[Nottingham] SSH, port-forward and X-forwarding magic

J jasonirwin73 at gmail.com
Thu May 10 12:42:38 UTC 2018


On 10 May 2018 at 12:18, Martin via Nottingham <
nottingham at mailman.lug.org.uk> wrote:

> Do not underestimate the false sense of security of a VPN/tunnel...
>
Not my call.


> Are your endpoints themselves secure and trustworthy?
>
The VPN? I have no clue, I don't manage that.


> Do your local machines (lazily) assume the internal LAN to be secure and
> trusted?
>
No. Every personal machine is firewalled with only the specific ports
opened (which is, generally speaking, almost none).
The corporate box? Pretty sure it is, but I have little control over that.

> Is your internal LAN still really secure and trusted with a VPN
> tunnelling through your firewall from the unclean bad outside?
>
No VPN inbound, only outbound (that's why I need SSH to get into my LAN)

> Are your systems still secure when they assume all their connections are
> "local only" and yet you now have a remote connection from "somewhere
> else"...
>
Mine? Yes, AFAIK.
Corporate? Mine seem to be, I have stories about others. :-)

> ... As demonstrated by the giggle of remote workers working for two
> different corporates/call-centres, and using two VPNs that then
> inadvertently connect the internal networks of those two remote entities
> together for much hilarity...
>
I have seen that happen.

> That's the usual lame lazy excuse of the Proprietary world and the old
> game of lock-in...
>
The services are not on the public internet, so some kind of tunnel/proxy
is needed.
I guess you could expose them and use SSO or similar, but I am not sure how
much better/worse that would be.
It's not my call.

J.