On Sun, Apr 11, 2004 at 12:35:33PM +0200, Mathias Sundman wrote:
> On Sun, 11 Apr 2004, Alberto Gonzalez Iniesta wrote:
>
> > On Sun, Apr 11, 2004 at 12:32:14AM -0500, Tom Barcellona wrote:
> > >
> > > > The only feature I'm still missing is either a built-in firewall in
> > > > the windows client, or maybe preferably a way to control an existing
> > > > firewall software from OpenVPN.
> > >
> > > That would be a nice feature, but it's starting to move outside the realm
> > > of OpenVPN. There are some commercial "SSL vpn" boxes that have that
> > > feature, but no open source ones as of yet. (google for "ssl vpn" to see
> > > a few of them) I don't know what James thinks of this.
> >
> > IMHO That's completely out of the scope of the VPN software. And that
> > would only add complexity (thus bringing insecurity) to OpenVPN.
>
> I agree it's starting to move outside the realm of OpenVPN, that's why I
> said "preferably a way to control an existing firewall software". That I
> don't think is taking OpenVPN too far.
>
> > The firewall rules should be handled by the firewall software, which
> > should have nothing to do with the VPN software or the office suite.
>
> So you don't see any point in being able to verify that a VPN client has
> a specific firewall rule-set applied before allowing him access to the
> protected network?
>

Right, there's NO point in the *VPN* verifying the *firewall*.

The VPN HAS TO verify that the incoming connection is from an allowed IP.
The VPN HAS TO authenticate the client ID.
The VPN HAS TO allow remote (authorized) clients access to the local
network. (That's its main goal after all).

But...
The VPN cannot check if the firewall is up & running.
The VPN cannot check if the rules for the incoming connection are set
and in place.
The VPN cannot check if those rules have SENSE.
The VPN cannot check if the remote client is smart enough to fool the
firewall.

Those are all jobs of the firewall and its admin.

But that's just my point of view :)

-- 
Alberto Gonzalez Iniesta | BOFH excuse #395:
agi@(agi.as|debian.org)  | Redundant ACLs.
Encrypted mail preferred |

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users