Security Basics mailing list archives

Re: Clientless VPN (SSL VPN) vs HTTPS


From: PCSC Information Services <info () pcsage biz>
Date: Fri, 11 Aug 2006 09:45:05 -0400

Hi Harbinger,

I believe that you are misinformed with respect to the capabilities of SSL VPN. You will note from http://openvpn.net/ (an open source implementation) that SSL VPN is quite robust and provides support for many networking services that are not normally tunnelled over HTTPS.  For example:

With OpenVPN, you can:

    * tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
    * configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,
    * use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
    * use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,
    * choose between static-key based conventional encryption or certificate-based public key encryption,
    * use static, pre-shared keys or TLS-based dynamic key exchange,
    * use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
    * tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
    * tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
    * tunnel networks over NAT,
    * create secure ethernet bridges using virtual tap devices, and
    * control OpenVPN using a GUI on Windows or Mac OS X.

As you will no doubt agree, this is much more robust than what you would normally expect from HTTPS.

Because SSL operates below http and has no knowledge of the higher level protocol, SSL servers can only present one certificate for a particular IP/port combination.

A small amount of searching (googling for places that allow google as a verb ;) ) finds:

http://www.derkeiler.com/Mailing-Lists/Firewall-Wizards/2005-03/0077.html

Which includes a quite detailed analysis of SSL-VPN v. IPsec VPN.

Good luck with your implementation...

Sincerely,

Sean Swayze
info  AT pcsage DOT biz
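The reply above lists what distinguishes an SSL VPN such as OpenVPN from plain HTTPS: whole IP subnets tunnelled over one port, a choice between static pre-shared keys and TLS-based key exchange, and a selectable cipher and HMAC digest. The following is an added example (editor's code, not from the original post and not part of OpenVPN itself) that writes two constructed OpenVPN configurations, one using a static key and one using certificates with TLS, and audits each for those features. All file names, key names and subnet addresses are assumed; `tls-crypt` is an OpenVPN 2.4+ directive that the 2006 post does not mention and is included only so the check also recognises newer configs.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN project.
# Writes two constructed OpenVPN configs (all names and addresses are
# assumed) and reports, for each, how keys are established, which
# cipher/HMAC are configured, whether the TLS control channel is
# HMAC-protected, and how many subnets are pushed to clients.

write_samples() {
  # Constructed sample: static pre-shared key, point-to-point, no routes pushed.
  cat > static.conf <<'EOF'
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
auth SHA256
EOF
  # Constructed sample: certificate-based TLS key exchange, routed subnet
  # pushed to clients, tls-auth HMAC on the control channel.
  cat > tls-server.conf <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256
keepalive 10 120
EOF
}

# key_mode FILE -> "static" (pre-shared key), "tls" (certificate) or "unknown"
key_mode() {
  if grep -q '^secret ' "$1"; then
    echo static
  elif grep -q '^cert ' "$1" && grep -q '^key ' "$1"; then
    echo tls
  else
    echo unknown
  fi
}

# directive FILE NAME -> value of the first matching directive, empty if absent
directive() {
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# control_channel_hmac FILE -> "yes" if tls-auth or tls-crypt is configured
control_channel_hmac() {
  if grep -Eq '^(tls-auth|tls-crypt) ' "$1"; then echo yes; else echo no; fi
}

# routed_subnets FILE -> number of "push route" lines (subnets tunnelled to clients)
routed_subnets() {
  grep -c '^push "route ' "$1" || true
}

# audit FILE -> one summary line
audit() {
  printf '%s: key=%s cipher=%s auth=%s control-hmac=%s pushed-routes=%s\n' \
    "$1" "$(key_mode "$1")" "$(directive "$1" cipher)" \
    "$(directive "$1" auth)" "$(control_channel_hmac "$1")" \
    "$(routed_subnets "$1")"
}

write_samples
audit static.conf
audit tls-server.conf
```

The static-key config carries no certificate and no control-channel HMAC and reaches only the peer address on the tunnel, which is closer to what a single HTTPS endpoint offers; the TLS config is what makes the "tunnel any IP subnetwork" point concrete, since the pushed route hands the client a whole internal subnet through one UDP port.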

On 10-Aug-06, at 11:55 PM, harbinger wrote:

Hi

These days SSL VPN has been the alternative to
the traditional IPsec VPN, particularly for users that
require only email access.

However, what is the difference in implementing SSL VPN,
which essentially means allowing only web-based traffic, i.e. webmail,
as compared to just setting up a webmail server running HTTPS?

Can anyone point out the differences?

Thanks

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
