VPN? [OT]

Bill Moran wmoran at iowna.com
Mon Apr 30 19:33:09 GMT 2001


Oren Levy wrote:
> 
> Actually, my experience is that by and large users are
> really dumb; I make no distinction between
> unintelligent and too lazy to think--the result is the
> same. :)

True.

> I never considered using plain old file sharing and
> only considered a true (secure) VPN. Even so, I can
> see how a VPN accessed from an insecure (home, mobile,
> etc.) computer could pose huge security problems.

True again.

> Admittedly, my question was tangential, but related,
> to Samba as I figured Samba users also have set up
> their shares to be remotely accessed. Under Linux it
> seems like PopTop is the best solution so far. Setting
> up a VPN with Win2k is very easy - but am I to
> understand that it is also insecure?

We get more off-topic here. While related, it really is another issue.
One thing to consider is: what are you trying to secure? If it's your
users' files, then you probably don't want to let them work at home at
all, since you can't practically ensure the security of their home
machines (what if a user "accidentally" saves a file to a local drive
instead of the network, what about caches?). Rule out laptops and
working on the road as well, since a stolen laptop can compromise a lot
of data.

But if you're trying to secure your network, it's a different story. You
want to keep weirdos from cracking your servers and installing virii,
deleting files (that you are responsible for keeping backed up),
sending spam from your mail servers, and generally causing mayhem. At
that point things get easier. Force anyone who logs in to do so via a
secure, encrypted channel, insist that passwords are changed regularly,
cancel accounts that existed on laptops that were stolen, and keep the
proper firewalls, etc. in place and you shouldn't have too much trouble.

To try to say "Do it like this and you'll be fine" is ridiculous. 40% of
the folks will have more security to manage than they need, and 40% will
be undersecured. That (estimated) 20% don't qualify as well-secured,
just luckily-secured. The proper way to do it is to determine what you
have to secure, and then take the time to understand the protocols, etc.
that are being used so you can make intelligent decisions about how to
implement.

This is why those "server in a box" solutions that claim to be easy
enough for anyone to do will never take off. Because they really only
appeal to a small percentage of the people who need a server. The rest
will have too much management keeping the security working, too little
security for their needs or the whole thing messed up because they don't
understand it (or a combination of the three).

In the end, the only way to do it right is to "do it right".

-Bill



