"John H. Gause" <jgause@xxxxxxxxxxxxxxxxxxxx> said:

> Good day all and TIA,
> I have a situation where I would like to discontinue using IPSEC to
> create tunnels to our clients' firewalls to monitor their servers.
>
> I would like to have the ability to assign clients' IP addresses when
> connecting to our monitoring service (since just about every small
> network uses the 192.X.X.X or similar) and for the clients to use their
> own DNS or local gateway for internet access (not saying that is the
> case with us).
> I would like the ability to have different keys for each client.
>
> I would really like to use this product versus buying a Cisco VPN
> concentrator and their VPN (MTU) client. Sorry, not a big Cisco fan :-)
> Thanks
> PS How good is the security of this product?

So far OpenVPN's security model has stood up fairly well to critical scrutiny. A number of crypto experts have looked at the code (Peter Gutmann, for example) without finding any exploitable vulnerabilities.

The security model is based on SSL/TLS for initial authentication and IPSec's ESP protocol for datagram security.

One thing that I like to emphasize is that OpenVPN takes a multi-tier approach to security to protect against the failure of one level causing a catastrophic security breach. For example, consider an OpenVPN connection using SSL/TLS + the --tls-auth option.

(1) The --tls-auth option creates an "HMAC firewall" on OpenVPN's receiving port, protecting against buffer overflow vulnerabilities that might exist in the downstream SSL/TLS code in OpenSSL and related libraries. This prevents an attacker from even beginning a TLS/SSL negotiation, and means that recent OpenSSL security advisories were unexploitable if OpenVPN was being used with --tls-auth.
(2) OpenVPN has several options, including --user, --group, and --chroot, to lock down the OpenVPN process into an unprivileged state, so that if some vulnerability led to a code insertion exploit, the exploit would be contained and unable to elevate its privilege to root.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
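As an added example (not part of the original thread, and written for the OpenVPN 2.x server mode that postdates this 2003 message), the following server configuration layers the two controls James describes: the --tls-auth HMAC check that sits in front of the TLS handshake, and --user/--group/--chroot to drop privileges after startup. It also covers the original question: a fixed address per client from a pool that does not collide with the clients' own 192.168.x.x LANs, a separate certificate and key per client, and no redirect-gateway so clients keep their own default route and DNS. All file paths, the 10.8.0.0/24 pool and the client name are assumed placeholders.

```conf
# server.conf (added example; not from the original thread)
port 1194
proto udp
dev tun
topology subnet

# Tier 1: a private CA for the monitoring service. Every client gets its own
# certificate and key signed by this CA, so each client has different keys and
# a single client can be revoked without touching the others.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem

# Tier 2: the "HMAC firewall". Every control-channel packet must carry an HMAC
# computed with the shared ta.key; packets that fail the check are dropped
# before any TLS code runs, so an unauthenticated peer cannot reach a bug in
# the TLS stack. The server uses key direction 0, every client direction 1.
tls-auth /etc/openvpn/ta.key 0

# Tier 3: drop privileges once the tun device is up and the keys are loaded.
user   nobody
group  nogroup
chroot /var/empty/openvpn
persist-key   # keys are read before setuid/chroot and kept in memory
persist-tun   # keep the tun device open across restarts (no root needed)

# Address pool for the monitoring VPN, chosen not to overlap the clients' LANs.
server 10.8.0.0 255.255.255.0

# Per-client settings, keyed by the client certificate's common name. These
# files are read at connect time, i.e. after chroot, so the path is relative
# to the chroot directory (/var/empty/openvpn/ccd on the real filesystem).
client-config-dir /ccd

# Deliberately no "push redirect-gateway": clients keep their own default
# route and DNS, and only traffic for 10.8.0.0/24 enters the tunnel.

keepalive 10 120
verb 3
```

The per-client file /var/empty/openvpn/ccd/<client-cn> (assumed path) holds a single line such as `ifconfig-push 10.8.0.10 255.255.255.0`, which pins that client to a fixed address with the subnet topology above. The ta.key is generated once on the server with `openvpn --genkey --secret ta.key` (OpenVPN 2.0 to 2.4; 2.5 and later use `openvpn --genkey secret ta.key`) and copied to each client, which references it as `tls-auth ta.key 1`. The chroot directory must exist and be writable by nobody, and anything OpenVPN opens after startup (the ccd directory, a CRL, status or log files) has to live inside it.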