[unisog] SSL Based VPNs?

Steven Lee sl8c at unix.mail.virginia.edu
Sun Sep 28 07:50:48 GMT 2003


We use Smartgate as a VPN solution for satellite users.  They have a Java client 
but we just use the client side app.  Small download from the server, easy 
install.  Hardware is cheap.  We run on a Dell workstation for ~20 users. 
Software and licenses were a couple of grand.  Bought it about a year ago so 
kinda fuzzy on the amount.  Authenticates well off a Radius token server, which 
a Cisco IPSec VPN concentrator also authenticates against.  Has a session timeout.

Like mentioned previously, SSL solutions don't have the management features 
IPSec solutions do.  Terminal sessions weren't considered when the product was 
bought but RDP works fine.  Not having ICMP is a pain, as is the inability to 
change the client's DNS and WINS servers which will be a pain when we stop using 
NAT.  No Windows file sharing.

Our networks group manages the VPNs and they prefer IPSec since it has better 
client management options.  Especially since we're using private IPs and the 
Cisco client has an integrated firewall.  I like Smartgate because I can 
download it quick and use it from anywhere.

Steven

Darden, Patrick S. wrote:
> SSL VPN Security Problems:
> 	-no way to check to see if client pc has antivirus
> 	-no way to idle timeout (e.g. in an internet cafe, if a user forgets
> to logout)
> 	-no way to keep passwords from being saved (e.g. in an airport
> kiosk, on IE)
> 
> Other Cons:
> 	-Neoteris is imho Expensive
> 	-you must purchase a special module for each application to be
> tunnelled (e.g. outlook-->exchange, terminal sessions, etc.)
> 	-severe limitations on available modules
> 
> Netilla looks like a better alternative to me.  Cheaper (active/passive
> cluster with all modules for 150 simultaneous users costs about half as much
> as a Neoteris solution).  Is able to tunnel *all* IP protocols via their
> tunnel module.  Their proxy modules are sane.  They also stated to me that
> their next version is due in November, and will address all the security
> concerns stated above.
> 
> OTOH, Neoteris has active/active clustering, so they have load balancing and
> slightly better clustering than Netilla.
> 
> IPSEC solutions are better for specific circumstances:
> 	-branch office, network to network solutions
> 	-when you need more control over remote PCs (e.g. most clients have
> centrally controlled settings such as on/off for split tunnelling, checking
> for antivirus, minimum client versions, idle timeouts, checking for a
> personal firewall, etc.)
> 
> SSL solutions are GREAT when you need minimum security controls because your
> users are skilled and knowledgeable folks.  Or, on the other hand, when they
> are idiots who need a simple clientless solution and you don't need the
> controls an IPSEC solution gives you.
> 
> --Patrick Darden
> 
> 
> -----Original Message-----
> From: Phil.Rodrigues at uconn.edu [mailto:Phil.Rodrigues at uconn.edu]
> Sent: Thursday, September 25, 2003 5:31 PM
> To: unisog at sans.org
> Subject: [unisog] SSL Based VPNs?
> 
> 
> Hi all,
> 
> Does anyone have any experience with SSL-based VPNs?  We were considering 
> a traditional IPSEC based VPN, but have been testing SSL-based products 
> from Neoteris and Nokia (their Secure Access System).  So far they look 
> promising, especially with zero client installs, but there are some 
> limitations.  (I can elaborate these limitations if no one else has any 
> experience with these - that seems helpful.)
> 
> Has anyone else tested these recently in their networks?  Has anyone made 
> the plunge and purchased one of these (type of) products?
> 
> Thanks,
> 
> Phil
> 
> =======================================
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
> 
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu
> =======================================
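The thread's recurring complaint is that the SSL VPN products of the day had no idle timeout, so a session forgotten in an internet cafe or airport kiosk stayed live until someone else found it. The following is an added example, not code from the thread or from Smartgate, Neoteris or Netilla: a minimal gateway-side session table that enforces both an idle timeout and an absolute lifetime, with a sweeper for sessions nobody touches again. All names (`SessionTable`, `touch`, `sweep`, `FakeClock`) and the timeout values are hypothetical; the clock is injected so the behaviour can be shown offline.

```python
"""Added example: idle and absolute session timeouts for a web-based VPN gateway.
Not from the unisog thread or any vendor product; names and values are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import secrets


@dataclass
class Session:
    user: str
    created_at: float   # absolute lifetime is measured from here
    last_seen: float    # idle timeout is measured from here


class SessionTable:
    """Server-side session store. Expiry is decided on the server, so a browser
    left open (or a saved cookie) cannot keep a session alive on its own."""

    def __init__(self, idle_timeout: float, absolute_timeout: float,
                 clock: Callable[[], float]):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock                 # injected for testability
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue an unguessable token after successful authentication."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_seen > self.idle_timeout
                or now - s.created_at > self.absolute_timeout)

    def touch(self, token: str) -> Optional[str]:
        """Validate a request. Returns the user name if the session is live,
        otherwise None; an expired session is removed on first sight."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def sweep(self) -> int:
        """Drop expired sessions that no request has touched; returns the count."""
        now = self.clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)


class FakeClock:
    """Constructed clock so the demo runs without waiting real time."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock(1_000_000.0)
    table = SessionTable(idle_timeout=600, absolute_timeout=8 * 3600, clock=clock)

    # Idle expiry: a session left open in a kiosk browser dies after 10 min of silence.
    tok = table.login("alice")
    clock.advance(300)
    first = table.touch(tok)        # still live -> "alice"
    clock.advance(601)
    second = table.touch(tok)       # idle limit exceeded -> None

    # Absolute expiry: traffic every 500 s keeps the session idle-fresh,
    # but the 8 h lifetime still cuts it off (57 live touches, the 58th fails).
    tok2 = table.login("bob")
    live = 0
    for _ in range(60):
        clock.advance(500)
        if table.touch(tok2) == "bob":
            live += 1

    # sweep() removes an expired session that no request ever touched again.
    table.login("carol")
    clock.advance(700)
    swept = table.sweep()
    return {"first": first, "second": second, "bob_live_touches": live, "swept": swept}


if __name__ == "__main__":
    print(demo())
```

The two limits do different jobs: the idle timeout covers the forgotten-session case the thread describes, while the absolute lifetime bounds how long a stolen or saved token stays usable even under steady traffic. Both checks live on the gateway, which is the point; a client-side timer in the browser gives no protection once the user has walked away.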



