Scott Merrill wrote:
Hi everyone.
I have a wildly off-topic question, so please feel free to address your
replies to me off-list, if you'd prefer.
We've been using OpenVPN for some time now to (obviously) provide
remote access to our office for several employees. Management is
constantly struggling with how to provide access to those who need it,
while simultaneously protecting our trade secrets. The fear is that a
user will take their system (desktop or laptop) into a competitor,
connect via VPN, and show them a lot of stuff we'd prefer they not see.
How are others mitigating this concern? The best we've been able to
come up with so far is to provide static IPs to our remote users, and
restrict incoming VPN connections to those static IPs.
OpenVPN has the same functionality as other commercial VPN solutions in
this regard - namely that you can set per-user firewall settings. And
that's it.
e.g. user "salesguy" comes in, and the VPN server sets an ACL
limiting what internal hosts he can reach (say Intranet web server and
Email). User "admin" comes in and the VPN server gives access to the
entire network.
What you want is really part of the newer "Network Admission Control"
paradigm being thrown around by the likes of Cisco and Microsoft. This
issue you are referring to isn't specific to VPN - you need to "policy"
your own wired/wireless networks too as well as remote access.
And again, none of this technology can stop an authorized user from
downloading something they are allowed to download. Actually, I take
that back - maybe a NIDS could do that - but you'd need a totally robust
Document Classification system to be in place on your network before
such a thing has much chance of working...
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
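The per-user ACL pattern Jason describes (salesguy limited to the intranet web and mail hosts, admin given the whole network) can be driven from OpenVPN's --learn-address hook, which hands a script the client's tunnel address and certificate common name. The script below is an added example, not code from the thread or from the OpenVPN project; the policy table, host addresses, script path and the use of the FORWARD chain are assumptions for illustration.

```shell
#!/bin/sh
# OpenVPN --learn-address hook: per-client forwarding policy keyed on the
# certificate common name. Assumed server config:  script-security 2  and
#   learn-address /etc/openvpn/learn-address.sh
# OpenVPN runs it as <add|update|delete> <client-vpn-ip> [<common-name>]; the
# CN is absent on "delete", so rules live in a per-address chain.
set -eu
# Constructed sample policy (placeholder hosts): "dst-ip tcp-port" per line,
# or ANY for the whole internal network. Unknown common names get nothing.
policy_for() {
    case "$1" in
        salesguy) printf '%s\n' "10.0.0.10 80" "10.0.0.10 443" "10.0.0.20 993" ;;
        admin)    echo "ANY" ;;
        *)        : ;;
    esac
}
# Chain name derived from the VPN address, e.g. 10.8.0.6 -> vpn_10_8_0_6
chain_for() { printf 'vpn_%s' "$(printf '%s' "$1" | tr '.' '_')"; }
emit_teardown() {
    echo "iptables -D FORWARD -s $1 -j $2"
    echo "iptables -F $2"
    echo "iptables -X $2"
}
# Print the iptables commands for one event instead of running them, so the
# policy logic can be read and tested without root.
build_rules() {
    op="$1"; addr="$2"; cn="${3:-}"; ch="$(chain_for "$addr")"
    case "$op" in
    add|update)
        if [ "$op" = update ]; then emit_teardown "$addr" "$ch"; fi
        echo "iptables -N $ch"
        if [ "$(policy_for "$cn")" = "ANY" ]; then
            echo "iptables -A $ch -j ACCEPT"
        else
            policy_for "$cn" | while read -r dst port; do
                if [ -n "$dst" ]; then
                    echo "iptables -A $ch -p tcp -d $dst --dport $port -j ACCEPT"
                fi
            done
        fi
        echo "iptables -A $ch -j DROP"            # default deny for this client
        echo "iptables -I FORWARD -s $addr -j $ch" ;;
    delete) emit_teardown "$addr" "$ch" ;;
    *) echo "unknown operation: $op" >&2; return 1 ;;
    esac
}
# Apply only when invoked with arguments (by OpenVPN); sourcing it or running
# it bare never touches the firewall.
if [ "$#" -ge 2 ]; then build_rules "$@" | sh -e; fi
```

Because the chain is keyed on the tunnel address, pair this with fixed per-user addresses (client-config-dir plus ifconfig-push) so a user's rules cannot be inherited by whoever is assigned that address next.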