
Re: [K12OSN] new principal ... wants new feature



You bet it's possible; we do this all the time.  In the case of my district, we use an IPSec VPN gateway and have people use something like either VPNC or Cisco's VPN client.  Then, it's just like they're inside, at their offices.  They get access to everything they'd have if they were physically in the office.  It's great.

You have your choice of VPN gateways if you choose to go IPSec--you've got Linux's Openswan, OpenBSD, Cisco, Nokia--you name it.  We didn't want to deal with the *MAJOR* hassle of PKI and certificates either, so we decided on using pre-shared group keys.  A lot of people scream at the notion of using pre-shared group keys, but we find that it works very well and actually is sufficiently secure for our needs.  Since we're a Microsoft shop, we tell our VPN Concentrator (a Cisco 3060) to authenticate against our Active Directory.  However, you could also authenticate against a real LDAP directory or the VPN gateway's local /etc/passwd file, for example.

For one small (4-person) business, I used a Cisco 2621 that they bought off of eBay about four years ago.  The authentication is done on the router's local username/password database.  Today, I'd recommend a 3725 instead of the 2621, and a crypto acceleration card would be very highly recommended as well.  If you don't want to spend any money, then you've got some learning to do.  I would recommend checking out OpenBSD 4.1's IPSec gateway functionality.  It used to be a royal PITA to set up, but it's now much, much easier.  You will also need a reasonably powerful computer to do this; crypto, especially 3DES crypto, is rather CPU-intensive, generally.  However, VIA C7 CPUs come with integrated crypto acceleration right in the CPU, and they're low-power, so that's an option.

Someone also mentioned using SFTP.  Yes, you can do that, and I have.  But then, the box into which you have people SFTP'ing also needs to be directly accessible from the Internet.  I wouldn't recommend doing that unless you *really* know what you're doing.

Just as a note, please don't equate "open source" with "no cost."  MS Internet Explorer or Apple's Safari for Windows doesn't cost money to download, but neither one is open source.  And Red Hat Enterprise Linux, which *is* open source, does cost money.  They're very different concepts.


--TP
_______________________________
Do you GNU!?
Microsoft Free since 2003--the ultimate antivirus protection!


Kari Matthews wrote:
Oh my.

My new principal says that at his last school, the IT guy had the server set up so that you could login from anywhere (like home) and have access to his documents (on the server).  He claims that the last school had some kind of web interface.  Hmmm.

I currently have an Ubuntu 6 server and use smbldap for students -- students save papers and such on the server.  The main advantage of having a server, IMO, is DansGuardian.  None of the teachers do this -- they all save their stuff locally.  We use Google Apps for mail.

Is there a way to set it up so people have access from outside the building to their stuff?  I only use open source, so if it costs anything, forget it.  This is a small school (80 students) with a small budget.  I am unsure how to proceed.  Does anyone have any suggestions?

~kari

_______________________________________________ K12OSN mailing list K12OSN redhat com https://www.redhat.com/mailman/listinfo/k12osn For more info see <http://www.k12os.org>
