[lopsa-discuss] hardware VPN devices for laptops?
William Reading
bill at aggienerds.org
Tue Dec 20 23:16:22 PST 2005
On Dec 21, 2005, at 12:43 AM, Marius Strom wrote:
> On Tue, 20 Dec 2005, Trey Harris wrote:
>> That's one. Another is that you may not trust Microsoft or whatever other
>> vendor produces your software VPN solution, and may not have the expertise
>> or resources to vet and maintain an open-source or in-house software
>> solution.
>
> And you would trust the hardware vendor more why? And you would have
> the expertise to open up/disassemble/vet the hardware router?
While this is true, the hardware vendor at least has to stay relatively
independent of the operating system, whereas the software vendor can say
that X product only supports Windows. (Of course the converse can also be
true, so it really might come down to which vendor you prefer. The AirPort
Express, for instance, can be a pain to set up on a non-Windows, non-Apple
machine.)
>> Another is that, with a software VPN, you're handing people a
>> general-purpose computer; you can't guarantee that they won't violate
>> policy by, say, routing their home LAN through your corporate firewall via
>> the VPN (they could very well do this unintentionally!).
>>
>> With a hardware VPN, it's a network device that you can control. Since it
>> has two interfaces (one to your computer, one to the internet), you can
>> (and should) make it a firewall, setting up a (relatively lax) DMZ for
>> every machine that connects to your VPN head. "Don't plug anything into
>> this thing except your company-issued laptop, and never plug your laptop
>> into anything but this" is then an effective rule that even the most
>> non-technical employee can understand. Accompany that by "violate either
>> rule and we will know and you WILL be terminated" in big red letters and
>> they'll get the idea.
>
> IMHO, if the user is skilled enough to route their home LAN through the
> software VPN, they'll do similar with the hardware box and a little
> router on the backend. :)
I can definitely agree with this one--having been a user on at least
several large corporate networks, I haven't run across one yet that
doesn't appear to be vulnerable to someone setting up a reverse SSH
tunnel to connect from home.
>> What do you do, with a software VPN, if you have to buy Wi-Fi hotspot
>> access before connecting? You trust the software firewall to protect you
>> while you connect your computer directly to the wild network--if you're
>> infected with malware or have an insecure OS image, game over. With a
>> hardware VPN, it can firewall your computer from the wild network, while
>> it serves as a bastion for HTTP and HTTPS while you complete the purchase.
>
> Does the HW router in question have a Wi-Fi interface? (It seems from
> what I've read on the thread that it's got two Ethernet interfaces - one
> to the computer, and one to the network)
Additionally (and with the above SSH trick in mind), does having the
hardware router really help if a determined attacker has compromised
the software on the machine?
--WFR
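The two failure modes argued over above (a client routing its home LAN through the corporate VPN, and a user opening a reverse SSH tunnel that no amount of client-side hardware stops) are both visible from the VPN head's side of the tunnel. The following is an added example, not code from the thread or from any product discussed in it: a small audit that runs two checks over connection records of a constructed "key=value" format. The address ranges, the record layout, the `client=` field (the address the head assigned to the tunnel a packet arrived on) and the one-hour session threshold are all assumptions made for the illustration.

```python
"""Two VPN-head policy checks over constructed connection records.

Added example for illustration; nothing here comes from the thread.
Record format, address ranges and the session threshold are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed "inside" address space and the age at which an outbound SSH
# session becomes suspicious. Adjust to the site being audited.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("172.16.0.0/12")]
LONG_SESSION_SECONDS = 3600


@dataclass(frozen=True)
class Flow:
    ts: str
    client: Optional[str]  # address the head assigned to the tunnel; None if not a VPN flow
    src: str               # source address of the packet as it left the tunnel
    dst: str
    proto: str
    dport: int
    duration: int          # seconds the connection has been alive


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> client=.. src=.. dst=.. proto=.. dport=.. dur=..'."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    client = fields["client"]
    return Flow(
        ts=tokens[0],
        client=None if client == "-" else client,
        src=fields["src"],
        dst=fields["dst"],
        proto=fields["proto"],
        dport=int(fields["dport"]),
        duration=int(fields["dur"]),
    )


def is_inside(addr: str) -> bool:
    """True if addr falls in the assumed corporate ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORP_NETS)


def check_flow(f: Flow) -> list[str]:
    """Return the policy findings for one flow (empty list when it is clean)."""
    findings = []
    # 1. Anti-spoof on the tunnel: a packet arriving over a VPN session must
    #    carry the address the head assigned to that session. Any other source
    #    is traffic the client forwarded from behind it, i.e. a home LAN being
    #    routed through the corporate side. This is the rule a two-interface
    #    VPN box (or the head itself) can enforce per client.
    if f.client is not None and f.src != f.client:
        findings.append(f"forwarded source {f.src} behind VPN client {f.client}")
    # 2. Reverse-tunnel signature: a long-lived outbound SSH session from an
    #    inside address to a host outside the corporate ranges. This is only a
    #    signature; the same tunnel on TCP/443 would pass this check.
    if (f.proto == "tcp" and f.dport == 22 and not is_inside(f.dst)
            and f.duration >= LONG_SESSION_SECONDS):
        findings.append(f"long-lived outbound SSH {f.src} -> {f.dst} ({f.duration}s)")
    return findings


def audit(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Run both checks over a batch of records; returns (timestamp, finding) pairs."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        for finding in check_flow(f):
            results.append((f.ts, finding))
    return results


# Constructed sample records (not real traffic). Line 2 is a home-LAN host
# (192.168.1.20) forwarded through client 10.8.0.5's tunnel; line 4 is a
# two-hour SSH session from a VPN client to an outside address.
SAMPLE_LOG = """\
2005-12-21T01:02:03 client=10.8.0.5 src=10.8.0.5 dst=10.1.2.3 proto=tcp dport=445 dur=12
2005-12-21T01:02:10 client=10.8.0.5 src=192.168.1.20 dst=10.1.2.3 proto=tcp dport=80 dur=3
2005-12-21T01:05:00 client=10.8.0.7 src=10.8.0.7 dst=10.1.2.4 proto=tcp dport=22 dur=7200
2005-12-21T01:06:00 client=10.8.0.7 src=10.8.0.7 dst=203.0.113.9 proto=tcp dport=22 dur=7200
2005-12-21T01:07:00 client=10.8.0.7 src=10.8.0.7 dst=203.0.113.9 proto=tcp dport=443 dur=40
""".splitlines()

if __name__ == "__main__":
    for ts, finding in audit(SAMPLE_LOG):
        print(ts, finding)
```

On the sample the audit flags exactly the second and fourth records. The first check is the one a per-client firewall on a hardware box can make hard to get around without a deliberately built second router; the second is the weak point the thread identifies, since it keys on the destination port and a determined user who moves the tunnel to HTTPS defeats it.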