VPN PDQ
July 13, 2007 12:30 PM

Sysadmin is out. Boss (pointy-haired) and assistant (bubble-headed) are going traveling with their company laptops and know just enough about wireless to get themselves in big trouble. How do I set up a user-proof VPN for them in the next few hours?

Need to get them wifi-capable but protected PDQ.
They'll be using Remote Desktop to access a terminal server back here at the office, which should be OK.

But it's that initial internet connection that worries me as both are prone to "Hey! This "linksys" connection is available, and it doesn't even need a password! I'll use that to get online! Oh, and here's another one - free public wifi - but it's misspelled. Oh well."

I'll never make them smart before they leave today - so my options are to set up something idiotproof or just disable their wireless cards.

Suggestions?
posted by bartleby to Computers & Internet (11 answers total) 2 users marked this as a favorite
 
VPN is encrypted down the pipe, so using a public wifi shouldn't be a problem. If it's Apple Remote Desktop, it's also encrypted.

You also might want to consider WinSCP, unless the environment is all Windows.
posted by four panels at 12:35 PM on July 13, 2007


Response by poster: Sorry, that's Remote Desktop on Windows XP.
Ask for more details if it'll help.

Is there a software solution? They're not going to learn how to do anything themselves in the next few hours, so solutions either need to do it for them or be something I can set up and teach them three steps to get connected.
posted by bartleby at 12:41 PM on July 13, 2007


If these two are truly as lacking tech know-how as you unkindly put it, then my advice is to skip any VPN/tunneling. Not only is there the risk of you screwing something up and (a) looking bad while (b) being on the hook to fix it at 4 a.m., but unless the laptop is locked down to require it, why would you think they'd use your VPN instead of just hopping on free wifi?

Calmly and clearly, when you give them the laptops, explain to them that they should never ever ever ever use them on a free public wifi network. Whatever hotel they're staying at probably has wifi (give them some short ethernet in case they don't), which is perfectly safe.
posted by mkultra at 12:42 PM on July 13, 2007


The problem is that they need to pay for DSL, which means accessing untrusted networks. This is an unsolved problem at present, though Boingo is on the verge of having the right environment to fix it.

You could set them up with this: http://www.hotspotvpn.com/

But by now they're already gone.
posted by effugas at 12:46 PM on July 13, 2007


mkultra--

Hotel networks aren't perfectly safe at all; they're trivial to hijack.

Believe it or not, everyone's moved to EVDO, due to the difficulty of an attacker to inject traffic.
posted by effugas at 12:47 PM on July 13, 2007


Ah, I guess they're still 'round. Umm.

Give them a really weird web browser -- OffByOne -- disable all plugins in it, and tell them that's the only thing they're allowed to use to buy network access. Who's going to have OffByOne 0day? Then throw 'em through HotSpotVPN, and tell 'em they can surf normally from there.

Heh, I didn't say it was a good solution :)
posted by effugas at 12:49 PM on July 13, 2007


Hamachi?
posted by Mach5 at 1:00 PM on July 13, 2007


RDP is an encrypted protocol by default on all XP SP2 machines. Interception of data isn't a risk, only man-in-the-middle attacks. MITM for RDP randomly targeting your client seems kinda unlikely.

If you don't have an existing VPN you're going to have a hell of a time setting one up considering your constraints. It would probably be easier to set up a basic RAS server and have them, gasp, dial in.

In a pinch you can install SSH on one of your servers and then configure PuTTY to connect to SOCKS 5 (poor man's VPN). Configure the browser, email, etc. to use the SOCKS proxy. RDP cannot use SOCKS, I believe.

Can you call your sysadmin? Maybe he has something set up.
posted by damn dirty ape at 1:12 PM on July 13, 2007


Response by poster: Thanks all for your help. I ended up disabling wireless and handing out ethernet cables. But all your suggestions give me a place to start for a future plan!
posted by bartleby at 2:59 PM on July 13, 2007


Don't set up any kind of VPN without talking to your sysadmin. Unless the pointy-haired one's VPN client is the only thing on his laptop with a connection to the wider Internet, and all the laptop's network traffic ends up routed through the VPN, it's just too easy to end up with a doofus-run machine with unrestricted Internet access that's effectively inside your corporate firewall. Do not want!
posted by flabdablet at 3:24 AM on July 14, 2007
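
An added example, not part of the original thread: one way to check the "all traffic routed through the VPN" condition from the comment above is to resolve routes the way the client does and see which interface an arbitrary Internet host would leave by. The routing tables, addresses, the VPN interface address `10.8.0.6` and the function names are constructed for illustration; the rows follow the column layout of Windows `route print`.

```python
import ipaddress

# Constructed samples in the column layout of Windows `route print`:
# destination, netmask, gateway, interface, metric. All addresses are made up.
SPLIT_TUNNEL = """\
Network Destination  Netmask          Gateway      Interface     Metric
0.0.0.0              0.0.0.0          192.168.1.1  192.168.1.50  20
10.0.0.0             255.0.0.0        10.8.0.1     10.8.0.6      1
192.168.1.0          255.255.255.0    192.168.1.50 192.168.1.50  20
"""
FULL_TUNNEL = """\
Network Destination  Netmask          Gateway      Interface     Metric
0.0.0.0              0.0.0.0          192.168.1.1  192.168.1.50  4250
0.0.0.0              0.0.0.0          10.8.0.1     10.8.0.6      1
203.0.113.10         255.255.255.255  192.168.1.1  192.168.1.50  20
192.168.1.0          255.255.255.0    192.168.1.50 192.168.1.50  20
"""

def parse_routes(text):
    """Return (network, interface, metric) tuples; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header or blank line
        dest, mask, _gateway, iface, metric = parts
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                           ipaddress.ip_address(iface), int(metric)))
        except ValueError:
            continue  # not a well-formed IPv4 route row
    return routes

def egress_interface(routes, dest):
    """Pick the route for dest: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def tunnel_mode(routes, vpn_iface, probe="198.51.100.7"):
    """'full' if an arbitrary Internet host (probe) leaves via the VPN interface,
    'split' if it bypasses the tunnel, 'vpn-down' if no route uses the VPN."""
    vpn = ipaddress.ip_address(vpn_iface)
    if not any(r[1] == vpn for r in routes):
        return "vpn-down"
    return "full" if egress_interface(routes, probe) == vpn else "split"

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "->", tunnel_mode(parse_routes(table), "10.8.0.6"))
```

In the full-tunnel sample the only traffic that still uses the physical interface is the host route to the VPN server itself (`203.0.113.10`, a constructed address), which is the carrier for the tunnel.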


If you must do this on your own, a Yoggie Pico might be good enough.
posted by flabdablet at 3:30 AM on July 14, 2007

