From owner-freebsd-security@FreeBSD.ORG Thu May 8 17:22:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4146A37B404 for ; Thu, 8 May 2003 17:22:03 -0700 (PDT) Received: from PIKES.panasas.com (gw2.panasas.com [65.194.124.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB26443FBF for ; Thu, 8 May 2003 17:22:01 -0700 (PDT) (envelope-from behanna@zbzoom.net) Received: from waumbek.panasas.com ([172.17.2.36]) by PIKES.panasas.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 2AZL3D40; Thu, 8 May 2003 20:22:00 -0400 From: Chris BeHanna Organization: Western Pennsylvania Pizza Disposal Unit To: security@freebsd.org Date: Thu, 8 May 2003 20:22:00 -0400 User-Agent: KMail/1.5.1 References: <200305071921.33596.metrol@metrol.net> <20030508122637.GA97715@madman.celabo.org> <200305081339.43667.metrol@metrol.net> In-Reply-To: <200305081339.43667.metrol@metrol.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305082022.00173.behanna@zbzoom.net> Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: behanna@zbzoom.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 May 2003 00:22:03 -0000 On Thursday 08 May 2003 16:39, Michael Collette wrote: > On Thursday 08 May 2003 05:26 am, Jacques A. Vidrine wrote: > > It's hard to tell from your message where you are getting lost, but I'll > > give it a shot. Assuming you have all your certificates (let's call > > them client.crt/client.key, server.crt/server.key, and ca-local.crt): > > Took me a while to figure out how to even ask the question! After heading > down a bunch of dead ends and all. > > A couple of follow up questions to this. If I go the route of handing out > certificates to end users, is there a mechanism for revoking their rights > to enter? Employees do get other jobs, and almost all of them are using > laptops which they travel with. We've had folks get laptops stolen. > > Is the cert an all or nothing kinda deal. For instance, I need a different > level of access than a salesperson. We have a programmer who needs access > to different resources than myself or sales. All of these outside folks > are on dynamic IPs. Unless I miss my mark, all IPsec gets you is a secure tunnel to the office network. It does not circumvent the usual user- and group- based permissions, nor will it circumvent NTFS ACLs. IOW, even after the IPsec link is established, the user *still* has to log in, in which case you should be able to provide the kinds of access controls you want via ACLs, netgroups, permissions masks, etc. Right? -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net Turning coffee into software since 1990.