[Nottingham] SSH, port-forward and X-forwarding magic
Martin
martin at ml1.co.uk
Thu May 10 14:57:17 UTC 2018
On 10/05/18 13:42, J via Nottingham wrote:
> On 10 May 2018 at 12:18, Martin via Nottingham
> Is your internal LAN still really secure and trusted with a VPN
> tunnelling through your firewall from the unclean bad outside?
>
> No VPN inbound, only outbound (that's why I need SSH to get into my LAN)

And therein lies a too-often not seen oversight...

Once you establish a VPN, even if initiated outbound, what protection is
there then against an unsecured or compromised remote endpoint?

Note the VPN once established provides a tunnel that is freely open in
BOTH directions, in and out...

Also commonly, VPNs completely bypass all the perimeter firewalling!

I wonder what proportion of sysadmins bother to firewall the actual VPN
traffic?...

(Hence, good paranoia to assume your internal network is untrusted...)

> I guess you could expose them and use SSO or similar, but I am not sure
> how much better/worse that would be.

Yes, an SSO may be convenient for the users and admin. It is also a
single point of exploit/failure...

And then there are users that rely upon a "Single Sign On" provided by
well known big cloud providers that are known to be exploitative and
very leaky?!!!

> It's not my call.

Shame too many managers are non-technical...

There's a lot of room for FLOSS to improve our IT yet! ;-)

Enjoy,
Martin