Re: [fw-wiz] Prohibiting SSL VPNs

From: Frederick M Avolio (
Date: 05/21/04

  • Next message: Melson, Paul: "RE: [fw-wiz] Prohibiting SSL VPNs"
    To: John Kougoulos <>,
    Date: Fri, 21 May 2004 14:27:06 -0400

    At 01:40 PM 5/20/2004 +0300, John Kougoulos wrote:
    >Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
    >like the one offered by F5 (Firepass), since this requires only the
    >ability for the client to make an https connection (bypassing any kind of
    >firewall/proxy)? Since this product (or any similar) creates some kind of
    >PPP connection over https, installs routes on the PC etc. it will create a
    >lot of problems. (see also: Worms, Air Gaps etc)

    Generally speaking, SSL VPNs require authentication and then provide access
    control. IE, to call itself a "VPN" and SSL device has to do more than just
    do SSL (or TLS) encryption and server authentication. It has to also
    provide access control. Firepass, for example, supports strong
    authentication and access control and passed ICSA Labs SSL VPN certification.

    But, to answer your question, rather than just suggest it is based on a
    false premise, you could 1) write a policy that outlaws their use and 2)
    disallow SSL or TLS through the firewall (or other intrusion prevention

    DISCLOSURE: I've done consulting work for SSL VPN vendors in the past
    (writing papers for Aventail and Whale Communications) and consult for ICSA
    Labs in the SSL-TLS Consortium program.

    Avolio Consulting, Inc.
    AIM: fmavolio, Yahoo Messenger: avolio, MSN Messenger:
    PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
                             BBF6 0B45 93C7 3521 CEA0

    firewall-wizards mailing list

  • Next message: Melson, Paul: "RE: [fw-wiz] Prohibiting SSL VPNs"