[Gllug] Suggestions for VPN solution

Bruce Richardson itsbruce at uklinux.net
Thu Feb 26 10:43:14 UTC 2004


On Thu, Feb 26, 2004 at 12:12:32AM +0000, Mike wrote:
> 
> What's your basis for paranoia regarding terminating connections on the
> mailserver?
> 
> As I see it, you have basically 2 options. You can either run VPN
> software on the firewall box, or you can configure the firewall to allow
> VPN traffic through to a box behind the firewall, running the VPN
> software. Either way, your VPN connections will terminate on a machine
> that has complete, unfirewalled access to your network. If someone can
> exploit your VPN software you're screwed whichever box is terminating the
> connections.

That's not the whole story, though.  If the connection terminates at the
firewall box, the firewall box can apply fw rules to the traffic that
comes through the vpn connection.  It makes more sense to do that there
than on the mail host.


-- 
Bruce

It is impolite to tell a man who is carrying you on his shoulders that
his head smells.
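
The point made in the reply above, as an added example that is not part of the original post: when the tunnel ends on the firewall, decrypted VPN traffic arrives on its own interface and can be filtered in the FORWARD chain before it reaches the LAN. The interface names (tun0, eth1), the mail host address (192.0.2.25) and the permitted ports (25, 993) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, the mail host
# address and the allowed ports are assumptions for illustration.

# vpn_forward_rules VPN_IF LAN_IF MAIL_HOST
# Prints an iptables-restore fragment: traffic leaving the tunnel towards the
# LAN may only reach the mail host on SMTP/IMAPS; anything else coming out of
# the VPN is logged and dropped. Load with: iptables-restore --noflush
vpn_forward_rules() {
    vpn_if=$1 lan_if=$2 mail_host=$3
    if [ -z "$vpn_if" ] || [ -z "$lan_if" ] || [ -z "$mail_host" ]; then
        echo "usage: vpn_forward_rules VPN_IF LAN_IF MAIL_HOST" >&2
        return 2
    fi
    # Filtering by interface only works if the tunnel has its own interface.
    if [ "$vpn_if" = "$lan_if" ]; then
        echo "VPN and LAN interfaces must differ" >&2
        return 2
    fi
    cat <<EOF
*filter
:VPN_IN - [0:0]
-A FORWARD -i $lan_if -o $vpn_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $vpn_if -o $lan_if -j VPN_IN
-A VPN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A VPN_IN -d $mail_host -p tcp -m multiport --dports 25,993 -j ACCEPT
-A VPN_IN -j LOG --log-prefix "vpn-denied: "
-A VPN_IN -j DROP
COMMIT
EOF
}

# Print the fragment for the assumed topology when run directly.
vpn_forward_rules tun0 eth1 192.0.2.25
```

If the tunnel instead ended on the mail host, the firewall would only see encrypted packets addressed to that host and none of the VPN_IN rules could match the traffic inside them.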