[Sussex] VPN attitudes

Steven Dobson steve at dobson.org
Sat Aug 26 22:23:38 UTC 2006


On Sat, 2006-08-26 at 21:15 +0100, Nic James Ferrier wrote:
> I'd like to do a quick survey about attitudes to VPNs with those of
> you who have some involvement in corporate LANs.

Okay Nic, I'm game.

> By VPNs I mean properly cryptographically secured VPNs using SSL or
> SSH.

I assumed that.

> If an Internet service (eg: webmail) allowed you to connect to it by
> setting up a VPN would you use it from work?

I'm not sure I understand the context of your question.

I run my own e-mail server, web server, DNS and all that jazz.  When I
am away from base I connect back to my ssh server running on one of my
DMZ boxes and from there can hop to the machine: mutt(1) to read e-mail,
compile a program, etc.

> Do the security policies at your place of work prevent setting up
> arbitrary VPNs?

No, but then I work from home and I set the policies.

However, I did assist a friend in getting access to his home systems
while he was at work.  We set up an ssh server on port 443 and although
his work put a web proxy in place for surfing and blocked all other
ports they had to let port 443 traffic go unmolested otherwise HTTPS
would not have worked.  With this he was able to log in to his home
systems and read his e-mail.

> Could you build an important enterprise tool (like an email system)
> based on a VPN?

That depends.  It depends where the data is coming from and where it is
heading to.  I am aware that it is possible, although not easy, to
determine the session key if one has access to some of the packets in
both encrypted and plain text form - that was how Enigma was broken, and
while the maths used is different, it is my understanding that the
principles remain true.

So I would _not_ arrange for my e-mails to travel over the VPN.  Because
if I send an e-mail over the VPN that is then relayed over the Internet
then that gives a potential cracker both the encrypted and plain text to
work with.  My VPN security is compromised.

For e-mail there is no need anyway.  I would encrypt the payload of the
e-mail and send that in an un-encrypted mail message (not via the VPN).
Then any cracker sees the same encrypted data as the e-mail goes into my
mail server and then out again.

> If you do reply please tell me a little bit about the area in which
> you work. 

If you haven't guessed by now I am an IT consultant/developer working
from home for myself.

Steve
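An added example, not part of Steve's post or the thread: the port-443 anecdote above is exactly the "SSH where only HTTPS should be" case a network monitor can flag by looking at the first client bytes of a flow rather than trusting the port number. The flow records below are constructed sample data.

```python
"""Flag non-TLS traffic (e.g. an SSH banner) on TCP/443.

A TLS connection starts with a handshake record: content type 0x16,
record version 0x03 0x0X, then handshake type 0x01 (ClientHello) at
byte 5.  An SSH session instead opens with a textual version banner.
"""

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'ssh' or 'other' for the first client bytes of a flow."""
    if (len(data) >= 6
            and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04   # SSL3.0 .. TLS1.3 record versions
            and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    if data.startswith(b"SSH-2.0-") or data.startswith(b"SSH-1.99-"):
        return "ssh"
    return "other"          # includes empty / truncated payloads


def find_port_mismatches(flows, port=443):
    """Return (src, protocol) for each flow to `port` whose payload is not TLS."""
    alerts = []
    for flow in flows:
        if flow["dst_port"] != port:
            continue
        proto = classify_first_bytes(flow["first_bytes"])
        if proto != "tls":
            alerts.append((flow["src"], proto))
    return alerts


# Constructed sample flows: a real-looking ClientHello prefix, an SSH
# banner on 443 (the case described in the post), plain HTTP on 443,
# and SSH on its normal port, which is not a mismatch.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 443,
     "first_bytes": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"},
    {"src": "10.0.0.7", "dst_port": 443,
     "first_bytes": b"SSH-2.0-OpenSSH_4.3\r\n"},
    {"src": "10.0.0.9", "dst_port": 443,
     "first_bytes": b"GET / HTTP/1.1\r\nHost: example\r\n"},
    {"src": "10.0.0.7", "dst_port": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_4.3\r\n"},
]

if __name__ == "__main__":
    for src, proto in find_port_mismatches(SAMPLE_FLOWS):
        print(f"port 443 carries {proto} from {src}")
```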





More information about the Sussex mailing list