[VPN] IPSEC and Clientless VPN

shannong shannong at texas.net
Wed Jan 15 22:28:29 EST 2003


Of course, this is not a clientless VPN in that it requires an ssh
CLIENT.  Only some *nix platforms, like linux, provide an SSH client as
part of the default install.  Windows has no such client or option for
install.  SSH clients can be installed obviously from other vendors,
but then that would not really be clientless.  Considering that 90% of
the "clients" in the world are Windows, this solution doesn't go very
far to meeting this gentleman's request of a clientless VPN.
Furthermore, it requires client-side configuration for port forwarding.

SSL and SSH both lack the data authentication methods of IPSec.  Notice
that data authentication is not the same as data encryption.  SSH, SSL
and DES/3DES are vulnerable to birthday attacks and other such session
hijacking methods to inject data.  That is why IPSec employs data
authentication along with data encryption.

Ignoring that, I use SSH for port forwarding all the time!  Too bad
Windows desktops don't support ssh.  There are even SSH servers for
Windows that will allow you to port forward across ssh.

As he mentioned, he'll lose packet inspection, filtering, virus
scanning, and IDS at the firewall if the encryption occurs from client
directly to server rather than at the ingress point of the network.

-Shannon
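The distinction Shannon draws above between data authentication (integrity) and data encryption is the core point of this reply, so here is an added worked example that is not code from any poster in this thread. It shows why an encryption-only channel lets an on-path attacker inject or rewrite data by flipping ciphertext bits without knowing the key, and how a separate MAC computed over the ciphertext (the encrypt-then-MAC layout that IPsec ESP uses for its integrity check value) rejects the tampered packet. The keystream generator, keys, nonce and the message layout are assumptions made for this illustration only; the malleability shown applies to any unauthenticated stream or CBC-mode cipher.

```python
import hashlib
import hmac
import os
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream (assumed for this example, not a real cipher):
    HMAC-SHA256 run in counter mode over a per-message nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption with no integrity protection: plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


# XOR with the same keystream is its own inverse.
decrypt_only = encrypt_only


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's bit-flip: without the key, turn the plaintext bytes at
    `offset` from `old` into `new` by XORing the difference into the
    ciphertext (c' = c XOR old XOR new)."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    """Encrypt, then authenticate nonce || ciphertext with a separate MAC key."""
    ct = encrypt_only(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes,
                       ct: bytes, tag: bytes):
    """Check the MAC before decrypting; return None (drop the packet) on failure."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_only(enc_key, nonce, ct)


def demo():
    """Run the injection against both channels and return
    (plaintext the victim sees without a MAC,
     result with a MAC on the tampered packet,
     result with a MAC on the untouched packet)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    # Constructed sample message; the attacker is assumed to know its layout
    # (amount field at offset 9, 7 digits) but not the keys.
    msg = b"TRANSFER 0000100 USD TO ACCT 4711"

    # 1. Encryption only: the flipped bits land exactly where the attacker wants.
    ct = encrypt_only(enc_key, nonce, msg)
    forged = tamper(ct, 9, b"0000100", b"9999999")
    injected = decrypt_only(enc_key, nonce, forged)

    # 2. Encryption plus MAC: the same flip invalidates the tag and is dropped.
    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    forged2 = tamper(ct2, 9, b"0000100", b"9999999")
    rejected = verify_and_decrypt(enc_key, mac_key, nonce, forged2, tag)
    accepted = verify_and_decrypt(enc_key, mac_key, nonce, ct2, tag)
    return injected, rejected, accepted


if __name__ == "__main__":
    injected, rejected, accepted = demo()
    print("no MAC, after tampering :", injected)
    print("with MAC, after tampering:", rejected)
    print("with MAC, untouched      :", accepted)
```

The MAC key is deliberately separate from the encryption key, and the tag is checked with a constant-time comparison before any decryption happens, which is the ordering a receiver should follow so that a forged packet never reaches the decryptor or the application.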

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
Behalf Of James McNeill
Sent: Tuesday, January 14, 2003 8:04 PM
To: Richard Ginski; vpn at lists.shmoo.com
Subject: Re: [VPN] IPSEC and Clientless VPN


The easiest way I've ever seen to make a clientless VPN is to use PPP
over SSH. This isn't viable in all scenarios, but it offers an easy way
to make a well encrypted VPN without an actual client program. This
howto covers it in more detail:

http://www.tldp.org/HOWTO/VPN-HOWTO/index.html

There exist some scripts around the place to make this work quite
seamlessly.

HTH

-James


| I am being asked to consider accepting clientless VPNs (via SSL) as a
| replacement to our IPSEC implementation.
|
| Currently, we have an IPSEC solution that provides, among other
| security implementations, ip tunneling (hiding internally assigned ip
| addresses while communicating to a VPN gateway.) The IP tunnelling
| provides an extra layer of protection in that once packets are
| decrypted at the gate, the firewall can then control the internal ip
| addresses (non-public) that have been tunnelled. I am concerned about
| losing this layer of protection.
|
| Granted, clientless VPNs provide an easy way to have remote users
| access protected IT resources, because you don't have to mess with a
| client installation.
|
| I am not looking for a conceptual answer here. However, I would like
| to know if anyone else has wrestled with IPSEC vs Clientless VPN (ssl)
| and what they concluded.
|
| TIA
|
| _______________________________________________
| VPN mailing list
| VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn
|
