On Wed, Jul 1, 2009 at 2:18 PM, Erik Goldoff <egold...@gmail.com> wrote:

> Wow! I disagree completely ... Opening up VPNs to home users' privately
> owned equipment, with questionable security/infection status, seems MUCH more
> risky than opening RDP ports on the firewall ...
Use a firewall. You've heard of firewalls, right? ;-)

Firewalls aren't just something that protects the corporate network from the Internet. Firewalls can protect sections of the corporate net from other sections of the corporate net, or computers on the corporate net from threats within the perimeter, or, indeed, the corporate network from unauthorized VPN traffic.

If you firewall your VPN connection such that only TCP/3389 is allowed, you're allowing exactly *nothing* more than you are with RDP without a VPN, but providing considerably better protection. An RDP session transported over a good VPN with public-key authentication is going to be *much* more secure than RDP alone.

> I'm really curious as to why you consider a publicly available RDP session
> such a risk?

(1) Passwords are *so* 20th century. Even a really "strong" password like "MfdnwF4ra!" isn't going to come close to the security provided by a 1024-bit or 2048-bit public key. And with RDP requiring a password on top of that, you've got two-factor authentication for cheap.

(2) Exposing *any* protocol listener from an inside server directly to the outside Internet makes me nervous. Better to wrap it in a VPN, in my book. It is true that VPN implementations themselves can have security vulnerabilities, but I'd rather put my trust in a VPN designed for security than in RDP, which had security bolted on later.

(3) Defense in depth. With the above, someone would have to crack both the VPN *and* RDP to get anywhere.

-- Ben
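The "VPN, but only TCP/3389 through it" arrangement described in the reply above, written out as an added nftables ruleset that is not part of the thread. It assumes the VPN terminates on a Linux gateway with the tunnel on tun0, a client pool of 10.8.0.0/24, an internal RDP host at 192.168.1.20, a WAN interface eth0 and the VPN daemon listening on UDP/1194 (all placeholders, none from the original mail).

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Placeholders (assumptions):
#   eth0          WAN interface          tun0          VPN tunnel interface
#   10.8.0.0/24   VPN client pool        192.168.1.20  internal RDP host
#   udp/1194      VPN daemon's listener (the only port the Internet ever sees)
flush ruleset

table inet vpn_rdp_only {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # The gateway exposes exactly one listener to the Internet: the VPN.
        iifname "eth0" udp dport 1194 accept
        # RDP is never reachable from the WAN; counted so attempts stay visible.
        iifname "eth0" tcp dport 3389 counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # The one thing an authenticated VPN client may reach: RDP on the terminal server.
        iifname "tun0" ip saddr 10.8.0.0/24 ip daddr 192.168.1.20 tcp dport 3389 ct state new accept
        # Anything else a (possibly infected) home PC tries over the tunnel is
        # rate-limited into the log for detection, then dropped by the chain policy.
        iifname "tun0" limit rate 5/second log prefix "vpn-denied: "
    }
}
```

Load with `nft -f <file>` and watch for `vpn-denied:` entries in the kernel log; a burst of them from one client address is the infected-home-PC case the quoted objection worries about, now contained to the tunnel and observable.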