[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remote login

On Sun, Mar 28, 2010 at 8:11 AM, Michael Richardson <..hidden..> wrote:

> I'm also one of the maintainers of Openswan.
> CISCO VPN adapters are not IPsec compliant, btw.
> The are hacks in Openswan to make it work with "CISCO VPN Adapters" (not
> to be confused with CISCO IPsec solutions).
> OpenVPN has the advantage that it can innovate very quickly, since it is
> portable open source that runs on multiple platforms.  It has the
> disadvantage that the group of people who work on it is small, and if
> there is a bug, it affects all versions.   The openvpn folks have gotten
> lots right, but also lots and lots wrong.

Also I would probably point out that being non-standards-compliant is
both an advantage and a disadvantage.  The advantage is that they are
not bound specifically to the standards specs.  The disadvantage is
that they have to re-invent a lot of things themselves.

> If openvpn works for someone then great, use it.

> One of the major challenges of IPsec is that microsoft just hasn't made
> it easy, and Apple has been rather "well, it works with CISCO VPN
> Adapters, we are done".

Speaking as a former Microsoftie, I have often been impressed at how
hard Microsoft can make it to do basic things...  For example, setting
up a printer for "all users" at least as late as XP required hacking
the registry.  I haven't tried on Vista or Windows 7.  However, this
affects LedgerSMB because it means that a small business installation
of the software on Windows requires registry hacks......  I believe
this is a strategy to provide greater lock-in and product sales (want
to be able to print from a network service?  buy our server software
instead!).  Microsoft software is furthermore only "easy" to
interoperate with other Microsoft software and everything else is
system integrator territory.

I haven't played around much with Windows and IPSec but I would be
honestly surprised if it were easy.

> As far as I'm concerned, SSH tunnels (from windows, using passwords),
> SSL (HTTPS), IPsec (using PSK), and OpenVPN (often using PSK) are all
> pretty much equivalent in security.  HTTPS is the simplest to support.

Properly configured, I would generally agree with this.  The only
thing I would add is that I would only put HTTPS in that category for
access to LedgerSMB if client-side certificates are verified.  HTTPS
otherwise is nothing more than an anti-eavesdropping measure and fails
to provide the additional level of protection that requiring a
pre-shared key in the other options provides.

Best Wishes,
Chris Travers