Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] {OT} Allow work from home?
Date: Sun, 24 Jan 2016 19:10:57
Message-Id: 2260991.M0KRgvb1UU@dell_xps
In Reply to: Re: [gentoo-user] {OT} Allow work from home? by Rich Freeman
On Sunday 24 Jan 2016 13:44:12 Rich Freeman wrote:
> On Sun, Jan 24, 2016 at 1:36 PM, Mick <michaelkintzios@×××××.com> wrote:
> > On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote:
> >> On Sun, Jan 24, 2016 at 10:56 AM, Grant <emailgrant@×××××.com> wrote:
> >> > So the user is safe if I send all internet requests from her remote
> >> > laptop through the Zerotier connection (instead of only sending
> >> > requests to my server through Zerotier)?
> >>
> >> It depends on what you mean by "safe." If you mean that there is no
> >> possibility of malware stealing or messing with your data this is the
> >> case if:
> >>
> >> As long as:
> >> 1. You ensure that no malware enters through zerotier.
> >> 2. No malware is present before you set up zerotier.
> >> 3. No network connections are ever used other than zerotier.
> >>
> >> If you mean safe to mean that nothing bad happens to the user's system
> >> that wouldn't have happened if they use their own internet connection,
> >> there is no real harm in using yours, assuming you don't leak your own
> >> malware onto their system.
> >
> > As Rich alludes to, if through Zerotier the user can only connect to your
> > webserver and no connections of the user are forwarded (through your
> > Zerotier-LAN, or your webserver) to the Internet, the XSS kind of
> > threats will be contained.
> >
> > However, as I understand it the Zerotier provides a split tunnel
> > arrangement. The user will be able to use their browser to connect
> > through Zerotier to your LAN, while through another window on the same
> > browser they will be able to connect to the Internet using their own
> > network.
>
> That, and after they disconnect from zerotier the malware that has
> been logging everything can go ahead and phone home to report in
> without going through whatever protections you'd have on your own
> network for outbound connections.

To cover most eventualities big corporates I know use:

a) Company issued laptops, which are completely locked down in terms of
applications and settings and connect to the corporate LAN via VPN with client
SSL certificate authentication.

b) For BYODs, virtualised Citrix XenDesktop, totally controlled by the
corporate sysadmins, with DPI and webfiltering at the corporate firewall for
outgoing connections. Connections to Facebook, Twitter, prawn, etc. are
blocked.

Both of the above are provided as work tools and the users understand that
restrictions are part of their employment contract and at company time they
are not meant to spend their mornings organising junior's birthday party on
Facebook.

I don't know to what extent your users can be trusted and relied upon to
follow good working practices. Full VPN tunnel to the corporate LAN, plus up
to date antivirus products if they are using MSWindows and up to date Linux
PCs should protect from most attack vectors. Alternatively, locked down
Chromebooks as Rich has already suggested and regular backups should
hopefully protect your corporate data from irretrievable damage.

--
Regards,
Mick
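The split-tunnel versus full-tunnel distinction the thread turns on can be verified on the laptop itself from its routing table. The Python script below is an added example, not code from this thread, from ZeroTier or from Gentoo: it parses `ip route show` output, reports whether the default route leaves via the tunnel interface, and lists every route to a non-LAN destination that bypasses the tunnel. The interface name `zt0`, the endpoint address 203.0.113.10 and the three sample route tables are constructed placeholders; a real ZeroTier interface and peer addresses will differ.

```python
import ipaddress
import re
import subprocess

# Constructed sample outputs of `ip route show` (placeholders, not taken from
# the thread). The tunnel interface name "zt0" is a placeholder as well.

# Split tunnel: only the remote LAN goes through the tunnel; the default
# route still leaves through the laptop's own Wi-Fi.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.147.17.0/24 dev zt0 proto kernel scope link src 10.147.17.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Full tunnel: default route via the tunnel; the only off-tunnel route to a
# non-LAN address is the host route pinning the VPN endpoint to the Wi-Fi.
FULL_TUNNEL = """\
default dev zt0 scope link
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
10.147.17.0/24 dev zt0 proto kernel scope link src 10.147.17.5
"""

# Full tunnel with a stale extra route that lets one public prefix bypass it.
LEAKY_TUNNEL = FULL_TUNNEL + "198.51.100.0/24 via 192.168.1.1 dev wlan0\n"

# Destinations expected to stay on the physical NIC: RFC1918, link-local, loopback.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(route_table):
    """Turn `ip route show` text into dicts with dst (ip_network), via and dev."""
    routes = []
    for line in route_table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:  # blank lines and blackhole/unreachable entries carry no dev
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append({"dst": net, "via": m.group("via"), "dev": m.group("dev")})
    return routes


def is_lan(net):
    return any(net.version == lan.version and net.subnet_of(lan) for lan in LAN_NETS)


def assess_tunnel(route_table, vpn_iface, vpn_endpoints=()):
    """Report tunnel mode and every route that lets non-LAN traffic skip vpn_iface.

    vpn_endpoints: addresses of the VPN/ZeroTier peers that legitimately need a
    host route via the physical link (without it the tunnel cannot be built).
    """
    routes = parse_routes(route_table)
    default_dev = next((r["dev"] for r in routes if r["dst"].prefixlen == 0), None)
    endpoints = {ipaddress.ip_address(e) for e in vpn_endpoints}
    bypass = []
    for r in routes:
        if r["dev"] == vpn_iface:
            continue
        if r["dst"].prefixlen == 0:
            bypass.append("%s dev %s" % (r["dst"], r["dev"]))  # default route off-tunnel
            continue
        if is_lan(r["dst"]):
            continue
        if r["dst"].num_addresses == 1 and r["dst"].network_address in endpoints:
            continue  # pinned VPN endpoint, required for the tunnel itself
        bypass.append("%s dev %s" % (r["dst"], r["dev"]))
    return {
        "mode": "full" if default_dev == vpn_iface else "split",
        "default_dev": default_dev,
        "bypass_routes": bypass,
    }


if __name__ == "__main__":
    # Run against the live host (Linux with iproute2); adjust the interface
    # name and endpoint list for the real setup.
    live = subprocess.check_output(["ip", "route", "show"], text=True)
    print(assess_tunnel(live, "zt0", vpn_endpoints=("203.0.113.10",)))
```

A non-empty `bypass_routes` list on a laptop that is supposed to be full-tunnel is exactly the "network connection other than zerotier" in Rich's third condition; it is also the path a keylogger would use to phone home while the tunnel is up, so the check is worth running after every reconnect rather than once at setup.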

Attachments

File name MIME type
signature.asc application/pgp-signature