Since many people are already familiar with openVPN, this seemed like a good idea. However, on its own openVPN is not sufficient. The most convenient way for people to work remotely is to connect directly to their existing office desktop. All of the users here run either Windows XP (tm) or Windows 2000 (tm), which suggests rdesktop (an RDP client) as the solution. But RDP traffic can't get through the firewall, and we won't open the firewall for it because an RDP service exposed directly to the Internet would be too hard to secure. Adding openVPN improves security, but within the scope of our implementation it runs into the following problems:
- We would have to set up an openVPN server on EACH internal desktop and a client on each external machine (at home, at the Internet cafe, or wherever), so it would consume a lot of IT time and in general be a pain to set up and keep working for each user's separate setup.
- If you allow a direct remote session (even over openVPN) you run into several potential security risks:
  - key loggers on the external client box capturing the user's credentials.
  - attacks directly on the internal Windows(tm) box through the VPN ports that are now open and exposed to the Internet.
  - viruses, spyware and other malware on the client box infecting the internal workplace desktop (and anything else it can reach) through the established VPN connection.
  - the private key being stored on multiple unsecured desktops around the organization. It would need to be on the internal machine in order to establish the VPN connection, and anyone with access to that key could use it for unauthorized key-making.
- Only the specific external machine set up by IT services personnel would be able to connect and use the resources, when what is actually wanted is for the authorized user to get access from anywhere.
To eliminate the security issues above and make the system easier to maintain in the future, I suggested creating a Linux live CD that boots, logs into an openVPN server that bridges the external and internal networks, and then automatically opens the individual's internal desktop using rdesktop.
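The boot-time glue for that live CD, as an added example (this is not code from the original page or from the openVPN or rdesktop projects). It assumes a client config and certificate at /etc/openvpn/client.conf on the CD, a constructed user-to-desktop table embedded in the script, and that the tunnel is considered usable only once openVPN logs "Initialization Sequence Completed"; it fails closed if the user is unknown or the tunnel never comes up, so rdesktop is never launched against a half-built connection.

```shell
#!/bin/bash
# Live CD boot script: bring up the VPN, then open the user's own desktop.
set -eu

# Constructed sample mapping of VPN user -> internal desktop (assumption: one
# desktop per user; in a real deployment this table would be generated by IT).
DESKTOP_MAP="alice=10.10.1.21
bob=10.10.1.22"

# Print the internal desktop for a user; exit non-zero when the user is unknown
# so the caller fails closed instead of connecting somewhere arbitrary.
lookup_desktop() {
    local user="$1"
    printf '%s\n' "$DESKTOP_MAP" | awk -F= -v u="$user" '$1==u {print $2; found=1} END {exit !found}'
}

# openVPN writes "Initialization Sequence Completed" once the tunnel is usable.
vpn_is_up() {
    grep -q 'Initialization Sequence Completed' "$1"
}

# Poll the openVPN log for up to $2 seconds (default 60); return 1 on timeout.
wait_for_vpn() {
    local log="$1" timeout="${2:-60}" i=0
    while [ "$i" -lt "$timeout" ]; do
        vpn_is_up "$log" && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Launch rdesktop against the user's desktop. The Windows password is deliberately
# not passed on the command line, so it never shows up in the process list.
# RDESKTOP can be overridden (e.g. with "echo") to exercise the argument handling.
launch_rdesktop() {
    local user="$1" host="$2"
    "${RDESKTOP:-rdesktop}" -u "$user" -g 1024x768 "$host:3389"
}

main() {
    local user="${1:?usage: $0 <username>}"
    local host
    host=$(lookup_desktop "$user") || { echo "no desktop registered for $user" >&2; exit 1; }

    # Config, CA cert and the per-CD client key live on the read-only CD.
    openvpn --config /etc/openvpn/client.conf --daemon --log /var/log/openvpn.log
    wait_for_vpn /var/log/openvpn.log 60 || { echo "VPN did not come up" >&2; pkill openvpn; exit 1; }

    launch_rdesktop "$user" "$host"

    # When the desktop session ends, tear the tunnel down so nothing stays connected.
    pkill openvpn
}

# The CD's init runs this with LIVECD_AUTORUN=1; otherwise the functions can be
# sourced and tested without touching openvpn or rdesktop.
if [ "${LIVECD_AUTORUN:-0}" = 1 ]; then
    main "$@"
fi
```

The only secret on the CD is the VPN client key, and it is identical on every copy, so revoking a lost CD means revoking that one certificate on the openVPN server rather than touching any internal desktop.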