
[Openvpn-users] Re: pptp over openvpn

  • Subject: [Openvpn-users] Re: pptp over openvpn
  • From: stefano@xxxxxxxxxxx
  • Date: Thu, 27 Jan 2005 13:39:09 +0100

> Since I'm allowing the traffic from openvpn to pass freely onto the lan
> anyway, is there any additional security risk here?


If you want to grant access to some internal (and valuable) resource to remote
users, the best method from a security point of view would be putting the VPN
server on a DMZ. Doing so, the traffic coming from an external VPN user (which can
be a potential intruder) has to cross conceptually two filter devices:

from Internet to DMZ (first filter)
from DMZ to LAN      (second filter)

Instead only one filter will be crossed by the traffic if you place the VPN
server on the LAN.

What is the difference? Imagine that some day (far off, we hope! Thank you all for
the GREAT work done so far...) a security flaw will be discovered in OpenVPN. In
the second approach, the attacker will have the opportunity to attack your LAN
resources directly.
In the first case, the traffic allowed between VPN server and LAN resources will
still be limited to the policies enforced (only the allowed application protocol
would become subject to attack), so the probability of compromise is lower than
in the second case.

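The comparison made in the message above, as an added example that is not part of the original post: a small Python model of the second filter (DMZ to LAN) that lists which LAN services a compromised VPN server could reach in each placement. All addresses, ports, rules and the service inventory are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed policy for the DMZ -> LAN filter (the "second filter").
# Format: (source net, destination net, protocol, port, action); first match wins.
DMZ_TO_LAN_RULES = [
    ("192.0.2.10/32", "10.0.0.20/32", "tcp", 443, "accept"),  # VPN server -> intranet web
    ("192.0.2.10/32", "10.0.0.30/32", "tcp", 25, "accept"),   # VPN server -> mail relay
    ("0.0.0.0/0", "0.0.0.0/0", "any", None, "drop"),          # explicit default deny
]

# Constructed inventory of services listening on the LAN: (host, protocol, port).
LAN_SERVICES = [
    ("10.0.0.20", "tcp", 443), ("10.0.0.20", "tcp", 22),
    ("10.0.0.30", "tcp", 25),
    ("10.0.0.40", "tcp", 445), ("10.0.0.40", "tcp", 3389),
]


def filter_allows(rules, src, dst, proto, port):
    """Evaluate one flow against an ordered rule list (first match wins)."""
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (ip_address(src) in ip_network(r_src)
                and ip_address(dst) in ip_network(r_dst)
                and r_proto in ("any", proto)
                and r_port in (None, port)):
            return action == "accept"
    return False  # nothing matched: treat as denied


def exposed_services(vpn_server_ip, placement, rules=DMZ_TO_LAN_RULES):
    """LAN services reachable from the VPN server host if it were compromised."""
    if placement == "lan":
        # Server sits on the LAN segment: no filter between it and LAN hosts.
        return list(LAN_SERVICES)
    if placement == "dmz":
        # Server sits in the DMZ: every flow must pass the DMZ -> LAN filter.
        return [s for s in LAN_SERVICES if filter_allows(rules, vpn_server_ip, *s)]
    raise ValueError("placement must be 'lan' or 'dmz'")


if __name__ == "__main__":
    for placement in ("lan", "dmz"):
        reachable = exposed_services("192.0.2.10", placement)
        print(f"{placement}: {len(reachable)} of {len(LAN_SERVICES)} services exposed")
        for host, proto, port in reachable:
            print(f"  {host} {proto}/{port}")
```
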