[VPN] SSL "VPNs"

Siddhartha Jain losttoy2000 at yahoo.co.uk
Mon Feb 10 00:51:09 EST 2003


VPN SSL is more of a marketing gimmick. SSL has been
used for a long time for secure access to web sites
and it's a good thing if you only want to give users
access to the web site.

I was surprised to see that most vendors use the SSL
Proxy appliance to only proxy HTTPS and don't have the
flexibility to wrap any protocol like SSLWrapper (see
freshmeat.net). If they do that (which IMHO is a very
simple task) then the offering of an SSL Proxy
Appliance is much better.

In terms of authentication, Rainbow Technologies has a
good product. It integrates with their USB Token. So
if you unplug the token, the SSL session times out
instantly.


--- shannong <shannong at texas.net> wrote:
> I definitely don't like the idea of unsecured
> clients using a socks
> proxy client to gain entrance to an internal
> network. Most vendors use a
> java applet to provide the socks proxy for remote
> access.  This means an
> absent minded user could leave an open hole to the
> network at any public
> station.  Spooky!
> 
> If we drop the name "SSL based VPN", I do like the
> use of such solutions
> for providing remote access to web applications
> ONLY.  Deploying browser
> based access to web applications to the Internet is
> CRAZY!  The worst
> example that comes to mind is OWA 2000.  The OWA
> server must run an
> Exchange server and basically have full access to all
> your DCs.  Exposing
> OWA to the Internet is one of the worst things an
> organization can do.
> However, proxying the session at the edge of the
> network with a
> mediating device that first checks credentials
> before allowing access to
> the web server behind mitigates a lot of the
> problems.  Sure, you can
> still hack at the proxy device, but these appliances
> are usually much
> more secure than a Windows OS running a multitude of
> services to be
> exploited. Much like a firewall or router, the
> limited code base and
> services provided make them difficult to hack.   
> 
> The most secure design I've seen is from Whale
> Communications.  They
> actually have two devices.  One is "outside" and one
> is "inside".  The
> two devices are separated by an analog switching
> device that can only
> connect to one side at a time. Because it's analog,
> it can't be
> manipulated by taking over the external server. The
> "outside" server
> accepts URL requests and passively sends them inside
> where the URL is
> inspected.  If the credentials are validated and the
> URL passes the
> inspection list, then it is passed on to the target
> web server inside.
> This means even if you hack the outside server, the
> only thing you can
> do is pass URL requests to the inside server. 
> Because the URLs must
> pass a known list of valid URL formats on the
> inside, the ability to do
> harm or damage is severely limited.  The inside
> server is where the SSL
> certificate is stored and management takes place. 
> My only complaint for
> their design is that both servers are Win2k. The
> outside server does NOT
> run IIS, but I would still prefer something that
> doesn't require daily
> patching and excessive services.
> 
> -Shannon
> 
> 
> 
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com
> [mailto:vpn-admin at lists.shmoo.com] On
> Behalf Of Paul Cardon
> Sent: Friday, February 07, 2003 9:57 AM
> To: Keith
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] SSL "VPNs"
> 
> 
> Keith wrote:
> > There are 3rd party remote access security policy
> > management solutions that enforce desktop security
> > policy on the remote desktop before allowing
> > connections and possibly can be adapted to work
> > with SSL-VPNs (a 3rd party remote access policy
> > enforcement agent check before establishing the
> > SSL-based VPN connection, etc).
> 
> That's great except that now you are back to having
> to install an agent/client on the remote desktop
> which is exactly what most people deploying SSL VPNs
> are trying to avoid.  That is the problem.  There are
> fundamental security controls that can't be
> implemented at the remote desktop without an
> agent/client.  In my opinion that makes SSL VPNs
> unsuitable for any but very narrow applications with
> very restricted access to internal network resources.
> 
> > Webmail is, currently, probably the most popular
> > application for a "SSL-based" VPN. What's to
> > prevent someone from subverting a telecommuter's
> > webmail session today to, somehow, get into the
> > internal network today? Remote desktop security
> > management tools/techniques, i.e. personal
> > firewall/IDS, desktop a/v, etc.
> 
> I'm not sure that web mail with or without an SSL
> VPN is appropriate for some companies.  How would you
> feel about an executive on the planning committee of
> a top 5 financial institution reading e-mail about a
> yet to be announced merger/acquisition at an airport
> web kiosk?  The SSL VPN only protects that data in
> transit.  There is nothing to protect it on the web
> kiosk itself.  If that environment is compromised or
> the operator is hostile, that data is as good as
> disclosed.
> 
> -paul
> 
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
> 
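The inside-server step of the two-tier design Shannon describes above (check
credentials first, then forward only request lines whose method and
normalized path match a known list of valid URL formats), written out as an
added example. This is not Whale's or any vendor's code; the allowlist
patterns, the session table, the OWA-style paths and the sample request
lines are all constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Added example, not vendor code. The inside server only forwards a request
# if (a) the caller holds a valid session and (b) method + normalized path
# match a known-good pattern. Allowlist, sessions and samples are constructed.
ALLOWED = [
    ("GET",  re.compile(r"/exchange/[A-Za-z0-9._-]+/inbox/?")),
    ("GET",  re.compile(r"/exchange/[A-Za-z0-9._-]+/inbox/[A-Za-z0-9._-]+\.eml")),
    ("POST", re.compile(r"/exchweb/bin/auth/owaauth\.dll")),
    ("GET",  re.compile(r"/exchweb/img/[A-Za-z0-9._-]+\.(?:gif|png|css)")),
]
QUERY_OK = re.compile(r"[A-Za-z0-9=&._%~-]*")
MAX_REQUEST_LINE = 2048


def normalize_path(raw: str):
    """Decode once and canonicalize; return None for anything that looks
    like an attempt to smuggle a path past the allowlist."""
    once = unquote(raw)
    if unquote(once) != once:           # double-encoded (%252e -> %2e -> .)
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in once):
        return None                     # control characters / NUL in the path
    if "\\" in once or ".." in once.split("/"):
        return None                     # backslash tricks, dot-dot traversal
    cleaned = posixpath.normpath(once)  # collapse // and /./ segments
    if once.endswith("/") and not cleaned.endswith("/"):
        cleaned += "/"                  # normpath drops the trailing slash
    return cleaned


def inspect(request_line: str, allowed=ALLOWED):
    """Return (True, target_to_forward) or (False, reason)."""
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported HTTP version"
    if not target.startswith("/"):
        return False, "only origin-form targets are accepted"
    parsed = urlsplit(target)
    path = normalize_path(parsed.path)
    if path is None:
        return False, "path failed normalization"
    if not QUERY_OK.fullmatch(parsed.query):
        return False, "query contains disallowed characters"
    for allowed_method, pattern in allowed:
        if method == allowed_method and pattern.fullmatch(path):
            return True, path + ("?" + parsed.query if parsed.query else "")
    return False, f"{method} {path} is not on the allowlist"


def decide(request_line: str, session_id, sessions):
    """Credentials first, then the URL: what the inside server does with a
    request line handed over by the outside server."""
    if session_id not in sessions:
        return False, "no valid session"
    return inspect(request_line)


if __name__ == "__main__":
    SESSIONS = {"s1-alice"}             # constructed session table
    samples = [                         # constructed request lines
        "GET /exchange/alice/inbox/?Cmd=contents HTTP/1.1",
        "GET /exchange/alice/../../winnt/system32/cmd.exe HTTP/1.1",
        "GET /exchange/alice/%252e%252e/x HTTP/1.1",
        "GET http://inside.corp/exchange/alice/inbox/ HTTP/1.1",
        "GET /exchweb/bin/auth/owaauth.dll HTTP/1.1",
    ]
    for line in samples:
        print(decide(line, "s1-alice", SESSIONS), "<-", line)
    print(decide(samples[0], "bogus", SESSIONS))
```

The order of checks matters: the session is verified before any parsing
happens, so an unauthenticated caller never reaches the URL logic, and the
path is decoded exactly once and rejected if a second decode would change
it, which is what stops %252e%252e from becoming .. after the allowlist has
already passed it. Because the outside server in the design only hands over
request lines, this function is the whole attack surface a compromised
outside host gets to exercise.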



