Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
There's obviously quite a bit of misunderstanding here, so let me try to explain:
There are two entirely-different "use cases" here. One is that you want to securely connect two internal networks. The other is that you want to conceal your access to the outside world – or, merely, to secure your conversations among industrial spies within the same coffee shop.
In the latter case, you are establishing a VPN connection to a commercial provider who will then dump your now-unencrypted communications onto the public internet. The distinction here is not "the security of the pipe," but what it is ultimately connected to. No one will be able to intercept your messages, until they emerge at some IP-address (somewhere) that is publicly known to be "a public VPN endpoint." By then, "VPN will have done its job."
The "road warrior situation" entirely depends upon whether the participants are using digital certificates as opposed to PSKs = Pre-Shared-Keys = Stupid Passwords. If they are doing things properly, then each participant has a unique digital certificate which cannot be forged, although it can (and should be) "password protected." Without the password, the certificate cannot be used. But, if the underlying [unique ...] certificate has been [uniquely ...] revoked, then it is worthless. Therefore, as soon as the company realizes that a particular laptop has been stolen, they can invalidate that computer's access, whether or not the encryption password surrounding that particular certificate had been compromised.
Last edited by sundialsvcs; 09-12-2023 at 09:52 PM.
All: Great feedback from everyone! LQ has the experts. Based on everything said, I went the Sonicwall route. As it turns out, there is no cost to start as the TZ400 device comes with 2 licenses and an additional 1 user license is about $50, 5 user license about $130. These are one-time costs, not subscriptions.
I had help from an expert with Sonicwall to configure the TZ400 device and add the first user (me). I downloaded NetExtender (the VPN client) to my Windows computer and configured it with server IP, credentials, etc. This is a remote computer so basically this is the "Road Warrior" situation. Thus far, this works fine.
Perhaps the last issue on this, mentioned by sundialsvcs in post #16: What certificate? I didn't see any certificate configs associated with the Sonicwall VPN stuff. Are you referring to the certificate warning that comes up when one connects via RDC?
If(!) you properly use digital certificates, both commonly-used VPN technologies (OpenVPN and IPSec) are equally reliable and secure. Tools are available for both to simplify the deployment of new road-warrior machines and the management of chores like certificate revocation. If your SonicWall has these features, feel free to exploit them: that’s what your company paid the big bucks for.
Good and easy-to-use client packages are readily available for both VPN technologies, and for every operating system. Your users “click on an icon at the top of the screen, wait for it to turn from grey to black, and that’s it.” They have no idea what actually happened, and they have no reason to care.
Per contra, “PSKs = Pre-Shared Keys = Simple Passwords” will never be secure … Do not use them.
The only “truly interesting feature” of OpenVPN is its so-called tls-auth, which can conceal the presence of the VPN endpoint. Which entirely shuts down “nuisance” attempts to break into it. (As long as you are using “port-free” UDP rather than TCP/IP … UDP being the default.)
Last edited by sundialsvcs; 09-15-2023 at 10:10 AM.
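The stolen-laptop revocation that the two posts above describe (invalidating one road warrior's certificate, and the "certificate revocation chores" a VPN tool handles), as an added lab example that is neither from this thread nor SonicWall's or OpenVPN's own code: a throwaway CA issues a client certificate, revokes it, publishes a CRL, and CRL-aware verification then rejects the otherwise intact certificate. The CA name, client name and ca.cnf contents are constructed lab values; the only assumption is that the openssl command-line tool is installed.

```shell
# Added lab example (not from the thread): revoke a "stolen laptop" client cert and
# show that CRL-aware verification rejects it although the cert and its password are
# intact. Needs only the openssl CLI; every name below is a constructed lab value.
set -eu
revocation_demo() {
  work=$(mktemp -d); cd "$work"
  # Minimal config for openssl req / openssl ca (hypothetical lab CA, not SonicWall's).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_policy
x509_extensions = client_ext
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  touch index.txt; echo 01 > serial
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
    -subj /CN=LabVPN-CA -config ca.cnf -extensions ca_ext 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout laptop.key -out laptop.csr \
    -subj /CN=laptop-01 -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in laptop.csr -out laptop.crt >/dev/null 2>&1
  # Freshly issued, the client certificate chains to the CA and is accepted.
  openssl verify -CAfile ca.crt laptop.crt >/dev/null 2>&1 || { echo "new cert rejected" >&2; return 1; }
  # Laptop reported stolen: revoke it and publish a fresh CRL.
  openssl ca -config ca.cnf -revoke laptop.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  cat ca.crt crl.pem > trust_with_crl.pem
  # With CRL checking on (what OpenVPN's crl-verify does), the same cert must now fail.
  if openssl verify -crl_check -CAfile trust_with_crl.pem laptop.crt >/dev/null 2>&1; then
    echo "revoked cert still accepted" >&2; return 1
  fi
  echo "revoked certificate rejected as expected"
}
revocation_demo
```

The password on laptop.key plays no part in the check: the verifier only consults the CRL, which is why revocation works whether or not the thief has the password.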