[c-nsp] What does SSL VPN Devices offer?

Joe Horton jhorton at juniper.net
Mon Feb 20 14:38:57 EST 2006


There are areas within networks that a UTM device makes sense, and there are
areas where they don't.

There are products on the market which can do all of the items listed in a
single platform, some better than others, but anyone who says they can do it
at wirespeed is either lying or selling an incredibly expensive box.

You can just look at what is required for the different detection types and
see that.  For instance, proper AV scanning, not "network AV" (which really
is only a worm detection similar to IPS) requires the buffering and scanning
of full file structures, which requires protocol decode, buffering, etc.  To
do that at wirespeed would be nearly impossible.  But that doesn't mean
there isn't a use for it in the network for some locations.

Joe
 
Joe Horton
Systems Engineer, JNCIS-FWV, JNCIA-M, JNCIA-J
Juniper Networks
408-936-5102 Note New Office Number
972-529-8802 mobile
972 386-0190 Note New FAX
mailto://jhorton@juniper.net
 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joost greene
Sent: Monday, February 20, 2006 3:49 AM
To: sin
Cc: Asbjorn Hojmark - Lists; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] What does SSL VPN Devices offer?

Thanks to all who replied, I understand the major difference now.

There are a dozen other products off the top of my head: Cisco ASA,
Fortinet, Juniper boxes (Netscreen, SSG), Cisco routers with CBAC....

So it's confusing. I also see a lot of stuff done on one box (IDS, AntiVirus,
AntiSpam, Firewall, NAT..), so do they really perform with all this stuff
there and enabled at wire speed as claimed? It's a lot to be done on a packet
if you ask me.



On 2/19/06, sin <sin at imacandi.net> wrote:
>
> Brett Frankenberger wrote:
>
> > Except when it doesn't work, in which case working around the problem
> > ends up being much more work than just installing a traditional VPN
> > client in the first place.
> >
>
> SSL VPN is the new buzzword that vendors use to sell another appliance.
>
> It's just a proxypass/proxypass reverse apache like thingie that also
> does ssl termination and has a "wizard" that sets the whole contraption up.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>