Webconverger / webc

Webconverger's curated chroot from which updates originate
https://webconverger.org/upgrade/

Feature request: OpenVPN and/or IPsec capabilities (encrypted VPN-tunnel towards a gateway) #71

Open Apachez- opened 12 years ago

Apachez- commented 12 years ago

Using Webconverger is a great choice to get safer browsing for your clients (if it's not possible to set up terminal servers of some sort).

For example, running a Webconverger session (booting from a read-only ISO) within VirtualBox (or VMware or whatever virtualization one might prefer). Apart from segmentation within the client, you will always get a fresh start when booting from the read-only ISO file (so that malware doesn't stick over time, given that the client restarts his/her virtual machine every now and then, or for that matter reboots their physical client).

However, using Webconverger in a virtualized environment within a client will still give the malware a possibility to infect the rest of your clients by using your network (in case you get malware which can exploit the browser being used in Webconverger or any of the plugins such as Java, Flash, PDF reader etc).

Using OpenVPN or IPsec as an encrypted tunnel from your Webconverger towards a gateway within your network will in most cases (except a targeted attack) isolate the malware-infected Webconverger client from the rest of your network (in case the shit hits the fan ;-)

Of course a safe browsing setup would need other capabilities as well (like a NGFW or similar as gateway along with SSL termination, URL categorizing (only allow browsing to trusted sites) etc), however this feature request is whether it's possible to bring OpenVPN and/or IPsec as a connection method from within Webconverger (preferably with no option to allow split-tunneling)?
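The isolation the request relies on only holds if the client profile really forces all traffic through the tunnel. As an added example (not code from Webconverger or from the commenter), here is a small static check that parses an OpenVPN client profile and flags directives that would leave a split tunnel open. The two profiles are constructed samples; the gateway name `vpn-gateway.example.internal` is a placeholder, and the check assumes the full-tunnel policy is stated in the client profile itself rather than only pushed by the server.

```python
"""Static check of an OpenVPN client profile for a no-split-tunnel policy.

Added example; the profiles below are constructed and the gateway name is a
placeholder.  Directive names are OpenVPN's own (redirect-gateway, route-nopull,
pull-filter, remote-cert-tls).
"""
import shlex

# Constructed profile that sends every packet through the gateway.
FULL_TUNNEL_PROFILE = """\
client
dev tun
proto udp
remote vpn-gateway.example.internal 1194   # placeholder gateway
redirect-gateway def1
remote-cert-tls server
verify-x509-name vpn-gateway.example.internal name
<ca>
PLACEHOLDER-CA-PEM
</ca>
"""

# Constructed profile a user could edit to browse outside the tunnel.
SPLIT_TUNNEL_PROFILE = """\
client
dev tun
proto udp
remote vpn-gateway.example.internal 1194
route-nopull
pull-filter ignore "redirect-gateway"
route 10.0.0.0 255.0.0.0
"""

# Directives the policy needs locally, and ones that defeat it outright.
REQUIRED = {"redirect-gateway", "remote-cert-tls"}
FORBIDDEN = {"route-nopull"}


def parse_profile(text):
    """Return [(directive, [args...])], skipping comments and inline <tag> blocks."""
    directives = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue  # PEM payload, not a directive
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = line[1:].split(">", 1)[0]
            continue
        parts = shlex.split(line, comments=True)  # drop trailing '# ...'
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def check_full_tunnel(text):
    """Return a list of findings; an empty list means the profile is full-tunnel."""
    directives = parse_profile(text)
    names = {name for name, _ in directives}
    findings = []
    for req in sorted(REQUIRED):
        if req not in names:
            findings.append(f"missing required directive: {req}")
    for name, args in directives:
        if name in FORBIDDEN:
            findings.append(f"forbidden directive: {name}")
        # 'pull-filter ignore <prefix>' silently discards a pushed redirect-gateway.
        if name == "pull-filter" and len(args) >= 2 and args[0] == "ignore":
            target = args[1]
            if target.startswith("redirect-gateway") or "redirect-gateway".startswith(target):
                findings.append(f"pull-filter discards pushed redirect-gateway: {' '.join(args)}")
    return findings


if __name__ == "__main__":
    for label, profile in (("full", FULL_TUNNEL_PROFILE), ("split", SPLIT_TUNNEL_PROFILE)):
        print(label, check_full_tunnel(profile) or ["ok"])
```

The check is deliberately conservative: a profile that relies on the server pushing `redirect-gateway` will be reported as missing it, which is the right outcome for a locked-down appliance where the client side, not the server, must guarantee the policy.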

kaihendry commented 12 years ago

What might the API look like?

kaihendry commented 11 years ago

I don't understand this scenario.

So correct me if I'm wrong. You want Webconverger to have the ability to tunnel to a certain end point, in the case that if infected by malware, you can control/mitigate the attack via software on your end point?

I think this use case is pretty exceptional. First off, it's unlikely, given the firewall etc., that a booted Webconverger is susceptible to remote attack. Each instance, if infected, will probably be manually infected from Webconverger itself, given the nature of attacks. Given that, it's a rare case that you need such extraordinary control of the network. If you did, couldn't you deploy Webconverger on a private network in any case? Isn't that easier? I do like to see as much "exported logic" to the router as reasonably possible.

Most people ask about VPN in the context of "dialling back in" to the service. I am against anyone doing this, but there are easier ways of doing it, using an SSH-based concentrator for example.

As for filtering/controlled access, I think we need to dump most of our thoughts upon http://webconverger.org/filtering/