<html><head></head><body><div dir="ltr"><div dir="ltr"><div style="mso-line-height-rule:exactly;-webkit-text-size-adjust:100%;"><div>Matt Harris | CIO<br>816‑256‑5446 | Direct</div><div><br></div><div><strong>Looking for something?</strong><br><a href="https://help.netfire.net/" target="_blank" id="LPlnk689713" title="Submit a ticket to our helpdesk!">Helpdesk Portal</a> | <a href="mailto:help@netfire.net" target="_blank" id="LPlnk689713" title="Send us an email!">Email Support</a> | <a href="https://my.netfire.net/" target="_blank" id="LPlnk689713">Billing Portal</a></div><div><br></div><div>We build and deliver innovative IT solutions.</div></div>On Mon, Feb 3, 2020 at 12:50 PM Christopher Morrow <<a href="mailto:morrowc.lists@gmail.com">morrowc.lists@gmail.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
Sorry, to be a little less flippant and a bit more productive:<br>
  "I don't think every remote endpoint needs full access (or even some<br>
compromise based on how well you can/can't scale your VPN box's<br>
policies) access to the internal network. I think you don't even want<br>
to provide this access based on some loose ideas about 'ip address'<br>
and 'vpn identity'."<br></blockquote><div><br></div><div>This isn't particularly difficult or costly to do right, though. pfSense on a VM with relatively minimal resources running your VPNs works very well and can easily be configured to authenticate against, for example, LDAP as well. It also has a convenient firewall configuration user interface that's very straightforward, so you don't need some highly-paid network engineering guru to manage the thing, either, so you can associate a given identity with a given address and then apply firewall rules right at that VPN border in addition to the other access controls that you should have in place upstream. Certainly giving full access to everyone is overkill, unnecessary, and can be problematic for obvious reasons - but at the same time, we're talking about back doors here when many of the same folks worried about these back doors also have wide open front doors at the same time.</div><div><br></div></div></div>
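Added example, not from the thread, pfSense or OpenVPN: a POSIX shell script that does the two things the reply describes, pinning each VPN identity to a fixed tunnel address with an OpenVPN client-config-dir entry and generating least-privilege pf rules for that address with a logged default deny. It assumes OpenVPN with "topology subnet" on an interface named ovpns1, a constructed access table, and that LDAP authentication is configured separately; on pfSense the emitted rules would be entered as firewall rules on the OpenVPN interface rather than pasted into pf.conf.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or OpenVPN): bind each VPN
# identity to a fixed tunnel address via an OpenVPN client-config-dir entry,
# then emit pf rules that let only that address reach what its role needs.
# Assumed: OpenVPN with "topology subnet" on interface ovpns1, tunnel
# 10.8.0.0/24; identities, addresses and destinations are constructed.
set -eu

VPN_IF="${VPN_IF:-ovpns1}"

# Constructed access table, one identity per line:
# <certificate common name> <tunnel address> <allowed destination> <proto/port>
ACCESS_TABLE='
alice.ops   10.8.0.10  10.0.5.0/24  tcp/22
bob.finance 10.8.0.11  10.0.9.20    tcp/443
carol.dev   10.8.0.12  10.0.7.0/24  tcp/443
'

# One client-config-dir file per identity: "ifconfig-push" hands the same
# address to that certificate on every connection, so an address in the
# firewall rules below always means one known identity.
write_ccd() {
    ccd_dir="$1"
    mkdir -p "$ccd_dir"
    printf '%s\n' "$ACCESS_TABLE" | while read -r cn addr _rest; do
        [ -n "$cn" ] || continue
        printf 'ifconfig-push %s 255.255.255.0\n' "$addr" > "$ccd_dir/$cn"
    done
}

# pf rules for the VPN interface: an explicit "pass ... quick" per
# identity/destination pair, then a logged block for everything else, so
# a connected client gets its own slice of the network, not all of it.
gen_pf_rules() {
    printf '%s\n' "$ACCESS_TABLE" | while read -r cn addr dst svc; do
        [ -n "$cn" ] || continue
        printf 'pass in quick on %s proto %s from %s to %s port %s # %s\n' \
            "$VPN_IF" "${svc%%/*}" "$addr" "$dst" "${svc##*/}" "$cn"
    done
    printf 'block in log on %s all\n' "$VPN_IF"
}

# Stand-alone run: write CCD files to ./ccd (or $CCD_DIR) and print the rules.
write_ccd "${CCD_DIR:-./ccd}"
gen_pf_rules
```

The logged block line is the detection hook: hits on it are a VPN user probing beyond the destinations their identity was granted.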
</body></html>