[VPN] SSL "VPNs"
Paul Cardon
paul at moquijo.com
Thu Feb 6 15:24:33 EST 2003
Tina Bird wrote:
[SNIP]
> Details below for specific comments and questions on the three vendors I
> "reviewed." My requirements for the solution are: it must be able to
> support arbitrary custom database applications; it has to do granular
> user based access control (they all satisfied that requirement); it must
> contain the equivalent of "no split tunneling" or some other mechanism
> for defending against piggy back attacks (none of them did that).
[SNIP]
> None of these vendors claims to address the split tunneling issue; none
> of them offers convincing evidence that they can route arbitrary
> IP-based traffic to an internal location, which I believe is a necessity
> in most environments.
I work at a Fortune 100 corporation in an industry where security is
very important. We have had a lot of interest in SSL "VPNs" because of
the perceived ability to deploy without a client. There are two
significant issues that resulted in a decision to continue to use a
traditional VPN client for thin client remote access.
The first was the "no split tunneling" capability. I don't know how
this can be done without hooking into the IP stack, and I don't know how
that can be done with a browser, a Java applet, and a non-admin user
account. SSL VPNs really can't enforce or ensure any kind of real
client-side security. Sure, they could check for certain other software
and configuration, but that only goes so far and only works in a
non-hostile environment. If an SSL VPN is available for use to a large
user base, it will be used at j-random web cafes, kiosks, conferences,
etc. It is too easy to use these things in highly hostile locations.
The second was that the VPN gateway would have fairly broad access to
the WAN and I was not willing to depend on either Apache or IIS to
secure that type of access. The SSL VPN products I have seen are built
on one or the other. All of our Internet accessible web servers have
additional security controls on the back side that restrict what they
can communicate with on our internal network. To make VPN access a
useful service we can't restrict the backend connectivity like we do
with our web apps.
Now perhaps some companies who are using this technology understand
these risks and have decided they are acceptable, but I doubt there are
many. When the vendors don't have an answer to either of those
questions, I would be certain that the majority of their customers aren't
asking. The vendor says it's secure, so it must be, and many purchasers
leave it at that.
-paul