[KLUG Members] Are there any _secure_ VPN solutions for Linux?

Adam Williams members@kalamazoolinux.org
Wed, 01 Oct 2003 20:39:21 -0400


> > How are we screwed? Looks like they fixed it.

Was it broken?  The article in question doesn't even imply that.

> > > magoo (mag00@voyager.net) wrote:
> > > So we are ALL just screwed, are we Adam?   RATS!
> Ask Adam, John.  He is the originator of the statement.
> You get confused on things so often... Mind wandering
> while you multi-task, eh John?  I know you mean well.

I said *IF* OpenSSL is insecure then we are all screwed.  Everything
links to the openssl libs: Samba, Apache, OpenVPN, OpenLDAP, Sendmail,
Evolution, Mozilla/Galeon/Epiphany, etc...

I didn't say OpenSSL was broken.  And there is a big distance between
broken, secure, and "perfect".

> > OpenVPN just uses OpenSSL.  And if *THAT* isn't secure......
> > we are all just screwed.
> I wonder what Adam will say in response to your implied
> questioning of it?  Well Adam?  Is ANYTHING secure?
> Why do you say "...we are all just screwed?"

They've fixed it lots of times.  They'll fix it again.  Oh, well.  There
hasn't been a Mac-Truck-Sized vulnerability in quite a long time, mostly
just obscure things that can only be exploited under pretty
specialized circumstances.

Note the article is talking about overall VPN security which includes a
lot more than just payload protection; there is session setup,
management, congestion control, packet ordering, key exchange, etc...
So you can have a VPN with excellent payload encryption techniques that
is still a complete joke.

The author doesn't analyze OpenVPN, he just says he thinks SSL is
non-optimal - I suspect for many of the same reasons shoving PPP packets
over an SSH port-forward via pseudo-tty is non-optimal - and these
aren't specifically security related but may relate to performance,
scalability, and efficiency (but hey, we've all got 2Ghz processors).

> Since this is out in the public forum, consider these thoughts
> Are there MORE, yet to be discovered, vulnerabilities?
> Will they be fixed AFTER the fact... after discovery?
> What WILL Adam say?

I'll just reiterate my all time favorite quote: "If you want something
done, ask an extremely busy person." - Sarah Michelle Gellar

>   Hmmmm!  SECURITY?  What IS that
> 'ideal vs. real' thing all about anyway?

Yep.

> Think Apache is "fixed" too?   Clue:   N O P E ! ! !  :-)

I didn't see any testicles on my most recent Apache install.  So I just
assumed it was "fixed".

> How about Sendmail?

Hasn't been a major security vulnerability in quite some time.

> Samba?

Hard to say, 3.x.x just hit the street.  Adding connection signing and
Kerberos certainly can't hurt.  But then, there are those pesky Winbloze
machines on the other end of the wire.

> Others?  OK, there you go again!

Me, where am I going?