Date: Fri, 07 Feb 2003 10:57:05 -0500
From: Paul Cardon <paul@moquijo.com>
To: Keith <kpasley6@comcast.net>
Cc: "vpn@lists.shmoo.com" <vpn@lists.shmoo.com>
Subject: Re: [VPN] SSL "VPNs"

Keith wrote:
> There are 3rd party remote access security policy management solutions
> that enforce desktop security policy on the remote desktop before
> allowing connections and possibly can be adapted to work with
> SSL-VPNs (a 3rd party remote access policy enforcement agent check
> before establishing the SSL-based VPN connection, etc.).

That's great except that now you are back to having to install an agent/client on the remote desktop which is exactly what most people deploying SSL VPNs are trying to avoid. That is the problem. There are fundamental security controls that can't be implemented at the remote desktop without an agent/client. In my opinion that makes SSL VPNs unsuitable for any but very narrow applications with very restricted access to internal network resources.

> Webmail is, currently, probably the most popular application for an
> "SSL-based" VPN. What's to prevent someone from subverting a
> telecommuter's webmail session today to, somehow, get into the internal
> network? Remote desktop security management tools/techniques,
> i.e. personal firewall/IDS, desktop a/v, etc.

I'm not sure that webmail, with or without an SSL VPN, is appropriate for some companies. How would you feel about an executive on the planning committee of a top 5 financial institution reading e-mail about a yet-to-be-announced merger/acquisition at an airport web kiosk? The SSL VPN only protects that data in transit. There is nothing to protect it on the web kiosk itself. If that environment is compromised or the operator is hostile, that data is as good as disclosed.

-paul