[VPN] SSL "VPNs"

Paul Cardon paul at moquijo.com
Fri Feb 7 10:57:05 EST 2003


Keith wrote:
> There are 3rd party remote access security policy management solutions
> that enforce desktop security policy on the remote desktop before
> allowing connections and possibly can be adapted to work with
> SSL-VPNs. (a 3rd party remote access policy enforcement agent check
> before establishing the SSL-based VPN connection, etc).

That's great except that now you are back to having to install an 
agent/client on the remote desktop which is exactly what most people 
deploying SSL VPNs are trying to avoid.  That is the problem.  There are 
fundamental security controls that can't be implemented at the remote 
desktop without an agent/client.  In my opinion that makes SSL VPNs 
unsuitable for any but very narrow applications with very restricted 
access to internal network resources.

> Webmail is, currently, probably the most popular application for a
> "SSL-based" VPN. What's to prevent someone from subverting a
> telecommuter's webmail session today to, somehow, get into the internal
> network today? Remote desktop security management tools/techniques.
> i.e. personal firewall/IDS, desktop a/v, etc..

I'm not sure that web mail with or without an SSL VPN is appropriate for 
some companies.  How would you feel about an executive on the planning 
committee of a top 5 financial institution reading e-mail about a yet to 
be announced merger/acquisition at an airport web kiosk?  The SSL VPN 
only protects that data in transit.  There is nothing to protect it on 
the web kiosk itself.  If that environment is compromised or the 
operator is hostile, that data is as good as disclosed.

-paul



