Matthew Smith wrote:
> Quoth randall at 20/10/09 17:42...
>> my question in this is, are there better ways to shield a web
>> application from prying eyes except from fire-walling it?
> 
> Some thoughts:
> 
> In your situation, I don't think controlling access by allowing certain
> IP addresses through your firewall is going to work. Or, it will work,
> but it is impractical.

hence the question

> 
> I would suggest that you use VPN (or SSH tunnels) and provide access
> based on keys from any IP address.
> 
> If you do this, access to the intranet is always screened by your VPS or
> ssh software.  Only people with the correct keys will be able to gain
> access.

have done this for a few laptops but besides the bit of extra key
management, which is doable, it does involve setting up the VPN client
which is a bit more challenging.
have used OpenVPN so far on some Ubuntu laptops but also setting it up
on remote XP and Vista laptops is where it soon starts to become messy
was my thought.

my hopes were on a more centralised management without too many configs
on the local clients, one of the reasons we made it a web application
reachable by browser.


> 
> NOTE: this can help prevent unauthorised access (keys can always fall
> into the wrong hands - stolen laptops) but won't stop a DDoS attack
> against your server.
> 
> As an alternative, you could just allow direct Internet access to your
> server, run the https server on a non-standard port and implement a
> strict password policy.  (This is assuming that your web application has
> a login system.)

mmm, this feels like playing hide and seek and gamble on the odds, it
does have password protection but I'm not willing to rely on this alone.


> 
> Personally, I'd be inclined to go for the VPS solution.  That way, your
> people can get access to other network services - 

problem would only be that with VPN ALL their traffic would pass my
server (correct???), this would lead to serious speed/performance
decrease for all other traffic for most of the clients.


> they just have to have
> the right key.  Don't know if it's possible to set up a VPS where both a
> key AND a password are required - this would help get around the stolen
> laptop scenario.

VPN I guess you meant? it can work with a key AND a password (have not
implemented this though since the laptops already have encrypted
partitions and strong passwords)

> 
> Hope this helps.

it's surely appreciated,

Thanks

> 
> Cheers
> 
> M
> 
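
Added example, not part of the original message: an OpenVPN server/client configuration sketch covering the two points raised in the thread, namely requiring a password in addition to the client key, and whether all client traffic has to pass through the VPN server. The addresses, host name, file names and the PAM plugin path are assumptions; the plugin file name and location differ between OpenVPN versions and distributions.

```conf
# ---- server.conf (constructed example) ----
port 1194
proto udp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem

# VPN address pool; the server itself becomes 10.8.0.1 (assumed range).
server 10.8.0.0 255.255.255.0

# Split tunnel: push only the route to the intranet subnet (assumed
# 192.168.10.0/24). Clients keep their own default gateway, so ordinary
# Internet traffic does not pass through this server.
push "route 192.168.10.0 255.255.255.0"
# Only the following line would send ALL client traffic through the VPN;
# it is left commented out on purpose:
;push "redirect-gateway def1"

# Second factor: username/password checked against PAM on the server.
# client-cert-not-required is NOT set, so the client certificate is
# still mandatory: a login needs the key AND the password.
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

keepalive 10 120
persist-key
persist-tun

# ---- client.ovpn (constructed example) ----
client
dev tun
proto udp
remote vpn.example.org 1194
ca   ca.crt
cert laptop1.crt
key  laptop1.key
# Prompt the user for the username/password on every connect.
auth-user-pass
# Refuse servers whose certificate is not marked for server use.
remote-cert-tls server
```

If the web application runs on the VPN server itself, it can listen on the server's VPN address only (10.8.0.1 here), in which case no route needs to be pushed at all.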

