[VPN] SSL "VPNs"
Paul Cardon
paul at moquijo.com
Fri Feb 7 10:57:05 EST 2003
Keith wrote:
> There are 3rd party remote access security policy management solutions
> that enforce desktop security policy on the remote desktop before
> allowing connections and possibly can be adapted to work with
> SSL-VPNs. (A 3rd party remote access policy enforcement agent check
> before establishing the SSL-based VPN connection, etc.)
That's great except that now you are back to having to install an
agent/client on the remote desktop which is exactly what most people
deploying SSL VPNs are trying to avoid. That is the problem. There are
fundamental security controls that can't be implemented at the remote
desktop without an agent/client. In my opinion that makes SSL VPNs
unsuitable for any but very narrow applications with very restricted
access to internal network resources.
> Webmail is, currently, probably the most popular application for a
> "SSL-based" VPN. What's to prevent someone from subverting a
> telecommuter's webmail session today to, somehow, get into the internal
> network today? Remote desktop security management tools/techniques,
> i.e. personal firewall/IDS, desktop a/v, etc.
I'm not sure that web mail with or without an SSL VPN is appropriate for
some companies. How would you feel about an executive on the planning
committee of a top 5 financial institution reading e-mail about a yet to
be announced merger/acquisition at an airport web kiosk? The SSL VPN
only protects that data in transit. There is nothing to protect it on
the web kiosk itself. If that environment is compromised or the
operator is hostile, that data is as good as disclosed.
-paul