Full Disclosure mailing list archives

Re: SSL VPNs and security

From: Tim <tim-security () sentinelchicken org>
Date: Fri, 9 Jun 2006 10:05:51 -0400

Hello MZ,

I think SSL VPNs are a pretty lame idea in the first place, but for the
specific problem you bring up, would the following design work around
this?

Set up a wildcard record, *.webvpn.example.org, pointing to the device.
The device then maps all internal domain names or IP addresses to a
unique hostname, such as:  internalhost.webvpn.example.org, or
192-168-0-1.webvpn.example.org, etc.

Wouldn't this properly segment different internal sites, such that an
XSS in one wouldn't impact the other?  If so, pay attention all SSL VPN
vendors: it is your free idea for the week.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

SSL VPNs and security Michal Zalewski (Jun 08)
- Message not available
  - Re: SSL VPNs and security Michal Zalewski (Jun 08)
    - Re: SSL VPNs and security E Mintz (Jun 09)
- Message not available
  - Re: SSL VPNs and security E Mintz (Jun 09)
- Re: SSL VPNs and security Tim (Jun 09)
  - Re: SSL VPNs and security Brian Eaton (Jun 09)
    - Re: SSL VPNs and security Tim (Jun 09)
    - Re: SSL VPNs and security Q-Ball (Jun 12)
    - Re: SSL VPNs and security Ray P (Jun 13)
    - Re: SSL VPNs and security Q-Ball (Jun 13)
  - Re: SSL VPNs and security Michael Holstein (Jun 09)
    - Re: SSL VPNs and security Tim (Jun 09)
    - Re: SSL VPNs and security Michael Holstein (Jun 09)
    - Re: SSL VPNs and security Tim (Jun 09)
    - Re: SSL VPNs and security Brian Eaton (Jun 09)

(Thread continues...)