New work VPN system - horrendous
May. 17th, 2010 08:22 pm

They've switched to Juniper VPN at work - so that they can have ONE VPN system run from one central data center for all who-knows-how-many employees - it was about 45,000 BEFORE we merged with Reuters.
It doesn't allow partial routing at all - with it turned on, I can't even get to my network printer or any other device, all network activity is forced through the VPN, and the box up by the TV can't get to the torrents share on my machine so nobody can watch anything I've just downloaded in the last few weeks.
The VPN software they install is very intrusive; I really wouldn't want to allow it on my personal machine.
Moreover, since it goes into the data center in Eagan, local name resolution doesn't work - they put in all our desktop machines but none of the DNS for web servers etc., even those hosted in the same data center as the VPN. And routing is horrendous.
Luckily, it's trivial to set this up under a virtual XP install, and that also allows me to back it up and to replicate it across multiple machines - something they went to GREAT extents to keep people from doing - they require you to allow an ActiveX control in order to fingerprint your machine, send the fingerprint to an authentication server where it makes a public/private key pair just for your machine.
With the virtual machine, they can install whatever the hell they want, because it can't get out and wreck my machine, and I can copy the install to my laptop or whatever. They probably don't like it but I don't plan on hiding it. I'm in a position where if they decide they don't like what I'm doing, I'll require them to provide me with a company-issue laptop for working from home. I think they'll just roll with what I've already done.
All depends on how it is configured
Date: 2010-05-18 12:56 am (UTC)

Re: All depends on how it is configured
Date: 2010-05-18 01:07 am (UTC)

What I WANT is for them to route to the VPN only traffic that can't be handled any other way.
With the previous solution (Cisco) they had it so that I could access local 10.*.*.*, but everything else went through the VPN, so I could print and access shares, but no unmonitored browsing, bittorrent, etc.
But it was a fairly common solution so I was able to use ShrewSoft, which allowed me to modify the routes to suit me, and everything was good.
The new system is certificate based. I don't really know if it's possible to use it with ShrewSoft. The old one just provided a config file, I imported it, and I was good to go. If I can even get the cert based stuff working with ShrewSoft, it would be a challenge.
And in any case, I need the virtual machine in order to be able to replicate the certificate across multiple physical machines.
Also, I've read some, and looked at what they install, and I don't want that crap on my machine.
In my job, I'm often monitoring things for hours or even days, and I'm not getting paid full time during that time. To hell if I'm going to not be able to use my computer for days while I'm monitoring on the cheap.
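The difference the reply above is describing is split tunneling versus full tunneling, and it comes down to what the VPN client leaves in the host's route table. The following is an added example, not code from the post or either commenter: it implements the standard route lookup (longest prefix wins, lowest metric breaks ties) over two constructed route tables. The interface names, the 10.0.1.0/24 home LAN, the sample addresses and the "vpn0 overrides the connected route with a lower metric" pattern are all assumptions made for illustration, loosely modelled on what a Windows "route print" shows; a practitioner can point the same functions at their own parsed route table to confirm whether local devices really bypass the tunnel or whether everything is being forced through it.

```python
import ipaddress

# Routes are (prefix, interface, metric). Both tables are constructed for this
# example; they are not the page's, Cisco's or Juniper's real configuration.
HOME_LAN = "10.0.1.0/24"

# Split tunnel: the connected home-LAN route stays, everything else defaults to the VPN.
SPLIT_TUNNEL = [
    ("0.0.0.0/0",   "vpn0", 1),   # default: anything not matched below goes through the VPN
    (HOME_LAN,      "eth0", 10),  # connected route: printers and shares stay local
    ("127.0.0.0/8", "lo",   1),
]

# Full tunnel: the client adds a same-length route for the LAN with a better metric,
# so even the printer next to you is reached through the data center.
FULL_TUNNEL = [
    ("0.0.0.0/0",   "vpn0", 1),
    (HOME_LAN,      "eth0", 10),  # connected route is still present...
    (HOME_LAN,      "vpn0", 1),   # ...but this lower-metric duplicate wins
    ("127.0.0.0/8", "lo",   1),
]


def lookup(routes, dst):
    """Return the egress interface for dst: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(dst)
    best = None  # (sort key, interface)
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)  # more specific first, then cheaper metric
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def local_devices_bypass_vpn(routes, lan=HOME_LAN, vpn_iface="vpn0"):
    """True when a host on the local LAN is reached without the VPN (split tunnel)."""
    probe = next(ipaddress.ip_network(lan).hosts())  # first usable LAN address
    return lookup(routes, str(probe)) != vpn_iface


if __name__ == "__main__":
    printer, corp_host = "10.0.1.20", "10.200.5.5"  # constructed sample addresses
    for name, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(f"{name}: printer -> {lookup(table, printer)}, "
              f"corp host -> {lookup(table, corp_host)}, "
              f"LAN bypasses VPN: {local_devices_bypass_vpn(table)}")
```

The metric tie-break is the interesting part: a full-tunnel client does not need to delete your LAN route, it only has to add an equally specific one that the kernel prefers, which is why the connected route is still visible in the table even though nothing uses it.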
no subject
Date: 2010-05-22 02:53 pm (UTC)

no subject
Date: 2010-05-22 03:07 pm (UTC)

It accomplishes their security goal either way. The VM should also certainly be proof against infection from the host, unless that's a damn smart infection.