[unisog] SSL Based VPNs?

Darden, Patrick S. darden at armc.org
Fri Sep 26 12:16:25 GMT 2003


SSL VPN Security Problems:
	-no way to check to see if client pc has antivirus
	-no way to idle timeout (e.g. in an internet cafe, if a user forgets
to logout)
	-no way to keep passwords from being saved (e.g. in an airport
kiosk, on IE)

Other Cons:
	-Neoteris is imho Expensive
	-you must purchase a special module for each application to be
tunnelled (e.g. outlook-->exchange, terminal sessions, etc.)
	-severe limitations on available modules

Netilla looks like a better alternative to me.  Cheaper (active/passive
cluster with all modules for 150 simultaneous users costs about half as much
as a Neoteris solution).  Is able to tunnel *all* IP protocols via their
tunnel module.  Their proxy modules are sane.  They also stated to me that
their next version is due in November, and will address all the security
concerns stated above.

OTOH, Neoteris has active/active clustering, so they have load balancing and
slightly better clustering than Netilla.

IPSEC solutions are better for specific circumstances:
	-branch office, network to network solutions
	-when you need more control over remote PCs (e.g. most clients have
centrally controlled settings such as on/off for split tunnelling, checking
for antivirus, minimum client versions, idle timeouts, checking for a
personal firewall, etc.)

SSL solutions are GREAT when you need minimum security controls because your
users are skilled and knowledgeable folks.  Or, on the other hand, when they
are idiots who need a simple clientless solution and you don't need the
controls an IPSEC solution gives you.

--Patrick Darden


-----Original Message-----
From: Phil.Rodrigues at uconn.edu [mailto:Phil.Rodrigues at uconn.edu]
Sent: Thursday, September 25, 2003 5:31 PM
To: unisog at sans.org
Subject: [unisog] SSL Based VPNs?


Hi all,

Does anyone have any experience with SSL-based VPNs?  We were considering 
a traditional IPSEC based VPN, but have been testing SSL-based products 
from Neoteris and Nokia (their Secure Access System).  So far they look 
promising, especially with zero client installs, but there are some 
limitations.  (I can elaborate these limitations if no one else has any 
experience with these - that seems helpful.)

Has anyone else tested these recently in their networks?  Has anyone made 
the plunge and purchased one of these (type of) products?

Thanks,

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================



More information about the unisog mailing list