VPN through BSD for Win2k, totally baffled
Chris BeHanna
behanna at zbzoom.net
Thu May 8 17:22:03 PDT 2003
On Thursday 08 May 2003 16:39, Michael Collette wrote:
> On Thursday 08 May 2003 05:26 am, Jacques A. Vidrine wrote:
> > It's hard to tell from your message where you are getting lost, but I'll
> > give it a shot. Assuming you have all your certificates (let's call
> > them client.crt/client.key, server.crt/server.key, and ca-local.crt):
>
> Took me a while to figure out how to even ask the question! After heading
> down a bunch of dead ends and all.
>
> A couple of follow up questions to this. If I go the route of handing out
> certificates to end users, is there a mechanism for revoking their rights
> to enter? Employees do get other jobs, and almost all of them are using
> laptops which they travel with. We've had folks get laptops stolen.
>
> Is the cert an all or nothing kinda deal. For instance, I need a different
> level of access than a salesperson. We have a programmer who needs access
> to different resources than myself or sales. All of these outside folks
> are on dynamic IPs.
Unless I miss my mark, all IPsec gets you is a secure tunnel to
the office network. It does not circumvent the usual user- and group-
based permissions, nor will it circumvent NTFS ACLs.
IOW, even after the IPsec link is established, the user *still*
has to log in, in which case you should be able to provide the kinds
of access controls you want via ACLs, netgroups, permissions masks,
etc.
Right?
--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna at bogus.zbzoom.net
Turning coffee into software since 1990.
More information about the freebsd-security
mailing list