Yes, it seems that you are correct with server checking hardware ID of the computer, and not login/password themselves. This is probably the only possible explanation. However, at least in my understanding, this leads to some security risks. I would even say to huge ones. Basically, it means that I (as server administrator) am unable to control the ability of the clients to connect into my VPN. As soon as the client manages to connect for the first time, he will be always be able to connect, no matter what (well, at least, until hardware ID of his computer changes). In this case I don't understand what's the point of the whole user account system (particularly, the option to enable/disable user access). What concerns security risks I mentioned, here is my personal situation. I use NeoRouter to administer computers of my family relatives. Inside VPN, all clients have the privilege to access several services (shared family photos, videos, FTP server, database server, family website etc.). Now imagine one of the computers in my network gets infected with malware, or gets stolen. In my understanding, I would immediately disable corresponding user account to prevent accessing the VPN network. However, with NeoRouter, I am out of luck. Even if the attacker (human or malware) can't log in into NeoRouter Network Explorer (after I disable/delete corresponding user), he can still connect to all network services available inside the VPN (shared files, FTP server, etc.). Of course, one could say that I should protect access to above mentioned shared files, FTP server etc. with additional authentication - and, obviously, these services are protected. But what about, for example, our family website (which is not exposed to Internet and is available ONLY inside VPN)? The attacker could happily access it and I can't do anything about it. Also, attacker could execute various attacks (brute-force, DDOS, etc.) and again - I can't do anything about it. I mean, I can play with some firewall rules and disable access for compromised computer manually, but this is just a kludge and it is not how things are supposed to work. Or imagine the situation when I want to allow my friend to temporary access my VPN. After he connects once, I can't control him anymore, he always be able to login, even if I disable or delete his account. This very fact, that I, as administrator of the VPN server, am UNABLE to control who connects into my VPN, makes me quite desperate. I would expect different behaviour - if I disable John's account, John is not able to login into VPN anymore. This is how all network systems normally work. And even if NeoRouter's developers have chosen to use such a strange authentication policy (using hardware ID for known computers), they should provide some possibility to remove a computer from a list of known clients on the server. Unfortunately, it does not seem to be possible (or at least I don't know how to do that without editing NeoRouter_0_0_1.db file directly - which I see as a very dirty solution). What can I say... As someone who takes security concerns very seriously, I would immediately want to switch to a different product. If there was one. Unfortunately, I am not aware of any other product that can provide all the features that NeoRouter provides (Linux/Windows clients and full mesh VPN being the most important of them).
P.S. Still waiting for developers to comment.
|