
Re: routing only certain traffic through vpn?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 22 Oct 2006 17:27:40 -0400
"Roberto C. Sanchez" <roberto@connexer.com> wrote:

> On Sun, Oct 22, 2006 at 03:54:24PM -0500, Jacob S wrote:
> > > 
> > > I'm fairly certain that you know enough to keep it from being a
> > > problem, but the scheme you describe is a hair's breadth away
> > > from making your company's VPN open to the public Internet.  I
> > > just thought I'd point that out.
> > 
> > Sorry, Roberto, a couple days of hard work on a house addition must
> > have fried my brain... I'm not following you. Care to expound on how
> > you think my company's vpn might be open to the public internet?
> > 
> Simply that someone managing to compromise your machine from the
> public Internet would then have a direct route to your company's
> vpn.  Even if you have disabled IP forwarding, someone compromising
> your machine can set up some sort of user-level proxy or simply enable
> ip forwarding (if they have root).
> 
> Maybe I made it sound more serious than it really is.  Basically, if
> both connections to the public net (direct and through the company
> VPN) are equally well protected, then you don't have too much to worry
> about (in terms of traffic leakage).  But, for example, if your
> company's VPN connection is well secured and direct net connection is
> not, you could end up exposing your company's network.  This is the
> same problem that you have with any sort of multi-interface system,
> except that VPNs are usually given a higher level of trust.

Ah, right, I follow you now. Both machines sit behind a firewall, so
it's certainly not our easiest target. That and if they got root on my
computer there are a lot more things I would be worried about them
getting besides the vpn connection.

Jacob
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFPAV+kpJ43hY3cTURAqa7AKC4lyH2R6TXrWHK2faVNrurnK/QdwCfbAZo
Amx3pXUeL31XHSx19lkgOHg=
=Ju/x
-----END PGP SIGNATURE-----
