On Thu, Nov 03, 2011 at 05:43:13PM -0400, Tom Metro wrote:
> > I can point to complete physical separation when the auditors
> > come. That's worth more than the Comcast bill.
>
> Sure, but aren't there dozens of other places in your infrastructure
> where your security *is* dependent on firewall rules, and thus you still
> need to assure the auditors of the integrity of those systems?

Yes... and we don't let random devices from outside connect to them. If a
visitor comes in with a computer, they get to use the WiFi.

> I bet when these "foreign" devices need access to the corporate network,
> you're still using a VPN, which then makes the whole corporate LAN
> accessible to the infected machine.
>
> I get that it can be complicated to forward specific ports (via ssh or
> otherwise), but never got why large corporations were always so willing
> to completely open their internal networks to their employees' home
> computers, and always preferred VPNs to port forwarding (which I find
> far simpler to set up than a VPN client).

Actually, we don't have a VPN. We use SSH port forwarding, as you describe.

Less sophisticated users know that they click on the icon we provide, which
opens a shell window which asks for their passphrase. They don't
particularly know that they have a key which is guarded by that passphrase,
or that their browser is configured with an autoproxy that recognizes our
internal domain names (different from the outside one) and routes those
requests over the SSH forwarding tunnel.

Locking them out is a simple matter of disabling their accounts on the small
number of machines that serve as SSH gateways.

Glamorous and sexy? No. Works really well, with well-understood failure
modes? Yes.

-dsr-
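The browser-side half of the setup dsr describes is an autoproxy (PAC) script: the browser calls FindProxyForURL() for every request and, for hosts under the internal domain, returns the local end of the SSH tunnel instead of DIRECT. The script below is an added example written for this archive page; it is not dsr's code and the thread gives none of its specifics. It assumes an internal zone called corp.internal, a dynamic forward opened with "ssh -N -D 1080 user@ssh-gateway.example.com" (hostname hypothetical), and SOCKS on 127.0.0.1:1080. PAC runtimes provide dnsDomainIs() and isPlainHostName(); minimal versions are defined here so the script also runs stand-alone under node.

```javascript
// Added example for the BLU thread above, not code from the original post.
// Assumptions (all hypothetical): the internal DNS zone is corp.internal and
// the user has started a dynamic forward with
//     ssh -N -D 1080 user@ssh-gateway.example.com
// so a SOCKS listener sits on 127.0.0.1:1080 on the home machine.

const INTERNAL_DOMAIN = "corp.internal";              // assumed internal zone
const TUNNEL = "SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080"; // local end of ssh -D
const DIRECT = "DIRECT";

// Minimal stand-ins for the PAC runtime helpers so this file runs under node.
// A real browser supplies its own implementations with the same names.
function dnsDomainIs(host, domain) {
  // Suffix match on the full label boundary: a leading dot is part of domain.
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();

  // Never send loopback traffic into the tunnel; that includes the SOCKS
  // listener itself and any local admin interfaces.
  if (h === "localhost" || h === "127.0.0.1" || h === "::1") return DIRECT;

  // The zone apex and anything beneath it (wiki.corp.internal, mail.corp.internal).
  // Matching on ".corp.internal" rather than "corp.internal" keeps an outside
  // name such as evilcorp.internal from being routed inside.
  if (h === INTERNAL_DOMAIN || dnsDomainIs(h, "." + INTERNAL_DOMAIN)) return TUNNEL;

  // Bare hostnames ("wiki") are assumed to be internal short names; with the
  // browser set to resolve DNS through SOCKS5, they are looked up by the
  // gateway, so internal names never reach the home ISP's resolver.
  if (isPlainHostName(h)) return TUNNEL;

  // Everything else goes straight out over the home connection.
  return DIRECT;
}
```

Two points a practitioner would check before shipping this: first, turn on the browser's "proxy DNS when using SOCKS v5" option, otherwise the internal names are resolved locally (and leak) before the request is handed to the tunnel; second, a dynamic forward exposes every TCP destination the gateway can reach, so if the goal is to forward only specific ports, as Tom describes, replace -D with an -L forward to an internal HTTP proxy (for example "ssh -L 3128:proxy.corp.internal:3128 ...", hypothetical) and have the script return "PROXY 127.0.0.1:3128" instead of a SOCKS string.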