On 2013-10-16 7:30 PM, Jason Haar wrote:
> On 17/10/13 10:24, Sumit Dahiya wrote:
>> MITM attack is exactly why I'd like my users to go through OpenVPN.
>>
>> So I am hearing MITM (for general internet browsing) becomes more probable
>> if my server does not use the directive "redirect-gateway def1 bypass-dhcp"
>> vs. if it were using it, correct?
>>
> Yes it is more likely, but it's 0.0001% more likely (or not: maybe more
> or less)
>
> Give it a try and see how it goes. No-one can actually answer this
> question for your situation - only you can decide if it's appropriate or not
>
>


As all security discussions go, you can take the discussion to any point 
of failure. There is no 100% security. There are too many different attack
vectors out there. Basically the redirect gateway simply forces all 
traffic to go up over the VPN and out the VPN server's internet circuit 
(in the case where you're accessing resources not on your local 
network). If you have advanced security products in place then this has 
obvious benefit. But if it's just a matter of redirect then it's 
basically a zero-sum game. As someone pointed out, Hotspot VPN usage 
really is only about protecting you from local eavesdropping. Unless the 
resource you are ultimately accessing is a fully encrypted channel 
somewhere, the encryption is non-existent. You have to take ownership for 
what you can control and also understand what you can't. Typically your 
job is to do your best to ensure the integrity of access to your own 
resources. As an extreme...if Google is inserting malware on every 
search response there is not much you can do unless - as mentioned above 
- you have invested and are directing your users through
a robust security infrastructure.

Cheers

C

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
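
A way to check from the client whether `redirect-gateway def1` actually took effect, as an added example that is not part of the original thread: with `def1`, OpenVPN installs `0.0.0.0/1` and `128.0.0.0/1` via the tunnel so they win over the existing default route by longest-prefix match. The routing tables, interface names (`tun0`, `wlan0`) and addresses below are constructed sample data.

```python
import ipaddress

# Constructed `ip -4 route show` output (not from the thread). FULL is a client
# after the server pushed redirect-gateway def1; SPLIT got only a subnet route.
FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
198.51.100.7 via 192.168.1.1 dev wlan0
"""
SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Return [(network, device)] for lines shaped `<dest> ... dev <iface>`."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest), fields[fields.index("dev") + 1]))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match only (metrics ignored): device used to reach addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(hits)[1] if hits else None

def tunnel_mode(text, vpn_dev="tun0"):
    """'full' if a probe in each half of the IPv4 space leaves via vpn_dev."""
    routes = parse_routes(text)
    probes = ("8.8.8.8", "203.0.113.10")  # one address below, one above 128.0.0.0
    return "full" if all(egress_dev(routes, p) == vpn_dev for p in probes) else "split"

if __name__ == "__main__":
    for name, table in (("FULL", FULL), ("SPLIT", SPLIT)):
        print(name, tunnel_mode(table))
    full = parse_routes(FULL)
    # Even with def1, the LAN and the VPN server itself stay off the tunnel.
    print(egress_dev(full, "192.168.1.20"), egress_dev(full, "198.51.100.7"))
```

The last line shows the two destinations that remain outside the tunnel even in full-tunnel mode: the local subnet and the host route to the VPN server.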