Date: Thu, 8 May 2003 20:22:00 -0400 From: Chris BeHanna <behanna@zbzoom.net> To: security@freebsd.org Subject: Re: VPN through BSD for Win2k, totally baffled Message-ID: <200305082022.00173.behanna@zbzoom.net> In-Reply-To: <200305081339.43667.metrol@metrol.net> References: <200305071921.33596.metrol@metrol.net> <20030508122637.GA97715@madman.celabo.org> <200305081339.43667.metrol@metrol.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thursday 08 May 2003 16:39, Michael Collette wrote: > On Thursday 08 May 2003 05:26 am, Jacques A. Vidrine wrote: > > It's hard to tell from your message where you are getting lost, but I'll > > give it a shot. Assuming you have all your certificates (let's call > > them client.crt/client.key, server.crt/server.key, and ca-local.crt): > > Took me a while to figure out how to even ask the question! After heading > down a bunch of dead ends and all. > > A couple of follow up questions to this. If I go the route of handing out > certificates to end users, is there a mechanism for revoking their rights > to enter? Employees do get other jobs, and almost all of them are using > laptops which they travel with. We've had folks get laptops stolen. > > Is the cert an all or nothing kinda deal. For instance, I need a different > level of access than a salesperson. We have a programmer who needs access > to different resources than myself or sales. All of these outside folks > are on dynamic IPs. Unless I miss my mark, all IPsec gets you is a secure tunnel to the office network. It does not circumvent the usual user- and group- based permissions, nor will it circumvent NTFS ACLs. IOW, even after the IPsec link is established, the user *still* has to log in, in which case you should be able to provide the kinds of access controls you want via ACLs, netgroups, permissions masks, etc. Right? -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net Turning coffee into software since 1990.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200305082022.00173.behanna>