Date: Sat, 8 Feb 2003 12:43:34 -0600
From: shannong <shannong@texas.net>
To: "vpn@lists.shmoo.com" <vpn@lists.shmoo.com>
Subject: RE: [VPN] SSL "VPNs"


I definitely don't like the idea of unsecured clients using a SOCKS proxy client to gain entrance to an internal network. Most vendors use a Java applet to provide the SOCKS proxy for remote access. This means an absent-minded user could leave an open hole to the network at any public station. Spooky!

If we drop the name "SSL-based VPN", I do like the use of such solutions for providing remote access to web applications ONLY. Deploying browser-based access to web applications to the Internet is CRAZY! The worst example that comes to mind is OWA 2000. The OWA server must run an Exchange server and basically have full access to all your DCs. Exposing OWA to the Internet is one of the worst things an organization can do. However, proxying the session at the edge of the network with a mediating device that first checks credentials before allowing access to the web server behind mitigates a lot of the problems. Sure, you can still hack at the proxy device, but these appliances are usually much more secure than a Windows OS running a multitude of services to be exploited. Much like a firewall or router, the limited code base and services provided make them difficult to hack.

The most secure design I've seen is from Whale Communications. They actually have two devices. One is "outside" and one is "inside". The two devices are separated by an analog switching device that can only connect to one side at a time. Because it's analog, it can't be manipulated by taking over the external server. The "outside" server accepts URL requests and passively sends them inside where the URL is inspected. If the credentials are validated and the URL passes the inspection list, then it is passed on to the target web server inside. This means even if you hack the outside server, the only thing you can do is pass URL requests to the inside server. Because the URLs must pass a known list of valid URL formats on the inside, the ability to do harm or damage is severely limited. The inside server is where the SSL certificate is stored and management takes place. My only complaint about their design is that both servers are Win2k. The outside server does NOT run IIS, but I would still prefer something that doesn't require daily patching and excessive services.

-Shannon
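
The inside-server step described in the message above (credentials checked first, then the URL matched against a known list of valid URL formats) can be illustrated as follows. This is an added example, not part of the original message and not Whale Communications' code; the paths, parameter names and the `inspect` function are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Constructed list of valid URL formats: (method, regex the whole decoded path
# must match, query parameter names permitted on that path). Paths are hypothetical.
USER = r"[a-z0-9._-]{1,64}"
ALLOWED = [
    ("GET",  re.compile(rf"/mail/{USER}/inbox/"),              {"page", "sort"}),
    ("GET",  re.compile(rf"/mail/{USER}/inbox/[0-9]{{1,10}}"), set()),
    ("POST", re.compile(rf"/mail/{USER}/drafts/"),             {"action"}),
]
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{0,32}")

def inspect(method, raw_url, credentials_ok):
    """Return (allowed, reason) for one request relayed from the outside server."""
    if not credentials_ok:
        return False, "credentials not validated"
    parts = urlsplit(raw_url)
    if parts.scheme or parts.netloc or parts.fragment:
        return False, "only origin-form paths are accepted"
    # Decode once; anything still encoded, traversing or non-printable is refused.
    path = unquote(parts.path)
    if "%" in path or "\\" in path or ".." in path.split("/"):
        return False, "path fails normalisation checks"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in path):
        return False, "path fails normalisation checks"
    for allowed_method, pattern, allowed_params in ALLOWED:
        if method == allowed_method and pattern.fullmatch(path):
            for name, value in parse_qsl(parts.query, keep_blank_values=True):
                if name not in allowed_params or not SAFE_VALUE.fullmatch(value):
                    return False, f"query parameter {name!r} not permitted"
            return True, "forward to target web server"
    return False, "URL not on the list of valid formats"

if __name__ == "__main__":
    # Constructed sample requests, as the outside server might relay them.
    samples = [
        ("GET", "/mail/alice/inbox/?page=2", True),
        ("GET", "/mail/alice/inbox/", False),
        ("GET", "/mail/alice/inbox/..%2f..%2fadmin", True),
        ("POST", "/mail/alice/inbox/", True),
        ("GET", "/mail/alice/inbox/?debug=1", True),
    ]
    for method, url, creds in samples:
        print(method, url, "->", inspect(method, url, creds))
```

Everything that fails to match is dropped by default, so a compromised outside server can relay only requests the list already permits.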