Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 8 May 2003 20:22:00 -0400
From:      Chris BeHanna <behanna@zbzoom.net>
To:        security@freebsd.org
Subject:   Re: VPN through BSD for Win2k, totally baffled
Message-ID:  <200305082022.00173.behanna@zbzoom.net>
In-Reply-To: <200305081339.43667.metrol@metrol.net>
References:  <200305071921.33596.metrol@metrol.net> <20030508122637.GA97715@madman.celabo.org> <200305081339.43667.metrol@metrol.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Thursday 08 May 2003 16:39, Michael Collette wrote:
> On Thursday 08 May 2003 05:26 am, Jacques A. Vidrine wrote:
> > It's hard to tell from your message where you are getting lost, but I'll
> > give it a shot.  Assuming you have all your certificates (let's call
> > them client.crt/client.key, server.crt/server.key, and ca-local.crt):
>
> Took me a while to figure out how to even ask the question!  After heading
> down a bunch of dead ends and all.
>
> A couple of follow up questions to this.  If I go the route of handing out
> certificates to end users, is there a mechanism for revoking their rights
> to enter?  Employees do get other jobs, and almost all of them are using
> laptops which they travel with.  We've had folks get laptops stolen.
>
> Is the cert an all or nothing kinda deal.  For instance, I need a different
> level of access than a salesperson.  We have a programmer who needs access
> to different resources than myself or sales.  All of these outside folks
> are on dynamic IPs.

    Unless I miss my mark, all IPsec gets you is a secure tunnel to
the office network.  It does not circumvent the usual user- and group-
based permissions, nor will it circumvent NTFS ACLs.

    IOW, even after the IPsec link is established, the user *still*
has to log in, in which case you should be able to provide the kinds
of access controls you want via ACLs, netgroups, permissions masks,
etc.

    Right?

--
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
                 Turning coffee into software since 1990.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200305082022.00173.behanna>