On Tue, Feb 10, 2009 at 11:50:05AM +0100, Johan 'yosh' Marklund wrote:
> Bernd Eckenfels wrote:
> > In article <fe374f8d0902081747v4a99deadva1898142dac1d...@mail.gmail.com>
> > you wrote:
> >> Use a VPN or an SSH tunnel to a trusted source.
> >
> > A very neat trick is using dynamic port forwarding of SSH (-D 1080). You
> > only need to log in to any SSH Server and enable the auto forwarding.
> > Then you can enter the SSH client as a SOCKS proxy server and you are
> > done (for surfing).
> >
> You could use the -w option in newer ssh server versions to tunnel
> through virtual tun devices =)

One problem with tunnels is that you can accidentally not use the tunnel. E.g. I have eth0 which is connected to the insecure network, and my encrypted tunnel to a secure network. Although the tunnel is available, the unsecure eth0 is still also available. I need to correctly set up the SOCKS proxy or set up the routing tables, or do something to be sure that all my network traffic is going through the tunnel and not just directly to the unsecure eth0. There's no easy way to tell if you're doing it right, either, since the web looks basically the same from the unsecure network as from the secure one.

The Cisco VPN I use on my employer's Windows machine has an interesting feature: it completely hides the unencrypted network. Once I create the VPN tunnel, my machine releases its local IP address and there is no way for any network connections (other than the tunnel, of course) to go over the unencrypted device. It is as if that device is disabled. This makes it idiotproof, which is an important but often overlooked aspect of security.

So, is it possible to do that sort of thing with a Linux laptop?

--- Wade

-- 
Wade Richards --- w...@wabyn.net
You can never tell which way the train went by looking at the tracks.
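
One way to check the routing-table side of the question above, as an added example that is not part of the original thread: it parses `ip -4 route show` output and lists the routes that still send traffic outside the tunnel. The device name tun0, the addresses and the sample table are assumptions constructed for illustration; eth0 is the insecure interface from the message.

```python
import ipaddress

# Constructed `ip -4 route show` output (not from the post): tun0 overrides the
# default with two /1 routes; eth0 keeps the LAN and the tunnel endpoint route.
SAMPLE = """\
default via 192.168.1.1 dev eth0 metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Return (network, device, metric) for every route line that names a device."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if "dev" not in f:
            continue  # blank line, or a blackhole/unreachable route
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        except ValueError:
            continue  # line starts with a route type keyword; ignored here
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, f[f.index("dev") + 1], metric))
    return routes

def egress_device(routes, address):
    """Pick the device by longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(address)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] if hits else None

def leaks(routes, tunnel_dev, endpoint):
    """Routes outside the tunnel that still carry traffic, endpoint route excepted."""
    endpoint_net = ipaddress.ip_network(endpoint)
    found = []
    for net, dev, metric in routes:
        if dev in (tunnel_dev, "lo") or net == endpoint_net:
            continue
        # More specific (or same-prefix, lower-metric) routes win over this one.
        winners = [n for n, _, m in routes
                   if n.subnet_of(net) and (n.prefixlen, -m) > (net.prefixlen, -metric)]
        if list(ipaddress.collapse_addresses(winners)) != [net]:
            found.append((str(net), dev))  # some addresses still leave via dev
    return found

if __name__ == "__main__":
    print(leaks(parse_routes(SAMPLE), "tun0", "203.0.113.10"))
```

With the sample table, the eth0 default route is fully shadowed by the two /1 tunnel routes, but the directly connected LAN on eth0 is still reported. A clean routing table says nothing about programs that bind to eth0 explicitly, so this covers only the routing half of the concern.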