Ethernet-over-VPN: What Could Possibly Go Wrong?
One of my readers sent me a link to SoftEther, a VPN solution that
[…] penetrates your network admin's troublesome firewall for overprotection. […] Any deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage.
What could possibly go wrong with such a great solution?
Ignoring the security implications of bypassing those pesky firewalls (that someone put in place just to annoy you, not because they’d actually be needed), this wonderful bit of software allows you to bridge between an Ethernet segment and a VPN tunnel. Quoting the documentation:
You can define a cascading connection between two or more remote Virtual Hubs. With cascading, you can integrate two or more remote Ethernet segments to a single Ethernet segment.
I won’t even start ranting about the beauties of running bridged Ethernet over WAN; it seems a lot of people prefer to learn from hands-on experience ;) However, all it takes is someone establishing two VPN tunnels between the same two VLANs to create a forwarding loop, and you have a lot of blinking lights (rate-limited only by the encryption speed of your VPN clients).
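To make the "two tunnels between the same two VLANs" failure concrete, here is a toy simulation I added for this post (it is not SoftEther code, and the hub, port and MAC names are constructed). Each virtual hub is modelled as a plain learning bridge that floods broadcast and unknown-destination frames out of every port except the one the frame arrived on; the tunnel ports are the cascade links between the two hubs. With one tunnel a broadcast frame crosses once and dies; with two parallel tunnels the same frame circulates forever and the source MAC address flaps between tunnel ports on both hubs, which is exactly what the blinking lights are made of.

```python
"""Toy model of a layer-2 loop caused by two parallel Ethernet-over-VPN
tunnels between the same two broadcast domains (constructed example)."""

from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A_MAC = "02:00:00:00:00:01"   # constructed, locally administered address


class Hub:
    """A minimal learning bridge: learn source MAC -> ingress port,
    forward known unicast to one port, flood everything else."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)     # port names, e.g. "hostA", "tunnel0"
        self.mac_table = {}          # mac -> port it was last seen on
        self.flaps = 0               # how often a learnt MAC moved ports

    def forward(self, frame, in_port):
        src, dst = frame
        if src in self.mac_table and self.mac_table[src] != in_port:
            self.flaps += 1          # MAC flapping: classic loop symptom
        self.mac_table[src] = in_port
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]


def simulate(tunnels, max_hops=1000):
    """Inject a single broadcast frame from a host on hub A with `tunnels`
    parallel cascade links to hub B. Returns (frames forwarded across the
    tunnels, whether frames were still circulating when max_hops was hit,
    total MAC-table flaps on both hubs)."""
    tunnel_ports = [f"tunnel{i}" for i in range(tunnels)]
    hubs = {
        "A": Hub("A", ["hostA"] + tunnel_ports),
        "B": Hub("B", ["hostB"] + tunnel_ports),
    }
    peer = {"A": "B", "B": "A"}
    queue = deque([("A", "hostA", (HOST_A_MAC, BROADCAST))])
    tunnel_forwards = 0
    hops = 0
    while queue and hops < max_hops:
        hub, in_port, frame = queue.popleft()
        hops += 1
        for out in hubs[hub].forward(frame, in_port):
            if out.startswith("tunnel"):
                tunnel_forwards += 1
                # the frame pops out of the same-named tunnel port on the peer
                queue.append((peer[hub], out, frame))
            # frames sent to host ports are delivered and go no further
    looped = bool(queue)
    flaps = hubs["A"].flaps + hubs["B"].flaps
    return tunnel_forwards, looped, flaps


if __name__ == "__main__":
    for n in (1, 2):
        fwd, looped, flaps = simulate(n)
        print(f"{n} tunnel(s): {fwd} tunnel forwards, "
              f"still circulating={looped}, MAC flaps={flaps}")
```

The model has no loop prevention at all, which is the point: nothing in plain Ethernet bridging stops the second tunnel from handing the frame straight back, so the only thing throttling the storm is how fast the VPN endpoints can encrypt.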
Finally, running TCP over TCP (in our case TCP-over-IP-over-Ethernet-over-SSL-over-TCP-over-IP-over-Whatever) isn’t the best idea ever, as people trying to run TCP over SSH figured out decades ago. Alas, some people never bother to check past experience and Rule 11 strikes again. But don’t despair, this wonder of technology can also run VPN over DNS or ICMP (as well as over UDP, which actually makes sense).
In short, I never cease to be amazed by how much time people spend inventing solutions that shouldn’t exist in the first place.