
Re: [Openvpn-users] 2.0 Feature Freeze Discussion

  • Subject: Re: [Openvpn-users] 2.0 Feature Freeze Discussion
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Fri, 3 Dec 2004 09:22:49 -0500

On Fri, 03 Dec 2004 13:40:40 +0000, George Ross <gdmr@xxxxxxxxxxxx> wrote:
> > Ouch.  So if the certificate fails then the user can just use an
> > easily obtained ID and password combination?  Security controls should
> > be in serial not parallel.  In parallel the weakest link allows the
> > other secure links to be bypassed.  I would argue against this as it
> > breaks security best practices.
> >
> > *Not* what I want with a VPN solution.
> Different sites have different needs.

I agree, but this configuration would still break security best practices.

If this is ever supported in OpenVPN then it should not be a default
option and require extra configuration at the server that can't be
circumvented by the client.

I believe that James's focus/goal is good security without hindering the
business.  This is why it is so flexible and offers so many options to
meet the security goals of many different sites.  I would say that
IMHO if you wish a security model that breaks security best practices
then you must do what you must.  On the other hand, again IMHO,
OpenVPN should not be... how to say this without being offensive...
crippled, downgraded or you fill in your own word, for those that
want a robust product that follows security best practices.

IMHO if you can get what you want by running multiple ports and
daemons/services then you have what you want without weakening the
security of OpenVPN.

[steps down off the soap box...]

Leonard Isham, CISSP 
Ostendo non ostento.
