Secure entry into remote systems
Satish Balay
balay at fastmail.fm
Wed May 19 06:08:00 UTC 2004
On Wed, 19 May 2004, Edward wrote:
> So, I was thinking about setting up dyndns or no-ip addresses for these
> servers, then opening up the firewall for either ssh or VPN. None of my
> customers have a static internet address.
>
> I've used ssh locally before, and that is really simple to set up, but
> because of the open hole I'll be creating my question is really: Should
> I be learning about setting up VPN tunnels into their systems instead?
>
> Anyone have any true experience using both and can shed some light on
> the security implications? Also, we're in Western Australia, with
> archaic PSTN networks (56K modem - so only 33K upstream), so any
> overheads incurred using one over the other I should also consider?
>
I'm just an ssh user - and I prefer it over vpn. It works pretty well
and is much less hassle.

Assuming OpenSSH and VPN solutions are equally bug-free - the
weakest link would be the endpoints (your machine or your client's box)
- not the connection (ssh/vpn)

With ssh - you can disable passwd auth and stick with key-auth. Now
the problem of securing the end point becomes securing the 'private
ssh key/(s)'.

And ssh can tunnel almost everything - including ssh - which is sometimes
useful.. (for eg: your customer could invoke a ssh connection to the
outside/your box - which opens up the ssh port to the server. Now you
can ssh to this forwarded port - to connect to the server :) )

Satish
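
A check for the key-only setup described in the reply above, as an added example that is not part of the original post: it reads an `sshd_config` and reports whether password logins are really off. The function names and the sample config texts are constructed for illustration; `Match` blocks and `Include` files are not evaluated.

```python
# Added example: does this sshd_config really enforce key-only login?
# sshd uses the FIRST value it reads for each keyword, so a "fix" appended
# below an existing line has no effect.

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated alias still common in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Return the effective global value for each keyword in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        key = fields[0].lower()                     # keywords are case-insensitive
        if key == "match":
            break  # everything after the first Match is conditional, not global
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(fields) > 1:
            seen.setdefault(key, fields[1].lower())  # first occurrence wins
    return {**DEFAULTS, **seen}

def findings(config_text):
    """List the reasons this config does not enforce key-only authentication."""
    s = effective_settings(config_text)
    out = []
    if s["passwordauthentication"] != "no":
        out.append("PasswordAuthentication is enabled")
    if s["kbdinteractiveauthentication"] != "no":
        out.append("keyboard-interactive is enabled (with UsePAM it can still ask for a password)")
    if s["pubkeyauthentication"] != "yes":
        out.append("PubkeyAuthentication is disabled, so key login will not work")
    return out

# Constructed sample: the admin appended the fix under an older line.
SAMPLE_APPENDED = """# constructed sample
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
"""
# Constructed sample: key-only login.
SAMPLE_HARDENED = "PubkeyAuthentication yes\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("appended", SAMPLE_APPENDED), ("hardened", SAMPLE_HARDENED)):
        print(name, findings(text) or "key-only")
```
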