Security Basics mailing list archives
RE: SSL VPN Risk Assessment
From: "Eric Pinkerton" <EPinkerton () soulaustralia com au>
Date: Tue, 11 Mar 2008 14:47:36 +1100
My reading of this is that you just need to express the rationale behind your recommendations in terms the people who have to fork out the cash for it will understand, i.e. the bottom line: what will they have to spend, against what it could cost them if they don't. Their job is to choose to either accept or mitigate these risks, so as the expert they are looking for your help on justifying the costs associated. It's not enough to say you need 2-factor auth; you have to say why you think this is the case - talk about the dangers of keyloggers, or do a password audit and show that some passwords can be easily guessed, etc.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of blagoon () gmail com
Sent: Saturday, March 08, 2008 2:55 AM
To: security-basics () securityfocus com
Subject: SSL VPN Risk Assessment

Hi all,

I was tasked to do a risk assessment on our SSL VPN deployment, and I came up with the following:

- Authentication: single factor is too weak; we'll be to use a hard token for a 2nd factor.
- End point security: we need to verify the integrity of the connecting host (company asset, antivirus, patches), install a cache cleaner and force inactive session timeouts.
- Access control: limit full VPN access, implement resource profiles for different groups of users, or only RDP to users' desktops in the office.

But apparently it is not enough for my manager, who asked me to expand this report. Any suggestions on areas I might have missed?

Thanks,
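The password audit Eric suggests as evidence for the 2-factor recommendation, as an added example that is not part of the thread: a small Python script that checks a set of account hashes against the cheap guesses an attacker (or a keylogger-free brute forcer) would try first, so the report can say "N of M accounts fell to a dictionary in under a second" rather than "single factor is weak". The accounts, their salts and salted SHA-256 hashes are constructed for the illustration and are not real credentials; the hash format, the word list and the mutation rules are all assumptions, and a real audit would be run against the organisation's own directory or VPN appliance export with a much larger word list.

```python
import hashlib
import itertools

# Hash format assumed for the example: sha256(salt || password), hex encoded.
# A real directory export (NTLM, SHA-1 crypt, etc.) would need its own hasher.
def hash_password(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample accounts (not real credentials): (username, salt, digest).
# Three of the four use the kind of password a VPN user picks under pressure.
SAMPLE_ACCOUNTS = [
    ("alice", "s1", hash_password("s1", "Password1")),
    ("bob",   "s2", hash_password("s2", "winter2008")),
    ("carol", "s3", hash_password("s3", "p@ssw0rd")),
    ("dave",  "s4", hash_password("s4", "X7#qLm!2vR9z")),  # should survive
]

# Constructed word list; a real audit would use a large public list plus
# company-specific terms (product names, site names, the company name itself).
BASE_WORDS = ["password", "welcome", "winter", "summer", "company", "letmein"]

# Mutation rules modelled on what users actually do to satisfy a complexity
# policy: capitalise, swap a few letters for symbols, append a digit or a year.
LEET = {"a": "@", "o": "0", "s": "$", "e": "3", "i": "1"}
SUFFIXES = ["", "1", "123", "!", "2007", "2008"]

def leet_variants(word):
    """Every combination of applying/not applying the LEET substitutions."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)

def candidates(word):
    """All cheap derivations of one base word, each yielded once."""
    seen = set()
    for form in (word, word.capitalize(), word.upper()):
        for variant in leet_variants(form):
            for suffix in SUFFIXES:
                cand = variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand

def audit(accounts, words):
    """Return {username: guessed_password} for every account whose stored
    hash matches one of the candidate guesses. Candidates are built once
    (they do not depend on the salt) and rehashed per account."""
    cands = [c for w in words for c in candidates(w)]
    cracked = {}
    for user, salt, digest in accounts:
        for cand in cands:
            if hash_password(salt, cand) == digest:
                cracked[user] = cand
                break
    return cracked

def report(accounts, words):
    """The number a manager understands: how many of M accounts fell."""
    cracked = audit(accounts, words)
    return len(cracked), len(accounts), cracked

if __name__ == "__main__":
    hit, total, details = report(SAMPLE_ACCOUNTS, BASE_WORDS)
    print(f"{hit} of {total} accounts guessed from {len(BASE_WORDS)} base words")
    for user, pw in details.items():
        print(f"  {user}: {pw}")
```

The point of the script for the report is the ratio it produces, not the passwords themselves; never put recovered passwords in a document that circulates, and re-run the audit after the 2-factor or password-policy change so the "after" figure can be shown alongside the "before".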
Current thread:
- SSL VPN Risk Assessment blagoon (Mar 07)
- Re: SSL VPN Risk Assessment Nick Owen (Mar 07)
- Re: SSL VPN Risk Assessment Pierre Cadieux (Mar 11)
- <Possible follow-ups>
- RE: SSL VPN Risk Assessment Eric Pinkerton (Mar 11)