Re: [LUG] SDTJ - VPN Talk

 


On 12/10/2019 16:25, Giles Coochey wrote:
Hi All,

It was good to be at Paignton Library for the South Devon Tech Jam this afternoon, disappointing we couldn't get my laptop on the projector - something I must look into. As I mentioned, I thought I would leave some of the reference URLs for further reference of VPNs:

An OpenVPN-based solution (consumer) - I have no affiliation with them, other than using OpenVPN open-source technology myself, and you can Google for other VPN providers. Your choice should involve a combination of who you trust offset against your local network provider, and of course cost.

https://www.privatetunnel.com/pricing/

The National Cyber Security Centre (UK) about SSL VPN Advisory:

https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities

A Similar Advisory Note from the NSA (US):

https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF

Cipher Suites supported by strongSwan (the IPsec site-to-site solution we explored in the talk). Note: many of these Cipher Suites are also supported by OpenVPN, so the same advice as to their security provisions also applies, as it does with pfSense solutions. Cross-referencing these with the recent advisories above should help you choose a secure configuration, perhaps not against the NSA themselves, but certainly about what they perceive others:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

Legacy Example Configurations for strongSwan. While they are labelled "Legacy", this just means the legacy method of configuration, as opposed to legacy methods of security. For me, I find them simpler to understand than the newer way of configuring strongSwan; the end result of security in implementation is the same:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2StrokeExamples

Netgate supply small appliances, to full enterprise solutions, but can also provide open-source pfSense images to run under any old x86_64 hardware should anyone want to investigate either OpenVPN or IPsec site-to-site VPN solutions without the need of involving a third party (and thus avoiding necessary trust issues we discussed):

https://www.netgate.com/solutions/pfsense/

The above link only shows Appliance & Cloud solutions. If looking for an in-house implementation, then the open-source community site can be found here:

https://www.pfsense.org/download/


As always, I'm available by Email for further in-depth advice, and opinion, which are my own of course!

Best Regards,

Giles Coochey

PS - Paul - if you could forward these links to anyone at the talk, who might not have been on the DCGLUG list.



--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq