Re: [fw-wiz] Prohibiting SSL VPNs

From: Frederick M Avolio (fred_at_avolio.com)
Date: 05/21/04

  • Next message: Melson, Paul: "RE: [fw-wiz] Prohibiting SSL VPNs"
    To: John Kougoulos <koug@intranet.gr>, firewall-wizards@honor.icsalabs.com
    Date: Fri, 21 May 2004 14:27:06 -0400
    
    

    At 01:40 PM 5/20/2004 +0300, John Kougoulos wrote:
    >...
    >Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
    >like the one offered by F5 (Firepass), since this requires only the
    >ability for the client to make an https connection (bypassing any kind of
    >firewall/proxy)? Since this product (or any similar) creates some kind of
    >PPP connection over https, installs routes on the PC etc. it will create a
    >lot of problems. (see also: Worms, Air Gaps etc)
    >...

    Generally speaking, SSL VPNs require authentication and then provide access
    control. IE, to call itself a "VPN" and SSL device has to do more than just
    do SSL (or TLS) encryption and server authentication. It has to also
    provide access control. Firepass, for example, supports strong
    authentication and access control and passed ICSA Labs SSL VPN certification.

    But, to answer your question, rather than just suggest it is based on a
    false premise, you could 1) write a policy that outlaws their use and 2)
    disallow SSL or TLS through the firewall (or other intrusion prevention
    device).

    DISCLOSURE: I've done consulting work for SSL VPN vendors in the past
    (writing papers for Aventail and Whale Communications) and consult for ICSA
    Labs in the SSL-TLS Consortium program.

    Fred
    Avolio Consulting, Inc.
    URL: http://www.avolio.com/
    Weblog: http://www.avolio.com/weblog/
    AIM: fmavolio, Yahoo Messenger: avolio, MSN Messenger: fred@avolio.com
    PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
                             BBF6 0B45 93C7 3521 CEA0

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Melson, Paul: "RE: [fw-wiz] Prohibiting SSL VPNs"