Re: [Openvpn-users] OT: Corporate VPN policy



Scott Merrill wrote:
> Hi everyone.
>
> How are others mitigating this concern? The best we've been able to come up with so far is to provide static IPs to our remote users, and restrict incoming VPN connections to those static IPs.

I only give VPN access to those that demonstrate a need for it. Of those people, I've firewalled the TUN adaptor to restrict access to certain machines and services, but this isn't going to stop users doing naughty things; it's to limit the damage that can be done if a certificate is compromised. I give authorised users as much access as they need to the resources they're authorised to access. I can't afford to do the static IP thing as people connect from hotels, cafes and airports.


Of course, this isn't really a technology issue, it's a human issue. If there are secrets worth protecting, make all staff sign a wide-ranging NDA. If they have already, then make an example of the first person to break it by burying them in lawyers (or soft peat) for 4 years. It's all you can do against employees misusing data they're allowed to see.

If your managers don't understand, ask them how exactly you can give remote access to someone without giving them remote access. Are they made to shut their eyes while they're working in the office? (If they reply "Technical details are your job, sonny." then just jump out of the window now, save yourself a lot of pain. :) )

To protect against _unauthorised_ people jumping your VPN, use the SSL/TLS stuff, educate your users on strong passphrases and on not leaving laptops unattended, put the keys+certs on USB pen drives, rotate certs every month or two, and so on...

Terry.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
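The two controls discussed in this thread, Terry's per-client firewalling of the TUN interface and Scott's allow-list of static source addresses for the VPN port itself, as an added example that is not part of the original messages or of OpenVPN's own scripts. It assumes the VPN interface is tun0, OpenVPN listens on UDP 1194, and each client is pinned to a fixed VPN address (for example via client-config-dir and ifconfig-push) so that FORWARD rules can key on the client's source address. The client ACL and the public addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates iptables rules that
# (a) allow each VPN client to reach only the hosts/services it is authorised
# for, dropping and logging everything else that arrives on the tun interface,
# and (b) optionally accept the OpenVPN port only from an allow-list of
# public source addresses. All names and addresses below are assumptions.

TUN_IF="${TUN_IF:-tun0}"        # assumed VPN interface
VPN_PORT="${VPN_PORT:-1194}"    # assumed OpenVPN listening port (UDP)
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the commands, 0 = execute them

# Constructed ACL: one client per line, "<vpn-ip> <host>:<proto>/<port>[,...]".
# The vpn-ip must match what ifconfig-push hands to that certificate's CN.
ACL='
10.8.0.10 192.168.1.20:tcp/22,192.168.1.20:tcp/443
10.8.0.11 192.168.1.30:tcp/3389
'

# Constructed allow-list of public addresses clients may connect from
# (Scott's static-IP approach). Leave empty to accept from anywhere.
ALLOWED_SRC="203.0.113.10 198.51.100.7"

# Print or run one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit one ACCEPT per (client, host, proto, port) for a single ACL line.
# $1 = client VPN address, $2 = comma-separated host:proto/port list
client_rules() {
    vpn_ip=$1
    for entry in $(printf '%s\n' "$2" | tr ',' ' '); do
        host=${entry%%:*}
        proto=${entry#*:}; proto=${proto%%/*}
        port=${entry##*/}
        ipt -A VPN_FWD -i "$TUN_IF" -s "$vpn_ip" -d "$host" \
            -p "$proto" --dport "$port" -j ACCEPT
    done
}

# Build the tun ruleset: a dedicated chain for traffic entering from the VPN,
# return traffic for established flows, the per-client allows, then a logged
# default DROP so a stolen certificate only reaches what its owner could.
gen_rules() {
    ipt -N VPN_FWD
    ipt -A FORWARD -i "$TUN_IF" -j VPN_FWD
    ipt -A FORWARD -o "$TUN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "$ACL" | while read -r vpn_ip dests; do
        [ -n "$vpn_ip" ] || continue
        client_rules "$vpn_ip" "$dests"
    done
    ipt -A VPN_FWD -j LOG --log-prefix "vpn-denied: "
    ipt -A VPN_FWD -j DROP
}

# Restrict who may even talk to the OpenVPN port. With an empty allow-list the
# port is open to all sources (Terry's hotel/cafe/airport case).
port_rules() {
    if [ -n "$ALLOWED_SRC" ]; then
        for src in $ALLOWED_SRC; do
            ipt -A INPUT -p udp --dport "$VPN_PORT" -s "$src" -j ACCEPT
        done
        ipt -A INPUT -p udp --dport "$VPN_PORT" -j DROP
    else
        ipt -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
    fi
}

# Usage: review the output with DRY_RUN=1 (default), then DRY_RUN=0 to apply.
port_rules
gen_rules
```

The chain is created fresh, so on a host that already has a VPN_FWD chain flush it first; and because the rules key on the client's VPN address, the restriction is only as strong as the binding between certificate and address, which is why the ACL's addresses must come from ifconfig-push rather than from the dynamic pool.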

