[fw-wiz] Re: FirePass questions

From: Joseph Steinberg (joseph@whale-com.com)
Date: 02/18/03

    From: "Joseph Steinberg" <joseph@whale-com.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 18 Feb 2003 14:05:32 -0500
    

    So-called "SSL VPNs" (such as the product that you mention) can be
    deployed securely, but doing so requires addressing many concerns,
    not only the issue you refer to of "punching a hole through
    your firewall" (which is obviously a serious problem), but also
    the problem of people accessing from insecure locations such as
    Internet kiosks and leaving the browser cache, temporary files, and
    other data on machines that subsequent users can access.

    Whale has been in the business of offering secure SSL VPNs for almost
    two years, and whether you want to use our product or someone else's,
    you probably want to read the white paper available on our web site
    (http://www.whalecommunications.com/whitepapers)
    that discusses the security issues surrounding deploying SSL VPNs.

    Joseph Steinberg
    Director of Technical Services
    Whale Communications

    In response to:
    Date: Fri, 14 Feb 2003 10:37:46 -0600
    To: firewall-wizards@honor.icsalabs.com
    From: john.smith@minolta-qms.com
    Subject: [fw-wiz] FirePass questions

    Greetings Everyone,

            I've searched through the 2002 and 2003 Bugtraq, Firewall Wizards and VPN
    lists and not come up with anything.

            A group within our company is looking at the FirePass appliance
    (www.uroam.com). The appliance appears to work by punching a hole through
    your firewall and offers a whole range of services.

            My opinion is that this is a *very* bad thing:

            a) The group wants connectivity from a large enough number of locations
    that filtering would be next to impossible, if not impossible, therefore we
    would have to allow access to it from the whole world.
            b) We would eliminate the firewall from the security equation.
            c) We would be depending on the security of the appliance to protect the
    corporation, and it is designed to *grant* access, not prevent or deny it.

            My questions:

            1) Does anyone have any experience with the FirePass?
            2) Is there a way to securely offer access to this box?
            3) Am I totally off base in my above assumptions and my analysis of the
    appliance?

            Chances are I will be required to install this box. In this case the
    middle ground I am shooting for is only granting access to the box via VPN
    (even though they are eliminating 'traditional' VPN from the picture
    according to their literature). We already use VPN, so to me only allowing
    external access through the VPN is a trade-off - our security stance is no
    worse than it was before.

            Thanks for all your help.

    js

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
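
Steinberg's kiosk point (browser cache, temporary files and other data left
behind on a shared machine) is one a gateway operator can check mechanically.
The following is an added example and is not code from the thread, from Whale
or from the FirePass vendor: a small Python audit of the response headers a
reverse proxy or SSL VPN returns, flagging anything a kiosk browser would keep
after the user walks away. The two sample responses and their header values
are constructed for illustration, not captured from any product.

```python
"""Audit HTTP response headers for data that would persist on a shared kiosk browser.

Added example for the fw-wiz thread above; it is not code from Whale, uRoam/FirePass
or anyone on the list. The two sample responses below are constructed, not captured.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Return the lowercase directive names in a Cache-Control header value."""
    names = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def expires_is_stale(value):
    """True if an Expires value marks the response as already expired.

    Accepts the conventional '0' / '-1' as well as any HTTP date in the past.
    An empty or unparseable value is treated as not stale (i.e. a finding).
    """
    text = value.strip()
    if text in ("0", "-1"):
        return True
    try:
        when = parsedate_to_datetime(text)
    except (TypeError, ValueError, IndexError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)


def audit_response_headers(headers):
    """Return a list of findings; an empty list means nothing should outlive the session.

    headers: dict of header name -> value. Set-Cookie may be a list of values.
    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HTTP/1.1 caches: only no-store keeps the body off the disk cache.
    directives = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: the body may be written to the disk cache")
    # HTTP/1.0 caches and old browsers honour Pragma and Expires instead.
    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache is missing: HTTP/1.0 caches may keep the response")
    if not expires_is_stale(lower.get("expires", "")):
        findings.append("Expires is missing or in the future: legacy browsers may reuse the page")

    # A forced download lands in the kiosk's download directory, outside any cache policy.
    if "attachment" in lower.get("content-disposition", "").lower():
        findings.append("Content-Disposition: attachment forces a file into the kiosk's download folder")

    # A cookie with Expires or Max-Age is written to disk and survives closing the browser.
    cookies = lower.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "expires" in attrs or "max-age" in attrs:
            findings.append("Set-Cookie %s is persistent: it survives closing the browser" % name)
    return findings


# Constructed sample responses (not from any real appliance).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Cache-Control": "private, max-age=600",
    "Set-Cookie": "session=abc123; Path=/; Expires=Wed, 21 Oct 2030 07:28:00 GMT",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
}


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response_headers(response)
        print("%s: %d finding(s)" % (label, len(findings)))
        for finding in findings:
            print("  - " + finding)
```

Run as a script it reports four findings for the weak response and none for
the hardened one. In practice the headers would come from an HTTP client
pointed at the gateway, and the gateway itself should stamp the hardened set
on every authenticated response. Headers only address what the browser is
told to keep; history, form autocomplete and swap files on the kiosk are
outside their reach, which is why the insecure-location problem is more than
a header-configuration issue.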
