[ale] VPN connections at Emory

Jim Kinney jim.kinney at gmail.com
Tue Jan 22 15:01:10 EST 2013


I take greater care to make my Linux systems secure than windwoes systems.
Why? I don't care about the windwoes systems. Toss them in the trash, blow
on a new build, reconnect and wait for the next disaster.

My Linux systems provide a toolset that is not available on any windwoes
system and that toolset can wreak havoc on the entire Internet. So I keep
that toolset as locked down as I can make it.

The only way to really secure a windwoes system is to remove the power cord
and weld the hard drive motor so it won't spin. Barring that, put the OS on
a replaceable drive with an offline spare in storage. User files are stored
on a Samba system that is scanned hourly. Bugged windwoes systems get the
new drive and the old drive is wiped and rebuilt to support remote user
data.

Or run Linux and windwoes in a VM only. Once installed and fully patched,
take a VM snapshot. Keep user data on the Linux system via a shared folder.
When windwoes gets screwed, restore from the snapshot.

On Tue, Jan 22, 2013 at 2:43 PM, Brian MacLeod <nym.bnm at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 1/22/13 1:38 PM, Ron Frazier (ALE) wrote:
> > The TOS at most institutions forbid guest access to wired ports.
> > But, we won't mention that.  I don't know about this specific
> > institution.
>
>
> It is forbidden to connect a network device to such ports.  If it were
> policy to forbid any guest access to wired ports, then that connection
> would not be there.  What they should do is wall that off behind the
> same security as the wireless, but that's an operational choice by
> Emory and it's not going to change here. I know at Tech and at my
> previous institution (Georgia Gwinnett), all publicly exposed network
> ports were either dead or secured/throttled as the wireless was.
>
>
>
> > Un-natted connections sound a bit disturbing.  I would think the
> > whole institution would be running on a giant nat.  Even so, I
> > think a Windows machine should be OK as long as the OS firewall
> > was running.
>
>
> I can't even begin to state how wrong this is.  The vulnerabilities
> (even with OS firewall on) are far too great to allow this type of
> connection.  But honestly, a lot of this part of the discussion would
> be moot if the wired connection provided was secured as above.
>
> Just because I have a box running Linux, I take great caution
> connecting to such networks because who knows what will come at my box
> as soon as I connect.
>
>
>
> > Re VPN, I was running hotspotvpn on Windows the other night at the
> > meeting on the wireless.  I was using HTTP protocol as far as what
> > the menu says.  I assume it was using SSL on 443.  I think it runs
> > OpenVPN under the covers.
>
>
>
> Right...so...same result...
>
> bnm
>
>



-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/