On Wed, 13 Feb 2008 08:19:48 -0800
Grant <emailgrant@×××××.com> wrote:

> > > > Even if you just want to encrypt some clear-text protocol that
> > > > doesn't have an encrypted equivalent, a vpn is still overkill.
> > > > For that you use ssh tunneling (which is essentially the same
> > > > thing as an encrypted version of a protocol). 'ssh -X' is the
> > > > classic example of easily tunneling a protocol that doesn't
> > > > have a native encrypted equivalent.
> > >
> > > I see what you're saying. Can tunneling through ssh be made
> > > automatic so that a cron job initiates a script that opens a
> > > tunnel between the remote server and local print server and pages
> > > are printed through the tunnel?
> >
> > Sure. ssh is just a process after all and in principle encapsulates
> > whatever gets put into it. All you need is a connection that isn't
> > firewalled out and an sshd that is listening to what is coming in.
> >
> > ssh will even port forward for you and can be made to transform any
> > tcp connection to appear to come from whatever port you want. What
> > you put inside the tunnel is up to you. If the print server won't
> > accept what is coming in, then google will find you any number of
> > apps that will mangle the traffic.
> >
> > > > Your statement "it seems like running SSH inside a VPN is better
> > > > for security than running SSH on a non-standard port" is
> > > > nonsensical. From a security and encryption perspective, ssh
> > > > and OpenVPN are exactly the same thing - stuff wrapped in an
> > > > encryption layer provided by ssl, complete with exactly the
> > > > same key setup should you choose to use that route.
> > >
> > > What about having ssh, imap, smtp, cups, and possibly a
> > > non-standard https port all hidden within a VPN? Should that be
> > > considered a benefit of running a VPN?
> >
> > I've filed the original post somewhere else and forgot the
> > scenario :-) Is this a setup you need to be present often or even
> > all the time? If so, you have 5 protocols in use, and setting up
> > tunnels could become cumbersome. You might consider that it's more
> > effort than it's worth and a VPN that is there and JustWorks(tm) is
> > preferable. I would call that a sensible use of a VPN :-)
> >
> > I don't think there's a golden rule about when using a VPN is right
> > or wrong. It's more like "do the advantages outweigh the hassle of
> > setting it up and maintaining it?". Sometimes this answer is
> > obvious, sometimes less so. Sometimes it's a judgement call.
>
> Thanks a lot for everyone's help. Here is a more to-the-point list of
> what I'd like to accomplish:
>
> 1. encrypt CUPS printouts between remote server and local print server
> 2. add an additional layer of security around SSH and CUPS on local
> firewall/print server
> 3. add an additional layer of security around SSH, IMAP, and
> non-standard port HTTPS on remote server
> 4. enable access to SMTP on remote server for me which is blocked by
> my local ISP
>
> It sounds like I have 3 choices:
>
> 1. VPN
> 2. SSH tunneling
> 3. Zebedee tunneling
>
> Would all 3 of these choices accomplish all 4 requirements? I would
> think SSH tunneling can't really add an additional layer around SSH.

Encrypted packets, encrypted? Why not?

> I'd like to have something I can leave up all the time so the services
> are always protected and I don't have to go through an extra step to
> use email or print from the remote server. Can all 3 of these be left
> up all the time? Is there any reason not to leave this type of
> functionality up all the time?

I don't use tunnels, but leave VPN up all the time.

> It sounds like VPN would be the most difficult to set up and maintain,
> followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm
> wrong though. With tunneling, would I need to set up 4 or 5 different
> tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
> using Zebedee)?

Tunnels aren't configured, but would probably have to be created
at boot. VPN is, I suppose, not super easy to configure. I will send
you my config files though if you want.

> To send me mail, mail servers need to connect to my remote server's
> SMTP right? Would setting up a tunnel or VPN for my SMTP access
> interfere with that?

Not if you tunnel through to the right ports - or in the case of a VPN,
no.

--
gentoo-user@l.g.o mailing list
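A concrete version of the cron-driven ssh tunnel the thread talks about, added here as an example and not taken from the thread or from any list member: one ssh session from the local print server to the remote server carries a remote forward for CUPS (so the remote box prints into the local CUPS) and local forwards for IMAP and SMTP, and an idempotent script that cron re-runs to recreate the session whenever it has died, which is what keeps it "up all the time". The user name, host name, listen ports and pid-file path are assumed placeholders; key-based authentication is assumed to be set up.

```shell
#!/bin/sh
# Added example (not from the thread): one ssh session from the local print
# server to the remote server carries every forward; cron re-runs this script
# so a dead session is recreated.  Names, ports and paths are placeholders.

REMOTE_USER="grant"                    # placeholder account on the remote box
REMOTE_HOST="remote.example.org"       # placeholder remote server
PIDFILE="${PIDFILE:-/var/run/ssh-tunnels.pid}"

# kind:listen_port:target_port.  L = listen here, reach the remote IMAP (143)
# and SMTP (25); the ISP's port-25 block is bypassed since the real connection
# leaves on port 22.  R = listen on the remote server, reach the local CUPS
# (631) so the remote CUPS client prints to localhost:1631.  Unprivileged
# listen ports avoid needing root on either side.
FORWARDS="L:1143:143 L:1025:25 R:1631:631"

# Build the ssh command.  -N: no remote shell.  ExitOnForwardFailure: exit
# rather than run with a forward missing.  ServerAlive*: notice a dead link
# within ~90 s so ssh exits and the next cron run replaces it.  BatchMode:
# key-based auth only, never prompt (cron has no terminal).
tunnel_cmd() {
    cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    cmd="$cmd -o ServerAliveCountMax=3 -o BatchMode=yes"
    for spec in $FORWARDS; do
        kind=${spec%%:*}; rest=${spec#*:}
        listen=${rest%%:*}; target=${rest##*:}
        # Bind 127.0.0.1 on both ends: the forward serves this host only, so
        # the remote MX keeps accepting inbound mail on its real port 25.
        cmd="$cmd -$kind 127.0.0.1:$listen:127.0.0.1:$target"
    done
    printf '%s\n' "$cmd $REMOTE_USER@$REMOTE_HOST"
}

# 0 if the pid recorded in PIDFILE still belongs to a live process.
tunnel_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Idempotent entry point for cron:  */5 * * * * /usr/local/bin/tunnels.sh run
ensure_tunnel() {
    tunnel_running && return 0
    set -- $(tunnel_cmd)           # split the command line into words
    "$@" &                         # ssh keeps running after the script exits
    echo $! > "$PIDFILE"
}

if [ "${1:-}" = run ]; then ensure_tunnel; fi
```

Point the remote CUPS client at localhost:1631 and the local mail client at localhost:1143 / localhost:1025; everything between the two hosts then travels inside the one ssh connection on port 22.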