Re: [fw-wiz] Prohibiting SSL VPNs
From: Frederick M Avolio (fred_at_avolio.com)
Date: 05/21/04
- Previous message: Gwendolynn ferch Elydyr: "[fw-wiz] Re: Best Practices"
- In reply to: John Kougoulos: "[fw-wiz] Prohibiting SSL VPNs"
- Next in thread: John Kougoulos: "Re: [fw-wiz] Prohibiting SSL VPNs"
- Reply: John Kougoulos: "Re: [fw-wiz] Prohibiting SSL VPNs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: John Kougoulos <koug@intranet.gr>, firewall-wizards@honor.icsalabs.com
Date: Fri, 21 May 2004 14:27:06 -0400
At 01:40 PM 5/20/2004 +0300, John Kougoulos wrote:
>...
>Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
>like the one offered by F5 (Firepass), since this requires only the
>ability for the client to make an https connection (bypassing any kind of
>firewall/proxy)? Since this product (or any similar) creates some kind of
>PPP connection over https, installs routes on the PC etc. it will create a
>lot of problems. (see also: Worms, Air Gaps etc)
>...
Generally speaking, SSL VPNs require authentication and then provide access
control. I.e., to call itself a "VPN" an SSL device has to do more than just
do SSL (or TLS) encryption and server authentication. It has to also
provide access control. Firepass, for example, supports strong
authentication and access control and passed ICSA Labs SSL VPN certification.
But, to answer your question, rather than just suggest it is based on a
false premise, you could 1) write a policy that outlaws their use and 2)
disallow SSL or TLS through the firewall (or other intrusion prevention
device).
DISCLOSURE: I've done consulting work for SSL VPN vendors in the past
(writing papers for Aventail and Whale Communications) and consult for ICSA
Labs in the SSL-TLS Consortium program.
Fred
Avolio Consulting, Inc.
URL: http://www.avolio.com/
Weblog: http://www.avolio.com/weblog/
AIM: fmavolio, Yahoo Messenger: avolio, MSN Messenger: fred@avolio.com
PGP Key Fingerprint: 928D 0903 934F 8CFA 6124 BBF6 0B45 93C7 3521 CEA0
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
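The concern raised in the thread is that a tunnel such as PPP over HTTPS is indistinguishable from browsing by port alone. As an added example (not code from the list or from any vendor), the script below applies a shape heuristic to connection records: a long-lived TLS-port flow that carries bulk data in both directions looks like a routed tunnel, not page fetches. The log format, thresholds and sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    seconds: int      # connection duration
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client


# Heuristic thresholds (assumed values; tune for the environment)
MIN_SECONDS = 600               # browsers rarely hold one TLS session this long
MIN_BYTES_EACH_WAY = 1_000_000  # bulk data must flow in BOTH directions
MAX_ASYMMETRY = 10.0            # downloads are lopsided; tunnels are not


def looks_like_tunnel(c: Conn) -> bool:
    """True when a TLS-port flow is long-lived, bulky and roughly symmetric."""
    if c.dport != 443 or c.seconds < MIN_SECONDS:
        return False
    low, high = sorted((c.bytes_in, c.bytes_out))
    if low < MIN_BYTES_EACH_WAY:
        return False
    return high / max(1, low) <= MAX_ASYMMETRY


def parse_line(line: str) -> Conn:
    # constructed record format: src dst dport seconds bytes_out bytes_in
    src, dst, dport, secs, out, inb = line.split()
    return Conn(src, dst, int(dport), int(secs), int(out), int(inb))


# Constructed sample: short page fetch, tunnel-shaped flow, large download, SSH
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 443 12 4000 180000
10.0.0.7 203.0.113.20 443 5400 52000000 61000000
10.0.0.9 203.0.113.30 443 7200 300000 900000000
10.0.0.7 203.0.113.40 22 5400 52000000 61000000
"""


def suspicious_sources(log: str) -> List[str]:
    """Source addresses with at least one tunnel-shaped HTTPS flow."""
    conns = (parse_line(l) for l in log.splitlines() if l.strip())
    return sorted({c.src for c in conns if looks_like_tunnel(c)})


if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))  # ['10.0.0.7']
```

Only the second record trips the check; the large download on the third line fails the both-directions test, which is what separates it from a tunnel.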