[VPN] SSL "VPNs"

shannong shannong at texas.net
Sat Feb 8 13:43:34 EST 2003


I definitely don't like the idea of unsecured clients using a socks
proxy client to gain entrance to an internal network. Most vendors use a
java applet to provide the socks proxy for remote access.  This means an
absent-minded user could leave an open hole to the network at any public
station.  Spooky!

If we drop the name "SSL based VPN", I do like the use of such solutions
for providing remote access to web applications ONLY.  Deploying browser
based access to web applications to the Internet is CRAZY!  The worst
example that comes to mind is OWA 2000.  The OWA server must run an
Exchange server and basically have full access to all your DCs.  Exposing
OWA to the Internet is one of the worst things an organization can do.
However, proxying the session at the edge of the network with a
mediating device that first checks credentials before allowing access to
the web server behind mitigates a lot of the problems.  Sure, you can
still hack at the proxy device, but these appliances are usually much
more secure than a Windows OS running a multitude of services to be
exploited. Much like a firewall or router, the limited code base and
services provided make them difficult to hack.

The most secure design I've seen is from Whale Communications.  They
actually have two devices.  One is "outside" and one is "inside".  The
two devices are separated by an analog switching device that can only
connect to one side at a time. Because it's analog, it can't be
manipulated by taking over the external server. The "outside" server
accepts URL requests and passively sends them inside where the URL is
inspected.  If the credentials are validated and the URL passes the
inspection list, then it is passed on to the target web server inside.
This means even if you hack the outside server, the only thing you can
do is pass URL requests to the inside server.  Because the URLs must
pass a known list of valid URL formats on the inside, the ability to do
harm or damage is severely limited.  The inside server is where the SSL
certificate is stored and management takes place.  My only complaint for
their design is that both servers are Win2k. The outside server does NOT
run IIS, but I would still prefer something that doesn't require daily
patching and excessive services.

-Shannon
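The two-stage check Shannon describes for the "inside" device (validate credentials first, then match the forwarded URL against a known list of valid URL formats before it reaches the target web server), written out as a small Python example added here. This is not Whale's code; the allowlist paths and query keys are constructed placeholders, and the normalization step is an assumption about what such an inspector needs to do before matching.

```python
import re
from urllib.parse import urlsplit, unquote
from posixpath import normpath

# Constructed allowlist of "known valid URL formats" for the inside inspection.
# These routes are hypothetical placeholders, not real OWA or Whale paths.
ALLOWED_URL_PATTERNS = [
    re.compile(r"^/webmail/inbox$"),
    re.compile(r"^/webmail/message/[0-9]{1,12}$"),
    re.compile(r"^/webmail/static/[A-Za-z0-9_-]+\.(css|js|gif)$"),
]
ALLOWED_QUERY_KEYS = {"page", "sort"}


def normalize_path(raw_path: str) -> str:
    """Decode and collapse the path before matching, so percent-encoding or
    dot segments cannot smuggle a non-listed path past the allowlist."""
    path = unquote(unquote(raw_path))      # decode twice to catch double-encoding
    if "\x00" in path or "\\" in path:
        return ""                          # NUL and backslash are never valid here
    path = normpath(path)                  # resolves "." and ".." segments
    return path if path.startswith("/") else ""


def inspect_request(session_ok: bool, url: str) -> tuple[bool, str]:
    """Credentials first; only then is the URL compared with the allowlist.
    Returns (forward?, reason)."""
    if not session_ok:
        return False, "no valid credentials"
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False, "absolute URL not accepted"   # only paths to the inside web server
    path = normalize_path(parts.path)
    if not path or not any(p.match(path) for p in ALLOWED_URL_PATTERNS):
        return False, f"path not on allowlist: {path!r}"
    for pair in filter(None, parts.query.split("&")):
        key = pair.split("=", 1)[0]
        if key not in ALLOWED_QUERY_KEYS:
            return False, f"query key not permitted: {key!r}"
    return True, "forward to inside web server"
```

A compromised outside server can only hand URLs to this function, so anything not matching a listed format is dropped before the web server ever sees it.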



-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
Behalf Of Paul Cardon
Sent: Friday, February 07, 2003 9:57 AM
To: Keith
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] SSL "VPNs"


Keith wrote:
> There are 3rd party remote access security policy management
> solutions that enforce desktop security policy on the remote desktop before
> allowing connections and possibly can be adapted to work with
> SSL-VPNs. (a 3rd party remote access policy enforcement agent check
> before establishing the SSL-based VPN connection, etc).

That's great except that now you are back to having to install an
agent/client on the remote desktop which is exactly what most people
deploying SSL VPNs are trying to avoid.  That is the problem.  There are
fundamental security controls that can't be implemented at the remote
desktop without an agent/client.  In my opinion that makes SSL VPNs
unsuitable for any but very narrow applications with very restricted
access to internal network resources.

> Webmail is, currently, probably the most popular application for a
> "SSL-based" VPN. What's to prevent someone from subverting a
> telecommuter's webmail session today to, somehow, get into the internal
> network today? Remote desktop security management tools/techniques.
> i.e. personal firewall/IDS, desktop a/v, etc.

I'm not sure that web mail with or without an SSL VPN is appropriate for
some companies.  How would you feel about an executive on the planning
committee of a top 5 financial institution reading e-mail about a yet to
be announced merger/acquisition at an airport web kiosk?  The SSL VPN
only protects that data in transit.  There is nothing to protect it on
the web kiosk itself.  If that environment is compromised or the
operator is hostile, that data is as good as disclosed.

-paul

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn