Security Basics mailing list archives

RE: SSL VPN Risk Assessment


From: "Eric Pinkerton" <EPinkerton () soulaustralia com au>
Date: Tue, 11 Mar 2008 14:47:36 +1100

My reading of this is that you just need to express the rationale behind
your recommendations in terms the people who have to fork out the cash
for it will understand, i.e. the bottom line: what they will have to
spend, against what it could cost them if they don't.

Their job is to choose to either accept or mitigate these risks, so as
the expert they are looking to you for help in justifying the associated
costs.

It's not enough to say you need 2 factor auth, you have to say why you
think this is the case - talk about the dangers of keyloggers, or do a
password audit and show that some passwords can be easily guessed, etc.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of blagoon () gmail com
Sent: Saturday, March 08, 2008 2:55 AM
To: security-basics () securityfocus com
Subject: SSL VPN Risk Assessment

Hi all,

I was tasked to do a risk assessment on our SSL VPN deployment. And I
came up with the following:
- Authentication: Single factor is too weak, we'll need to use a hard
token for a 2nd factor.
- End Point Security: we need to verify the integrity of the connecting
host (company asset, antivirus, patches), install cache cleaner and
force inactive session timeouts.
- Access control: limit full VPN access, implement resource profiles for
different groups of users, or only RDP to users' desktops in the office.

But apparently it is not enough for my manager, who asked me to expand
this report. Any suggestions on areas I might have missed?

Thanks,
