[Nottingham] SSH, port-forward and X-forwarding magic

Martin martin at ml1.co.uk
Thu May 10 14:57:17 UTC 2018

On 10/05/18 13:42, J via Nottingham wrote:
> On 10 May 2018 at 12:18, Martin via Nottingham

>     Is your internal LAN still really secure and trusted with a VPN
>     tunnelling through your firewall from the unclean bad outside?
> No VPN inbound, only outbound (that's why I need SSH to get into my LAN)

And therein lies a too-often not seen oversight...

Once you establish a VPN, even if initiated outbound, what protection is
there then against an unsecured or compromised remote endpoint?

Note the VPN once established provides a tunnel that is freely open in
BOTH directions, in and out...

Also commonly, VPNs completely bypass all the perimeter firewalling!

I wonder what proportion of sysadmins bother to firewall the actual VPN

(Hence, good paranoia to assume your internal network is untrusted...)

> I guess you could expose them and use SSO or similar, but I am not sure
> how much better/worse that would be.

Yes, an SSO may be convenient for the users and admin. It is also a
single point of exploit/failure...

And then there are users that rely upon a "Single Sign On" provided by
well known big cloud providers that are known to be exploitative and
very leaky?!!!

> It's not my call.

Shame too many managers are non-technical...

There's a lot of room for FLOSS to improve our IT yet! ;-)


More information about the Nottingham mailing list