Ah ha! Thanks!

On 10/22/06, George Toft wrote:
>
> In a word - no.
>
> Let's assume you are sending a packet with some text via some
> application. It gets encrypted, and header/trailer info is added. It
> might even get fragmented based on MTU size. At the other end, the
> packets get reassembled, unencrypted, and presented to the application.
> Since the payload (or data) is encrypted at a higher layer, that
> payload remains encrypted in the lower layers.
>
> The reverse is true as well on the other end - once the packets are
> reassembled and decrypted, the payload can be read normally. This is
> why the VPN endpoint needs to be controlled - once the data is out of
> the tunnel, it's fair game to sniff and record.
>
> George Toft, CISSP, MSIS
> 623-203-1760
>
> jordi laforge wrote:
> > Thanks for the information. While I am new to VPNs I do understand the
> > concept of how they work. That said I do appreciate all the good info
> > you gave and will read those links.
> >
> > In order to save an email I'd like to include a question I had from one
> > of Eric's emails.
> > Since SSL vpns work at a higher OSI layer does that mean that the stuff
> > at the lower layers is not encrypted? Like mac address and ip address.
> > Thanks all for answering my questions. You are most helpful.
> >
> > On 10/21/06, *Kurt Granroth* wrote:
> >
> > > jordi laforge wrote:
> > > > I'm trying to provide a roadwarrior situation. Here is what I'm
> > > > looking at:
> > > > Small 8-12 user lan.
> > > > 4-5 of these users have home pc's(Windows) that they'd like to use
> > > > to connect to the
> > > > office and use the file server\ email\ databases.
> > > > The windows file server has PPTP capabilities.
> > > >
> > > > I could either use the Windows PPTP or setup another server running
> > > > Linux with openvpn. Or something else I haven't thought of....but
> > > > you guys suggest.
> > > > Whaddya think?
> > >
> > > Okay, it sounds like you're not all that familiar with VPNs in
> > > general, based on your comments here and in later messages. I
> > > *strongly* suggest doing some quick reading on that topic first
> > > before getting into specifics. The 'howstuffworks' entry on VPNs is
> > > not half-bad and the wikipedia page is excellent.
> > >
> > > Here's the very very short summary: A VPN would allow your 'road
> > > warriors' to connect to the home office while they are at home or on
> > > the road. The user's remote laptop or desktop would get a special IP
> > > that is specific to the VPN through which all traffic to work is
> > > 'tunneled' in an encrypted manner. Done properly, the remote worker
> > > would be able to access ALL of the services that she could normally
> > > access while in the office... but in a safe and secure manner over
> > > the public Internet.
> > >
> > > Now PPTP has the advantage here of being very easy to setup and if
> > > you have one of the Windows Servers, then you have half of it already
> > > nearly setup. You would need to get clients for any Linux users, but
> > > that's not a problem as I'm fairly certain that there is now "native"
> > > support in the kernel.
> > >
> > > HOWEVER, PPTP is considered to be fundamentally broken by some
> > > respected cryptographers. A quote from Bruce Schneier: "Microsoft
> > > PPTP is very broken, and there's no real way to fix it without taking
> > > the whole thing down and starting over."
> > >
> > > http://www.schneier.com/pptp-faq.html
> > >
> > > OpenVPN is a free solution that has so far been proven to be
> > > rock-solid. It is, however, not as easy to setup as PPTP. In fact, if
> > > you want to do anything more than a peer-to-peer setup, you will
> > > likely have to do a considerable bit of reading and some
> > > configuration file editing.
> > >
> > > Mind you, while the reading is verbose, it's not hard to understand
> > > and it shouldn't take more than a few hours to get everything setup.
> > > I'm told, too, that some of the GUIs available make it a lot easier
> > > (haven't used any of them) and some of the specialized distros like
> > > Smoothwall and IPCop should make it even easier yet.
> > >
> > > Now this is a Linux group so we'll tend to lean towards using Linux
> > > based solution for the "server" side. I'm honor bound to tell you,
> > > though, that you don't have to. OpenVPN is fundamentally a
> > > peer-to-peer VPN (with some variances) and works just dandy on
> > > Windows. So you *could* run it as a service on your Windows Server
> > > and it would likely chug away just fine. There is even a handy GUI
> > > for it.
> > >
> > > I recommend starting with some reading:
> > >
> > > http://openvpn.net/howto.html
> > > http://openvpn.net/INSTALL-win32.html
> > > http://openvpn.se/
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > To subscribe, unsubscribe, or to change your mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
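
Added example, not part of the original thread: the layering described in George Toft's reply, in Python. The payload is encrypted before the lower layer adds addressing and fragments to the MTU, so an on-path observer reads the addresses but not the data, and the endpoint recovers plaintext. The cipher is a stand-in keystream, and the key, addresses, MTU and sample data are constructed.

```python
import hashlib
import struct

MTU = 64                                    # constructed: tiny so the sample fragments
KEY = b"constructed-demo-key"               # constructed; a real VPN negotiates keys
NONCE = b"constructed-nonce"                # fixed only to keep the demo deterministic
SAMPLE = b"quarterly payroll export: " * 6  # constructed application data (156 bytes)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream), NOT what TLS or OpenVPN use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + NONCE + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def send(key, src, dst, app_data):
    """Encrypt at the upper layer; the lower layer adds cleartext headers and fragments."""
    ciphertext = xor_stream(key, app_data)
    chunks = [ciphertext[i:i + MTU] for i in range(0, len(ciphertext), MTU)]
    return [{"src": src, "dst": dst, "offset": n * MTU, "payload": c}
            for n, c in enumerate(chunks)]


def sniff(packets):
    """View of an on-path observer without the key: headers readable, payload opaque."""
    ordered = sorted(packets, key=lambda p: p["offset"])
    return {"addresses": {(p["src"], p["dst"]) for p in packets},
            "payload": b"".join(p["payload"] for p in ordered)}


def receive(key, packets):
    """Tunnel endpoint: reassemble by offset, then decrypt; output is plaintext again."""
    ordered = sorted(packets, key=lambda p: p["offset"])
    return xor_stream(key, b"".join(p["payload"] for p in ordered))


if __name__ == "__main__":
    pkts = send(KEY, "198.51.100.7", "203.0.113.10", SAMPLE)
    seen = sniff(pkts)
    print(len(pkts), "fragments; observer sees addresses", seen["addresses"])
    print("plaintext visible on the wire:", b"payroll" in seen["payload"])
    print("plaintext after the endpoint: ", receive(KEY, pkts) == SAMPLE)
```

Whatever `receive` returns is cleartext again, which is why the reply says the VPN endpoint needs to be controlled.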