On Tuesday 10 of February 2009, Wade Richards wrote:
> On Tue, Feb 10, 2009 at 11:50:05AM +0100, Johan 'yosh' Marklund wrote:
> > Bernd Eckenfels skrev:
> > > In article you wrote:
> > >> Use a VPN or an SSH tunnel to a trusted source.
> > >
> > > A very neat trick is using dynamic port forwarding of SSH (-D 1080).
> > > You only need to login to any SSH Server and enable the auto
> > > forwarding. Then you can enter the SSH client as a SOCKS proxy server
> > > and you are done (for surfing).
> >
> > You could use the -w option in newer ssh server versions to tunnel
> > through virtual tun devices =)
>
> One problem with tunnels is that you can accidentally not use the tunnel.
>
> E.g. I have eth0 which is connected to the insecure network, and
> my encrypted tunnel to a secure network.
>
> Although the tunnel is available, the unsecure eth0 is still also
> available. I need to correctly set up the SOCKS proxy or set up the
> routing tables, or do something to be sure that all my network traffic
> is going through the tunnel and not just directly to the unsecure eth0.
> There's no easy way to tell if you're doing it right, either, since the
> web looks basically the same from the unsecure network as from the secure
> one.
You can tell by checking routing tables, or visiting a web page that shows
your IP. And you should know the IP of your tunnel server.
> The Cisco VPN I use on my employer's Windows machine has an interesting
> feature: it completely hides the unencrypted network. Once I create the
> VPN tunnel, my machine releases its local IP address and there is no
> way for any network connections (other than the tunnel, of course) to go
> over the unencrypted device. It is as if that device is disabled.
>
> This makes it idiotproof, which is an important but often overlooked
> aspect of security.
>
> So, is it possible to do that sort of thing with a Linux laptop?
OpenVPN can do that as well - look for option --redirect-gateway
--
regards
Vladislav Kurz