On Tue, Jul 8, 2008 at 6:06 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
> On 7/8/08, Bill Marquette <[EMAIL PROTECTED]> wrote:
>>
>> With OpenVPN, you only have control of the client at time of install.
>>  With the "clientless" solutions from Juniper, F5, et al, they usually
>>  have the ability to check the security of the environment they're
>>  running in, in some manner (antivirus running, up to date patches,
>>  firewall, etc).  They can then grant or deny access based on that
>>  security - with OpenVPN, if the credentials are good, you get in.  I
>>  won't argue the points as to which is better, or whether you should
>>  even have remote access to your network, just wanted to point out some
>>  missing information in your argument.
>>
>
> Yeah, none of the VPN options in pfSense currently offer any client
> side policy enforcement (patches accepted). Whether or not that's a
> concern depends on your environment. Personally, almost all the VPN
> deployments I've seen that have this capability do not use it for
> various reasons.

It usually becomes a support nightmare when you allow personal
workstations on your network.  But it can easily be argued (to RB's
points) that you shouldn't allow that in the first place.  These
solutions have a place, but they're usually mis-deployed to pretend to
mitigate a security issue that is better solved with policy,
education, and dollars spent giving your employees the tools they need
to do their jobs instead of forcing them to use their own money to
perform your work.

--Bill
