[Novalug] Meeting topic suggestion - openvpn

Peter Larsen plarsen@famlarsen.homelinux.com
Mon Oct 3 17:49:19 EDT 2011


On Mon, 2011-10-03 at 19:57 +0000, jecottrell3@comcast.net wrote: 
> What are you talking about? One Service...One Port. MySQL runs on port 3306, Oracle on 1521 IIRC.

No - Oracle SQL Net uses more than 1521. It uses ANY port in the range
of 16768 and up. Once a connection has been established, a process is
spawned listening to a session specific port and the client is told
which port to contact on the server. This port may even be on a separate
host.  Other systems use similar approaches - one main listener to
initiate communication, and more loose and unpredictable ports for active
sessions. It's a way to deal with load balancing and avoiding single
points of failure.

Anyway - VPN is quite a lot more than just a gateway. It has tons of
additional security and it can even prevent access to specific parts of
the internal network etc.

> Why would you want the Server to use anything but the Standard Port?

Same reason most of us have SSH listening on something other than port
22. But that's beside the point. Listening is not the same as active
connections. Talk to your friendly network administrator and ask him
what he thinks of firewalling Oracle SQL Net connections - make sure you
bring a beer or two, because he's gonna sigh heavily and need some
encouragement. 

> 
> As for multiple hosts, I'll just SSH into each and any of them directly. The "parameter per host" is the IP Address.

Right - so you're going to tunnel the tunnel? On an already slow
connection things aren't going to be going any faster by adding
additional double/triple encryption layers. So imagine this - you're in
the need to access a given web-app on 10 systems. Given your scenario,
do you expect all 10 systems to be available to the open network and
hence all 10 need to be secured for outside access? Regardless, how
would you go about accessing all 10 systems' webpages?  With VPN all I do
is establish my connection, open my saved tabs and I have all 10 pages
show up through my company firewall etc. - encrypted and all. With SSH
tunnels, you've got quite a challenge ahead of you?  Not only do you
have to spoof addresses to local (hopefully you're not using enforced
SSL authentication) but you have to probably use your proxy's
web-browser?

> 
> JIM
> 
> ----- Original Message -----
> From: "Peter Larsen" <plarsen@famlarsen.homelinux.com>
> To: jecottrell3@comcast.net
> Cc: novalug@calypso.tux.org
> Sent: Monday, October 3, 2011 11:28:24 AM
> Subject: Re: [Novalug] Meeting topic suggestion - openvpn
> 
> Sorry - that's too easy. Oracle isn't the only protocol that does this.
> There are lots of technical reasons to do this. Another reason for not
> going in your proposed direction is having a ton of servers that you
> need to access. You'll require at least one parameter per host your way.
> It's really not feasible unless you only work on one central host.
> 
> On Mon, 2011-10-03 at 15:07 +0000, jecottrell3@comcast.net wrote: 
> > I wouldn't be using Oracle in the first place, and this is just another example of why.
> > 
> > One Service...One Port is how the Client/Server model goes.
> > 
> > Note that the problem I am trying to address is "access from home"...logging on to an internal machine and accessing the world from there. I'm not talking about "Arbitrary Access from Anywhere", although it would seem like some products go out of their way to make things difficult.
> > 
> > ssh -L can be used to set up tunnels for simple cases.
> > 
> > JIM
> > 
> > ----- Original Message -----
> > From: "Peter Larsen" <plarsen@famlarsen.homelinux.com>
> > To: novalug@calypso.tux.org
> > Sent: Monday, October 3, 2011 10:42:23 AM
> > Subject: Re: [Novalug] Meeting topic suggestion - openvpn
> > 
> > On Fri, 2011-09-30 at 22:22 +0000, jecottrell3@comcast.net wrote: 
> > > I don't know why anyone thinks that VPN is a good idea...once you are connected, you are actually On That Net, and can use Any and All methods of attack. By contrast with SSH, you need Specific Private Keys (I am assuming that Plain Passwords are disabled) as well as their Passphrases, and can only attack thru the SSH port.
> > 
> > Help me understand how you would do SSH tunneling with protocols like
> > Oracle's SQL Net that randomly assigns new socket pairs upon connection
> > - making your server wanting you to connect to a new special port on the
> > host? We have firewall plugins to deal with those kinds of craziness -
> > but it's what we need access to when we connect to corporate networks.
> > 
> > > 
> > > I find it annoying that people hit me with SSH login attempts, but I don't worry about them.
> > > 
> > > JIM
> > > 
> > > ----- Original Message -----
> > > From: "Jon LaBadie" <novalugml@jgcomp.com>
> > > To: novalug@calypso.tux.org
> > > Sent: Wednesday, September 28, 2011 7:23:33 PM
> > > Subject: [Novalug] Meeting topic suggestion - openvpn
> > > 
> > > I'd really like a more secure way to get back to
> > > my home systems while traveling.  Although I've
> > > had no successful breakins (that I know about :)
> > > if my router lets ssh traffic through I always
> > > have attempted logins.
> > > 
> > > Perhaps a vpn would be a better solution.
> > > 
> > > Anyone else who would like such a talk?
> > > 
> > > Anyone comfortable giving it?
> > > 
> > > Jon
> > 
> > 
> 
> 


-- 
Best Regards
  Peter Larsen

Wise words of the day:
One doesn't have a sense of humor.  It has you.
		-- Larry Gelbart
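The two approaches argued over in this thread, written out as an added example (not code from any of the posters): one ssh -L forward per web app, which is the "parameter per host" and the "spoof addresses to local" problem Peter describes, beside a single ssh -D SOCKS listener that needs no per-host parameter. -L, -D and -N are ordinary OpenSSH options; the host names, ports and the jump host are constructed sample data.

```shell
# Added example, not from the thread. Builds the per-host -L options and
# the single -D alternative as strings so they can be inspected before use.
# All hosts and ports below are constructed sample data.

# build_forwards HOST_LIST BASE_PORT
#   HOST_LIST: whitespace-separated "host:port" entries.
#   Emits one -L option per entry, binding consecutive local ports starting
#   at BASE_PORT. Every new host costs one more option and one more local
#   port, and the browser then sees 127.0.0.1:PORT instead of the real name.
build_forwards() {
    _hosts=$1
    _port=$2
    _out=""
    for _h in $_hosts; do
        _out="$_out -L 127.0.0.1:${_port}:${_h}"
        _port=$((_port + 1))
    done
    printf '%s' "${_out# }"
}

# socks_forward PORT
#   Emits the one -D option for a dynamic SOCKS listener. The browser is
#   pointed at 127.0.0.1:PORT and, with proxy-side DNS enabled, keeps using
#   the original host names, so no per-host parameter is needed.
socks_forward() {
    printf '%s' "-D 127.0.0.1:$1"
}

# Constructed sample: three internal web apps behind one jump host.
SAMPLE_HOSTS="app01.internal:80 app02.internal:80 db-admin.internal:8443"

echo "ssh -N $(build_forwards "$SAMPLE_HOSTS" 8081) jumphost.example"
echo "ssh -N $(socks_forward 1080) jumphost.example"
```

With the -L form the browser connects to 127.0.0.1, so name-based virtual hosts and TLS certificates issued for the real host names no longer match; that is the address-spoofing and SSL caveat raised above. The -D form avoids it only if the browser resolves names through the proxy (the socks5h / "proxy DNS" setting), otherwise the internal names leak to and fail at the local resolver.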