[c-nsp] What does SSL VPN Devices offer?

Tim Franklin tim at colt.net
Mon Feb 20 04:37:42 EST 2006


> > The primary advantage of SSL VPN is that it's client-less.
> 
> Unless, of course, you want to do anything with it other than proxy
> HTTP, in which case "client-less" really means "an activeX or Java
> client gets downloaded on demand and might or might not work depending
> on a whole bunch of variables."

There are some fun variables here.

If it's a "corporate" computer, does your IT policy permit your web browser
to download and install a network shim layer?  Do your regular user accounts
have enough privilege to install a shim?  If so, why?

If it's a random Internet-café PC, do you really trust that there's no
keylogger already installed?  Regardless of how secure the network
connection has become, it doesn't help if you're sniffing at source.

"Clientless VPN" is a whole lot of smoke and mirrors.

The big win for SSL VPN, as far as I can see from investigation so far, is
that it gets you round the numerous ISPs and corporate networks you might be
visiting who block some combination of ESP, AH and ISAKMP.  The former in an
attempt to sell you "business" Internet at a huge premium if you want to do
anything other than look at the web (which is deliberately misleading
marketing, in terms of selling "Internet" access), the latter presumably in
the interest of stopping internal data leaking out (which is a bit more
valid).

Regards,
Tim.

-- 
____________   Tim Franklin                 e: tim at colt.net 
\C/\O/\L/\T/   Product Engineering Manager  w: www.colt.net 
 V  V  V  V    Managed Data Services        t: +44 20 7863 5714 
Data | Voice | Managed Services             f: +44 20 7863 5876  




