[EXTERNAL] Re: Cisco recommends OpenConnect

Daniel Lenski dlenski at gmail.com
Sat Jun 11 15:26:37 PDT 2022


On Fri, Jun 10, 2022 at 9:57 AM David Woodhouse <dwmw2 at infradead.org> wrote:
> But IT departments using proprietary VPN products clearly *do* trust
> the likes of Cisco far more than we do, and the endorsement *is*
> meaningful to them. So it doesn't hurt to highlight it.
>
> Especially for individual users who are seeking "permission" to use
> OpenConnect against their corporate network, the endorsement could be
> very useful.

That's a good point. If "Cisco recommends it" gives more people cover
to use OpenConnect, that's helpful.

> > More seriously, I'm rather equivocal about encouraging corporate
> > network IT departments to replace proprietary clients with
> > OpenConnect.
> >
> > Those corporate network IT folks are always asking us things like,
> > "Hey, OpenConnect is great! We want to use it for our whole fleet. By
> > the way, can you make it so OpenConnect will check a flag sent by the
> > server and then disable access to other network devices?"…
> >
> > … and that's the part where I have to tell them, "Look, I'm not your
> > ally here, I'm your adversary. The reason I got involved in developing
> > OpenConnect was to work around all of these network security policies,
> > so that I could actually Get Stuff Done on the VPNs I was connecting
> > to. My primary interest in such policies is documenting and explaining
> > how to evade them."
>
> I strongly disagree with this.
>
> OpenConnect gives you *control*, sure. It *allows* you, as a user, to
> override and bypass certain policies. Strictly speaking, so do the
> proprietary clients if you try hard enough; we'd just a little more
> honest about it.
>
> But overriding security policies is *not* its raison d'être, as you
> seem to be implying above. If we don't yet support those "bar all local
> network access and route to the VPN so users can't even print" or "Bar
> all Legacy IP/IPv6 becaue the VPN only supports the other" features,
> that is a bug/missing feature and we *do* aspire to do those things by
> *default*, even if we know some users might disable them.
>
> I *absolutely* want to be the ally of corporate IT departments who want
> to use OpenConnect and want to know that it *can* meet their
> requirements. And does so out of the box without having to be tweaked.
>
> We are *also* the ally of individual users who want to have control of
> what's on their box, and who want to use properly integrated open
> source software. And where their desires mismatch with those of their
> employers, that's none of our business.

Much more balanced than my take. Upon reflection, I agree with all of
that too. 😅

Dan



More information about the openconnect-devel mailing list