Firewall Wizards mailing list archives

Re: Prohibiting SSL VPNs


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 21 May 2004 17:49:06 -0400 (EDT)

On Thu, 20 May 2004, John Kougoulos wrote:

> Hello all,
>
> Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
> like the one offered by F5 (Firepass), since this requires only the
> ability for the client to make an https connection (bypassing any kind of
> firewall/proxy)? Since this product (or any similar) creates some kind of
> PPP connection over https, installs routes on the PC etc. it will create a
> lot of problems. (see also: Worms, Air Gaps etc)

Don't allow end-user workstations to access the Internet directly.  Give
them a browser running on Terminal Server or X Windows, or VNC with the
screen piped back to their desktops.

Alternately, consider using ISA as a firewall for HTTPS for Windows
clients, and using the policy stuff to stop anything other than IE from
connecting.

Paul

> I know that I could possibly stop the downloading of ActiveX/Java applets
> via some kind of web filtering software but this also has a lot of
> side effects, or I could use some kind of whitelist for https connections,
> but this is too difficult to manage/maintain.

Make it self-maintaining: allow a base URL connection if you can wget a
page and server header over stunnel maybe?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
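The "self-maintaining" allowlist Paul sketches above, as an added example (not code from this thread or from any of the products mentioned): each candidate host is probed once over TLS, and it stays on the HTTPS allowlist only if its base page answers like an ordinary web server (a non-error status, an HTML content type, a Server header, an HTML body). Hosts that fail the probe are dropped with a reason so an administrator can review them. The function names, the `sample_probe` responses and the candidate host names are constructed for the example.

```python
"""Self-maintaining HTTPS allowlist probe (added example, not from the thread).

Idea: fetch the base page of each candidate host over TLS and keep the host
on the allowlist only if the answer looks like a plain web site. Anything
that does not answer like an ordinary HTTPS web server is dropped for review.
All names here (probe_https, looks_like_web_page, refresh_allowlist,
sample_probe, the example hosts) are assumptions made for the example.
"""
import http.client
import ssl
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ProbeResult:
    status: Optional[int]                 # HTTP status, None if the probe failed
    headers: Dict[str, str] = field(default_factory=dict)   # lower-cased names
    body: bytes = b""
    error: str = ""


def probe_https(host: str, timeout: float = 5.0, path: str = "/") -> ProbeResult:
    """Fetch the base page of `host` over TLS (the 'wget over stunnel' step)."""
    ctx = ssl.create_default_context()    # verifies the server certificate chain
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"Host": host,
                                           "User-Agent": "allowlist-probe/1.0"})
        resp = conn.getresponse()
        body = resp.read(64 * 1024)       # a snippet is enough to classify
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return ProbeResult(resp.status, headers, body)
    except (OSError, ssl.SSLError, http.client.HTTPException) as exc:
        return ProbeResult(None, error=f"{type(exc).__name__}: {exc}")
    finally:
        conn.close()


def looks_like_web_page(result: ProbeResult) -> Tuple[bool, str]:
    """Conservative classifier: True only for an ordinary HTML web server."""
    if result.status is None:
        return False, f"probe failed: {result.error}"
    if result.status >= 400:
        return False, f"HTTP {result.status}"
    ctype = result.headers.get("content-type", "")
    if not ctype.startswith("text/html"):
        return False, f"non-HTML content-type {ctype!r}"
    if "server" not in result.headers:
        return False, "no Server header"
    head = result.body[:4096].lower()
    if b"<html" not in head and b"<!doctype html" not in head:
        return False, "body does not look like HTML"
    return True, "ok"


def refresh_allowlist(candidates: List[str],
                      probe: Callable[[str], ProbeResult] = probe_https
                      ) -> Tuple[List[str], Dict[str, str]]:
    """Return (hosts to keep, {dropped host: reason}) after probing each candidate."""
    kept: List[str] = []
    dropped: Dict[str, str] = {}
    for host in candidates:
        ok, reason = looks_like_web_page(probe(host))
        if ok:
            kept.append(host)
        else:
            dropped[host] = reason
    return kept, dropped


# Constructed sample responses so the example runs offline; swap in
# probe_https for a real refresh.
def sample_probe(host: str) -> ProbeResult:
    if host == "www.example.com":
        return ProbeResult(200, {"content-type": "text/html; charset=utf-8",
                                 "server": "Apache"},
                           b"<!DOCTYPE html><html><body>hello</body></html>")
    if host == "api.example.net":
        return ProbeResult(200, {"content-type": "application/json",
                                 "server": "nginx"}, b"{}")
    if host == "down.example.org":
        return ProbeResult(None, error="ConnectionRefusedError: [Errno 111]")
    return ProbeResult(403, {"content-type": "text/html", "server": "x"}, b"<html>")


if __name__ == "__main__":
    keep, drop = refresh_allowlist(["www.example.com", "api.example.net",
                                    "down.example.org", "other.example"],
                                   probe=sample_probe)
    print("keep:", keep)
    for h, why in drop.items():
        print("drop:", h, "-", why)
```

Run from cron with `probe_https` and feed the `kept` list to whatever generates the proxy or firewall allowlist. One caveat a practitioner should keep in mind: the probe only verifies that a host answers like a web server, which keeps the list from rotting, but an SSL VPN gateway also serves an HTML login page over HTTPS, so this does not by itself decide which hosts belong on the list; that decision still has to be made when a host is first added.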
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards