[personal profile] johnridley
They've switched to Juniper VPN at work - so that they can have ONE VPN system run from one central data center for all who-knows-how-many employees - it was about 45,000 BEFORE we merged with Reuters.

It doesn't allow partial routing at all. With it turned on, I can't even get to my network printer or any other device; all network activity is forced through the VPN, and the box up by the TV can't get to the torrents share on my machine, so nobody can watch anything I've downloaded in the last few weeks.

The VPN software they install is very intrusive; I really wouldn't want to allow it on my personal machine.

Moreover, since it goes into the data center in Eagan, local name resolution doesn't work. They put in all our desktop machines but none of the DNS for web servers etc., even those hosted in the same data center as the VPN. And routing is horrendous.

Luckily, it's trivial to set this up under a virtual XP install, and that also allows me to back it up and to replicate it across multiple machines, something they went to GREAT lengths to keep people from doing: they require you to allow an ActiveX control in order to fingerprint your machine and send the fingerprint to an authentication server, where it makes a public/private key pair just for your machine.

With the virtual machine, they can install whatever the hell they want, because it can't get out and wreck my machine, and I can copy the install to my laptop or whatever. They probably don't like it but I don't plan on hiding it. I'm in a position where if they decide they don't like what I'm doing, I'll require them to provide me with a company-issue laptop for working from home. I think they'll just roll with what I've already done.
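The "no partial routing" behaviour described in the post (every destination, the LAN included, pushed through the tunnel) shows up in the routing table, so it can be checked directly rather than discovered when the printer vanishes. What follows is an added example, not code from the post and not anything shipped by Juniper: a small Python classifier that parses `ip route` output, does a Linux-style longest-prefix/lowest-metric lookup for a LAN address and an Internet address, and reports whether the tunnel interface wins both. The two route snapshots are constructed; the interface names (`tun0`, `eth0`), the 10.8.0.0/24 tunnel subnet, the 192.168.1.0/24 LAN and the 203.0.113.7 VPN server address are all assumptions for illustration.

```python
"""Detect full-tunnel vs split-tunnel VPN routing from `ip route` output.

Added example, not from the original post or from any VPN vendor.
Interface names, subnets and the two route snapshots are constructed.
"""
import ipaddress
import re

# One `ip route` line: destination, optional "via", mandatory "dev",
# optional "metric" somewhere later on the line.
ROUTE_RE = re.compile(
    r"^(?P<dst>default|[0-9.]+(?:/\d+)?)"
    r"(?:\s+via\s+(?P<via>[0-9.]+))?"
    r"\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)

# Constructed snapshot: split tunnel. Only the corporate 10.0.0.0/8 goes
# through tun0; the LAN and the default route stay on eth0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.7 via 192.168.1.1 dev eth0
"""

# Constructed snapshot: full tunnel with the LAN shadowed. The 0.0.0.0/1 +
# 128.0.0.0/1 pair out-ranks the /0 default without deleting it, and the
# two /25 routes out-rank the kernel's /24 LAN route, so only the host route
# to the VPN server itself still leaves via eth0.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/25 via 10.8.0.1 dev tun0
192.168.1.128/25 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.7 via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Turn `ip route` text into a list of dicts with a parsed network."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst,
                                   strict=False)
        routes.append({
            "net": net,
            "via": m.group("via"),
            "dev": m.group("dev"),
            # Routes without an explicit metric are treated as metric 0.
            "metric": int(m.group("metric") or 0),
        })
    return routes


def lookup(routes, dst):
    """Pick the route Linux would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def classify(route_text, vpn_dev, lan_probe, internet_probe):
    """Report which interface carries LAN and Internet traffic.

    full_tunnel: the Internet probe egresses via the VPN interface.
    lan_shadowed: the LAN probe does too, i.e. local devices are cut off.
    """
    routes = parse_routes(route_text)
    lan = lookup(routes, lan_probe)
    inet = lookup(routes, internet_probe)
    return {
        "full_tunnel": inet is not None and inet["dev"] == vpn_dev,
        "lan_shadowed": lan is not None and lan["dev"] == vpn_dev,
        "lan_dev": lan["dev"] if lan else None,
        "internet_dev": inet["dev"] if inet else None,
    }


if __name__ == "__main__":
    for name, snap in (("split", SPLIT_TUNNEL_ROUTES),
                       ("full", FULL_TUNNEL_ROUTES)):
        print(name, classify(snap, "tun0", "192.168.1.50", "198.51.100.9"))
```

To run it against a live host, feed the output of `ip route` (or `ip -4 route`) into `classify` with the real tunnel interface name and the address of a LAN device such as the printer; a result of `lan_shadowed: True` is the condition the post complains about. The lookup only models destination routes, not firewall rules, so a client that blocks local traffic with a packet filter rather than with routes will not be caught by this check.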

Date: 2010-05-22 02:53 pm (UTC)
From: [identity profile] backrubbear.livejournal.com
Their configuration is certainly excessively anal and not required by the software. Split networks are very common, but I certainly understand the reasoning they may have for trying to lock things down. It makes any VPN'd machine a potential infection vector on a real-time basis.

Date: 2010-05-22 03:07 pm (UTC)
From: [identity profile] johnridley.livejournal.com
Well, we've had a fully locked down VPN before, this is our 4th VPN and the 2nd one that's fully routed. I'm just back to using a VM as before. I'd be doing it anyway in this case since it uses a key that's locked to the machine, so I'd have to get multiple keys anyway.

It accomplishes their security goal either way. The VM should also certainly be proof against infection from the host, unless that's a damn smart infection.
