Date: Tue, 11 Feb 2003 12:27:01 -0800
From: "" <>
To: Tina Bird <>
Subject: Re: [VPN] SSL "VPNs"

Hi Tina,

Yah, the "SSL VPN" space has gotten a lot of attention and a lot of hype, and it's a bit different from the sorts of solutions that usually get discussed on your mailing list.

FYI, you're right that there are essentially three classes of Aventail access (web browser, thin Java client, and fat Windows-app client.) The fat client is capable of handling UDP (although I think there are a few apps known to not work.) The fat client also can be configured to intercept all traffic and prevent a "split tunnel" if desired. I'm not sure about the other vendors you mentioned.

In the Web-only environment, you're certainly right that a savvy admin can just activate SSL and use it. Where things get trickier is where you don't have 1 internal web server, but you have dozens, all running on different machines with different software and managed by different departments. An HTTPS reverse proxy can be one way to impose a single point for controlling encryption, authentication, and access. It's a little like IPSEC tunnels; end-to-end isn't always the right thing for an IPSEC deployment either, even if the software to do it already exists on both peers.

Anyway, it prompted some interesting discussion. I agree with a lot of it -- when using Java for thin-client VPNs was first being hyped, I remember hearing Scott McNealy talk about how he wouldn't need to carry a laptop anymore, because he could read his email with any web kiosk or an Internet browser built into the TV of his hotel room. I hope he meant that it would be OK for people who are not the heads of large public corporations with fierce competitors. :-)

- Marc
Marc VanHeyningen
Internet Security Architect
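
[Editor's note: the sketch below is an added example of the "HTTPS reverse proxy as a single point of encryption, authentication and access control" idea in the message above. It is not Aventail's or any vendor's code, nor Marc's. The hostnames, users, groups and the path-to-backend map are made up for illustration; the certificate file name is an assumption.]

```python
"""
Minimal HTTPS reverse proxy: one TLS endpoint, one place where users are
authenticated, and one access-control policy, in front of several plain-HTTP
internal web servers run by different departments.  Added example, not vendor
code.  Everything under BACKENDS, ACL and USERS is constructed for illustration.
"""
import base64
import hmac
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed: first path segment -> internal server.  Each backend can run
# different software on a different box; only the proxy faces the outside.
BACKENDS = {
    "hr":      ("hr-web.internal.example", 80),
    "eng":     ("wiki.eng.internal.example", 8080),
    "finance": ("fin-app.internal.example", 80),
}

# Constructed ACL: which groups may reach which backend.
ACL = {
    "hr":      {"hr-staff", "admins"},
    "eng":     {"engineers", "admins"},
    "finance": {"finance", "admins"},
}

# Constructed user store: name -> (password, groups).  A real deployment
# would consult a directory or token service here; this is the one point
# where credentials are checked, so no backend has to do it itself.
USERS = {
    "alice": ("alice-pw", {"engineers"}),
    "bob":   ("bob-pw",   {"hr-staff"}),
    "root":  ("root-pw",  {"admins"}),
}


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (used by clients/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(auth_header):
    """Return the user name for a valid Basic header, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    entry = USERS.get(user)
    if entry is None:
        return None
    # Constant-time compare so a wrong password does not leak by timing.
    if not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return user


def route(path, user):
    """Apply the access policy to an authenticated user's request.

    Returns (status, backend, backend_path): status 200 means forward to
    backend with backend_path; 403 means the user's groups are not allowed
    on that application; 404 means no application owns that path prefix.
    """
    parts = urlsplit(path)
    segs = parts.path.split("/", 2)          # '/eng/wiki/X' -> ['', 'eng', 'wiki/X']
    app = segs[1] if len(segs) > 1 else ""
    if app not in BACKENDS:
        return 404, None, None
    if not (USERS[user][1] & ACL[app]):
        return 403, None, None
    rest = "/" + segs[2] if len(segs) > 2 else "/"
    if parts.query:
        rest += "?" + parts.query
    return 200, BACKENDS[app], rest


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        user = authenticate(self.headers.get("Authorization"))
        if user is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="intranet"')
            self.end_headers()
            return
        status, backend, rest = route(self.path, user)
        if status != 200:
            self.send_error(status)
            return
        host, port = backend
        # Strip the user's credentials before forwarding; the backend learns
        # only who the proxy authenticated, via X-Forwarded-User.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("authorization", "host")}
        headers["Host"] = host
        headers["X-Forwarded-User"] = user
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", rest, headers=headers)
        resp = conn.getresponse()
        body = resp.read()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection"):
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # TLS is terminated once, here; backends stay plain HTTP inside.
    server = ThreadingHTTPServer(("0.0.0.0", 8443), ProxyHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("proxy.pem")   # assumed: the proxy's cert + key
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    server.serve_forever()
```

The point of splitting authenticate() and route() out of the handler is that the policy (who may reach which internal server) lives in one auditable place, which is exactly the advantage the message claims over switching on SSL separately on dozens of departmental servers. The trade-off the message also notes applies here: traffic between the proxy and the backends is plaintext, so this design only makes sense where that internal segment is trusted.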