On Sun, Oct 22, 2006 at 03:54:24PM -0500, Jacob S wrote:
> > I'm fairly certain that you know enough to keep it from being a
> > problem, but the scheme you describe is a hair's breadth away from
> > making your company's VPN open to the public Internet. I just thought
> > I'd point that out.
>
> Sorry, Roberto, a couple days of hard work on a house addition must
> have fried my brain... I'm not following you. Care to expound on how
> you think my company's VPN might be open to the public Internet?
>
Simply that someone managing to compromise your machine from the public
Internet would then have a direct route to your company's VPN. Even if
you have disabled IP forwarding, someone compromising your machine can
set up some sort of user-level proxy or simply enable IP forwarding (if
they have root).
Maybe I made it sound more serious than it really is. Basically, if both
connections to the public net (direct and through the company VPN) are
equally well protected, then you don't have too much to worry about (in
terms of traffic leakage). But, for example, if your company's VPN
connection is well secured and your direct net connection is not, you
could end up exposing your company's network. This is the same problem
that you have with any sort of multi-interface system, except that VPNs
are usually given a higher level of trust.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
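The pivot risk Roberto describes (a dual-homed host with a public interface and a VPN tunnel, where kernel forwarding, a permissive FORWARD chain, or a user-level proxy lets an attacker who owns the box relay traffic into the company network) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from any project mentioned in it. It parses the text that `sysctl -a`, `iptables-save` and `ss -lntp` print on a Linux host; the interface names eth0 and tun0, the port numbers, the process names and all the sample command output are constructed assumptions, and a weak configuration is audited beside a hardened one so the reader can see which findings each produces.

```python
"""Audit a dual-homed Linux host (public interface plus company VPN tunnel)
for pivot risk: kernel IP forwarding, a FORWARD chain that passes
public -> VPN traffic, and user-level services bound to all addresses.

Added example, not from the original thread.  Interface names, ports,
process names and all sample command output below are constructed.
"""
import re

PUBLIC_IF = "eth0"   # assumption: the direct Internet-facing interface
VPN_IF = "tun0"      # assumption: the company VPN tunnel interface

# --- Constructed sample input (shape of `sysctl -a`, `iptables-save`, `ss -lntp`) ---

WEAK_SYSCTL = "net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 0\n"
SAFE_SYSCTL = "net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n"

# Weak: FORWARD defaults to ACCEPT, so any forwarded packet is passed.
WEAK_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# Hardened: default DROP on INPUT and FORWARD, explicit drop public -> VPN.
SAFE_IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j DROP
COMMIT
"""

# Constructed listener table; "socks5" stands in for the user-level proxy
# an intruder might leave behind.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=812,fd=7))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
LISTEN 0      511    0.0.0.0:1080        0.0.0.0:*         users:(("socks5",pid=2210,fd=5))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=700,fd=4))
"""

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def parse_sysctl(text):
    """Parse `key = value` lines into a dict of strings."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, val = line.partition("=")
            out[key.strip()] = val.strip()
    return out


def forwarding_enabled(sysctl_text):
    """True if the kernel will route packets between interfaces (v4 or v6)."""
    vals = parse_sysctl(sysctl_text)
    return (vals.get("net.ipv4.ip_forward") == "1"
            or vals.get("net.ipv6.conf.all.forwarding") == "1")


def parse_forward_chain(ipt_text):
    """Return (default policy, ordered FORWARD rule token lists)."""
    policy, rules = None, []
    for line in ipt_text.splitlines():
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD "):
            rules.append(line.split()[2:])
    return policy, rules


def _opt(tokens, flag):
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def forward_allows_pivot(ipt_text, public_if=PUBLIC_IF, vpn_if=VPN_IF):
    """Coarse first-match walk of the FORWARD chain for a public -> VPN flow.
    Only -i, -o and -j are considered; other match modules are ignored."""
    policy, rules = parse_forward_chain(ipt_text)
    for rule in rules:
        in_if, out_if, target = _opt(rule, "-i"), _opt(rule, "-o"), _opt(rule, "-j")
        if in_if not in (None, public_if) or out_if not in (None, vpn_if):
            continue  # rule does not apply to this direction
        return target == "ACCEPT"
    return policy == "ACCEPT"


def wildcard_listeners(ss_text):
    """(port, process) for TCP listeners bound to every address, i.e.
    reachable from the public side unless the INPUT chain filters them."""
    found = set()
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        host, _, port = line.split()[3].rpartition(":")
        match = re.search(r'users:\(\("([^"]+)"', line)
        if host in WILDCARDS:
            found.add((int(port), match.group(1) if match else "?"))
    return sorted(found)


def audit(sysctl_text, ipt_text, ss_text, public_if=PUBLIC_IF, vpn_if=VPN_IF):
    """'pivot' lists conditions that let the host relay public traffic into
    the VPN; 'exposed' lists wildcard-bound listeners to review by hand."""
    pivot = []
    if forwarding_enabled(sysctl_text):
        pivot.append("kernel IP forwarding is enabled")
    if forward_allows_pivot(ipt_text, public_if, vpn_if):
        pivot.append(f"FORWARD chain passes {public_if} -> {vpn_if} traffic")
    return {"pivot": pivot, "exposed": wildcard_listeners(ss_text)}


if __name__ == "__main__":
    for label, sysctl, ipt in (("weak", WEAK_SYSCTL, WEAK_IPTABLES),
                               ("safe", SAFE_SYSCTL, SAFE_IPTABLES)):
        print(label, audit(sysctl, ipt, SAMPLE_SS))
```

On a live host the three inputs would come from `sysctl -a`, `iptables-save` and `ss -lntp` respectively. Note that the listener check is informational: sshd bound to all addresses is normal, but the constructed socks5 entry on port 1080 is exactly the "user-level proxy" case, and disabling `ip_forward` does nothing about it; only a default-drop INPUT policy on the public interface (as in the hardened ruleset) keeps such a proxy from being reachable.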