Re: [fw-wiz] Prohibiting SSL VPNs
From: John Kougoulos (koug_at_intranet.gr)
To: firstname.lastname@example.org Date: Tue, 25 May 2004 15:59:59 +0300 (EEST)
Thanks everyone for their replies. What worries me most of all is that in
the near future probably MS will bundle such VPN connection with every
Winxxx server product, enabled by default, thus enabling everyone to
establish a VPN connection to everywhere (his ADSL connected home?). Less
"security aware" people will think that "since it's a VPN, it's safe"
making this a nightmare for virus propagation issues & enabling lots of
Of course there is software (like http://www.loopholesoftware.com) which
will tunnel everything over HTTP so disabling SSL/TLS is a temporary
The fact that these devices are certified means that the product gives the
ability to the administrator of such device to enforce a policy. He may
not. These are features that worry the one who wants to offer VPN services
to his employees. Is there any method that this tunnel could be identified
by the network administrator where the client VPN initiates? This is what
a certification authority should do!
I know of course that a malicious user can connect two networks if there
is Layer 3 connectivity between the two sites. A telnet/SLIP like
combination would be enough. However we are facing here the fact that we
have "certified firewall-bypassing-with-no-method-to-identify VPNs".
It is difficult to convince some people that the VPN service (which is
certified) offered by the "big-x-company/bank/whatever" may not be secure
enough (having in mind that they already use it for the past 6 months with
no problems). It would be nice if this VPN couldn't work and given the
fact that someone has to do some business using this technology I would be
contacted to provide a solution (providing some external connection to
this PC). That's the way it worked on classic IPSEC (using ESP/IKE
Anyway, thanks again all for their replies.
On Fri, 21 May 2004, Frederick M Avolio wrote:
> At 01:40 PM 5/20/2004 +0300, John Kougoulos wrote:
> >Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
> >like the one offered by F5 (Firepass), since this requires only the
> >ability for the client to make an https connection (bypassing any kind of
> >firewall/proxy)? Since this product (or any similar) creates some kind of
> >PPP connection over https, installs routes on the PC etc. it will create a
> >lot of problems. (see also: Worms, Air Gaps etc)
> Generally speaking, SSL VPNs require authentication and then provide access
> control. IE, to call itself a "VPN" and SSL device has to do more than just
> do SSL (or TLS) encryption and server authentication. It has to also
> provide access control. Firepass, for example, supports strong
> authentication and access control and passed ICSA Labs SSL VPN certification.
> But, to answer your question, rather than just suggest it is based on a
> false premise, you could 1) write a policy that outlaws their use and 2)
> disallow SSL or TLS through the firewall (or other intrusion prevention
> DISCLOSURE: I've done consulting work for SSL VPN vendors in the past
> (writing papers for Aventail and Whale Communications) and consult for ICSA
> Labs in the SSL-TLS Consortium program.
> Avolio Consulting, Inc.
> URL: http://www.avolio.com/
> Weblog: http://www.avolio.com/weblog/
> AIM: fmavolio, Yahoo Messenger: avolio, MSN Messenger: email@example.com
> PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
> BBF6 0B45 93C7 3521 CEA0
firewall-wizards mailing list