Security Basics mailing list archives

Re: SSL VPN Risk Assessment


From: Nick Owen <nickowen () mindspring com>
Date: Fri, 07 Mar 2008 14:34:26 -0500

blagoon () gmail com wrote:
Hi all,

I was tasked to do a risk assessment on our SSL VPN deployment. And I
came up with the following:
- Authentication: Single factor is too weak, we'll have to use a hard
  token for a 2nd factor.
- End Point Security: we need to verify the integrity of the connecting
  host (company asset, antivirus, patches), install a cache cleaner and
  force inactive session timeouts.
- Access control: limit full VPN access, implement resource profiles for
  different groups of users, or only RDP to users' desktop in the office.

But apparently it is not enough for my manager, who asked me to expand
this report. Any suggestions on areas I might have missed?

Be sure to perform mutual authentication, i.e. verify the identity of the
server to the client as well as client to the server. This will thwart
network-based MITM attacks such as DNS poisoning, which cannot be stopped
by end-point security. These types of attacks are fairly simple because of
the prevalence of Wi-Fi and of poorly configured DNS servers. Relying on
users to validate server certificates has proven to be ineffective.

I have written a how-to on this:
http://www.wikidsystems.com/documentation/howtos/how-to-secure-an-ssl-vpn-with-one-time-passcodes-and-mutual-authentication

for SSL-Explorer. However, I would guess that there are many ways to skin this cat...

hth,

nick


--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
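The mutual-authentication point above, as an added example that is not code from this post, from the linked how-to, or from WiKID or SSL-Explorer: a self-contained Go program (standard library only, Go 1.18 or newer, loopback TCP available) that mints an in-memory enterprise CA with a VPN gateway certificate and one user certificate, plus an unrelated "rogue" CA that has issued a certificate for the very same hostname, which is what a DNS-poisoned lookup could hand the client. It then runs four handshakes: the real gateway with a verifying client, the rogue gateway with a verifying client, the real gateway with a client whose certificate came from the wrong CA, and the rogue gateway with server verification switched off. The hostnames, CA names and user names are constructed for the demo; client certificates stand in here for the "client to server" half, where the how-to uses one-time passcodes instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// vpnHost is the name the client asks for; DNS poisoning changes where that
// name resolves, so the name alone proves nothing about who is answering.
const vpnHost = "vpn.example.internal"

// must keeps the demo short: any failure while minting test material is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert issues a throwaway in-memory P-256 certificate: a self-signed CA
// when issuer is nil, otherwise a leaf for name signed by issuer.
func mintCert(name string, issuer *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, interface{}(key) // self-signed unless an issuer is given
	if issuer == nil { // root: the only certificate allowed to sign others
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else { // leaf: name is the host or user it identifies
		parent, signer, tmpl.DNSNames = issuer.Leaf, issuer.PrivateKey, []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS handshake over loopback TCP and returns the first
// error either side raises; nil means each side accepted its peer.
func handshake(server, client *tls.Config) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", server))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	err = <-srvErr // wait for the server's verdict on our client cert before tearing down
	conn.Close()
	return err
}

// Assess mints an enterprise CA (gateway plus one user) and an unrelated rogue CA that issued a cert for the same hostname, then runs four handshakes.
func Assess() map[string]error {
	corpCA, rogueCA := mintCert("Corp VPN CA", nil), mintCert("Rogue CA", nil)
	corp := x509.NewCertPool()
	corp.AddCert(corpCA.Leaf)
	// The real gateway: corp-issued cert, and it refuses any client without a corp-issued client cert (client -> server half).
	gateway := &tls.Config{Certificates: []tls.Certificate{mintCert(vpnHost, &corpCA)},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: corp}
	// The host a poisoned DNS answer could steer the client to instead.
	rogue := &tls.Config{Certificates: []tls.Certificate{mintCert(vpnHost, &rogueCA)}}
	// The hardened client pins the corp CA and the expected hostname (server -> client half), so no user judges a warning.
	client := func(cert tls.Certificate, verify bool) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: corp,
			ServerName: vpnHost, MinVersion: tls.VersionTLS12, InsecureSkipVerify: !verify}
	}
	user, intruder := mintCert("alice.users.example.internal", &corpCA), mintCert("mallory.example.net", &rogueCA)
	return map[string]error{
		"legit gateway, verifying client":  handshake(gateway, client(user, true)),
		"rogue gateway, verifying client":  handshake(rogue, client(user, true)),
		"legit gateway, rogue client cert": handshake(gateway, client(intruder, true)),
		"rogue gateway, verification off":  handshake(rogue, client(user, false)), // "just click OK"
	}
}

func main() {
	for name, err := range Assess() {
		fmt.Printf("%-32s -> %v\n", name, err)
	}
}
```

Only the first row comes back nil with verification on: the rogue gateway is rejected even though its certificate carries the right hostname, because the chain does not lead to the pinned corporate CA, and the gateway in turn rejects a user certificate from the wrong CA. The last row is the failure mode the post warns about: with server verification off, the rogue host is accepted without any complaint, which is exactly what clicking through a certificate warning amounts to. In a real deployment the pinned CA ships inside the VPN client package rather than being taken from the operating system store.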

