[ale] VPN connections at Emory
David Tomaschik
david at systemoverlord.com
Tue Jan 22 15:51:42 EST 2013
On Tue, Jan 22, 2013 at 11:39 AM, JD <jdp at algoloma.com> wrote:
> On 01/22/2013 01:38 PM, Ron Frazier (ALE) wrote:
> > The TOS at most institutions forbid guest access to wired ports. But, we
> > won't mention that. I don't know about this specific institution.
>
> Perhaps it would be easier to just bring a wifi router to plug into the podium
> port from now on? I have a tiny travel wifi router that I use at other meetings
> which is perfect for this.
>
> > Un natted connections sound a bit disturbing. I would think the whole
> > institution would be running on a giant nat. Even so, I think a Windows
> > machine should be OK as long as the OS firewall was running.
>
> NAT is not a method of security. It is the firewall and LACK of NAT forwarding
> to specific ports that matters.
>
> If you run iptables on your Linux machines (who has just 1?) with logging
> enabled, you can see all the traffic that "NAT routers" allow in that you would
> never expect to see. Seriously - enable logging on iptables and watch all the
> attempts from behind a NAT router. These are inbound packets, not responses.
>
>
While I certainly don't subscribe to the "NAT is security" mindset, I also
haven't seen many (any?) general NAT implementations that forward a lot of
spurious traffic. Granted, I run OpenWRT at home with full SPI enabled,
but I actually do a lot of things with wireshark on that network segment
and the only "surprising" things I see are the sheer volume of broadcast
traffic from various devices (cell phones, windows machines, etc.). Never
seen anything from the outside.
That being said, obviously things like 1:1 NAT [1] offer no security. But
with a "typical" 1:N NAT setup, the NAT machine has to decide which machine
of N the incoming packet goes to, so short of setting up a DMZ, most of
those implementations drop anything they don't have connection tracking
for. (Which is why special conntrack modules are needed for things like
passive-mode FTP, anything that opens ports backwards, etc.)
> MS-Windows is not safe on any network, IMHO. It is simply too much of a
> target.
> Linux without good firewall settings is scary too.
>
> > Re VPN, I was running hotspotvpn on Windows the other night at the meeting on
> > the wireless. I was using HTTP protocol as far as what the menu says. I
> > assume it was using SSL on 443. I think it runs OpenVPN under the covers.
> > It was working fine. When I ran speedtest.net to test it, it showed my data
> > exiting the tunnel in California. Not the most efficient, perhaps, but it
> > worked. They have a linux option, but I haven't gotten that working yet.
>
> I was using an NX remote desktop (ssh tunnel over port 443) while on Emory's
> Guest wifi network too. That worked. I tried to use an ssh tunnel over a port
> in the 48K-55K range and it was blocked. There didn't seem to be any dropped
> connection the entire time.
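The 1:N NAT behaviour discussed above (the router only forwards inbound packets for flows its connection-tracking table already knows, needs a helper for protocols that "open ports backwards", and otherwise drops and logs the packet unless a DMZ host is configured) is easy to see in a small model. The following is an added illustration, not code from the list thread or from any real NAT implementation; the addresses, ports and the `Nat1toN` / `expect_related` names are constructed for the example, and the log lines only mimic the shape of an iptables LOG entry.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed addresses for this example (documentation ranges, not real hosts):
# two LAN hosts behind a router whose single public address is PUBLIC_IP.
PUBLIC_IP = "203.0.113.5"
LAN_A, LAN_B = "192.168.1.10", "192.168.1.11"


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Nat1toN:
    """Toy 1:N (masquerading) NAT with a connection-tracking table.

    Inbound packets are forwarded only when an outbound flow (or a protocol
    helper) created a table entry; anything else is logged and dropped,
    unless a DMZ host has been configured to receive untracked traffic."""
    public_ip: str
    dmz_host: Optional[str] = None
    next_port: int = 40000
    # key: (proto, external_port, remote_ip, remote_port or None for "any")
    # value: (internal_ip, internal_port)
    table: Dict[Tuple, Tuple[str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _alloc_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source and remember the flow."""
        ext_port = self._alloc_port()
        self.table[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def expect_related(self, proto: str, remote_ip: str, in_ip: str, in_port: int) -> int:
        """What a conntrack helper (e.g. the FTP one) does after reading the control
        channel: pre-register a connect-back from remote_ip, any source port."""
        ext_port = self._alloc_port()
        self.table[(proto, ext_port, remote_ip, None)] = (in_ip, in_port)
        return ext_port

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: pick the one host of N that owns this flow, or drop."""
        exact = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        related = (pkt.proto, pkt.dst_port, pkt.src_ip, None)
        entry = self.table.get(exact) or self.table.pop(related, None)
        if entry is not None:
            self.table[exact] = entry          # promote a RELATED expectation to a tracked flow
            in_ip, in_port = entry
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)
        if self.dmz_host is not None:
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port, pkt.proto)
        # Shape borrowed from an iptables LOG entry; this is where the "inbound
        # attempts" JD mentions would show up with logging enabled.
        self.log.append(f"DROP IN=wan PROTO={pkt.proto} SRC={pkt.src_ip} SPT={pkt.src_port} "
                        f"DST={pkt.dst_ip} DPT={pkt.dst_port} (no conntrack entry)")
        return None


def run_demo() -> dict:
    nat = Nat1toN(PUBLIC_IP)
    # Host A opens an HTTPS connection; the reply must come back to A, not B.
    out = nat.outbound(Packet(LAN_A, 51515, "198.51.100.20", 443))
    reply = nat.inbound(Packet("198.51.100.20", 443, PUBLIC_IP, out.src_port))
    # Someone else reusing that external port, and a plain port scan: both untracked.
    probe = nat.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, out.src_port))
    scan = nat.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, 22))
    # Active-mode FTP style connect-back from the server: only works via the helper.
    ext = nat.expect_related("tcp", "198.51.100.21", LAN_B, 20001)
    ftp_data = nat.inbound(Packet("198.51.100.21", 20, PUBLIC_IP, ext))
    # Same scan against a router with a DMZ host: it is forwarded, not dropped.
    dmz = Nat1toN(PUBLIC_IP, dmz_host="192.168.1.50")
    dmz_scan = dmz.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, 22))
    return {"reply": reply, "probe": probe, "scan": scan, "ftp_data": ftp_data,
            "dmz_scan": dmz_scan, "log": nat.log}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point to take from the model is that the security does not come from the address rewriting itself but from the router having no entry to match and therefore dropping the packet; a DMZ setting, a port forward, or a helper that registers an expectation each turn a previously dropped packet into a forwarded one, which is exactly what the logged lines let you audit.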