[K12OSN] new principal ... wants new feature

"Terrell Prudé Jr." microman at cmosnetworks.com
Wed Jul 4 07:11:42 UTC 2007

You bet it's possible; we do this all the time.  In the case of my
district, we use an IPSec VPN gateway and have people use something like
either VPNC or Cisco's VPN client.  Then, it's just like they're inside,
at their offices.  They get access to everything they'd have if they
were physically in the office.  It's great.

You have your choice of VPN gateways if you choose to go IPSec--you've
got Linux's OpenS/WAN, OpenBSD, Cisco, Nokia--you name it.  We didn't
want to deal with the *MAJOR* hassle of PKI and certificates either, so
we decided on using pre-shared group keys.  A lot of people scream at
the notion of using pre-shared group keys, but we find that it works
very well and actually is sufficiently secure for our needs.  Since
we're a Microsoft shop, we tell our VPN Concentrator (a Cisco 3060) to
authenticate against our Active Directory.  However, you could also
authenticate against a real LDAP directory or the VPN gateway's local
/etc/passwd file, for example.

For one small (4-person) business, I used a Cisco 2621 that they bought
off of eBay about four years ago.  The authentication is done on the
router's local username/password database.  Today, I'd recommend a 3725
instead of the 2621, and a crypto acceleration card would be very highly
recommended as well.  If you don't want to spend any money, then you've
got some learning to do.  I would recommend checking out OpenBSD 4.1's
IPSec gateway functionality.  It used to be a royal PITA to set up, but
it's now much, much easier.  You will also need a reasonably powerful
computer to do this; crypto, especially 3DES crypto, is rather
CPU-intensive, generally.  However, VIA C7 CPUs come with integrated
crypto acceleration right in the CPU, and they're low-power, so that's
an option.

Someone also mentioned using SFTP.  Yes, you can do that, and I have.
But then, the box into which you have people SFTP'ing also needs to be
directly accessible from the Internet.  I wouldn't recommend doing that
unless you *really* know what you're doing.

Just as a note, please don't equate "open source" with "no cost."  MS
Internet Explorer or Apple's Safari for Windows doesn't cost money to
download, but neither one is open source.  And Red Hat Enterprise Linux,
which *is* open source, does cost money.  They're very different concepts.

Do you GNU!?
Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus

Kari Matthews wrote:
> Oh my.
> My new principal says that at his last school, the IT guy had the
> server set up so that you could login from anywhere (like home) and
> have access to his documents (on the server).  He claims that the last
> school had some kind of web interface.  Hmmm.
> I currently have an Ubuntu 6 server and use smbldap for students --
> students save papers and such on the server.  The main advantage of
> having a server, IMO, is DansGuardian.  None of the teachers do this
> -- they all save their stuff locally.  We use Google Apps for mail.
> Is there a way to set it up so people have access from outside the
> building to their stuff?  I only use open source, so if it costs
> anything, forget it.  This is a small school (80 students) with a
> small budget.  I am unsure how to proceed.  Does anyone have any
> suggestions?
> ~kari
> ------------------------------------------------------------------------
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
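The SFTP route discussed above puts sshd directly on the Internet, which is why the poster cautions against it. As an added example that is not part of the original message, here is an sshd_config fragment (OpenSSH 4.9 or later, which introduced ChrootDirectory and internal-sftp) that confines teachers to key-authenticated, SFTP-only access to their own directory and refuses everyone else. The group names `sftponly` and `admins` and the path `/srv/sftp` are placeholders chosen for this illustration, not anything from the thread.

```sshd_config
# Added example: harden an Internet-facing sshd so that members of an
# SFTP-only group can move files but cannot get a shell, a TTY or a
# tunnel into the LAN. Group names "sftponly" and "admins" and the
# chroot path "/srv/sftp" are placeholders for this illustration.

PermitRootLogin no
PasswordAuthentication no            # keys only; removes password guessing
ChallengeResponseAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no                # no port forwarding into the LAN
AllowGroups sftponly admins          # anyone not in these groups is refused

# Requirements for the chroot to work: /srv/sftp and /srv/sftp/<user>
# must be owned by root and not group- or world-writable, or sshd
# refuses the login. Give each user a writable subdirectory, e.g.
# /srv/sftp/<user>/files, owned by that user.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u     # %u expands to the login name
    ForceCommand internal-sftp       # SFTP subsystem only, no shell
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t` before restarting the daemon. After the restart, `sftp teacher@host` should work, while `ssh teacher@host` is dropped as soon as the forced SFTP subsystem starts. Note that this limits what a compromised teacher account can reach; it does not change the poster's point that the host itself is still exposed and must be patched and monitored like any other Internet-facing server.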