[lopsa-discuss] hardware VPN devices for laptops?

Marius Strom marius at marius.org
Tue Dec 20 22:43:30 PST 2005 

On Tue, 20 Dec 2005, Trey Harris wrote:
> That's one.  Another is that you may not trust Microsoft or whatever other 
> vendor produces your software VPN solution, and may not have the expertise 
> or resources to vet and maintain an open-source or in-house software 
> solution.

And you would trust the hardware vendor more why?  And you would have
the expertise to open up/disassemble/vet the hardware router?

> Another is that, with a software VPN, you're handing people a 
> general-purpose computer; you can't guarantee that they won't violate 
> policy by, say, routing their home LAN through your corporate firewall via 
> the VPN (they could very well do this unintentionally!).
> 
> With a hardware VPN, it's a network device that you can control.  Since it 
> has two interfaces (one to your computer, one to the internet), you can 
> (and should) make it a firewall, setting up a (relatively lax) DMZ for 
> every machine that connects to your VPN head.  "Don't plug anything into 
> this thing except your company-issued laptop, and never plug your laptop 
> into anything but this" is then an effective rule that even the most 
> non-technical employee can understand.  Accompany that by "violate either 
> rule and we will know and you WILL be terminated" in big red letters and 
> they'll get the idea.

IMHO, if the user is skilled enough to route their home LAN through the
software VPN, they'll do similar with the hardware box and a little
router on the backend. :)

> What do you do, with a software VPN, if you have to buy Wi-Fi hotspot 
> access before connecting?  You trust the software firewall to protect you 
> while you connect your computer directly to the wild network--if you're 
> infected with malware or have an insecure OS image, game over.  With a 
> hardware VPN, it can firewall your computer from the wild network, while 
> it serves as a bastion for HTTP and HTTPS while you complete the purchase.

Does the HW router in question have a wifi interface? (It seems from
what I've read on the thread that it's got two ethernet interfaces - one
to the computer, and one to the network)

-- 
                       /------------------------------------------------->
Marius Strom           | Always carry a short length of fibre-optic cable.
Professional Geek      | If you get lost, then you can drop it on the
IT Auditor             | ground, wait 10 minutes, and ask the backhoe
http://www.marius.org/ | operator how to get back to civilization.
                       \-------------| Mike Andrews |-------------------->

More information about the Discuss mailing list