On Mon, Sep 18, 2006 at 08:36:44AM -0400, Daniel Senie wrote:
At 04:33 AM 9/18/2006, Jim Mercer wrote:
if the hosts inside the VPN can only be accessed by hostnames served up inside the VPN, then it is more likely the users can be confident that their data is actually traversing the VPN.
it works, or it don't.
Or, the user's computer is still caching information. Internet Explorer does this, and other browsers may as well. I keep a link to a script on my Windows desktop labelled "Flush DNS" and wind up using it often. If the user is accessing sites across the VPN, and as another poster writes the VPN drops, packets containing juicy, private information could well leak out in places people didn't intend.
As risks go, this might not be too severe in many cases, but if you were doing a security assessment for Sarbox or HIPAA, would you consider it safe? Do the remote sites indeed have filters blocking traffic to/from RFC1918 space that don't traverse the VPN?
maybe put some null routes on the PCs for the blocks, and have them overridden when the VPN comes up. could be done as part of the install of the VPN software/config?

-- 
[ Jim Mercer jim@reptiles.org +971 50 436-3874 ]
[ I want to live forever, or die trying. ]
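One way to verify the null-route idea from the thread on a host, as an added example that is not part of the original posts: parse a routing table, do the kernel's longest-prefix match, and report whether traffic to RFC1918 space rides the tunnel, is dropped by a blackhole route, or leaks via the default route. The `ip route` listings, the `tun0` interface name and the addresses are constructed for the example.

```python
"""Classify where traffic to RFC1918 destinations would go, given a routing table.

Added example: parses constructed `ip route show` output (Linux format), applies
longest-prefix matching, and flags private-space traffic that would leave via
a non-VPN interface. Interface names and routes below are assumptions.
"""
import ipaddress
import re

# Constructed: VPN down, null (blackhole) routes installed for RFC1918 blocks.
ROUTES_VPN_DOWN = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 scope link
blackhole 10.0.0.0/8
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
"""
# Constructed: VPN up; the tunnel's more-specific route overrides the blackhole.
ROUTES_VPN_UP = ROUTES_VPN_DOWN + "10.10.0.0/16 dev tun0 scope link\n"
# Constructed: no null routes, so private traffic follows the default route.
ROUTES_NO_GUARD = "default via 203.0.113.1 dev eth0\n203.0.113.0/24 dev eth0 scope link\n"

ROUTE_RE = re.compile(r"^(blackhole\s+)?(default|\S+)(?:\s+via\s+(\S+))?(?:\s+dev\s+(\S+))?")

def parse_routes(text):
    """Return a list of (network, action); action is 'blackhole' or 'dev <iface>'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        blackhole, dst, _via, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, "blackhole" if blackhole else f"dev {dev}"))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match: the most specific covering route wins, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, act) for net, act in routes if addr in net]
    if not matches:
        return "unreachable"
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def classify(route_text, dst, vpn_iface="tun0"):
    """'vpn' if the tunnel carries it, 'dropped' if null-routed, else 'LEAK via <dev>'."""
    act = next_hop(parse_routes(route_text), dst)
    if act == f"dev {vpn_iface}":
        return "vpn"
    if act == "blackhole":
        return "dropped"
    return f"LEAK via {act}"
```

Run `classify` against each of the three tables for an address inside the VPN's range to see the difference between a guarded host (dropped when the tunnel is down) and an unguarded one (leaks via eth0).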