[Discuss] Security

[dsr at tao.merseine.nu (Dan Ritter)]

On Thu, Nov 03, 2011 at 05:43:13PM -0400, Tom Metro wrote:
> > I can point to complete physical separation when the auditors
> > come. That's worth more than the Comcast bill.
> 
> Sure, but aren't there dozens of other places in your infrastructure
> where your security *is* dependent on firewall rules, and thus you still
> need to assure the auditors of the integrity of those systems?

Yes... and we don't let random devices from outside connect to
them. If a visitor comes in with a computer, they get to use the
WiFi.

> I bet when these "foreign" devices need access to the corporate network,
> you're still using a VPN, which then makes the whole corporate LAN
> accessible to the infected machine.
> 
> I get that it can be complicated to forward specific ports (via ssh or
> otherwise), but never got why large corporations were always so willing
> to completely open their internal networks to their employee's home
> computers, and always preferred VPNs to port forwarding (which I find
> far simpler to setup, than a VPN client).

Actually, we don't have a VPN. We use SSH port forwarding, as you
describe.

Less sophisticated users know that they click on the icon we provide
which opens a shell window which asks for their passphrase. They
don't particularly know that they have a key which is guarded by that
passphrase, or that their browser is configured with an autoproxy that
recognizes our internal domain names (different from the outside one)
and routes those requests over the SSH forwarding tunnel.

Locking them out is a simple matter of disabling their accounts on the
small number of machines that serve as SSH gateways.

Glamorous and sexy? No. Works really well, with well-understood
failure modes? Yes.

-dsr-