On Sun, 22 Oct 2006 17:27:40 -0400
"Roberto C. Sanchez" <[EMAIL PROTECTED]> wrote:

> On Sun, Oct 22, 2006 at 03:54:24PM -0500, Jacob S wrote:
> > >
> > > I'm fairly certain that you know enough to keep it from being a
> > > problem, but the scheme you describe is a hair's breadth away
> > > from making your company's VPN open to the public Internet. I
> > > just thought I'd point that out.
> >
> > Sorry, Roberto, a couple days of hard work on a house addition must
> > have fried my brain... I'm not following you. Care to expound on how
> > you think my company's vpn might be open to the public internet?
> >
> Simply that someone managing to compromise your machine from the
> public Internet would then have a direct route to your company's
> vpn. Even if you have disabled IP forwarding, someone compromising
> your machine can set up some sort of user-level proxy or simply enable
> ip forwarding (if they have root).
>
> Maybe I made it sound more serious than it really is. Basically, if
> both connections to the public net (direct and through the company
> VPN) are equally well protected, then you don't have too much to worry
> about (in terms of traffic leakage). But, for example, if your
> company's VPN connection is well secured and direct net connection is
> not, you could end up exposing your company's network. This is the
> same problem that you have with any sort of multi-interface system,
> except that VPNs are usually given a higher level of trust.

Ah, right, I follow you now. Both machines sit behind a firewall, so
it's certainly not our easiest target. That and if they got root on my
computer there are a lot more things I would be worried about them
getting besides the vpn connection.

Jacob
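
The kernel-level half of the concern raised in this thread (IP forwarding on a machine with both a direct and a VPN interface) can be audited from `sysctl -a` and `iptables-save` output. The script below is an added example, not part of the original messages; the interface names `eth0` and `tun0`, the verdict words, and the sample inputs are assumptions constructed for illustration, and it does not detect a user-level proxy.

```shell
# Print every forwarding sysctl that is set to 1 (input: `sysctl -a` text).
forwarding_keys() {
    printf '%s\n' "$1" | awk -F' *= *' '
        $2 == 1 && ($1 == "net.ipv4.ip_forward" || $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.forwarding$/) { print $1 }'
}

# Print the default policy of the filter table FORWARD chain (`iptables-save` text).
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" { print $2; exit }'
}

# Count filter FORWARD rules that ACCEPT traffic entering $2 and leaving $3.
cross_accepts() {
    printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            split("", f)                                  # reset per-rule options
            for (n = 3; n < NF; n++) f[$n] = $(n + 1)     # option -> argument
            if (f["-i"] == in_if && f["-o"] == out_if && f["-j"] == "ACCEPT") c++
        }
        END { print c + 0 }'
}

# audit SYSCTL_TEXT IPTABLES_TEXT DIRECT_IF VPN_IF -> prints one verdict word.
audit() {
    keys=$(forwarding_keys "$1")
    policy=$(forward_policy "$2")
    policy=${policy:-ACCEPT}   # no filter table loaded: built-in default is ACCEPT
    rules=$(cross_accepts "$2" "$3" "$4")
    permitted=no
    if [ "$policy" = ACCEPT ] || [ "$rules" -gt 0 ]; then permitted=yes; fi
    if [ -n "$keys" ] && [ "$permitted" = yes ]; then echo EXPOSED          # routing now
    elif [ -n "$keys" ] || [ "$permitted" = yes ]; then echo ONE_STEP_AWAY  # one setting from routing
    else echo CLOSED
    fi
}

# Constructed sample inputs: forwarding off, but FORWARD left at policy ACCEPT.
SYSCTL_SAMPLE='net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0'
IPTABLES_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'
audit "$SYSCTL_SAMPLE" "$IPTABLES_SAMPLE" eth0 tun0
```

On a live host the two text arguments would come from `sysctl -a` and `iptables-save` run as root.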