Are there any problems with using a vpn connection instead of a usb ? What are some possible security risks?
If the VPN connection is based on OpenVPN, which uses OpenSSL by default, there would be for example the heartbleed bug
, if it is not yet fixed on the machine you use.
So windows servers are not affected by this bug. Microsoft uses something called sstp to secure vpn.
It totally depends on the software used.
But in genertal, the more complex and big a system is, the more points of failure there are. And here, we have two instead of one computer, they both are online, and you have a vpn in between. Enhanced physical security may be worth it, depending on the situation. Nice to know that noone can just break in, grab a computer, and has everything he needs.
The important part is to distinguish two designs:
- "security measures in parallel", like a chain where you only have to break the weakest link (break one of the two computers or the VPN)
- "security measures in series", like layers where you have to break through all of them (like n-of-m, on paper wallets, encrypted)
Besides that, a "safe fallback" is good. "If anything irregular happens, it all shuts down and is fine" (like full hdd encryption for example). Also, consider every single component to be compromised. A million bonus points for designing a setup where every single component may be compromised at the same time, and you still don't lose :-)
The system I am building for a project, will be responsible for transferring unsigned transactions from hot storage to cold storage, signed them and bring them back online via some api and broadcast them. The setup I have come up with is using VPN over SSTP protocol which is not affected by the heartbleed bug and 2 form authentication on azure. So the idea is everytime a user wants to either withdraw funds from cold storage or send bitcoins/altcoins and if there isnt enough coins in the hot wallet, the user would have to vpn into the cold storage and provide 2fa. Then the cold storage server will sign the transaction and send back the signed transaction to the hot storage through vpn.