 From:  sylikc <sylikc at gmail dot com>
 To:  Michael Monaghan <mmonaghan at gmail dot com>
 Cc:  "Mitch (WebCob)" <mitch at webcob dot com>, dinesh at alphaque dot com, Chris Buechler <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] External Authentication
 Date:  Wed, 22 Sep 2004 10:30:52 -0700
Michael,


> First I'd like to say thanks to everyone for chipping in on this
> thread.  It's nice to see a community share ideas in a constructive way
> for a change.  There've been a lot of great ideas thrown out both on
> the list and off.  Here's what I've learned so far:

I'd agree this is a very constructive and informative thread :)

> Sylikc's idea would work if technically minded users were involved,
> but most of our users are not.  Also most of the facilities we access
> from will not allow us to "install" programs on their computers.  Thus
> why we wanted this kind of functionality in the first place.

I execute the entire proxy-over-SSH setup with just PuTTY and browser
proxy configuration, both of which could be scriptable from the command
line for the most part, or use auto-proxy configuration from a URL to
make life even easier.  But you're right, there has to be at least SOME
client app to do the SSH forwarding.  I'm thinking you mentioned later
running something off a CD: PuTTY doesn't install anything and can be
scripted to do the connection, while the users are already using an
auto-configure script to configure the proxy on their browsers... then
this could still work.  (Or is it still too technical?)

> What I have left in the maybe category is:
> 
> - squid (http://www.squid-cache.org) : It can auth connections.  I
> have yet to find out if their auth is MAC, IP, or connection (http,
> https) based.
> 
> - OpenVPN (http://openvpn.org) : This is slick stuff and when the port
> with key management is done for m0n0 I have some projects for this.
> I'm guessing I can get the client to run from CD without installation,
> and since everything is in userland rather than kernel code, it should
> run without administrator privileges.

Doesn't any type of VPN solution require installing something on the
client's box(es)?


> - NetScreen-SA 1000 SSL VPN appliance.  It looks like it would do the
> job, but at 9K for 25 users it is hard to sell.  I sent my customer an
> E-Mail last night and I _can_ wait to see his reaction.  Of course
> when I look at the cost of the intrusion, 9K is nothing.  If anyone
> ever got his data damages could easily be in the tens of millions.

I think all of this boils down to the everlasting struggle between
good security, ease of use, and cheap ;).  I'd agree 9K is cheap when
it comes to data (priceless).  But convincing management that
cost-to-prevent < cost-to-repair, when cost-to-prevent = 9 with three
zeros after it, can be quite difficult :D.  Anyhow, the NS SA 1000
definitely looks cool with no client software installation required to
work!


/sylikc
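The "PuTTY dynamic forward plus a browser auto-proxy URL" setup sylikc describes above, as an added example that is not part of the original message and is not PuTTY's or m0n0wall's own code: a proxy auto-configuration (PAC) script. The gateway name, the local SOCKS port (1080, as opened by something like `plink -ssh -N -D 1080 user@gateway.example.net`), the internal DNS suffixes and the private address ranges routed through the tunnel are all assumptions chosen for illustration. Browser PAC engines are old JavaScript interpreters, so the script sticks to ES3-style syntax and does its own address arithmetic instead of relying on the browser-supplied `isInNet` helper.

```javascript
// Added example, not code from the thread or from m0n0wall/PuTTY: a PAC
// script for the "SSH dynamic forward + browser auto-proxy URL" setup.
// Assumed (hypothetical) setup: PuTTY/plink has been started on the
// laptop with a SOCKS listener, e.g.
//     plink -ssh -N -D 1080 user@gateway.example.net
// and only the private networks and internal DNS suffixes listed below
// must go through that tunnel.  ES3-style syntax for old PAC engines.

// Assumed internal name space (replace with the real one).
var INTERNAL_SUFFIXES = [".corp.example", ".intranet.example"];
// Assumed local SOCKS listener opened by PuTTY's dynamic forward.
// "SOCKS5" (not "SOCKS") makes the browser hand the hostname to the proxy,
// so internal names are resolved at the far end rather than by the host
// facility's DNS, which would both fail and leak the names being looked up.
var TUNNEL = "SOCKS5 127.0.0.1:1080";

// Parse a dotted quad into an unsigned 32-bit integer; -1 if malformed.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return -1;
    n = (n * 256) + octet;
  }
  return n;
}

// True if dotted-quad ip lies inside network/maskbits.
function ipInCidr(ip, network, maskbits) {
  var a = ipToInt(ip), b = ipToInt(network);
  if (a < 0 || b < 0) return false;
  var mask = maskbits === 0 ? 0 : (0xFFFFFFFF << (32 - maskbits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Suffix match that requires the leading dot, so "notcorp.example" does
// not match ".corp.example"; the bare domain ("corp.example") does match.
function hasInternalSuffix(host) {
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    if (host === s.substring(1)) return true;
    if (host.length > s.length &&
        host.indexOf(s, host.length - s.length) !== -1) return true;
  }
  return false;
}

// RFC 1918 ranges, assumed to be the customer's internal address space.
function isPrivateAddress(host) {
  return ipInCidr(host, "10.0.0.0", 8) ||
         ipInCidr(host, "172.16.0.0", 12) ||
         ipInCidr(host, "192.168.0.0", 16);
}

// The PAC entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Loopback never goes through the tunnel.
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  // Internal destinations: tunnel only.  Deliberately no "; DIRECT"
  // fallback, so that if the SSH session is down the request fails
  // instead of being sent in the clear over the host facility's network.
  if (isPrivateAddress(host) || hasInternalSuffix(host)) return TUNNEL;
  // Everything else goes out the way it always did.
  return "DIRECT";
}
```

The browser is pointed at this file through its automatic proxy configuration URL (a file on the CD or a small web server both work), so the only per-user step left is starting PuTTY. Two choices are deliberate: the `SOCKS5` keyword so name resolution happens on the far side of the tunnel, and the absence of a `DIRECT` fallback for internal hosts so a dropped tunnel fails closed rather than quietly routing internal requests over the untrusted network.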