[c-nsp] What does SSL VPN Devices offer?

Joe Horton jhorton at juniper.net
Mon Feb 20 14:35:37 EST 2006

A few comments.

SSL VPN is probably the most misunderstood VPN available today.  Yes,
client-less VPN is a total farce.  Any vendor who tells you otherwise is
flat out lying to you.  How else do you get a fat client on a PC to utilize
a "tunnel" of some type, unless you put something on the client.

The really big benefit to SSL VPNs is the ubiquity of access.  You don't
have to have your corporate laptop to gain some level of access.  And yes,
there are always concerns about keyloggers, etc.  That is why it is critical
to pick a product which properly handles that situation.

Today, there are two basic methods of picking an SSL solution.

#1 - Simply replace an existing IPSec solution.  This is typically driven by
the issues mentioned by another poster with getting access out of their
party networks, and the growing occurrence of carriers (and especially
hotels, etc) to block everything except 53, 80, and 443.  If this is the path
you want, then many of the SSL VPN products (ours included) give you the
ability to load a network adapter (or something similar) on the remote
device and you get access very similar to IPSec. In this case, you would
most definitely want to limit access to trusted devices.

#2 - Deploy an access management system which gives you the ability to
securely permit access into your network by employees, contractors,
partners, customers, etc, etc. In this case, the functionality of the device
in the area of access control granularity would be a major feature.  This
extends to the ability to take a footprint of the remote device.  You
obviously would want to limit network based connectivity from third parties
into your network, and totally network level access from untrusted entities,
such as kiosks.  So you need the ability to scan the remote device and
authenticate the user so that you grant them the appropriate level of
access.  For example:

If the user is connecting from a trusted company-owned asset which is running
the acceptable AV and FW, then give it a network level connection, while
firewalling that user to areas he only needs access to.

If the user is connecting from a non-trusted asset, then limit his access
to only web based apps appropriate for that access, such as webmail, and
block the user's ability to transmit attachments (both download and upload).

Or any level of access in between.

Lastly, to the comment about keyloggers, that is a serious concern and
should be addressed via two-factor auth, or through the use of some type of
clickable auth interface which cannot be logged.  Or through the use of
dynamically loaded keylogger/spyware/malware detection engines, or all of
the above.

Many of the solutions on the market provide these types of features (of
course I feel ours is strongest), but SSL does deserve a proper examination
by any company or person based upon their needs and requirements.

Joe Horton
Systems Engineer
Juniper Networks
408-936-5102 Note New Office Number
972-529-8802 mobile
972 386-0190 Note New FAX

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Franklin
Sent: Monday, February 20, 2006 3:38 AM
To: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] What does SSL VPN Devices offer?

> > The primary advantage of SSL VPN is that it's client-less.
> Unless, of course, you want to do anything with it other than proxy
> HTTP, in which case "client-less" really means "an activeX or Java
> client gets downloaded on demand and might or might not work depending
> on a whole bunch of variables."

There are some fun variables here.

If it's a "corporate" computer, does your IT policy permit your web browser
to download and install a network shim layer?  Do your regular user accounts
have enough privilege to install a shim?  If so, why?

If it's a random Internet-café PC, do you really trust that there's no
keylogger already installed?  Regardless of how secure the network
connection has become, it doesn't help if you're sniffing at source.

"Clientless VPN" is a whole lot of smoke and mirrors.

The big win for SSL VPN, as far as I can see from investigation so far, is
that it gets you round the numerous ISPs and corporate networks you might be
visiting who block some combination of ESP, AH and ISAKMP.  The former in an
attempt to sell you "business" Internet at a huge premium if you want to do
anything other than look at the web (which is deliberately misleading
marketing, in terms of selling "Internet" access), the latter presumably in
the interest of stopping internal data leaking out (which is a bit more


____________   Tim Franklin                 e: tim at colt.net 
\C/\O/\L/\T/   Product Engineering Manager  w: www.colt.net 
 V  V  V  V    Managed Data Services        t: +44 20 7863 5714 
Data | Voice | Managed Services             f: +44 20 7863 5876  

cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/