Re: [Openvpn-users] OpenVPN client security checks

[Jon Bendtsen <jon.bendtsen@xxxxxxxxxx>]

Den mandag 2.jan kl. 17:08 skrev John A. Sullivan III:

> On Mon, 2006-01-02 at 16:06 +0100, Jon Bendtsen wrote:
> > Den mandag 2.jan kl. 14:18 skrev John A. Sullivan III:
> >
> > > Hello, all.  I was fascinated to see a reference to using NMAP in  
> > > the
> > > client scripts.  It sounds like we have the opportunity to do some
> > > sort
> > > of end point security check before allowing connections.  That
> > > would be
> > > a powerful alternative to some of the proprietary SSL solutions.
> > >
> > > However, I can also see all sorts of shortcomings.  For example,  
> > > if we
> > > check for open ports and the client is behind a NAT firewall which
> > > also
> > > protects public servers on a DMZ, I would imagine we would show  
> > > false
> > > positives.
> >
> > Why not just check both the outside of the tunnel and the inside, and
> > then
> > compare the results?
> <snip>
> If we do that, we could simply test inside the tunnel but do we have
> access to test inside the tunnel before we have finalized the  
> tunnel? In
> other words, if the purpose of this test is to see if it is safe to
> allow the user to establish a tunnel, how do we check the inside  
> before
> we allow the tunnel?
>
> The address is accessible in the client-connect script.  Can we  
> actually
> send traffic to it before that script has concluded? Thanks - John

No, i dont think you can do that, but using the management interface you
can disconnect a client. And since you already do a firewall, i would  
simply
just install a firewall that only enables you to scan the client.  
Then decide if
the client is safe or not, and either disconnect the client or lift  
the firewall such
that the client from the inside of the tunnel has what ever access  
you want it
to.


JonB

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users