Summary

If you are a network administrator, I hope you will take one lesson away from this chapter: Don't bother with heavy-handed restrictions on external connectivity for internal users. By this I do not mean that you shouldn't use proxies and NAT/masquerade to hide details of your internal network from external attackers. Those measures make perfect sense. No, I'm merely arguing that the only way to prevent internal users from reaching any resource on the outside that they wish to use is to disconnect from the outside world completely.

If you allow any data to leave the network, then there is a way to use that path to carry data for other purposes. The very existence of tunneling renders moot any restrictions on internal access to the outside. Rather than impose restrictions that have dubious security benefits, concentrate on external security, proxies, and NAT. The more you restrict internal users, the more you will drive insecure activity underground where you cannot see it.

Frankly, you are much more likely to prevent internal abuse if you give internal users more trust. A user is much less likely to use an encrypted tunnel, which totally denies you any ability to monitor, if you simply allow activity in the open.

If you are not a network administrator, please remember that the purpose of this chapter is not to encourage abuse of private networks. The purpose of this chapter is to show how you might achieve a legitimate goal, such as telecommuting or remote support, in a secure and authenticated manner, even where the network infrastructure is not quite ready for such capability.

I would strongly advise you not to start setting up virtual networks and tunnels on the QT. In many organizations, such activity can certainly get you fired. If your company or organization has provision for safe external communications, by all means use that. Besides, you can use SSH over those media as well.

 



Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
EAN: 2147483647
Year: 2002
Pages: 257
