Re: [fw-wiz] Prohibiting SSL VPNs

From: John Kougoulos (
Date: 05/25/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] AIX LPAR security"
    Date: Tue, 25 May 2004 15:59:59 +0300 (EEST)

    Thanks everyone for their replies. What worries me most of all is that in
    the near future probably MS will bundle such VPN connection with every
    Winxxx server product, enabled by default, thus enabling everyone to
    establish a VPN connection to everywhere (his ADSL connected home?). Less
    "security aware" people will think that "since it's a VPN, it's safe"
    making this a nightmare for virus propagation issues & enabling lots of

    Of course there is software (like which
    will tunnel everything over HTTP so disabling SSL/TLS is a temporary

    The fact that these devices are certified means that the product gives the
    ability to the administrator of such device to enforce a policy. He may
    not. These are features that worry the one who wants to offer VPN services
    to his employees. Is there any method by which this tunnel could be identified
    by the network administrator where the client VPN initiates? This is what
    a certification authority should do!

    I know of course that a malicious user can connect two networks if there
    is Layer 3 connectivity between the two sites. A telnet/SLIP like
    combination would be enough. However we are facing here the fact that we
    have "certified firewall-bypassing-with-no-method-to-identify VPNs".

    It is difficult to convince some people that the VPN service (which is
    certified) offered by the "big-x-company/bank/whatever" may not be secure
    enough (having in mind that they already use it for the past 6 months with
    no problems). It would be nice if this VPN couldn't work and, given the
    fact that someone has to do some business using this technology, I would be
    contacted to provide a solution (providing some external connection to
    this PC). That's the way it worked on classic IPSEC (using ESP/IKE

    Anyway, thanks again to all for their replies.


    On Fri, 21 May 2004, Frederick M Avolio wrote:

    > At 01:40 PM 5/20/2004 +0300, John Kougoulos wrote:
    > >...
    > >Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
    > >like the one offered by F5 (Firepass), since this requires only the
    > >ability for the client to make an https connection (bypassing any kind of
    > >firewall/proxy)? Since this product (or any similar) creates some kind of
    > >PPP connection over https, installs routes on the PC etc. it will create a
    > >lot of problems. (see also: Worms, Air Gaps etc)
    > >...
    > Generally speaking, SSL VPNs require authentication and then provide access
    > control. I.e., to call itself a "VPN" an SSL device has to do more than just
    > do SSL (or TLS) encryption and server authentication. It has to also
    > provide access control. Firepass, for example, supports strong
    > authentication and access control and passed ICSA Labs SSL VPN certification.
    > But, to answer your question, rather than just suggest it is based on a
    > false premise, you could 1) write a policy that outlaws their use and 2)
    > disallow SSL or TLS through the firewall (or other intrusion prevention
    > device).
    > DISCLOSURE: I've done consulting work for SSL VPN vendors in the past
    > (writing papers for Aventail and Whale Communications) and consult for ICSA
    > Labs in the SSL-TLS Consortium program.
    > Fred
    > Avolio Consulting, Inc.
    > URL:
    > Weblog:
    > AIM: fmavolio, Yahoo Messenger: avolio, MSN Messenger:
    > PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
    > BBF6 0B45 93C7 3521 CEA0

    firewall-wizards mailing list
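The thread asks whether the network administrator on the client side could identify such a tunnel at all. One practical signal a proxy administrator has is session shape: an HTTPS CONNECT that stays open for hours and moves tens of megabytes looks like a tunnel, not browsing. The following is an added example, not code from the thread or from any vendor; it assumes Squid-style native access.log lines (constructed here) and the thresholds (one hour, 50 MiB) are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid native access.log format:
# timestamp elapsed_ms client result/status bytes method url ...
# The last two lines model one client keeping CONNECT sessions open for hours.
SAMPLE_LOG = """\
1085493600.123   312 10.0.0.5 TCP_MISS/200 18234 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1085493601.456  4120 10.0.0.5 TCP_TUNNEL/200 51200 CONNECT mail.example.org:443 - DIRECT/192.0.2.20 -
1085493610.789 7200000 10.0.0.7 TCP_TUNNEL/200 214748364 CONNECT vpn.example.net:443 - DIRECT/198.51.100.9 -
1085497210.001 5400000 10.0.0.7 TCP_TUNNEL/200 104857600 CONNECT vpn.example.net:443 - DIRECT/198.51.100.9 -
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")

def parse_line(line):
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, elapsed, client, result, nbytes, method, url = m.groups()
    return {"ts": float(ts), "elapsed_ms": int(elapsed), "client": client,
            "result": result, "bytes": int(nbytes), "method": method, "url": url}

def tunnel_suspects(log_text, min_seconds=3600, min_bytes=50 * 1024 * 1024):
    """Return (client, host) pairs whose CONNECT sessions look like a VPN-style
    tunnel rather than ordinary browsing: long-lived and carrying a lot of data.
    Thresholds are assumed defaults, not values from the thread."""
    totals = defaultdict(lambda: {"seconds": 0.0, "bytes": 0, "sessions": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        key = (rec["client"], rec["url"])
        t = totals[key]
        t["seconds"] += rec["elapsed_ms"] / 1000.0
        t["bytes"] += rec["bytes"]
        t["sessions"] += 1
    return {k: v for k, v in totals.items()
            if v["seconds"] >= min_seconds and v["bytes"] >= min_bytes}

if __name__ == "__main__":
    for (client, host), stats in tunnel_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats['sessions']} sessions, "
              f"{stats['seconds']:.0f}s, {stats['bytes']} bytes")
```

This only flags candidates for a human to review; a legitimate long-running HTTPS download to the same host will trip it too, which is why it reports totals rather than making a decision.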
