Re: Remote login
- Subject: Re: Remote login
- From: Chris Travers <..hidden..>
- Date: Sun, 28 Mar 2010 10:32:21 -0700
On Sun, Mar 28, 2010 at 8:11 AM, Michael Richardson <..hidden..> wrote:
>
> I'm also one of the maintainers of Openswan.
>
> CISCO VPN adapters are not IPsec compliant, btw.
> There are hacks in Openswan to make it work with "CISCO VPN Adapters" (not
> to be confused with CISCO IPsec solutions).
>
> OpenVPN has the advantage that it can innovate very quickly, since it is
> portable open source that runs on multiple platforms. It has the
> disadvantage that the group of people who work on it is small, and if
> there is a bug, it affects all versions. The openvpn folks have gotten
> lots right, but also lots and lots wrong.
Also I would probably point out that being non-standards-compliant is
both an advantage and a disadvantage. The advantage is that they are
not bound specifically to the standards specs. The disadvantage is
that they have to re-invent a lot of things themselves.
> If openvpn works for someone then great, use it.
Sure.
>
> One of the major challenges of IPsec is that microsoft just hasn't made
> it easy, and Apple has been rather "well, it works with CISCO VPN
> Adapters, we are done".
Speaking as a former Microsoftie, I have often been impressed at how
hard Microsoft can make it to do basic things... For example, setting
up a printer for "all users" at least as late as XP required hacking
the registry. I haven't tried on Vista or Windows 7. However, this
affects LedgerSMB because it means that a small business installation
of the software on Windows requires registry hacks... I believe
this is a strategy to provide greater lock-in and product sales (want
to be able to print from a network service? buy our server software
instead!). Microsoft software is furthermore only "easy" to
interoperate with other Microsoft software and everything else is
system integrator territory.
I haven't played around much with Windows and IPSec but I would be
honestly surprised if it were easy.
> As far as I'm concerned, SSH tunnels (from windows, using passwords),
> SSL (HTTPS), IPsec (using PSK), and OpenVPN (often using PSK) are all
> pretty much equivalent in security. HTTPS is the simplest to support.
Properly configured, I would generally agree with this. The only
thing I would add is that I would only put HTTPS in that category for
access to LedgerSMB if client-side certificates are verified. HTTPS
otherwise is nothing more than an anti-eavesdropping measure and fails
to provide the additional level of protection that requiring a
pre-shared key in the other options provides.
Best Wishes,
Chris Travers
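
The distinction drawn in the last paragraph of the message above, shown as an added example that is not part of the original thread: an Apache mod_ssl virtual host that only completes the TLS handshake for clients holding a certificate issued by a designated CA. It assumes LedgerSMB is served through Apache with mod_ssl; the hostname and all file paths are placeholders.

```apache
# Constructed example: hostname and file paths are placeholders.
<VirtualHost *:443>
    ServerName ledger.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Server-authenticated HTTPS only (the mod_ssl default). Traffic is
    # encrypted, but any client that can reach the port gets the login page.
    # SSLVerifyClient none

    # CA that issues the certificates handed out to authorized users.
    SSLCACertificateFile /etc/ssl/example/client-ca.crt

    # Abort the handshake unless the client presents a certificate signed
    # directly by that CA. Set at virtual-host level so the check happens
    # in the initial handshake rather than through renegotiation.
    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```

With this in place the client certificate plays the role the pre-shared key plays in the IPsec and OpenVPN setups: a connection without it never reaches the application's own login.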