Security Basics mailing list archives

SSL VPN


From: "John Canty" <John.Canty () Vibro-Meter com>
Date: Fri, 12 Dec 2003 07:58:11 -0500

I am in the process of revisiting our remote access solution, and in doing
so I realize that what we currently have (IPsec VPN) is rather clumsy
and has its security issues. The flip side of that coin is that I also know
what we have, and the security problems inherent in IPsec VPNs are
fairly easy to mitigate.

The reason I am looking at the SSL solution is the many good things I
hear about it. I can't be led to believe that this is a perfect system,
and without one in my hands I don't even know what potential risk it may
cause. The Neoteris, now NetScreen, product has so far dominated my
research; it has the fail-over capability and the integration with
(in)Active Directory, along with the SecurID functionality as well.

My question to the populace of this list is fairly straightforward.
First, does anyone have one of these "new fangled" devices, and gone
through its setup? If so, do you see any potential for security
problems, and if that is the case, what are they? I expect to put this thing
in the DMZ, probably not the way it was originally intended to work, and
I also understand the implications of opening up the AD ports to the
back end of the DMZ. I feel this risk is minimal due to the ability to
remove most other servers from the DMZ and use this appliance/device
for most of the user transaction processing. Relay servers will remain
in the DMZ, but even the compromise of a relay server has minimal effect
as long as it is noticed. Which leads to another question about the VPN
appliances: under ideal circumstances I would like to dump its system
logs off to a syslog server; has anyone done this?

Thank you in advance for your help,

//John

