Security Basics mailing list archives

Re: SSL VPN


From: Jurgen Vermeulen <jurgen () vermeulen-debondt be>
Date: Wed, 16 Jan 2008 20:31:15 +0100

Paul Hosking wrote:
It depends on what functionality you're choosing to use; "SSL VPN"
products tend to offer a bundle of fairly different remote access
solutions.  If you're doing something like web rewrites (kind of like
using a web-based web browser) then it's just the single IP address
involved.  If you use a full VPN like Juniper's Network Connect, then
you have an additional IP address assigned to a virtual adapter on the
user's system.

I've had a lot of positive experience with Juniper's IVE product line.
It is highly configurable and offers a number of different access
solutions (web rewrite, Java / ActiveX tunnels, RDP / Telnet / SSH
clients, web-based SMB / NFS file access, Network Connect - full VPN).
It has become something of a Swiss Army knife of remote access -
allowing us to tailor the solution to specific needs.  We can allow some
people full access and limit others to only the specific resource they
need.

I perform installations of most Juniper and Check Point solutions. I must say both Check Point's Connectra and Juniper's IVE are good products. We also have a few Cisco SSL installations but I don't have any hands-on experience with them.

If you already have Check Point firewalls running, you can easily integrate Connectra management on the SmartCenter (on R65); however, the IVE does have a lot more configuration options and a nice variety of appliances, combined with a decent web GUI. A simple SA-700 has basic clientless access and on top of that, you get the Network Connect IPsec-like solution. If you don't have too many users, this is mostly the ideal solution. Put it in the DMZ and use a new private range for the Network Connect clients.

If your users don't have admin privileges, you have the option to push an installer service to the PCs. Once installed, all Juniper applications like NC, SAM, Host Checker, ... can be installed/upgraded with regular user rights.

If you're not 100% sure if it fits your needs, try to arrange a try-and-buy solution or demo.

Kind regards,
Jurgen

