Why we have a VPN

October 30, 2011

I recently read Die, VPN! We're all "telecommuters" now (via Hacker News), which prompted me to think about why we have a VPN server for external access and why we're likely to keep it for the foreseeable future. What it boils down to is two factors.

The major reason we have a VPN is limitations. We have a VPN because of insecure internal software that we can't expose to the Internet, because of a presumed lack of security of some of the machines on our network, and because we simply don't have enough public IPs to directly expose all of our machines on the Internet even if we wanted to. So, for example, in order to get access to our Samba server your IP address must be inside our firewall, and that's it. There's very little that we can do about these limitations (although I suppose the still theoretical advent of IPv6 will deal with the last issue).

The minor reason is that any number of things do not have a better, or at least more convenient, authentication scheme than 'you have a University of Toronto IP address'. This includes both internal and external resources (such as access-restricted journals that the UofT subscribes to). Even when there are additional magic ways of getting access to these things, having a UofT IP address remains the most convenient way for our users, and our VPN means that they can have one regardless of where they actually are.
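Both of the reasons above come down to the same mechanism: the firewall and the journal publishers decide by source address alone, and a VPN client passes because it is handed an address from an inside pool. The following is an added illustration of that source-address decision, not code from the original post or from the university; the network ranges are constructed placeholders from the RFC 5737 documentation blocks, and the service policy (Samba inside-only, the web server public) is an assumption made for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed placeholder ranges (RFC 5737 documentation space), not real ones:
# the "wired" campus network and the pool that VPN clients are assigned from.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
VPN_POOL = ipaddress.ip_network("198.51.100.0/24")

# Assumed per-service policy: which origin classes may reach each service.
# "samba" models the inside-only server from the post; "www" is public.
SERVICE_POLICY: Dict[str, set] = {
    "samba": {"internal", "vpn"},
    "www": {"internal", "vpn", "external"},
}


def classify(src: str) -> str:
    """Return 'internal', 'vpn' or 'external' for a source address.

    This is the whole of the 'authentication': nothing about the client is
    checked except where its packets appear to come from.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if addr in VPN_POOL:
        return "vpn"
    return "external"


def allowed(src: str, service: str) -> bool:
    """Decide whether a connection from src to service passes the address check."""
    return classify(src) in SERVICE_POLICY.get(service, set())


def evaluate(attempts: List[Tuple[str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Run a batch of (src_ip, service) attempts; return (src, service, class, allowed)."""
    return [(src, svc, classify(src), allowed(src, svc)) for src, svc in attempts]


# Constructed sample attempts: a wired campus host, a VPN client, and an outsider.
SAMPLE_ATTEMPTS = [
    ("192.0.2.10", "samba"),     # on the wired network -> inside
    ("198.51.100.7", "samba"),   # VPN client: holds a pool address -> inside
    ("203.0.113.5", "samba"),    # arbitrary Internet host -> rejected
    ("203.0.113.5", "www"),      # public service, anyone may connect
]

if __name__ == "__main__":
    for src, svc, origin, ok in evaluate(SAMPLE_ATTEMPTS):
        print(f"{src:>14} -> {svc:<6} [{origin:<8}] {'allow' if ok else 'deny'}")
```

The point the code makes explicit is that the VPN client and the wired host are indistinguishable to the check; that is exactly the convenience the post describes, and also why the VPN has to be treated as part of the trusted inside rather than as something separate from it.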

(These two conveniences combined are why I set up an IPSec tunnel for my home machine so that it has an internal IP address.)

Sidebar: a little technicality

I was careful to say 'for external access' up there, because we also use our VPN as part of our internal wireless infrastructure. We're required to authenticate all wireless access, and we also want as much wireless traffic as possible to be encrypted. The easiest way to do this is to get wireless users to immediately bring up a VPN connection, which creates both authentication and full encryption of wireless traffic. I think that this doesn't really count as a pro-VPN reason because it's effectively an implementation detail (and one that we could move away from with better wireless technology).

Comments on this page:

From at 2011-10-30 10:15:56:

For wireless, is there a reason why you're not using 802.11i (aka, "WPA2")? It's been out for a few years now and has been shown to be secure using AES. I guess the only "catch" would be setting up a RADIUS server.

By cks at 2011-10-30 15:32:27:

Our current access points are sufficiently old that they only support 802.11[abc], not any of the modern spiffy (and fast) protocols.

Written on 30 October 2011.
Last modified: Sun Oct 30 01:34:27 2011