
[Openvpn-users] Re: locking XP client down

  • Subject: [Openvpn-users] Re: locking XP client down
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Wed, 24 Nov 2004 16:04:36 -0600

The problem as a whole (VPNned clients adding new entrypoints, and thus
security risks, to a network) is inherent, and thus something that can't
be completely eliminated.

That said, you'll do some amount of good by using "redirect-gateway"; that
will make communications w/ a system that's outside of the subnet you're
on (in this case, the network at Starbucks) go through the remote network.

This still won't help w/ traffic that initiates from more malicious
consumers of bad coffee (or some malicious code on their laptops), since
they're on the same subnet as you and traffic to and from them
doesn't go through any gateway.

My company's policy requires VPNned clients to run firewalls and (if on
Windows) 3rd-party tools to scan for viruses and other malware. This kind
of preventative action (combined with restrictive firewall rules for
incoming connections) is probably your best option.

If we had the resources, we'd also be running a NIDS on our VPN server to
look for attacks coming from VPNned clients. Alas, we don't have the
available sysadmin hours to set that up, much less maintain and review it.
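
Added example, not part of the original message: a small longest-prefix-match model of a client's routing table after "redirect-gateway" has replaced the default route, showing which destinations go into the tunnel and which stay on the local link. All addresses and the interface names "wlan" and "tun" are constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not from the original post).
LAN = "192.168.1.0/24"       # hotspot subnet the client is attached to
LAN_GW = "192.168.1.1"       # hotspot's gateway
VPN_SERVER = "203.0.113.10"  # public address of the VPN server
TUN_GW = "10.8.0.1"          # VPN-side gateway reached through the tunnel

def routes_after_redirect_gateway():
    """Client routing table once redirect-gateway has been applied."""
    return [
        # (destination network, next hop, interface)
        (LAN, "on-link", "wlan"),              # connected route, left untouched
        (f"{VPN_SERVER}/32", LAN_GW, "wlan"),  # host route carrying the encrypted tunnel
        ("10.8.0.0/24", "on-link", "tun"),     # VPN subnet
        ("0.0.0.0/0", TUN_GW, "tun"),          # default route now points into the tunnel
    ]

def select_route(table, dst):
    """Pick the most specific matching route, as an IP stack does."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), hop, ifc)
               for net, hop, ifc in table
               if addr in ipaddress.ip_network(net)]
    net, hop, ifc = max(matches, key=lambda r: r[0].prefixlen)
    return {"network": str(net), "next_hop": hop, "interface": ifc}

def bypasses_tunnel(table, dst):
    """True if traffic to dst leaves on the physical interface."""
    return select_route(table, dst)["interface"] != "tun"

def exposure_report(table, destinations):
    """Map each destination to the path its traffic takes."""
    return {d: ("local link" if bypasses_tunnel(table, d) else "via VPN")
            for d in destinations}

if __name__ == "__main__":
    table = routes_after_redirect_gateway()
    # An internet host, a peer on the hotspot subnet, and the VPN server itself.
    sample = ["198.51.100.7", "192.168.1.57", VPN_SERVER]
    for dst, path in exposure_report(table, sample).items():
        print(f"{dst:15} -> {path}")
```

The peer at 192.168.1.57 matches the connected /24 route, which is more specific than the redirected default, so that traffic never enters the tunnel; this is the case a host firewall with restrictive inbound rules has to cover.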
