Security Basics mailing list archives
SSL VPN
From: "John Canty" <John.Canty () Vibro-Meter com>
Date: Fri, 12 Dec 2003 07:58:11 -0500
I am in the process of revisiting our remote access solution; in doing so I realize that currently what we have (ipsec vpn) is rather clumsy and has its security issues. The flip side of that coin is I also know what we have, and security problems that are inherent in ipsec vpns are fairly easy to mitigate.

The reason I am looking at the SSL solution is due to many good things I hear of it. I can't be led to believe that this is a perfect system, and without one in my hands I don't even know what potential risk it may cause. The Neoteris, now NetScreen, product has so far dominated my research; it has the fail-over capability and the integration with (in)active directory, along with the SecurID functionality as well.

My question to the populace of this list is fairly straightforward. First, does anyone have one of these "new fangled" devices, and gone through its setup? If so, do you see any potential for security problems, that being the case, what are they?

I expect to put this thing in the dmz, probably not the way it was originally intended to work, and I also understand the implications of opening up the AD ports to the back end of the DMZ. I feel this risk is minimal due to the ability to remove most other servers from the dmz, and use this appliance/device for most of the user transaction processing. Relay servers will remain in the dmz, but even the compromise of a relay server has minimal effect as long as it is noticed.

Which leads to another question about the vpn appliances: under ideal circumstances I would like to dump its system logs off to a syslog server. Has anyone done this?

Thank you in advance for your help,
//John
Current thread:
- SSL VPN John Canty (Dec 12)
- RE: SSL VPN Optrics Engineering - Shaun Sturby, MCSE (Dec 15)
- <Possible follow-ups>
- Re: SSL VPN Erik (Dec 15)