaw Klekot
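As an added example (not part of the original thread), here is a minimal OpenVPN server/client pair for the road-warrior case the reply recommends: one UDP port through the firewalling router, certificate-based TLS, and the username/password exchange carried inside the TLS control channel, so nothing is sniffable at the motel or coffeehouse. The host name, file paths, LAN range and PAM plugin path are assumptions.

```conf
# --- server.conf (on the firewalling router) ---
port 1194                                  # the single port to open on the router
proto udp
dev tun
ca   /etc/openvpn/ca.crt                   # assumed paths; issue certs with your own CA
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0             # HMAC on every control packet; unsigned junk is dropped
                                           # before the TLS handshake, which blunts port scans/DoS
server 10.8.0.0 255.255.255.0              # pool handed out to road-warrior clients
push "route 192.168.1.0 255.255.255.0"     # assumed internal LAN reachable through the tunnel
keepalive 10 120                           # keeps NAT mappings alive on hotel/airport networks
cipher AES-256-CBC
# Username/password on top of the client cert. The credentials are sent only
# after TLS is established, so they never cross the wire in the clear.
# Plugin path is an assumption; it differs per distribution.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
user nobody                                # drop privileges once the tunnel is up
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# --- client.ovpn (laptop on the road) ---
client
dev tun
proto udp
remote vpn.example.org 1194                # assumed public name of the router
nobind
resolv-retry infinite
remote-cert-tls server                     # refuse a peer whose cert is not marked as a server,
                                           # so a rogue client cert cannot impersonate the VPN
ca   ca.crt
cert laptop.crt
key  laptop.key
tls-auth ta.key 1                          # must match the server's key direction (0/1)
auth-user-pass                             # prompt for username/password inside the TLS channel
cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

The router's iptables policy additionally needs to accept inbound UDP 1194 and forward traffic from the tun interface to the LAN; switching `proto` to tcp on both sides is all that changes if a site only lets TCP out.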