Securing a Windows lab environment.
-
@scottalanmiller said:
@Bill-Kindle said:
Here's what I've done. Pair up pfSense in a VM and also utilize Pertino. That combination has been working extremely well for me for about two months.
How many outsiders do you have utilizing your lab?
Just myself right now. I fire up the lab in VirtualBox when I want to use it, and remote into the guests using Pertino and RDP. pfSense is used to completely separate the network from the host machine using a virtual router.
I guess I could give access to 6 more people with my personal Pertino account.
-
@Bill-Kindle said:
I guess I could give access to 6 more people with my personal Pertino account.
Yes, they would all get access to each other too.
-
@scottalanmiller said:
@Bill-Kindle said:
I guess I could give access to 6 more people with my personal Pertino account.
Yes, they would all get access to each other too.
True. Which is one thing I've asked Pertino in the past if they were coming up with a way to prevent that and only allow the client to access a particular set of machines through the use of ACLs. Last I checked that wasn't possible yet.
-
@Bill-Kindle said:
True. Which is one thing I've asked Pertino in the past if they were coming up with a way to prevent that and only allow the client to access a particular set of machines through the use of ACLs. Last I checked that wasn't possible yet.
Definitely not something on their short-term roadmap. It's a VPN solution, not meant for how you are using it. They have a lot of stuff, like enterprise-class VLANs, to address for core customers long before they look at something like that. Considering it is designed to be a LAN, that goes against a lot of their core design.
-
@scottalanmiller said:
@Bill-Kindle said:
True. Which is one thing I've asked Pertino in the past if they were coming up with a way to prevent that and only allow the client to access a particular set of machines through the use of ACLs. Last I checked that wasn't possible yet.
Definitely not something on their short-term roadmap. It's a VPN solution, not meant for how you are using it. They have a lot of stuff, like enterprise-class VLANs, to address for core customers long before they look at something like that. Considering it is designed to be a LAN, that goes against a lot of their core design.
Still, for what I'm using it for at the moment it works.
-
@Bill-Kindle said:
Still, for what I'm using it for at the moment it works.
Yes, but as a single user it's very different than how the OP is looking to use it.
-
@scottalanmiller said:
@Carnival-Boy said:
Cheers. So in what way are the end users exposed to each other? What could an attack on one to another look like?
The exposure is the same as being on the same LAN because, effectively, they are.
So fundamentally Pertino works the same as Hamachi? There is nothing particularly insecure about Hamachi compared with other VPNs? I ask because a couple of times now people have told me on Spiceworks I shouldn't use Hamachi for security reasons without explaining why they think that.
-
@Carnival-Boy said:
So fundamentally Pertino works the same as Hamachi? There is nothing particularly insecure about Hamachi compared with other VPNs? I ask because a couple of times now people have told me on Spiceworks I shouldn't use Hamachi for security reasons without explaining why they think that.
Pertino is a modern Hamachi, yes. Hamachi hasn't been developed in many years, maybe close to a decade. Pertino is a far more powerful, currently developed direct Hamachi competitor. Pertino only has one model because they have extra tooling that sits in the hubs that you don't see (you don't host your own hubs like Hamachi) that provides monitoring, information, security, features, etc.
Any VPN is insecure if you don't control the end points. It's the same as letting random people walk into your office and attach to your switches. It's not that they are less secure than other VPNs, no idea why people would say that. It's just that VPNs themselves expose end users to the LAN, the LAN to end users and the end users to each other. Even VPNs that don't appear to do that, do that in the end.
But if you would allow the end points in question to directly attach to your LAN, then the VPN is no less secure than that.
This particular thread, though, is about allowing arbitrary outsiders to access a lab. Using a VPN to do that means that arbitrary outsiders, not employees on company equipment, are being exposed to each other and to the OP via the VPN. That's where the insecurity is. It's like having a lab that allows people to bring their own equipment and plug into the switch.
-
Yeah, sorry, didn't mean to hijack the thread. As you were....
-
Sorry for abandoning this thread. My fiancée is having some complications with her pregnancy and it's been keeping us busy. She is doing much better today, though.
-
@IRJ said:
Sorry for abandoning this thread. My fiancée is having some complications with her pregnancy and it's been keeping us busy. She is doing much better today, though.
Hope all is well, will keep you in my thoughts and prayers.
-
@IRJ said:
Sorry for abandoning this thread. My fiancée is having some complications with her pregnancy and it's been keeping us busy. She is doing much better today, though.
Oh gosh, I hope that everything is okay. That is always so scary.
-
@IRJ said:
Sorry for abandoning this thread. My fiancée is having some complications with her pregnancy and it's been keeping us busy. She is doing much better today, though.
Completely understandable! We only had to deal with fairly typical morning sickness for both of my wife's pregnancies. I count myself so lucky on that front. I have known many people with varying issues.